
CrowdStrike Integration Guide

CrowdStrike is a global cybersecurity leader with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data.

What can Zenduty do for CrowdStrike users?

CrowdStrike combines security and IT operations capabilities, including IT hygiene, vulnerability management and patching, with threat intelligence, malware search and sandbox analysis that are integrated and automated to give security teams deep context and predictive capabilities.

With the Zenduty-CrowdStrike integration, Zenduty creates new Incidents/Alerts whenever an alert is triggered or a new endpoint is detected in CrowdStrike.

You can also use Alert Rules to route specific CrowdStrike alerts to specific users, teams or escalation policies, write suppression rules, and automatically add notes, responders and incident tasks.

To integrate CrowdStrike with Zenduty, complete the following steps:

In Zenduty:

  1. To add a new CrowdStrike integration, go to Teams on Zenduty and click on the team you want to add the integration to.

  2. Next, go to Services and click on the relevant Service.

  3. Go to Integrations and then Add New Integration. Give it a name and select the application CrowdStrike from the dropdown menu.

  4. Go to Configure under your Integrations and copy the generated Webhook URL & Integration Key.

In CrowdStrike:

  1. Log into CrowdStrike, and head to the CrowdStrike Store from Menu. Select All apps and search for Webhook.

  2. Configure the Webhook application by clicking Configure and then Add configuration. Give the configuration a name, e.g. Zenduty. Paste the copied Webhook URL under Webhook URL and the copied Integration Key under HMAC Secret Key, then save the configuration. The Integration Key is the shared secret used to authenticate payloads sent to this Zenduty integration, so treat both values as credentials and do not reuse them elsewhere.


  3. Head to Falcon Workflows via Host setup and management > Automated workflows. Edit an existing workflow or create a new one as required, choose Call Webhook as the notification action, and select the webhook configuration created in the previous step.


  4. Select the fields you want included in the JSON payload. The fields listed below must be selected for each trigger type so that the incident is created with accurate details.

    Mandatory Data fields to include for Workflow Execution trigger

    Workflow Description
    Workflow Status
    Workflow Name
    

    Mandatory Data fields to include for New endpoint detection trigger

    Hostname
    Local IP
    Mac Address
    Sensor ID
    Command Line
    Detection ID
    Severity
    Endpoint detection status
    

    Mandatory Data fields to include for Audit event > Policy trigger

    Created by email
    Modified by email
    PolicyDetail description
    PolicyDetail name
    Policy type
    PolicyDetail platform
    

    Mandatory Data fields to include for Audit event > Endpoint detection > Comment trigger

    Endpoint Detection ID
    Comment text
    

    Mandatory Data fields to include for Audit event > Endpoint detection > Status trigger

    Endpoint Detection ID
    Endpoint detection severity
    Endpoint detection status
    

    It is recommended to add all available fields. Alert Rules can then act on any payload field to fine-tune your incident response with CrowdStrike.

    Note: Zenduty replaces "." with "___" (three underscores) in payload keys so that they can be referenced in Alert Rules.

    e.g.

    Original value: detections.severity 
    Replaced value: detections___severity
    
  5. CrowdStrike is now integrated with Zenduty.
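As an added example (not Zenduty's or CrowdStrike's code), the following Python normalises payload keys exactly as the note above describes, rejects the one case where the replacement is not reversible, and shows the generic check that a shared HMAC secret such as the one configured above enables. The sample payload, the nested `device` object and the hex signature format are constructed assumptions; only `detections.severity` comes from this page, and where the webhook app actually places its signature is not stated here.

```python
import hashlib
import hmac
import json

SEPARATOR = "___"  # three underscores, as stated in the note above


def normalise_key(key: str) -> str:
    """Replace every '.' in a payload key with '___' so Alert Rules can reference it."""
    return key.replace(".", SEPARATOR)


def normalise_payload(obj):
    """Recursively rename dotted keys in dicts (lists are walked, scalars returned as-is).

    Raises ValueError when two different original keys would collapse to the same
    normalised name (e.g. 'a.b' and 'a___b'); otherwise one value would be
    silently overwritten and an Alert Rule could match the wrong field.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            new_key = normalise_key(key)
            if new_key in out:
                raise ValueError(f"key collision after normalisation: {key!r} -> {new_key!r}")
            out[new_key] = normalise_payload(value)
        return out
    if isinstance(obj, list):
        return [normalise_payload(item) for item in obj]
    return obj


def sign_body(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded (assumed signature format)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_body(secret: str, raw_body: bytes, presented_hex: str) -> bool:
    """Constant-time comparison of the presented signature with the expected one.

    Assumption: the sender signs the exact raw bytes of the body with HMAC-SHA256
    and transmits the hex digest alongside the request. The header name and
    encoding used by the real webhook app are not given on this page; confirm
    them in the app's own documentation before relying on this check.
    """
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(expected, presented_hex.strip().lower())


# Constructed sample payload. Only 'detections.severity' appears in the guide; the
# remaining keys are illustrative and are not CrowdStrike's real schema.
SAMPLE_PAYLOAD = {
    "detections.severity": 70,
    "detections.status": "new",
    "device": {"hostname": "WS-0421", "local.ip": "10.0.4.21"},
    "tags": ["demo"],
}


if __name__ == "__main__":
    body = json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode("utf-8")
    secret = "example-integration-key"  # stands in for the Integration Key pasted above
    signature = sign_body(secret, body)
    assert verify_body(secret, body, signature)
    assert not verify_body(secret, body + b" ", signature)  # any byte change breaks the MAC
    print(json.dumps(normalise_payload(json.loads(body)), indent=2))
```

Verify the signature over the raw bytes before parsing the JSON: re-serialising a parsed object can reorder keys or change whitespace and will not reproduce the sender's digest.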
