CrowdStrike is a global cybersecurity leader with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data.
What can Zenduty do for CrowdStrike users?
CrowdStrike provides security and IT operations capabilities including IT hygiene, vulnerability management, and patching. All of this gets enriched by world-class threat intelligence, including capabilities to conduct malware searching and sandbox analysis that are fully integrated and automated to deliver security teams deep context and predictive capabilities.
With the Zenduty-CrowdStrike integration, you would be able to create new Incidents/Alerts in Zenduty whenever any Alerts are triggered or New Endpoints are detected in CrowdStrike.
You can also use Alert Rules to custom route specific CrowdStrike alerts to specific users, teams or escalation policies, write suppression rules, auto add notes, responders and incident tasks.
To integrate CrowdStrike with Zenduty, complete the following steps:
To add a new CrowdStrike integration, go to Teams on Zenduty and click on the team you want to add the integration to.
Next, go to Services and click on the relevant Service.
Go to Integrations and then Add New Integration. Give it a name and select the application CrowdStrike from the dropdown menu.
Go to Configure under your Integrations and copy the generated Webhook URL & Integration Key.
Log into CrowdStrike, and head to the CrowdStrike Store from Menu. Select All apps and search for Webhook.
Configure the Webhook application by clicking on the Configure and then Add configuration button. Give a name for this configuration, e.g. Zenduty. Paste the copied URL under Webhook URL, copy the Integration Key from Zenduty and paste it under HMAC Secret Key. Save the Configuration.
Head to Falcon Workflows by following path Host setup and management' > 'Automated workflows. Edit an existing workflow or create new as per your requirement, select notification as Call Webhook and select the webhook which was created in the previous step.
Select the fields which you want to be included in the JSON payload. Below listed fields are required to be selected in order to create an incident with accurate details.
Mandatory Data fields to include for Workflow Execution trigger
Workflow Description Workflow Status Workflow Name
Mandatory Data fields to include for New endpoint detection trigger
Hostname Local IP Mac Address Sensor ID Command Line Detection ID Severity Endpoint detection status
Mandatory Data fields to include for Audit event > Policy trigger
Created by email Modified by email PolicyDetail description PolicyDetail name Policy type PolicyDetail platform
Mandatory Data fields to include for Audit event > Endpoint detection > Comment trigger
Endpoint Detection ID Comment text
Mandatory Data fields to include for Audit event > Endpoint detection > Status trigger
Endpoint Detection ID Endpoint detection severity Endpoint detection status
It is recommended to add all fields if possible. With the available payload fields, Alert Rules can be configured for custom actions fine tuning your incident response with CrowdStrike.
Note: We are replacing "." with "___" (3 underscores) in payload keys - so it can be used in Alert Rules.
Original value: detections.severity Replaced value: detections___severity
CrowdStrike is now integrated with Zenduty.