Crowdstrike Falcon
Crowdstrike Falcon helps to secure the most critical areas of enterprise risk – endpoints, cloud workloads, identities, and data.
Route detailed alerts from Crowdstrike Falcon to the right users in Squadcast.
Using Crowdstrike Falcon as an Alert Source
(1) From the navigation bar on the left, select Services. Pick the applicable Team from the Team-picker at the top. Next, click Alert Sources for the applicable Service.
(2) Search for Crowdstrike Falcon in the Alert Source drop-down and copy the Webhook URL.
For an Alert Source to turn active (indicated by a green dot - Receiving alerts against the name of the Alert Source in the drop-down), you can either generate a test alert or wait for a real-time alert to be generated by the Alert Source.
An Alert Source is active if there is a recorded incident via that Alert Source for the Service in the last 30 days.
Create a Squadcast Webhook URL REST Endpoint in Crowdstrike Falcon
(1) Log in to your Crowdstrike Falcon dashboard and head over to Workflows.
(2) Click Create Workflow. Select New detection or New incident as the trigger, then in the workflow diagram add a condition. Set Parameter to Detection status or Incident status, Operator to is equal to, and Value to New. Then click + and add an Action. Choose Notifications as the Action type and Call webhook as the Action.
Add the webhook by clicking Go to Store. Click Configure and enter Squadcast as the Name. Paste the previously copied Squadcast Webhook URL into the Webhook URL field. Then click Save configuration.
Choose Squadcast as the Webhook name and add the data you want to send to Squadcast.
Important
- For New Detection:
Always add Detection Id and Detection Status to the data you send to Squadcast.
- For New Incident:
Always add Incident Id and Incident Status to the data you send to Squadcast.
Add a second condition after the Trigger event. Set Parameter to Detection status or Incident status, Operator to is equal to, and Value to Closed. Then click + and add an Action. Choose Notifications as the Action type and Call webhook as the Action. Choose Squadcast as the Webhook name and add the data you want to send to Squadcast.
Then click Finish. Give the workflow a name, set the Workflow Status to On, and click Save workflow.
That's it, you are good to go! Your Crowdstrike Falcon integration is now complete. Whenever Crowdstrike Falcon fires an alert, an incident is created in Squadcast for it. Also, when a detection or incident status changes to Closed, the corresponding incident is auto-resolved in Squadcast.
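Before pointing the workflow at Squadcast, it helps to confirm that both branches (New and Closed) actually send the fields the Important note requires. The following is an added Python example, not Squadcast's or CrowdStrike's code, that validates captured webhook bodies and derives the open/resolve action; the JSON key names (detection_id, detection_status, incident_id, incident_status) and the sample bodies are assumptions, since the real keys depend on the data you pick in the workflow.

```python
import json

# Fields the Important note says must always be sent. The JSON key spelling
# is an assumption: the data picked in the Falcon workflow decides the real keys.
REQUIRED = {
    "detection": ("detection_id", "detection_status"),
    "incident": ("incident_id", "incident_status"),
}

# The two workflow conditions on the page: New opens, Closed auto-resolves.
STATUS_ACTION = {"New": "trigger", "Closed": "resolve"}


def classify(payload: dict) -> dict:
    """Return {"kind", "id", "action"} for one webhook body, or raise
    ValueError when a field the workflow must send is missing."""
    for kind, (id_key, status_key) in REQUIRED.items():
        if id_key in payload or status_key in payload:
            missing = [k for k in (id_key, status_key) if k not in payload]
            if missing:
                raise ValueError(f"{kind} body missing {missing}; add them in the workflow")
            action = STATUS_ACTION.get(payload[status_key])
            if action is None:
                raise ValueError(f"unexpected {kind} status {payload[status_key]!r}")
            return {"kind": kind, "id": str(payload[id_key]), "action": action}
    raise ValueError("body has neither detection nor incident fields")


def check_workflow_output(bodies):
    """Validate a batch of raw JSON bodies; returns (classified, errors)."""
    results, errors = [], []
    for raw in bodies:
        try:
            results.append(classify(json.loads(raw)))
        except (ValueError, json.JSONDecodeError) as exc:
            errors.append(str(exc))
    return results, errors


# Constructed sample bodies standing in for what the two workflow branches send;
# the third one is deliberately missing its status field.
SAMPLE_BODIES = [
    '{"detection_id": "ldt:abc:123", "detection_status": "New", "severity": "high"}',
    '{"detection_id": "ldt:abc:123", "detection_status": "Closed"}',
    '{"incident_id": "inc:def:456"}',
]

if __name__ == "__main__":
    ok, bad = check_workflow_output(SAMPLE_BODIES)
    for r in ok:
        print(r)
    for e in bad:
        print("ERROR:", e)
```

Point the workflow's Call webhook action at a local listener that feeds each request body into check_workflow_output; an empty error list means both branches carry the required fields.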