CrowdStrike Integration Guide

CrowdStrike is a global cybersecurity leader with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data.

What can Xurrent IMR do for CrowdStrike users?

CrowdStrike provides security and IT operations capabilities including IT hygiene, vulnerability management, and patching. All of this gets enriched by world-class threat intelligence, including capabilities to conduct malware searching and sandbox analysis that are fully integrated and automated to deliver security teams deep context and predictive capabilities.

With the Xurrent IMR-CrowdStrike integration, you can create new Incidents/Alerts in Xurrent IMR whenever an Alert is triggered or a new Endpoint is detected in CrowdStrike.

You can also use Alert Rules to route specific CrowdStrike alerts to specific users, teams or escalation policies, write suppression rules, and automatically add notes, responders and incident tasks.

To integrate CrowdStrike with Xurrent IMR, complete the following steps:

In Xurrent IMR:

  1. To add a new CrowdStrike integration, go to Teams on Xurrent IMR and click on the team you want to add the integration to.
  2. Next, go to Services and click on the relevant Service.
  3. Go to Integrations and then Add New Integration. Give it a name and select the application CrowdStrike from the dropdown menu.
  4. Go to Configure under your Integrations and copy the generated Webhook URL & Integration Key.

In CrowdStrike:

  1. Log into CrowdStrike and open the CrowdStrike Store from the menu. Select All apps and search for Webhook.
  2. Configure the Webhook application by clicking Configure and then Add configuration. Give the configuration a name, e.g. Xurrent IMR. Paste the copied URL under Webhook URL, then copy the Integration Key from Xurrent IMR and paste it under HMAC Secret Key. Save the configuration.
  3. Head to Falcon Workflows via 'Host setup and management' > 'Automated workflows'. Edit an existing workflow or create a new one as required, select Call Webhook as the notification, and select the webhook created in the previous step.
  4. Select the fields to be included in the JSON payload. The fields listed below must be selected for an incident to be created with accurate details:
     - Mandatory data fields to include for the Workflow Execution trigger
     - Mandatory data fields to include for the New endpoint detection trigger
     - Mandatory data fields to include for the Audit event > Policy trigger
     - Mandatory data fields to include for the Audit event > Endpoint detection > Comment trigger
     - Mandatory data fields to include for the Audit event > Endpoint detection > Status trigger
     It is recommended to add all fields if possible. With the available payload fields, Alert Rules can be configured for custom actions, fine-tuning your incident response with CrowdStrike.
     Note: "." is replaced with "___" (three underscores) in payload keys so that they can be used in Alert Rules.
     e.g.

CrowdStrike is now integrated with Xurrent IMR.
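The two security-relevant details in the steps above are the HMAC Secret Key (the receiver can reject any webhook call that was not signed with the shared Integration Key) and the "." to "___" key rewrite (Alert Rules must reference the rewritten names). The following is an added illustration of a receiver that does both, written for this guide rather than taken from Xurrent IMR or the CrowdStrike Webhook app. It assumes HMAC-SHA256 over the raw request body and does not model the HTTP header the signature travels in; the Integration Key, the sample payload and the Alert Rule syntax (`field` / `op` / `value`) are constructed for the example, and the field names are not CrowdStrike's actual ones.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the Integration Key that Xurrent IMR generates (assumption:
# the real key is a secret copied from the Configure page, never hard-coded like this).
INTEGRATION_KEY = b"constructed-example-integration-key"

# Constructed sample payload, shaped loosely like a Falcon workflow "Call Webhook"
# body with dotted field names. Real field names come from the workflow you build.
SAMPLE_BODY = json.dumps({
    "trigger": "Workflow Execution",
    "detection.severity": 80,
    "detection.hostname": "WS-0042",
    "device": {"device.id": "abc123", "platform_name": "Windows"},
}).encode()


def sign_payload(raw_body: bytes, key: bytes = INTEGRATION_KEY) -> str:
    """Hex HMAC-SHA256 over the raw request body (assumed algorithm; the Webhook
    app's documentation states the actual one and the header it is sent in)."""
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, received_sig: str, key: bytes = INTEGRATION_KEY) -> bool:
    """Recompute the MAC and compare in constant time, so an unsigned or tampered
    body is rejected before any incident is created from it."""
    return hmac.compare_digest(sign_payload(raw_body, key), received_sig)


def normalize_keys(obj):
    """Replace '.' with '___' in every key, recursively, as the guide says Xurrent IMR
    does so that payload fields can be referenced in Alert Rules."""
    if isinstance(obj, dict):
        return {k.replace(".", "___"): normalize_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [normalize_keys(v) for v in obj]
    return obj


def rule_matches(rule: dict, payload: dict) -> bool:
    """Minimal Alert Rule evaluator (hypothetical shape, not Xurrent's own rule syntax):
    rule = {"field": "<normalized key>", "op": "eq|gte|contains", "value": ...}."""
    value = payload.get(rule["field"])
    if value is None:
        return False
    op = rule["op"]
    if op == "eq":
        return value == rule["value"]
    if op == "gte":
        return value >= rule["value"]
    if op == "contains":
        return str(rule["value"]) in str(value)
    raise ValueError(f"unsupported op: {op}")


def handle_webhook(raw_body: bytes, received_sig: str):
    """Receiver-side flow: verify first, only then parse and normalize.
    Returns the normalized payload, or None when the signature check fails."""
    if not verify_signature(raw_body, received_sig):
        return None
    return normalize_keys(json.loads(raw_body))


if __name__ == "__main__":
    sig = sign_payload(SAMPLE_BODY)
    payload = handle_webhook(SAMPLE_BODY, sig)
    print(payload)
    high_sev = {"field": "detection___severity", "op": "gte", "value": 70}
    print("route to escalation policy:", rule_matches(high_sev, payload))
    print("tampered body accepted:", handle_webhook(SAMPLE_BODY + b" ", sig) is not None)
```

The rule keyed on `detection___severity` matches, while the same rule written against the original `detection.severity` does not, which is why the rewrite matters when building Alert Rules; the tampered body is dropped before parsing because the MAC no longer verifies.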