CrowdStrike is a global cybersecurity leader with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data.

What can Zenduty do for CrowdStrike users?

CrowdStrike provides security and IT operations capabilities including IT hygiene, vulnerability management, and patching. All of this gets enriched by world-class threat intelligence, including capabilities to conduct malware searching and sandbox analysis that are fully integrated and automated to deliver security teams deep context and predictive capabilities.

With the Zenduty-CrowdStrike integration, you would be able to create new Incidents/Alerts in Zenduty whenever any Alerts are triggered or New Endpoints are detected in CrowdStrike.

You can also use Alert Rules to custom route specific CrowdStrike alerts to specific users, teams or escalation policies, write suppression rules, auto add notes, responders and incident tasks.

To integrate CrowdStrike with Zenduty, complete the following steps:

In Zenduty:

1. To add a new CrowdStrike integration, go to Teams on Zenduty and click on the team you want to add the integration to.

2. Next, go to Services and click on the relevant Service.

3. Go to Integrations and then Add New Integration. Give it a name and select the application CrowdStrike from the dropdown menu.

4. Go to Configure under your Integrations and copy the generated Webhook URL & Integration Key.

In CrowdStrike:

5. Log into CrowdStrike, and head to the CrowdStrike Store from Menu. Select All apps and search for Webhook.

   

6. Configure the Webhook application by clicking on the Configure and then Add configuration button. Give a name for this configuration, e.g. Zenduty. Paste the copied URL under Webhook URL, copy the Integration Key from Zenduty and paste it under HMAC Secret Key. Save the Configuration.

   
   

7. Head to Falcon Workflows by following path Host setup and management' > 'Automated workflows. Edit an existing workflow or create new as per your requirement, select notification as Call Webhook and select the webhook which was created in the previous step.

   
   

8. Select the fields which you want to be included in the JSON payload. Below listed fields are required to be selected in order to create an incident with accurate details.

   Mandatory Data fields to include for Workflow Execution trigger

   Workflow Description
   Workflow Status
   Workflow Name
   

   Mandatory Data fields to include for New endpoint detection trigger

   Hostname
   Local IP
   Mac Address
   Sensor ID
   Command Line
   Detection ID
   Severity
   Endpoint detection status
   

   Mandatory Data fields to include for Audit event > Policy trigger

   Created by email
   Modified by email
   PolicyDetail description
   PolicyDetail name
   Policy type
   PolicyDetail platform
   

   Mandatory Data fields to include for Audit event > Endpoint detection > Comment trigger

   Endpoint Detection ID
   Comment text
   

   Mandatory Data fields to include for Audit event > Endpoint detection > Status trigger

   Endpoint Detection ID
   Endpoint detection severity
   Endpoint detection status
   

   It is recommended to add all fields if possible. With the available payload fields, Alert Rules can be configured for custom actions fine tuning your incident response with CrowdStrike.

   Note: We are replacing "." with "___" (3 underscores) in payload keys - so it can be used in Alert Rules.

   e.g.

   Original value: detections.severity 
   Replaced value: detections___severity
   

9. CrowdStrike is now integrated with Zenduty.