For CrowdStrike, this automated workflow enhances cybersecurity response by retrieving new detection alerts daily, enriching them with VirusTotal intelligence, and creating actionable Jira tickets for tracking. It also posts timely notifications in Slack, enabling the security team to promptly address potential threats and improving incident management and response efficiency.
This workflow is particularly beneficial for:
- Cybersecurity Teams: Professionals who need to monitor and respond to potential threats detected by CrowdStrike.
- Incident Response Teams: Teams responsible for managing and resolving security incidents efficiently.
- IT Administrators: Individuals who oversee security tools and need to ensure timely responses to alerts.
- DevOps Engineers: Those who integrate security monitoring into their development pipelines.
- Management: Stakeholders interested in understanding the security posture and incident management processes.
This workflow addresses the challenge of automating the detection-to-response process for cybersecurity threats. It streamlines the work by:
- Reducing Manual Efforts: Automating the retrieval of alerts from CrowdStrike and enriching them with VirusTotal data.
- Ensuring Timely Responses: Creating Jira tickets and sending Slack notifications to facilitate quick action on incidents.
- Enhancing Threat Intelligence: Providing enriched data from VirusTotal to inform decision-making during incident response.
The workflow consists of the following steps:
1. Scheduled Trigger: The workflow runs daily at midnight to fetch new detection events from CrowdStrike.
2. Get Recent Detections: It retrieves alerts marked as 'new' from the CrowdStrike API.
3. Split Detections: Each detection is processed individually for detailed analysis.
4. Get Detection Details: Additional information about each detection is fetched from CrowdStrike.
5. Split Behaviors: The behaviors associated with each detection are extracted for further analysis.
6. Look Up SHA in VirusTotal: Each detection's SHA256 is checked against VirusTotal for threat intelligence.
7. Pause: A 1-second pause is included to comply with VirusTotal's rate limits.
8. Look Up IOC in VirusTotal: Indicators of compromise (IOCs) are also checked in VirusTotal.
9. Set Behavior Descriptions: Descriptions are constructed based on the gathered data.
10. Merge Behavior Descriptions: All behavior descriptions are combined for a comprehensive overview.
11. Create Jira Issue: A Jira ticket is created for each detection, containing detailed information and links to relevant data.
12. Post Notification on Slack: A notification is sent to a designated Slack channel to alert the security team about the new detection.
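The steps above map onto a small pipeline that can be reasoned about and tested outside the workflow tool. The following is an added example in Python, not code from the original page or from the workflow template it describes: it runs steps 3 to 12 over a constructed batch of detections, using an offline stand-in for VirusTotal and Jira. The detection field names (`detection_id`, `severity`, `behaviors`, `ioc_type`, `ioc_value`), the project key `SEC`, the issue type `Task` and the sample verdicts are assumptions for the example, not the exact CrowdStrike, VirusTotal or Jira schemas. Two points a practitioner would want that the step list leaves implicit are shown: a malformed or missing SHA256 is rejected before an API call is spent on it, and the rate-limited lookup caches answers so a hash shared by several behaviors of one detection is queried once.

```python
import re
import time
from typing import Callable, Dict, List, Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample detections in a simplified CrowdStrike-like shape; the field
# names are assumptions for this example, not the exact CrowdStrike API schema.
SAMPLE_DETECTIONS: List[dict] = [
    {"detection_id": "ldt:aaaa:1", "device": {"hostname": "WS-0142"}, "severity": "High",
     "behaviors": [
         {"sha256": "a" * 64, "filename": "svchost.exe", "tactic": "Execution",
          "technique": "Command and Scripting Interpreter", "ioc_type": "domain", "ioc_value": "example.invalid"},
         {"sha256": "a" * 64, "filename": "svchost.exe", "tactic": "Persistence",
          "technique": "Scheduled Task", "ioc_type": "", "ioc_value": ""}]},
    {"detection_id": "ldt:bbbb:2", "device": {"hostname": "SRV-07"}, "severity": "Low",
     "behaviors": [
         {"sha256": "not-a-hash", "filename": "setup.tmp", "tactic": "Discovery",
          "technique": "System Information Discovery", "ioc_type": "", "ioc_value": ""}]},
]

# Constructed stand-in for VirusTotal answers, keyed by SHA256 or IOC value.
FAKE_VT: Dict[str, Dict[str, int]] = {
    "a" * 64: {"malicious": 41, "total": 70},
    "example.invalid": {"malicious": 3, "total": 90},
}

def fake_vt_lookup(indicator: str) -> Optional[dict]:
    """Offline replacement for the VirusTotal API call; None means 'not found'."""
    return FAKE_VT.get(indicator)

class RateLimitedLookup:
    """Wraps a lookup callable: enforces a minimum gap between real calls (the
    workflow's 1-second pause, step 7) and caches answers, so one SHA256 shared
    by several behaviors costs one request instead of several."""
    def __init__(self, lookup: Callable[[str], Optional[dict]], min_interval: float = 1.0):
        self._lookup, self._min_interval = lookup, min_interval
        self._last_call = 0.0
        self._cache: Dict[str, Optional[dict]] = {}
        self.calls = 0  # real (uncached) lookups performed

    def get(self, indicator: str) -> Optional[dict]:
        if indicator in self._cache:
            return self._cache[indicator]
        wait = self._min_interval - (time.monotonic() - self._last_call)
        if wait > 0:
            time.sleep(wait)
        self._last_call = time.monotonic()
        self.calls += 1
        self._cache[indicator] = self._lookup(indicator)
        return self._cache[indicator]

def verdict(vt: Optional[dict]) -> str:
    return "not found in VirusTotal" if vt is None else f"{vt['malicious']}/{vt['total']} engines flag it"

def describe_behavior(b: dict, vt: RateLimitedLookup) -> str:
    """Steps 6-9 for one behavior: validate the hash before spending an API call,
    look up the file and any IOC, then build a one-line description."""
    parts = [f"{b['tactic']} / {b['technique']}"]
    sha = b.get("sha256", "")
    if SHA256_RE.match(sha):
        parts.append(f"file {b['filename']} ({sha[:12]}...): {verdict(vt.get(sha))}")
    else:
        parts.append(f"file {b['filename']}: no valid SHA256 reported, lookup skipped")
    if b.get("ioc_value"):
        parts.append(f"IOC {b['ioc_type']} {b['ioc_value']}: {verdict(vt.get(b['ioc_value']))}")
    return "; ".join(parts)

def build_jira_issue(det: dict, descriptions: List[str], project_key: str = "SEC") -> dict:
    """Steps 10-11: merge the descriptions into a Jira create-issue payload
    (REST v2 'fields' layout; project key and issue type are assumptions)."""
    summary = f"[{det['severity']}] CrowdStrike detection on {det['device']['hostname']}"
    body = f"Detection {det['detection_id']}\n\n" + "\n".join(f"- {d}" for d in descriptions)
    return {"fields": {"project": {"key": project_key}, "issuetype": {"name": "Task"},
                       "summary": summary, "description": body}}

def build_slack_text(det: dict, jira_key: str) -> str:
    """Step 12: the notification text posted to the security channel."""
    return (f":rotating_light: New CrowdStrike detection on {det['device']['hostname']} "
            f"(severity {det['severity']}) -> Jira {jira_key}")

class FakeJira:
    """Stands in for the Jira API: records payloads and hands out sequential keys."""
    def __init__(self) -> None:
        self.created: List[dict] = []

    def create(self, payload: dict) -> str:
        self.created.append(payload)
        return f"SEC-{len(self.created)}"

def process_detections(detections: List[dict], vt: RateLimitedLookup, jira: FakeJira) -> List[dict]:
    """Steps 3-12 over one batch: Jira payload, issue key and Slack text per detection."""
    results = []
    for det in detections:
        descriptions = [describe_behavior(b, vt) for b in det["behaviors"]]
        payload = build_jira_issue(det, descriptions)
        key = jira.create(payload)
        results.append({"jira": payload, "key": key, "slack": build_slack_text(det, key)})
    return results

if __name__ == "__main__":
    client = RateLimitedLookup(fake_vt_lookup, min_interval=1.0)
    for r in process_detections(SAMPLE_DETECTIONS, client, FakeJira()):
        print(r["slack"], "\n" + r["jira"]["fields"]["description"], "\n")
    print(f"VirusTotal requests made: {client.calls}")
```

Running the block as a script produces two Slack lines and two ticket descriptions, and reports two VirusTotal requests for three behaviors: the repeated hash is served from the cache and the malformed one is never sent. Swapping `fake_vt_lookup` for a real client keeps the rate limiting and caching unchanged, which is where the interval between calls should live rather than in a fixed sleep step.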
Users can customize this workflow by:
- Adjusting the Schedule: Modify the Schedule Trigger settings to run the workflow at different intervals (e.g., hourly, weekly).
- Changing API Credentials: Update the API credentials for CrowdStrike and VirusTotal to match your accounts.
- Modifying Jira Ticket Fields: Customize the Jira issue fields such as project ID, issue type, and description to fit your organization's requirements.
- Altering Slack Notification Settings: Change the Slack channel or user for notifications to ensure the right team members are alerted.
- Adding Additional Enrichment: Incorporate more APIs or data sources to enrich the detections further, such as threat intelligence platforms.