Crowdstrike Falcon
Send alerts to Squadcast from Crowdstrike Falcon
Crowdstrike Falcon helps to secure the most critical areas of enterprise risk – endpoints, cloud workloads, identities, and data.
Route detailed alerts from Crowdstrike Falcon to the right users in Squadcast.
Using Crowdstrike Falcon as an Alert Source
Navigate to Services -> Service Overview -> select or search for your Service. Expand the accordion -> In the Alert Sources section, click Add.
2. Select Crowdstrike Falcon. Copy the displayed Webhook URL to configure it within Crowdstrike Falcon. Finish by clicking Add Alert Source -> Done.
Important:
When an alert source turns Active, it’ll show up under Configured Alert Sources. You can either generate a test alert from the integration or wait for a real-time alert to be generated by the Alert Source. An Alert Source is active if there is a recorded incident via that Alert Source for the Service.
Create a Squadcast Webhook URL REST Endpoint in Crowdstrike Falcon
(1) Login to your Crowdstrike Falcon dashboard. Head over to Workflows
(2) Click on Create Workflow. Select trigger as New detection or New incident and then under workflow diagram choose condition. Choose Parameter as Detection status or Incident status, Operator as is equal to & Value as New. Then click on + and add Action. Choose Notifications as Action type and Call webhook as Action.
Add webhook by clicking to Go to Store. Click on Configure and then add Squadcast as Name. Paste the previously copied Squadcast Webhook URL in the placeholder for Webhook URL. Then click on Save configuration.
Choose Squadcast as Webhook name and add the data you want to send to Squadcast.
Note: Squadcast does not validate HMAC Secret Key, so the user can send any random secret key of their choice.
Important
For New Detection :
Always add Detection Id and Detection Status in the data you want to send to Squadcast.
For New Incident :
Always add Incident Id and Incident Status in the data you want to send to Squadcast.
Again add a condition after the Trigger event. Choose Parameter as Detection status or Incident status, Operator as is equal to & Value as Closed. Then click on + and add Action. Choose Notifications as Action type and Call webhook as Action. Choose Squadcast as Webhook name and add the data you want to send to Squadcast.
Then click on Finish. Give it a name and set the Workflow Status as On. Then click on Save workflow
That's it, you are good to go! Your Crowdstrike Falcon integration is now complete. Whenever Crowdstrike Falcon fires an alert, an incident will be created in Squadcast for it. Also, when an status has changed to Closed, the corresponding incident gets auto-resolved in Squadcast.
Have any questions? Ask the community.
Last updated