CrowdStrike Integration
Overview
This document describes the integration between CrowdStrike Falcon and our alert management platform. CrowdStrike Falcon is an endpoint detection and response (EDR) platform that monitors devices for threats, malware, and suspicious behavior in real time. When a detection or incident is triggered, Falcon can deliver a structured webhook payload to external systems for centralized alerting and on-call management.
This integration uses CrowdStrike's Falcon Fusion SOAR workflow engine to send detection events via webhook to the platform endpoint.
Integration Flow
CrowdStrike Falcon detects a threat or suspicious activity on a monitored endpoint.
A Falcon Fusion SOAR workflow is triggered, evaluating the detection against configured conditions.
The workflow executes a Call Webhook action using the configured webhook from the CrowdStrike Store, sending the detection payload to the platform.
When a detection is closed or resolved in CrowdStrike, the workflow sends an updated payload with status: closed to clear the alert on the platform.
Webhook Payload Schema
The payload sent to the platform is constructed using CrowdStrike Fusion template variables. The following schema is the recommended structure for this integration.
Field | Type | Required | Description
incident_id | string | Yes | Unique detection ID used to correlate trigger and resolution events
title | string | Yes | Human-readable detection title, typically includes detection name
status | string | Yes | Current detection status: new, in_progress, true_positive, closed
severity | string | Yes | Severity label: Critical, High, Medium, Low, Informational
description | string | No | Detailed description of the detected behavior or threat
host | string | No | Hostname of the affected endpoint
link | string | No | Direct URL to the detection in the Falcon console
timestamp | string | No | ISO 8601 timestamp of when the detection was created
Severity / Status Mapping
Status → Alert Type
Status | Alert Type | Meaning
new | ALERT | Detection is newly created and unreviewed
in_progress | ALERT | Detection is being actively investigated
true_positive | ALERT | Detection confirmed as a real threat
closed | RESOLVE | Detection has been closed or resolved
Severity → Priority
Severity | Priority
Critical | CRITICAL
High | HIGH
Medium | MEDIUM
Low | LOW
Informational | LOW
Alert Payload Examples
Raised (New Detection)
This payload is sent when CrowdStrike Falcon detects a new threat on an endpoint.
Cleared (Detection Closed)
This payload is sent when the detection is reviewed and closed in the Falcon console.
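The following is an added example, not code from this integration page, CrowdStrike or the platform: it shows the receiving side of the webhook flow above, validating the recommended payload schema, applying the Status → Alert Type and Severity → Priority mappings, checking the x-itoc360-token custom header, and keeping an open-alert table keyed on incident_id so that a repeated ALERT for one detection updates rather than duplicates and a status: closed payload clears it. The class and function names (AlertStore, handle_request, parse_payload), the token value and all sample payloads are constructed for the example.

```python
# Added example (not part of the integration page or CrowdStrike's code): the
# receiving side of the webhook described above. It validates the recommended
# payload schema, applies the Status -> Alert Type and Severity -> Priority
# mappings, checks the x-itoc360-token custom header, and keeps an open-alert
# table keyed on incident_id so repeated ALERT payloads update rather than
# duplicate and a RESOLVE clears the alert. All sample payloads are constructed.
import hmac
import json
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("incident_id", "title", "status", "severity")
OPTIONAL_FIELDS = ("description", "host", "link", "timestamp")
TOKEN_HEADER = "x-itoc360-token"  # custom header name from the page's troubleshooting table

STATUS_TO_ALERT_TYPE = {
    "new": "ALERT", "in_progress": "ALERT", "true_positive": "ALERT", "closed": "RESOLVE",
}
SEVERITY_TO_PRIORITY = {
    "Critical": "CRITICAL", "High": "HIGH", "Medium": "MEDIUM", "Low": "LOW", "Informational": "LOW",
}


class PayloadError(ValueError):
    """Raised for any payload the platform would reject with 'Invalid payload error'."""


@dataclass
class AlertEvent:
    incident_id: str
    alert_type: str      # ALERT or RESOLVE
    priority: str        # CRITICAL / HIGH / MEDIUM / LOW
    title: str
    details: dict = field(default_factory=dict)


def parse_payload(raw: bytes) -> AlertEvent:
    """Validate the webhook body and map it to a platform AlertEvent."""
    try:
        body = json.loads(raw)
    except ValueError as exc:
        raise PayloadError(f"body is not valid JSON: {exc}")
    if not isinstance(body, dict):
        raise PayloadError("body must be a JSON object")
    for name in REQUIRED_FIELDS:
        value = body.get(name)
        if not isinstance(value, str) or not value.strip():
            raise PayloadError(f"required field {name!r} missing or empty")
    alert_type = STATUS_TO_ALERT_TYPE.get(body["status"])
    if alert_type is None:
        raise PayloadError(f"unknown status {body['status']!r}")
    priority = SEVERITY_TO_PRIORITY.get(body["severity"])
    if priority is None:
        # The 'Severity not mapping' case: the template variable resolved to a
        # string that is not in the mapping, so reject rather than guess.
        raise PayloadError(f"unknown severity {body['severity']!r}")
    details = {k: body[k] for k in OPTIONAL_FIELDS if isinstance(body.get(k), str)}
    return AlertEvent(body["incident_id"], alert_type, priority, body["title"], details)


class AlertStore:
    """In-memory open-alert table keyed on incident_id (hypothetical stand-in for the platform's alerts table)."""

    def __init__(self):
        self.open = {}

    def apply(self, event: AlertEvent) -> str:
        if event.alert_type == "RESOLVE":
            # Clear the alert; a RESOLVE for an unknown id is ignored, not an error.
            return "resolved" if self.open.pop(event.incident_id, None) else "resolve_ignored"
        action = "updated" if event.incident_id in self.open else "raised"
        self.open[event.incident_id] = event
        return action


def handle_request(headers: dict, raw_body: bytes, expected_token: str, store: AlertStore):
    """Receive path: header token check, parse, apply. Returns (http_status, outcome)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(TOKEN_HEADER, "")
    # Constant-time comparison so the token check does not leak by timing.
    if not hmac.compare_digest(supplied, expected_token):
        return 401, "unauthorized"
    try:
        event = parse_payload(raw_body)
    except PayloadError as exc:
        return 400, f"invalid payload: {exc}"
    return 200, store.apply(event)


# Constructed sample payloads (values are placeholders, not real Falcon data).
SAMPLE_RAISED = b'{"incident_id": "ldt:example:1", "title": "Example detection", "status": "new", "severity": "High", "host": "WS-EXAMPLE-01"}'
SAMPLE_CLEARED = b'{"incident_id": "ldt:example:1", "title": "Example detection", "status": "closed", "severity": "High"}'
SAMPLE_BAD = b'{"incident_id": "ldt:example:2", "title": "", "status": "new", "severity": "High"}'

if __name__ == "__main__":
    store = AlertStore()
    token = "constructed-token"
    headers = {"X-Itoc360-Token": token}
    for body in (SAMPLE_RAISED, SAMPLE_RAISED, SAMPLE_CLEARED, SAMPLE_BAD):
        print(handle_request(headers, body, token, store))
```

Running the block replays the Raised and Cleared flows: the first payload raises an alert, the identical second one is recorded as an update rather than a duplicate, the closed payload resolves it, and the payload with an empty title is rejected with 400, which is the receiver-side behaviour the troubleshooting table describes for missing required fields.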
Installation & Configuration
Step 1: Create an Alert Source in the Platform
Log in to the alert management platform.
Navigate to Integrations → Add Integration.
Select CrowdStrike Falcon as the provider.
Name the integration (e.g., CrowdStrike Production).
Save and copy the generated Webhook URL and Token.
Step 2: Open Falcon Fusion SOAR
Log in to the CrowdStrike Falcon Console.

Click the CrowdStrike logo on the top left and choose Workflows.

Click Create a Workflow on the top right.

Step 3: Configure the Trigger
On the workflow canvas, add a trigger and choose New Detection.

Optionally add a Condition to filter by severity (e.g., severity greater than Medium).

Step 4: Configure the Webhook from Store
Click Add Action → choose Action type Notification → select Call Webhook.

If the webhook is not yet configured, click the Store link and click Configure on the Webhook item.


The Configure CrowdStrike Webhook modal will open.
Fill in the fields as follows:
Name: A descriptive name for this connection (e.g., platform-oncall)
Webhook URL: Your platform webhook URL (e.g., https://<your-platform>/)
HMAC Secret Key: Leave empty
Signature Header Name: Leave as default (x-itoc-360)
Custom headers: Add your platform token on line 1:
With the HMAC secret left empty, the platform cannot verify a payload signature, so the token in the custom header is the only check that a request came from your workflow; treat the Webhook URL and Token as secrets.

Click Save configuration.
Step 5: Set the JSON Body
Back in the workflow canvas, select the webhook you just configured.
In the data field, paste the following JSON body:

Step 6: Save and Activate the Workflow
Click Save to save the workflow.
Toggle the workflow to Active.
For recovery notifications, create a second workflow triggered on detection status change to closed, using the same webhook and JSON body.

Testing
Method 1: Trigger a Test Detection
In the Falcon console, navigate to Activity → Detections.
Use a test or simulated detection event if available in your environment.
Verify the payload is received in the platform's event log.
Method 2: Replay a Workflow
Navigate to Fusion SOAR → Workflows.
Open the configured workflow.
Click Run or Test to manually execute the workflow with a sample event.
Check the platform's events and alerts tables for the incoming record.
Method 3: Validate with Webhook.site
Before connecting to the platform, set the Webhook URL to https://webhook.site temporarily to inspect the raw payload and confirm all template variables are resolving correctly.
Troubleshooting
Symptom | Likely cause | Fix
No alerts received | Workflow not active | Ensure the workflow is toggled to Active in Falcon Fusion
No alerts received | Incorrect webhook URL or token | Verify the Webhook URL and x-itoc360-token in Custom headers of the webhook configuration
Template variables empty | Wrong variable path in JSON body | Test the workflow and inspect the raw payload in webhook.site to verify variable resolution
Recovery alerts missing | No separate workflow for closed detections | Create a second workflow triggered on detection status change to closed
Invalid payload error | Missing required fields in the JSON body | Ensure incident_id, title, status, and severity are all present and non-empty
Duplicate alerts | Workflow triggering on every detection update | Add a condition to trigger only on status = new for the alert workflow
Severity not mapping | severity_display_name returns unexpected value | Check the Falcon console for the exact severity string and update the platform mapping accordingly
Webhook config not visible | Webhook not yet added from Store | Navigate to Store → Configure the Webhook item before selecting it in the workflow action