# CrowdStrike Integration

### Overview

This document describes the integration between [CrowdStrike Falcon](https://www.crowdstrike.com/en-us/) and our alert management platform. CrowdStrike Falcon is an endpoint detection and response (EDR) platform that monitors devices for threats, malware, and suspicious behavior in real time. When a detection or incident is triggered, Falcon can deliver a structured webhook payload to external systems for centralized alerting and on-call management.

This integration uses CrowdStrike's **Falcon Fusion SOAR** workflow engine to send detection events via webhook to the platform endpoint.

### Integration Flow

1. CrowdStrike Falcon detects a threat or suspicious activity on a monitored endpoint.
2. A Falcon Fusion SOAR workflow is triggered, evaluating the detection against configured conditions.
3. The workflow executes a **Call Webhook** action using the configured webhook from the CrowdStrike Store, sending the detection payload to the platform.
4. When a detection is closed or resolved in CrowdStrike, the workflow sends an updated payload with `status: closed` to clear the alert on the platform.

### Webhook Payload Schema

The payload sent to the platform is constructed using CrowdStrike Fusion template variables. The following schema is the recommended structure for this integration.

| Field        | Type   | Required | Description                                                               |
| ------------ | ------ | -------- | ------------------------------------------------------------------------- |
| incident\_id | string | Yes      | Unique detection ID used to correlate trigger and resolution events       |
| title        | string | Yes      | Human-readable detection title, typically includes detection name         |
| status       | string | Yes      | Current detection status: `new`, `in_progress`, `true_positive`, `closed` |
| severity     | string | Yes      | Severity label: `Critical`, `High`, `Medium`, `Low`, `Informational`      |
| description  | string | No       | Detailed description of the detected behavior or threat                   |
| host         | string | No       | Hostname of the affected endpoint                                         |
| link         | string | No       | Direct URL to the detection in the Falcon console                         |
| timestamp    | string | No       | ISO 8601 timestamp of when the detection was created                      |

### Severity / Status Mapping

#### Status → Alert Type

| CrowdStrike Status | Platform Status | Description                               |
| ------------------ | --------------- | ----------------------------------------- |
| new                | ALERT           | Detection is newly created and unreviewed |
| in\_progress       | ALERT           | Detection is being actively investigated  |
| true\_positive     | ALERT           | Detection confirmed as a real threat      |
| closed             | RESOLVE         | Detection has been closed or resolved     |

#### Severity → Priority

| CrowdStrike Severity | Platform Priority |
| -------------------- | ----------------- |
| Critical             | CRITICAL          |
| High                 | HIGH              |
| Medium               | MEDIUM            |
| Low                  | LOW               |
| Informational        | LOW               |

### Alert Payload Examples

#### Raised (New Detection)

This payload is sent when CrowdStrike Falcon detects a new threat on an endpoint.

```json
{
  "description": "A suspicious PowerShell command was executed with encoded parameters, commonly used to evade detection.",
  "detection_id": "ldt:abc123def456:789012345",
  "event_id": "evt-abc123def456789012345",
  "link": "https://falcon.crowdstrike.com/activity/detections/detail/ldt:abc123def456:789012345",
  "severity": "High",
  "severity_score": "70",
  "source": "WORKSTATION-042",
  "status": "new",
  "summary": "Suspicious PowerShell Execution",
  "timestamp": "2026-02-26T10:15:30.000Z"
}
```

#### Cleared (Detection Closed)

This payload is sent when the detection is reviewed and closed in the Falcon console.

```json
{
  "description": "Detection reviewed and closed by analyst. Confirmed false positive.",
  "detection_id": "ldt:abc123def456:789012345",
  "event_id": "evt-abc123def456789012345",
  "link": "https://falcon.crowdstrike.com/activity/detections/detail/ldt:abc123def456:789012345",
  "severity": "High",
  "severity_score": "70",
  "source": "WORKSTATION-042",
  "status": "closed",
  "summary": "Suspicious PowerShell Execution",
  "timestamp": "2026-02-26T10:45:00.000Z"
}
```
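As an added example (not the platform's own code), this Python handler applies the status and severity tables above to the payloads shown here: it checks the platform token from Custom headers, rejects the "Invalid payload" and "Severity not mapping" cases from the troubleshooting table, and correlates a raised and a cleared payload by detection ID. It assumes the platform accepts both the schema-table field names and the names the Step 5 body emits (`detection_id`, `summary`, `source`); the header name `x-itoc360-token` is the one this page uses.

```python
import hmac

# Mapping tables from this page; any value not listed is rejected rather than guessed.
STATUS_TO_ACTION = {"new": "ALERT", "in_progress": "ALERT",
                    "true_positive": "ALERT", "closed": "RESOLVE"}
SEVERITY_TO_PRIORITY = {"Critical": "CRITICAL", "High": "HIGH", "Medium": "MEDIUM",
                        "Low": "LOW", "Informational": "LOW"}
# Assumption: the platform accepts both the schema-table field names and the names
# produced by the Step 5 JSON body (detection_id / summary / source).
ALIASES = {"incident_id": ("incident_id", "detection_id"),
           "title": ("title", "summary"), "host": ("host", "source")}
TOKEN_HEADER = "x-itoc360-token"  # custom header named in the troubleshooting table


def authorized(headers: dict, expected_token: str) -> bool:
    """Constant-time comparison of the platform token sent in Custom headers."""
    presented = {k.lower(): v for k, v in headers.items()}.get(TOKEN_HEADER, "")
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def normalize(payload: dict) -> dict:
    """Validate a Falcon webhook body and map it onto the platform alert model.
    Raises ValueError for the 'Invalid payload' and 'Severity not mapping' rows."""
    def pick(field):
        for name in ALIASES.get(field, (field,)):
            value = payload.get(name)
            if isinstance(value, str) and value.strip():
                return value
        return None
    fields = {f: pick(f) for f in ("incident_id", "title", "status", "severity")}
    missing = [f for f, v in fields.items() if v is None]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    if fields["status"] not in STATUS_TO_ACTION:
        raise ValueError(f"unknown status {fields['status']!r}")
    if fields["severity"] not in SEVERITY_TO_PRIORITY:
        raise ValueError(f"unmapped severity {fields['severity']!r}")
    return {"incident_id": fields["incident_id"], "title": fields["title"],
            "action": STATUS_TO_ACTION[fields["status"]],
            "priority": SEVERITY_TO_PRIORITY[fields["severity"]],
            "host": pick("host"), "link": payload.get("link")}


def apply_event(open_alerts: dict, event: dict) -> dict:
    """Correlate trigger and resolution by incident_id: ALERT opens/updates, RESOLVE clears."""
    if event["action"] == "RESOLVE":
        open_alerts.pop(event["incident_id"], None)
    else:
        open_alerts[event["incident_id"]] = event
    return open_alerts
```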

### Installation & Configuration

#### Step 1: Create an Alert Source in the Platform

1. Log in to the alert management platform.
2. Navigate to **Integrations** → **Add Integration**.
3. Select **CrowdStrike Falcon** as the provider.
4. Name the integration (e.g., `CrowdStrike Production`).
5. Save and copy the generated **Webhook URL** and **Token**.

#### Step 2: Open Falcon Fusion SOAR

1. Log in to the **CrowdStrike Falcon Console**.<br>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FcL9UvCKNCqLXPtmdKlil%2FEkran%20Resmi%202026-02-27%2000.56.44.png?alt=media&#x26;token=1ed43e48-56e6-48c2-a16f-9a000cb34eef" alt=""><figcaption></figcaption></figure>
2. Click the **CrowdStrike** logo on the top left and choose **Workflows**.<br>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FfCfyw2WOtLhkVuT6Lerg%2Fimage.png?alt=media&#x26;token=96e368fa-4f8c-4417-bbfc-1f05e6b064f7" alt=""><figcaption></figcaption></figure>
3. Click **Create a Workflow** on the top right.<br>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2F7gEZWFdHM6zsnGmxqjGz%2Fimage.png?alt=media&#x26;token=bd1e7226-f9b5-4873-be08-65cfd25ec526" alt=""><figcaption></figcaption></figure>

#### Step 3: Configure the Trigger

1. On the workflow canvas, add a trigger and choose **New Detection**.<br>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FJ7mV8KMFTDLZ3qJl8coZ%2Fimage.png?alt=media&#x26;token=2fafc910-8422-43ef-afb7-4398bba3e8a7" alt=""><figcaption></figcaption></figure>
2. Optionally add a **Condition** to filter by severity (e.g., severity greater than Medium).<br>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FWQZ7gcLw3IZyzPr5UzbW%2Fimage.png?alt=media&#x26;token=d063ffc5-eea2-48ae-be0d-efe11afc84c3" alt=""><figcaption></figcaption></figure>

#### Step 4: Configure the Webhook from Store

1. Click **Add Action** → choose Action type **Notification** → select **Call Webhook**.<br>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FPnP1pP7l7P8HhlNcj5zX%2Fimage.png?alt=media&#x26;token=6ce9972c-c6e2-4568-87f7-103e17948b78" alt=""><figcaption></figcaption></figure>
2. If the webhook is not yet configured, click the **Store** link and click **Configure** on the Webhook item.<br>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FzMX6S4NMW1npzOUpo9q4%2Fimage.png?alt=media&#x26;token=a8f6368d-5fa9-4e35-a375-fa9886b9f8f6" alt=""><figcaption></figcaption></figure>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FiMZszgkFUQPaA29iFCS9%2Fimage.png?alt=media&#x26;token=7ceff276-d0f5-4449-82fa-67658c543706" alt=""><figcaption></figcaption></figure>
3. The **Configure CrowdStrike Webhook** modal will open.<br>

Fill in the fields as follows:

* **Name**: A descriptive name for this connection (e.g., `platform-oncall`)
* **Webhook URL**: Your platform webhook URL (e.g., `https://<your-platform>/`)
* **HMAC Secret Key**: Leave empty (this integration authenticates with the platform token sent in Custom headers rather than with a request signature)
* **Signature Header Name**: Leave as default (x-itoc-360)
* **Custom headers**: Add your platform token on line 1:<br>

  <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2F97eha2jvjujP4rSrwPl7%2Fimage.png?alt=media&#x26;token=60cfc359-82dd-44ef-b2cb-81e25530a53f" alt=""><figcaption></figcaption></figure>

4. Click **Save configuration**.

#### Step 5: Set the JSON Body

1. Back in the workflow canvas, select the webhook you just configured.
2. In the data field, paste the following JSON body:

```json
{
  "description": "{{Detection.Description}}",
  "detection_id": "{{Detection.ID}}",
  "event_id": "{{ID}}",
  "link": "{{SourceEventURL}}",
  "severity": "{{Detection.SeverityDisplayName}}",
  "severity_score": "{{Detection.Severity}}",
  "source": "{{Source}}",
  "status": "{{Detection.Status}}",
  "summary": "{{Detection.Name}}",
  "timestamp": "{{ObservedTime}}"
}
```

<figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FyzOOpheEEhfHHSWYTogW%2Fimage.png?alt=media&#x26;token=90a698b0-0483-462f-b17f-412196fbc1f2" alt=""><figcaption></figcaption></figure>

#### Step 6: Save and Activate the Workflow

1. Click **Save** to save the workflow.
2. Toggle the workflow to **Active**.
3. For recovery notifications, create a second workflow triggered on detection status change to `closed`, using the same webhook and JSON body.<br>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FaB3HOws0Y3m1KsLi0Hyb%2FEkran%20Resmi%202026-02-27%2000.45.04.png?alt=media&#x26;token=3c42800c-50d5-4578-91b9-8102e2584250" alt=""><figcaption></figcaption></figure>

   <figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2F9fl961swIWKNBlxQzJgl%2FEkran%20Resmi%202026-02-27%2001.24.44.png?alt=media&#x26;token=8d2063fe-cdef-4695-be9e-83ccc7a34f2c" alt=""><figcaption></figcaption></figure>

### Testing

#### Method 1: Trigger a Test Detection

1. In the Falcon console, navigate to **Activity** → **Detections**.
2. Use a test or simulated detection event if available in your environment.
3. Verify the payload is received in the platform's event log.

#### Method 2: Replay a Workflow

1. Navigate to **Fusion SOAR** → **Workflows**.
2. Open the configured workflow.
3. Click **Run** or **Test** to manually execute the workflow with a sample event.
4. Check the platform's `events` and `alerts` tables for the incoming record.

#### Method 3: Validate with Webhook.site

Before connecting to the platform, temporarily point the Webhook URL at a unique URL generated by `https://webhook.site` to inspect the raw payload and confirm that all template variables resolve correctly. Payloads sent there include hostnames and detection details and are visible to anyone who has that URL.

### Troubleshooting

| Issue                      | Possible Cause                                   | Resolution                                                                                         |
| -------------------------- | ------------------------------------------------ | -------------------------------------------------------------------------------------------------- |
| No alerts received         | Workflow not active                              | Ensure the workflow is toggled to Active in Falcon Fusion                                          |
| No alerts received         | Incorrect webhook URL or token                   | Verify the Webhook URL and `x-itoc360-token` in Custom headers of the webhook configuration        |
| Template variables empty   | Wrong variable path in JSON body                 | Test the workflow and inspect the raw payload in webhook.site to verify variable resolution        |
| Recovery alerts missing    | No separate workflow for closed detections       | Create a second workflow triggered on detection status change to `closed`                          |
| Invalid payload error      | Missing required fields in the JSON body         | Ensure `incident_id`, `title`, `status`, and `severity` are all present and non-empty              |
| Duplicate alerts           | Workflow triggering on every detection update    | Add a condition to trigger only on `status = new` for the alert workflow                           |
| Severity not mapping       | `severity_display_name` returns unexpected value | Check the Falcon console for the exact severity string and update the platform mapping accordingly |
| Webhook config not visible | Webhook not yet added from Store                 | Navigate to Store → Configure the Webhook item before selecting it in the workflow action          |
