Analyze Crowdstrike Detections search for IOCs in VirusTotal create a ticket in Jira and post a message in Slack

Workflow Name

Analyze_Crowdstrike_Detections__search_for_IOCs_in_VirusTotal__create_a_ticket_in_Jira_and_post_a_message_in_Slack

Key Features and Highlights

This workflow enables security operations automation by periodically retrieving the latest threat detection data from CrowdStrike. It dissects each detection event to analyze behavioral details, queries the VirusTotal API to enrich and validate Indicators of Compromise (IOCs), automatically generates detailed Jira tickets for incident tracking, and sends critical alerts to the security team via Slack to ensure rapid response. The workflow is thoughtfully designed to support batch processing and rate limiting, preventing API call overuse.

Core Problems Addressed

Automates the integration of multi-source threat intelligence, eliminating the need for manual searching and analysis of detection data by security teams.
Enriches detection data in real-time to quickly identify potentially malicious files and behaviors.
Automatically creates incident tickets to standardize security event management processes.
Provides timely notifications to relevant personnel, improving incident response efficiency and reducing resolution time.

Use Cases

Automated threat response in Security Operations Centers (SOC).
Automated processing of CrowdStrike detection alerts within enterprise environments.
Threat intelligence enrichment and validation by integrating VirusTotal queries.
Unified security incident management and tracking through Jira.
Immediate alerting of critical warnings to security teams via Slack.

Main Workflow Steps

Scheduled Trigger: Automatically initiates the workflow on a daily schedule.
Retrieve Detection Events: Calls the CrowdStrike API to fetch the latest detections with a “new” status.
Split Detection Items: Breaks down detection events into individual entries for sequential processing.
Fetch Detection Details: (Disabled in configuration) Refines detection information retrieval.
Split Behavioral Details: Decomposes the array of behaviors within each detection for individual analysis.
Query VirusTotal: Sequentially queries VirusTotal for file SHA256 hashes and IOC values found in behaviors to obtain threat intelligence.
Merge Behavior Descriptions: Concatenates and summarizes behavior-related descriptions to generate a comprehensive incident narrative.
Create Jira Ticket: Automatically generates a Jira issue containing detailed detection and intelligence information.
Slack Notification: Sends an alert summary and Jira ticket link to designated Slack users to notify the security team.

Involved Systems and Services

CrowdStrike: Provides the latest security detection data.
VirusTotal: Used for querying threat intelligence on files and IOCs to enrich detection information.
Jira: Facilitates creation and management of security incident tickets.
Slack: Delivers real-time alert notifications to promote team communication.

Target Users and Value

Security Operations Teams (SOC): Automates integration and processing of detection alerts to enhance operational efficiency.
Security Analysts: Quickly access enriched threat intelligence to support incident investigation.
IT Operations and Managers: Achieve standardized security incident tracking and management via Jira tickets.
Enterprise Security Leaders: Ensure timely notification and response to security incidents, reducing organizational risk.
Any security automation scenario requiring integration of CrowdStrike with VirusTotal, Jira, and Slack.

This workflow empowers security teams to fully automate the detection-to-response lifecycle, minimizing manual effort while accelerating the speed and accuracy of threat detection and handling. It is an indispensable tool in modern security operations.