Analyze Crowdstrike Detections, search for IOCs in VirusTotal, create a ticket in Jira and post a message in Slack

This workflow automates the first steps of responding to an endpoint detection. On a daily schedule it retrieves detections from CrowdStrike, processes them one at a time, and queries VirusTotal for the file hashes and other indicators found in each detection's behaviors. It then opens a Jira ticket for each detection so that incidents are tracked in one place, and posts a summary with the ticket link to Slack so the security team is notified promptly. This removes the manual work of collecting detection data, looking up indicators and filing tickets, and it is intended for security operations centers and enterprise security teams that want a repeatable path from detection to ticket.

Tags

Security Automation, CrowdStrike Integration

Workflow Name

Analyze_Crowdstrike_Detections__search_for_IOCs_in_VirusTotal__create_a_ticket_in_Jira_and_post_a_message_in_Slack

Key Features and Highlights

The workflow retrieves the latest detections from CrowdStrike on a schedule, splits each detection into its individual behaviors, queries the VirusTotal API for the SHA256 hashes and other indicators of compromise (IOCs) those behaviors contain, creates a Jira ticket that carries the detection details together with the VirusTotal results, and posts an alert to the security team in Slack. Detections are processed in batches and the VirusTotal calls are rate limited, so a large batch of detections does not exhaust the API quota.

Core Problems Addressed

  • Replaces manual indicator lookups: analysts no longer copy hashes out of detections and search them by hand.
  • Enriches each detection with VirusTotal results, so files and indicators already known to be malicious are identified when the detection is processed.
  • Creates an incident ticket per detection, so every detection is tracked the same way.
  • Notifies the team in Slack with the ticket link, shortening the time from detection to triage.

Use Cases

  • Automated threat response in Security Operations Centers (SOC).
  • Automated processing of CrowdStrike detection alerts within enterprise environments.
  • Threat intelligence enrichment and validation by integrating VirusTotal queries.
  • Unified security incident management and tracking through Jira.
  • Immediate alerting of critical warnings to security teams via Slack.

Main Workflow Steps

  1. Scheduled Trigger: starts the workflow once a day.
  2. Retrieve Detection Events: calls the CrowdStrike API to fetch detections whose status is "new".
  3. Split Detection Items: turns the list of detections into individual items so each detection is processed on its own.
  4. Fetch Detection Details: a separate node for retrieving additional detail about a detection; it is disabled in the shipped configuration.
  5. Split Behavioral Details: splits each detection's array of behaviors into individual items for analysis.
  6. Query VirusTotal: looks up the SHA256 hash and the IOC value of each behavior in VirusTotal, one at a time. A hash lookup sends only the hash string to VirusTotal, not the file itself.
  7. Merge Behavior Descriptions: concatenates the behavior descriptions of a detection into a single narrative for the ticket.
  8. Create Jira Ticket: creates a Jira issue containing the detection details and the VirusTotal results.
  9. Slack Notification: sends a summary and the Jira ticket link to the designated Slack users.
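The following is an added example, not code from the template or from n8n: it models steps 2 to 9 (and the batching and rate-limiting behaviour mentioned under Key Features) as plain JavaScript functions, the language of n8n Code nodes, so the logic can be run and tested offline. Field names are assumed from the shape of CrowdStrike detection records (`behaviors[]` with `sha256`, `ioc_type`, `ioc_value`, `filename`, `description`) and VirusTotal v3 objects (`data.attributes.last_analysis_stats`); the detection records, the VirusTotal answers, the `VT_MALICIOUS_THRESHOLD` value and the Jira base URL are all constructed for the example.

```javascript
// Added example, not the template's own code: workflow steps 2-9 as plain
// functions that run offline. Field names are assumed from CrowdStrike
// detection records and VirusTotal v3 objects; all records are constructed.
const VT_MALICIOUS_THRESHOLD = 5; // assumed tuning value, not a VirusTotal constant

// Map an ioc_type (assumed CrowdStrike names) to a VirusTotal v3 object path.
function vtPath(ioc) {
  switch (ioc.type) {
    case "hash_sha256": case "hash_md5": return `/files/${ioc.value}`;
    case "domain": return `/domains/${ioc.value}`;
    case "ipv4": case "ipv6": return `/ip_addresses/${ioc.value}`;
    // VirusTotal identifies a URL by the unpadded URL-safe base64 of the URL.
    case "url": return `/urls/${Buffer.from(ioc.value).toString("base64url")}`;
    default: return null; // unknown type: skip rather than guess an endpoint
  }
}

// Steps 5-6: behaviors of one detection often repeat the same file, so collect
// unique IOCs before any lookup. Only the hash or indicator string is sent out.
function extractIocs(detection) {
  const unique = new Map();
  for (const b of detection.behaviors || []) {
    if (b.sha256) unique.set(`hash_sha256:${b.sha256}`, { type: "hash_sha256", value: b.sha256 });
    if (b.ioc_type && b.ioc_value) unique.set(`${b.ioc_type}:${b.ioc_value}`, { type: b.ioc_type, value: b.ioc_value });
  }
  return [...unique.values()];
}

// Reduce a VirusTotal object to a verdict. Zero engine hits is "no_hits",
// not "clean": a hash nobody has seen is what a fresh sample looks like.
function summarizeVt(vtJson) {
  const s = vtJson?.data?.attributes?.last_analysis_stats || {};
  const malicious = s.malicious || 0, suspicious = s.suspicious || 0;
  const total = malicious + suspicious + (s.undetected || 0) + (s.harmless || 0);
  const verdict = malicious >= VT_MALICIOUS_THRESHOLD ? "malicious" : malicious + suspicious > 0 ? "suspicious" : "no_hits";
  return { malicious, suspicious, total, verdict };
}

// Step 7: merge behavior descriptions, dropping exact duplicates.
function mergeBehaviorDescriptions(detection) {
  return [...new Set((detection.behaviors || []).map(b => b.description).filter(Boolean))];
}

// Step 8: Jira payload. The summary stays short; evidence goes in the body.
function buildTicket(detection, enrichment) {
  const sev = detection.max_severity_displayname || "Unknown";
  const host = detection.device?.hostname || "unknown-host";
  const files = [...new Set((detection.behaviors || []).map(b => b.filename).filter(Boolean))];
  const worst = Math.max(0, ...enrichment.map(e => e.result.malicious));
  const description = [
    `Detection: ${detection.detection_id}`, `Host: ${host}`, `Severity: ${sev}`, "Behaviors:",
    ...mergeBehaviorDescriptions(detection).map(d => `- ${d}`), "VirusTotal:",
    ...enrichment.map(e => `- ${e.ioc.type} ${e.ioc.value}: ${e.result.verdict} (${e.result.malicious}/${e.result.total} engines)`),
  ].join("\n");
  return {
    summary: `[CrowdStrike][${sev}] ${host}: ${files.join(", ") || "no file"}`,
    description,
    labels: ["crowdstrike", worst >= VT_MALICIOUS_THRESHOLD ? "vt-malicious" : "vt-unconfirmed"],
  };
}

// Step 9: Slack text; in n8n the ticket URL would come from the Jira node.
function buildSlackMessage(ticket, ticketUrl) {
  return `:rotating_light: ${ticket.summary}\nTicket: ${ticketUrl}`;
}

// Steps 2-9 end to end. `lookup(path)` stands in for the VirusTotal HTTP node;
// a per-run cache keyed by path means one call per unique IOC, the cheapest
// form of rate limiting. Only detections with status "new" are handled (step 2).
function processDetections(detections, lookup, jiraBase) {
  const cache = new Map();
  const cachedLookup = p => { if (!cache.has(p)) cache.set(p, lookup(p)); return cache.get(p); };
  const results = [];
  for (const d of detections.filter(x => x.status === "new")) {
    const enrichment = [];
    for (const ioc of extractIocs(d)) {
      const path = vtPath(ioc);
      if (path) enrichment.push({ ioc, result: summarizeVt(cachedLookup(path)) });
    }
    const ticket = buildTicket(d, enrichment);
    const key = `SEC-${results.length + 1}`; // placeholder; Jira returns the real key
    results.push({ detectionId: d.detection_id, ticket, slack: buildSlackMessage(ticket, `${jiraBase}/browse/${key}`) });
  }
  return { results, vtCalls: cache.size };
}

// Constructed sample input: one "new" detection whose two behaviors share a
// file, plus one already in progress that step 2 would not return.
const SAMPLE_SHA256 = "3a".repeat(32);
const sampleDetections = [
  { detection_id: "ldt:sample:1", status: "new", max_severity_displayname: "High", device: { hostname: "WS-FIN-07" },
    behaviors: [
      { sha256: SAMPLE_SHA256, ioc_type: "hash_sha256", ioc_value: SAMPLE_SHA256, filename: "invoice.exe", description: "Process added a Run registry key for persistence." },
      { sha256: SAMPLE_SHA256, ioc_type: "domain", ioc_value: "cdn.example.test", filename: "invoice.exe", description: "Process resolved a domain rarely seen in the environment." }] },
  { detection_id: "ldt:sample:2", status: "in_progress", behaviors: [] },
];
// Constructed VirusTotal-shaped answers keyed by request path.
const sampleVt = {
  [`/files/${SAMPLE_SHA256}`]: { data: { attributes: { last_analysis_stats: { malicious: 37, suspicious: 2, undetected: 30, harmless: 0 } } } },
  "/domains/cdn.example.test": { data: { attributes: { last_analysis_stats: { malicious: 0, suspicious: 0, undetected: 80, harmless: 10 } } } },
};

const demo = processDetections(sampleDetections, p => sampleVt[p], "https://jira.example.test");
console.log(demo.results[0].ticket.description + "\n" + demo.results[0].slack);
```

In n8n this logic is spread across the HTTP Request, item-splitting and Code nodes; `lookup` marks the seam where the VirusTotal HTTP Request node sits. Two points the step list leaves open are worth settling before relying on the workflow: the free VirusTotal API allows 4 lookups per minute, so once a run has more unique IOCs than that a Wait node or batching between calls is needed in addition to the per-run cache shown here; and nothing in steps 1 to 9 moves a detection's status away from "new", so the next day's run would return the same detections again unless the status is updated in CrowdStrike or detection IDs that already have a Jira ticket are skipped.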

Involved Systems and Services

  • CrowdStrike: Provides the latest security detection data.
  • VirusTotal: Used for querying threat intelligence on files and IOCs to enrich detection information.
  • Jira: Facilitates creation and management of security incident tickets.
  • Slack: Delivers real-time alert notifications to promote team communication.

Target Users and Value

  • Security Operations Teams (SOC): Automates integration and processing of detection alerts to enhance operational efficiency.
  • Security Analysts: Quickly access enriched threat intelligence to support incident investigation.
  • IT Operations and Managers: Achieve standardized security incident tracking and management via Jira tickets.
  • Enterprise Security Leaders: Ensure timely notification and response to security incidents, reducing organizational risk.
  • Any security automation scenario requiring integration of CrowdStrike with VirusTotal, Jira, and Slack.

Taken together, the workflow automates the path from detection to ticket and notification, removing manual effort from the repetitive part of triage while leaving analysts with enriched, consistently recorded incidents to investigate.

Recommended Templates

Upload a File and Retrieve a List of All Files in a Bucket

This workflow automates the process of downloading files from web requests, uploading them to a specified Amazon S3 bucket, and retrieving a list of all files within that bucket. By streamlining file upload and management operations, users can efficiently handle files, reduce manual intervention and error rates. It is suitable for scenarios such as cloud storage management, regular file synchronization, and real-time monitoring of storage content, thereby enhancing enterprise work efficiency.

File Upload, S3 Storage

Google Calendar to Slack Status & Philips Hue

This workflow automatically syncs the meeting status from Google Calendar to the Slack user status and intelligently controls the Philips Hue lighting system to reflect team members' availability in real time. By utilizing the color coding of calendar events, it flexibly adjusts Slack statuses and lighting modes to enhance communication efficiency in the office. It is suitable for remote and hybrid work scenarios, helping to optimize resource usage and reduce distractions, while also improving personal time management and creating a more intelligent work environment.

Calendar Sync, Smart Lighting

Weather via Slack

This workflow provides an instant weather inquiry service through Slack. Users simply need to send a request containing the location name, and the system will automatically retrieve the latitude and longitude of that location and call the meteorological bureau's API to obtain detailed weather information. Ultimately, the formatted weather forecast will be pushed to the designated Slack channel. This automated process greatly enhances the efficiency of the team in obtaining weather information and is suitable for internal corporate communication, customer support, and personal daily activity planning, saving time on switching applications.

Slack Integration, Weather Query

Creating an Onfleet Task for a New Shopify Fulfillment

This workflow is designed to automatically create delivery tasks in the Onfleet system when Shopify orders are shipped, streamlining the process from order processing to delivery task generation. By seamlessly connecting the two platforms, it significantly enhances logistics delivery efficiency, reduces delays and errors caused by manual operations, and ensures timely and accurate deliveries. It is particularly suitable for e-commerce operations teams and logistics dispatch personnel.

Shopify Automation, Onfleet Delivery

IT Ops AI SlackBot Workflow

This workflow combines artificial intelligence with instant messaging tools to achieve intelligent automated responses for IT inquiries. It can receive IT-related questions posed by employees on Slack in real time, automatically retrieve information from the Confluence knowledge base, generate accurate answers, and promptly respond to users. This significantly enhances IT support efficiency, reduces manual intervention, and improves the employee inquiry experience. Through contextual memory and multi-user conversation management, the system effectively addresses the issues of dispersed information queries and repetitive work, helping enterprises create an efficient digital office environment.

Intelligent QA, IT Automation

Restore Your Workflows from GitHub

This workflow is designed to help users automatically batch restore workflow backups from GitHub repositories, enabling one-click restoration to ensure data security and operational convenience. By configuring GitHub information, users can quickly synchronize and restore multiple workflows, effectively addressing recovery challenges caused by operational errors or data loss. It reduces the complexity of manual imports and enhances the continuous and stable operation of workflows, making it suitable for teams and technical personnel that require frequent backups and restorations.

workflow recovery, n8n backup

Create an Onfleet Task When a File in Google Drive Is Updated

This workflow can automatically monitor specified files in Google Drive. Once a file is updated, it immediately creates a new task in Onfleet, ensuring timely information transfer and swift task implementation. Through minute-by-minute polling and precise triggering, it significantly enhances work efficiency and reduces manual intervention. It is suitable for fields such as logistics, project management, and customer service, helping businesses achieve process automation and optimize work response speed and customer experience.

file trigger, auto task creation

ServiceNow Ticket Search and Notification Slack Integration Workflow

This workflow integrates Slack with ServiceNow so that users can query ticket information directly from Slack. The user enters priority and status conditions in a pop-up dialog, and the workflow returns the matching tickets as a formatted message showing up to 5 ticket details. When no tickets match, it replies with a short notice instead of staying silent, so the user always knows the outcome of the query.

ServiceNow Integration, Slack Ticket Query