CrowdStrike
Connect CrowdStrike Falcon with All Quiet
Integrate Crowdstrike Falcon with All Quiet in a matter of minutes. With webhooks, you can automatically send alerts from CrowdStrike Falcon directly to All Quiet, streamlining your team’s incident management process.
1. Create CrowdStrike Integration on All Quiet
Sign in to your All Quiet account.
Create Integration
- Click on the
Integrations > Inbound
tab. - Click
Create New Integration
.
Select CrowdStrike as the integration’s type
- Enter a display name for your integration, e.g.
CrowdStrike Falcon
. - Select a team.
- Select
CrowdStrike
as the integration’s type. - Click
Create Inbound Integration
.
Get the All Quiet Webhook URL
After creating the integration on All Quiet
- you can view and copy the webhook URL. You will require this URL in step 2 when configuring the custom integration on CrowdStrike.
2. Configure the integration with CrowdStrike
Once you’ve set up an integration of type “CrowdStrike” with All Quiet, it takes only three more steps in your CrowdStrike account to finish off your setup.
Set up the Webhook to All Quiet
Sign in to your CrowdStrike Account. We first need to create the Webhook
- From the home screen, open the side navigation and select
CrowdStrike Store
- Select
All apps
- In the store, search for `Webhook“
- Select the
CrowdStrike Webhook
- Click
Configure
- Select
Add configuration
- Select a name for you Webhook, like
All Quiet
- As
Webhook URL
, paste in the All Quiet Webhook URL you’ve obtained in step Get the All Quiet Webhook URL. - Remove the
HMAC Secret Keys
- Remove the
Signature Header Name
- Save the Webhook.
Set up Workflow for Incident Creation
Now, we need to set up a workflow to create All Quiet incidents from CrowdStrike alerts.
- In the sidebar navigation, select `Fusion SOAR“
- Open
Workflows
In the workflows overview, select Create workflow
- Select
Create workflow from scratch
- Click
Next
Define the trigger. To select a trigger that creates new incidents,
- open the
Endpoint security
section - and select
Alert
. This selection differs from the worflow we will create later to update incidents that already got created
- After selecting
Alert
clickNext
.
- Now, we need to add an
Action
to the triggering alert. - Select the
CrowdStrike
section. - Select
Call webhook
.
Now, we need to configure the Call webhook
action.
- As Webhook, select the
All Quiet
Webhook we configured in the previous step. - For Data format, select
Default
. - As Data to include, select all
Alert
objects from the dropdown and add them. - Click
Next
.
We’re almost done with this step. Time to Save and exit
the workflow.
To save and exit
,
- Give your worflow a name, like
All Quiet Create Incident
- Don’t forget to activate it.
- Confirm.
Set up Workflow for Incident Updates
Add an extra Workflow.
- This time, select
Audit event > Alert
as trigger, as we want to listen to updates for existing incidents.
- As we want to listen to all kinds for updates, select
All
as type and continue.
After setting up the trigger, add the similar action with the same settings as in the previous step when defining the workflow to create incidents. This ensures incident updates are sent to All Quiet via the same webhook.
When saving the workflow
- Make sure to add a suitable name, like
All Quiet - Update Incident
. - Activate the workflow.
- And click
Save and exit
to confirm.
Adjust Payload Mapping
Looking to customize the fields of your incidents by adjusting the pre-built payload mapping? Simply head over to the “Payload” tab within your integration and make the necessary edits to the mapping. For detailed guidance, you may check out our payload mapping documentation.
allquiet_integration_mapping
resource for the CrowdStrike integration. Simply copy the syntax to your .tf file and tailor the resource to your team’s needs!