Crowdstrike
This is a detailed guide on implementing a Crowdstrike Fusion workflow that will auto-close Prelude originating detections.
-
Start by contacting Prelude Support [email protected] and requesting the "Alert Suppression" file. Save the "PreludeAlertMan.txt" file to your local system and change extension to .json
-
Open Crowdstrike and navigate to the Fusion SOAR overview page where all enable/disabled Fusion Workflows are listed.
-
Right click in browser and select "inspect" or optionally open Dev Tools in browser
-
In Dev Tools, navigate to the "Console" page
- In the area highlighted in the above screenshot copy and paste the following script and hit enter (if in the event you get any errors entering the script below try copying and pasting it from the "UpdateScript.txt" file I've attached. Note: if your Crowdstrike instance is not us-2 as listed below, update the URL in the script below to match your instance.
(async function(){function c(){try{return JSON.parse(decodeURIComponent(document.getElementsByName("falcon-workflow/config/environment")[0].content))["data-core"].apiHost}catch{return"/api2"}}try{const o=c(),r=document.querySelector("#cs-csrf-token").content,a={types:[{description:"Workflow File",accept:{"application/json":[".json"]}}]},[i]=await window.showOpenFilePicker(a),l=await i.getFile(),{model:e,description:n}=JSON.parse(await l.text()),s=`Imported At (${Date.now()})`,d={name:s,model:{...e,name:s,description:n??"",gateways:e.gateways??{},sub_models:e.sub_models??{}},description:n??"",enabled:!1},t=await fetch(`${o}/workflows/entities/definitions/v2`,{headers:{"content-type":"application/json","x-csrf-token":r},referrerPolicy:"no-referrer",body:JSON.stringify(d),method:"POST",mode:"cors",credentials:"include"});if(!t.ok){console.log("Import failed",t);return}const w=(await t.json()).resources[0];console.log("workflow id is",w),window.location.reload()}catch(o){console.error(o)}})();
- If successful it will open a import dialogue with which you can select the .json file downloaded in step 1
- That's it, you should see a new workflow created with the name of "Imported At xxxxx".
At this point you can rename it to something more readable
Set your desired alerting mechanism in the Fusion Workflow by modifying "action" parameter that's currently set to sleep. This is where you would specify "Send Email" or "Send Slack message" depending on your preference.
- Ensure you enable the newly imported workflow (it's disabled by default after importing).
Important Note:
In some instances you may see a small percentage of Crowdstrike Detections remain open. This is due to a timing issue where the detection details are blank when the Fusion Workflow runs, as a result the Fusion Workflow can't identify the detection as Prelude Detect Originating. In this case you can set up two workflows, one that runs immediately as shown above and second that runs again after a 15 minute delay.
Workflow 1:
- Change last step (highlighted yellow below) to Sleep 1 min.
Workflow 2:
- Make a copy of Workflow 1
- Add a 15 minute sleep (highlighted below) after new EPP Detection arrives
- Change the Sleep Option (highlighted below) to notification method of choice (Slack/Email etc)
Updated 8 months ago