Introduction to the CrowdStrike Falcon SyncPack

This section describes how you can configure and use the "CrowdStrike Falcon" SyncPack with the PowerFlow platform to sync SL1 events and CrowdStrike detections.

This SyncPack uses the "CrowdStrike Integration" PowerPack.

What Can I Do with this SyncPack?

The "CrowdStrike Falcon" SyncPack lets you sync SL1 events and CrowdStrike Falcon detections (security events). You can configure the automation policies in the "CrowdStrike Falcon Automation" PowerPack to pull events from CrowdStrike into SL1 for use in event correlation and incident management.

Integration with the CrowdStrike Falcon platform allows security teams to accelerate operations by improving threat detection accuracy through a single interface. When a security detection occurs within the Falcon platform, such as potential malware on a device, the detection will be automatically sent to SL1 as an event. From there, SL1 can simultaneously create an incident to document the issue and trigger a response as defined by rules set by an administrator.

This SyncPack includes the following integrations:

  • Fetch Detections from CrowdStrike and Send Alert to SL1. This application acquires tokens and New Detections from CrowdStrike and creates alerts for SL1.
  • Clear Detection from Cache. This application acquires and saves event details to send to SL1.

Contents of the SyncPack

This section lists the contents of the "CrowdStrike Falcon" SyncPack.

PowerFlow Applications

  • Fetch Detections from CrowdStrike and Send Alert to SL1. This application acquires tokens and New Detections from CrowdStrike and creates alerts for SL1.
  • Clear Detection from Cache. This application acquires and saves event details to send to SL1.

For more information about how to configure these applications, see Configuring Applications for the CrowdStrike Falcon SyncPack.

Configuration Object

  • CrowdStrike Sample Configuration. This configuration object can be used as a template after the SyncPack is installed on the PowerFlow system.

Steps

The following steps are included in this SyncPack:

  • Fetch Detections and Generate Payloads for SL1
  • Fetch New Detections from CrowdStrike
  • Get Alerted Detections from Cache
  • Get Each Detection and Create SL1 Alerts
  • Get Event Details and Clear Detections ID