Triage for CrowdStrike alerts (single tenant)
- Updated on 02 Apr 2025
- 1 Minute to read
Description
This playbook covers the investigation and remediation of CrowdStrike detections. It has four phases:
Evidence collection - collect the detection details (detection type and severity) and the involved assets (user and machine).
Enrich assets - collect related details for the involved assets, such as historical alerts, user privileges, and machine OS type (workstation or server).
Investigation - a decision tree driven by the information gathered in the previous phases plus additional context such as the process chain and related network activity.
Response - a response action is taken based on the decision from the previous phase. Response actions range from file deletion to host isolation; intrusive actions can be restricted.
Trigger Request
HTTP POST request
Headers:
Key | Value |
---|---|
Content-Type | application/json |
JSON body parameters:
Parameters | Type | Description |
---|---|---|
alertID | string | The CDC alert ID that triggered the playbook. |
detectionID | string | The CrowdStrike detection ID that triggered the alert. |
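As an added example (not part of the original page or the playbook's own code), the following Python builds the trigger POST described above and also validates an incoming trigger body the way a receiving endpoint should, rejecting missing, extra, or non-string parameters before the playbook runs. The endpoint URL and the sample IDs are assumptions; the page does not give either.

```python
import json
import urllib.request

# Hypothetical trigger endpoint; the page does not state the playbook's URL.
PLAYBOOK_TRIGGER_URL = "https://playbooks.example.invalid/crowdstrike-triage/trigger"

# The two JSON body parameters from the trigger request table.
REQUIRED_FIELDS = ("alertID", "detectionID")


def validate_trigger_payload(payload):
    """Check a decoded JSON body against the documented parameter table.

    Raises ValueError on a non-object body, missing or unexpected keys, or
    values that are not non-empty strings, so malformed or unexpected input
    is rejected before any enrichment or response action starts.
    """
    if not isinstance(payload, dict):
        raise ValueError("body must be a JSON object")
    missing = [k for k in REQUIRED_FIELDS if k not in payload]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    extra = sorted(set(payload) - set(REQUIRED_FIELDS))
    if extra:
        raise ValueError(f"unexpected parameters: {extra}")
    for key in REQUIRED_FIELDS:
        value = payload[key]
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{key} must be a non-empty string")
    return payload


def build_trigger_request(alert_id, detection_id, url=PLAYBOOK_TRIGGER_URL):
    """Return (url, headers, body_bytes) for the trigger POST.

    The payload is validated with the same rules the receiver applies, so a
    caller cannot emit a request the playbook would reject.
    """
    payload = {"alertID": alert_id, "detectionID": detection_id}
    validate_trigger_payload(payload)
    headers = {"Content-Type": "application/json"}
    body = json.dumps(payload).encode("utf-8")
    return url, headers, body


def parse_trigger_body(raw_body, content_type):
    """Decode and validate an incoming trigger request (receiver side)."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError("Content-Type must be application/json")
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from exc
    return validate_trigger_payload(payload)


def is_valid_trigger_body(raw_body, content_type):
    """Boolean wrapper around parse_trigger_body for quick checks."""
    try:
        parse_trigger_body(raw_body, content_type)
        return True
    except ValueError:
        return False


def send_trigger(alert_id, detection_id, url=PLAYBOOK_TRIGGER_URL, timeout=10):
    """Send the POST to the playbook endpoint and return the HTTP status."""
    url, headers, body = build_trigger_request(alert_id, detection_id, url)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample IDs, not real alert or detection identifiers.
    url, headers, body = build_trigger_request("cdc-alert-0001", "cs-detection-0001")
    print(url, headers, body.decode("utf-8"))
```

`send_trigger` is the only function that touches the network; everything else runs offline, which is what makes the validation rules testable on their own. The receiver-side check rejects extra keys deliberately: a triage playbook that later maps body fields onto enrichment or response parameters should not accept inputs it does not document.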
Supported CDC Versions
- 2.8