Skip to main content
Crowdstrike Falcon

By connecting Crowdstrike Falcon you will be able to bring alerts around security breaches in your organization

incident.io Engineering Team avatar
Written by incident.io Engineering Team
Updated over a week ago

Automatically page the right people and create incidents for alerts received from Falcon.

Customers can seamlessly connect Falcon with incident.io to import crucial information. When an alert comes through Falcon, it enables incident.io to page the right person based on the customer’s configuration, provide detailed information about the alert, and gather the necessary team members in the incident channel to collaborate on resolving the incident. Additionally, incident.io can automatically create incidents from alert sources and filter and group them according to the customer’s preferences.

This article provides step by step instructions for setting up Crowdstrike Falcon as an alert source within incident.io.

🛠️ Instructions

1️⃣ Head over to the Alerts section in your incident.io dashboard and select the sources tab at the top of the page

2️⃣ Press the 'New alert source' button and search for 'Crowdstrike Falcon' and click continue to create the alert source

3️⃣ Then click the Crowdstrike Falcon marketplace and choose Configure, head to Webhook and then choose Configure in the Webhook and in the modal 'Add configuration'. You will need to have all four options defaulted to Ok

4️⃣ Now you can go back to incident.io and copy and paste the Name, Webhook URL, HMAC Secret key and Signature Header Name to the Crowdstrike Falcon modal.

5️⃣ After head to 'All Workflows' in Crowdstrike Falcon and click 'Create workflow' and choose the trigger to be an Event, Name the workflow and click Next to get to the workflow builder

6️⃣ Click sequential so it says 'Action'. Click 'Notify' from the modal and 'Call webhook' and then choose webhook name you copy pasted earlier from the drop down menu.

7️⃣ Choose Data format to be Custom JSON and go back to incident.io and copy the payload from the alert source

8️⃣ Finish the configuration, give a name for the workflow and turn it on and save

9️⃣ Now you can go and test the workflow by going to the workflow, click 'Edit' and then 'Execute workflow'

🔟 You should receive the alert now in incident.io and now you can parse things from the payload!

Detailed instructions in the video below


Can't find the alert source you are looking for? Head to our integrations page or message us to [email protected]

Did this answer your question?