
CrowdStrike - Get Vulnerability Summary for Assets
This incident response workflow lets you document a summary of vulnerabilities for the hosts in an incident, using CrowdStrike, either from a playbook or from an automation rule. When run from a playbook, the user selects which hosts to identify vulnerabilities for. When run from an incident automation rule, the identification is done for all target hosts involved in the incident.
Target: CrowdStrike
Steps:
- Detect the start type and extract the supported observables
- Check if any supported observables were found (if not, end the workflow)
- For each observable:
  - Check this observable's type:
    - If a CrowdStrike ID, set the local ID variable
    - If a hostname, IP address, or MAC address, update the corresponding variables and search for the host
  - Fetch the host's details from CrowdStrike
  - Fetch the host's CVE summary and update the workflow result
This workflow requires the following targets to be available before it can be run.
Integration targets
- CrowdStrike