I’ve imported the workflow “Blacklist Indicators with CrowdStrike Falcon from Slack” and got it working; kind of. I get a success message in Slack and the InsightConnect job shows it completed successfully. I blacklisted a test file’s MD5 successfully. My question is, where can I see that in Crowdstrike? I checked the IOC Management and the MD5 is not in there. I checked and verified that the API Key in CrowdStrike being used by InsightConnect has read/write access to the right Scopes. I also verified the connection works - it’s the same one I use in a device quarantine workflow which works.
Is there somewhere else in CrowdStrike I should be looking for to verify the MD5 was added? What’s the URL the plugin is calling to add the IOC?
@levi_steuer What is the output of the Crowdstrike step that performs the blacklist in the workflow. If you go to Job’s page, you can view the full details for the job and copy and paste the raw output. I want to double-check that it was successful.
Here’s the raw data:
{
“$success”: true,
“ioc_information”: {
“errors”: [],
“meta”: {
“query_time”: 0.011797561,
“trace_id”: “db7a6c02-3649-4238-93f9-9f5a462989fe”
},
“resources”: [
{
“created_timestamp”: “2021-06-16T19:35:51Z”,
“description”: “IOC Managed from InsightConnect”,
“modified_timestamp”: “2021-06-16T19:35:51Z”,
“policy”: “detect”,
“share_level”: “red”,
“type”: “md5”,
“value”: “1a9804f0c374283b094e9e55dc5ee128”
}
]
},
“success”: true
}
@levi_steuer thanks for sharing that, this looks to be successful. We will need to check on this in our Crowdstrike lab and document it accordingly in the workflow and plugin, and follow back up.