I’ve imported the workflow “Blacklist Indicators with CrowdStrike Falcon from Slack” and got it working; kind of. I get a success message in Slack and the InsightConnect job shows it completed successfully. I blacklisted a test file’s MD5 successfully. My question is, where can I see that in Crowdstrike? I checked the IOC Management and the MD5 is not in there. I checked and verified that the API Key in CrowdStrike being used by InsightConnect has read/write access to the right Scopes. I also verified the connection works - it’s the same one I use in a device quarantine workflow which works.
Is there somewhere else in CrowdStrike I should be looking for to verify the MD5 was added? What’s the URL the plugin is calling to add the IOC?