How to integrate alerts collected by CrowdStrike Falcon Complete
4 weeks ago - last edited 4 weeks ago
Hello. I have a few questions regarding the implementation of the following requirements.
#Requirements (Integration Flow)
1. Alert information collected by CrowdStrike Falcon Complete (CS) is integrated into SNOW and records are automatically created.
2. The user records the action taken and updates the status on the record created in 1.
3. Updates from 2. are automatically reflected in the source alert in CS.
#Questions
1. Can this requirement be achieved without implementing SecOps?
2. If it can be achieved without SecOps, are there any plugins or SecOps Store products that can be used?
3. Are there any SNOW tables suitable for storing CS alerts?
4 weeks ago
Hello @MiY
Yes, these requirements can be achieved without implementing the full Security Operations (SecOps) suite, although using SecOps would be the standard and recommended approach.
1 -> Yes, it's possible to achieve this without SecOps.
2 -> Yes, you can use the Integration Hub (and its spokes) or build a custom integration. There isn't a specific free store app for this exact flow, so a custom solution using the REST API is the most common approach.
3 -> The em_alert table is suitable for storing alerts if you're using Event Management, but if not, you would typically create a custom table to store the raw alert data.
If my response has helped you, hit the helpful button, and if your concern is solved, mark my response as correct.
Thanks & Regards
Viraj Hudlikar.
4 weeks ago
1. Without SecOps?
✅ Yes — use IntegrationHub or REST APIs + custom tables/flows. No need for SecOps, but you’ll build more yourself.
2. Plugins/Store apps?
⚠ No OOTB plugin without SecOps.
SecOps has CrowdStrike Falcon Endpoint Protection Store app.
Without SecOps → build custom spoke using CrowdStrike REST API.
3. Suitable table?
No-SecOps → custom table (u_cs_alert) or use incident.
SecOps → sn_si_incident + related security tables.
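As an added example (not code from this thread, from ServiceNow or from CrowdStrike), the mapping logic behind the custom REST integration both answers describe, in plain JavaScript so it runs outside the platform: step 1 turns a detection into a row for a custom table with a de-duplication key, and step 3 translates the analyst's state back to a CrowdStrike status. Inside ServiceNow this logic would sit in a Scripted REST API resource and a Business Rule using GlideRecord; the CrowdStrike field names (detection_id, status, max_severity_displayname, device.hostname, behaviors) are assumed to match the Falcon detection payload, and the u_cs_alert columns and state names are hypothetical.

```javascript
// Added example: in-process model of the CS -> SNOW -> CS mapping.
// Assumed CrowdStrike fields: detection_id, max_severity_displayname, device.hostname, behaviors[].
// Hypothetical u_cs_alert columns: u_correlation_id, u_short_description, u_severity, u_state.

// CrowdStrike severity label -> 1..5 impact-style scale (assumed mapping, adjust to your choice list)
const SEVERITY_MAP = { Critical: 1, High: 2, Medium: 3, Low: 4, Informational: 5 };

// Hypothetical record state -> CrowdStrike detection status (assumed status values)
const STATE_TO_CS_STATUS = {
  new: 'new',
  in_progress: 'in_progress',
  resolved_true_positive: 'true_positive',
  resolved_false_positive: 'false_positive',
  closed: 'closed',
};

// Step 1: build one table row from a detection. A payload without a stable id is
// rejected, because without it there is no safe key to de-duplicate redeliveries on.
function toAlertRecord(detection) {
  if (!detection || typeof detection.detection_id !== 'string' || !detection.detection_id) {
    throw new Error('detection_id missing: refusing to create an uncorrelated record');
  }
  const behaviour = (detection.behaviors && detection.behaviors[0]) || {};
  const host = (detection.device && detection.device.hostname) || 'unknown host';
  return {
    u_correlation_id: detection.detection_id,
    u_short_description: `CS detection on ${host}: ${behaviour.tactic || 'unknown tactic'}`,
    u_severity: SEVERITY_MAP[detection.max_severity_displayname] || 5,
    u_state: 'new',
  };
}

// Idempotent insert: a repeated delivery of the same detection refreshes severity
// on the existing row instead of creating a duplicate record for the analyst.
function upsertAlert(table, detection) {
  const row = toAlertRecord(detection);
  const existing = table.get(row.u_correlation_id);
  if (existing) { existing.u_severity = row.u_severity; return existing; }
  table.set(row.u_correlation_id, row);
  return row;
}

// Step 3: translate the analyst's state change back to a CrowdStrike status;
// an unmapped state is an error rather than a silent no-op, so nothing is lost.
function toFalconStatus(state) {
  const status = STATE_TO_CS_STATUS[state];
  if (!status) throw new Error(`no CrowdStrike status mapped for state "${state}"`);
  return status;
}

// Constructed sample detection, not a real payload.
const SAMPLE_DETECTION = { detection_id: 'ldt:constructed-0001', max_severity_displayname: 'High',
  device: { hostname: 'WS-CONSTRUCTED' }, behaviors: [{ tactic: 'Credential Access' }] };
```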