# CrowdStrike Falcon Endpoint Malware XSIAM SOC Automation

This repository enhances the native CrowdStrike Falcon integration within Palo Alto Networks Cortex XSIAM. It provides layouts, correlation rules, mappers, and data model extensions to optimize threat visibility and automate response actions within a SOC workflow.
## Before you begin

- Configure the CrowdStrike Falcon integration via the Marketplace.
- If you are using the CrowdStrike Platform integration, disable Alert Fetch so that alerts are not ingested twice.
## What this pack does

This pack enables Cortex XSIAM to more effectively operationalize CrowdStrike Falcon telemetry by:

- 📊 Centralizing endpoint threat and detection data.
- ⚙️ Automating detection, triage, and response for endpoint-related incidents.
- 🔁 Enriching alerts with actionable context and reducing the need to pivot between tools.
- 🧩 Enabling correlation with identity, email, and network telemetry.
## Components

| Component | Description |
|---|---|
| Layouts | Analyst-centric views showing CrowdStrike event details, detections, and host context. |
| Correlation Rules | Rules for identifying lateral movement, hands-on-keyboard activity, and malware execution. |
| Data Models | XDM schema extensions aligned to Falcon detection and event fields. |
| Automation Scripts | `displayCrowdStrikeEvidence_xsiam`: displays the raw alert record cleanly in layout tabs/dynamic sections. `displayCrowdStrikeHostRecord_xsiam`: renders the full host record in layout tabs/dynamic sections. `displayCrowdStrikeHostStatus_xsiam`: shows host status in a structured format inside layout sections. |
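The automation scripts above render a raw record for a layout dynamic section. As an added illustration of what such a script does, here is a small, stand-alone renderer that flattens a nested alert record into a Markdown table; it is not the pack's own script, and the record is a constructed sample so that it runs offline. In a real XSIAM automation the record would come from the alert context and the table would be returned with `return_results(CommandResults(readable_output=...))` from CommonServerPython; that part is deliberately left out here.

```python
"""Render a raw alert record as a Markdown table for a layout dynamic section.

Added illustration, not the pack's displayCrowdStrikeEvidence_xsiam script.
The SAMPLE_RECORD below is constructed (made-up values), not real Falcon data.
"""
from typing import Any, Dict, List

# Constructed sample: a trimmed, made-up Falcon-style detection record.
SAMPLE_RECORD: Dict[str, Any] = {
    "detection_id": "ldt:0000000000000000:111111111111",
    "severity": 70,
    "device": {
        "hostname": "WKSTN-01",
        "platform_name": "Windows",
        "external_ip": "203.0.113.10",
    },
    "behaviors": [
        {"tactic": "Execution", "cmdline": "C:\\Windows\\System32\\example.exe"},
    ],
    "tags": ["alert|test"],
    "closed_at": None,
}


def flatten_record(record: Any, prefix: str = "") -> Dict[str, str]:
    """Flatten nested dicts/lists into dotted keys with string values.

    Lists are indexed (behaviors.0.tactic) so every value gets its own row.
    None becomes an empty string rather than the literal text "None".
    """
    flat: Dict[str, str] = {}
    if isinstance(record, dict):
        for key, value in record.items():
            flat.update(flatten_record(value, f"{prefix}{key}."))
    elif isinstance(record, list):
        for idx, value in enumerate(record):
            flat.update(flatten_record(value, f"{prefix}{idx}."))
    else:
        flat[prefix.rstrip(".")] = "" if record is None else str(record)
    return flat


def _escape_cell(text: str) -> str:
    """Pipes and newlines inside a value would break the Markdown table."""
    return text.replace("|", "\\|").replace("\n", " ")


def render_markdown_table(record: Any, title: str = "Raw Alert Record") -> str:
    """Return a Markdown section with one Field/Value row per flattened key."""
    flat = flatten_record(record)
    lines: List[str] = [f"### {title}", "", "| Field | Value |", "|---|---|"]
    for key in sorted(flat):
        lines.append(f"| {_escape_cell(key)} | {_escape_cell(flat[key])} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown_table(SAMPLE_RECORD))
```

Sorting the flattened keys keeps the table stable between alerts, which matters when analysts compare two records side by side; escaping `|` is what keeps a value such as a tag or command line from silently splitting a row.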
## Benefits

- Improved endpoint visibility within Cortex XSIAM.
- Context-aware enrichment across SOC alerts.
- Faster threat detection and reduced MTTR.
- Direct action capability via the Falcon integration.
🔄 Compatible with the SOC Optimization Framework for standardized detection and response across data sources.
## Use cases

- Malware Investigation
- Lateral Movement Detection
- Privilege Escalation Monitoring
- Automated Host Containment
## Requirements

- A Cortex XSIAM tenant.
- CrowdStrike Falcon data ingested via the XDR integration or a broker.
- No additional normalization work: this pack handles all normalization via mappers and data model extensions.
## Getting started

- Clone this repository.
- Use the Demisto (XSOAR) SDK, `demisto-sdk`, to upload the content to Cortex XSIAM.
- Choose and enable correlation rules based on your detection objectives.
- Deploy and validate the layouts and data models.
- Tune as needed for your threat model and operational needs.
## Installation

To install this content pack using the Demisto SDK, run the following command:

```shell
demisto-sdk upload -x -z -i ./Packs/soc-crowdstrike-falcon
```

Note:

- `-x` ensures the pack is zipped before upload.
- `-z` uploads the zipped pack.
- Adjust the path (`-i`) as needed to match your local directory structure.

Make sure your environment is properly configured with the XSIAM host and API key by using either:

- A `.env` file, or
- the following environment variables: `DEMISTO_BASE_URL`, `DEMISTO_API_KEY`, `XSIAM_AUTH_ID`
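Because the upload needs the three settings above and the `.env` variant stores an API key on disk, a short preflight check is worth running before `demisto-sdk upload`. The script below is an added example, not part of this pack or of `demisto-sdk`: it confirms that `DEMISTO_BASE_URL`, `DEMISTO_API_KEY` and `XSIAM_AUTH_ID` are available from the environment or a `.env` file, that the `.env` is not readable by other users, and that the `-i` path points at a directory containing the `pack_metadata.json` that every content pack carries, then runs the same upload command shown above. The `.env` parser is a minimal one written for this example.

```python
"""Preflight checks before running `demisto-sdk upload` for this pack.

Added example, not part of the pack or of demisto-sdk. It only verifies the
configuration the README describes and then invokes the README's own command;
demisto-sdk itself still reads the .env / environment variables when it runs.
"""
import os
import stat
from pathlib import Path
from typing import Dict, List, Mapping, Optional

REQUIRED_VARS = ("DEMISTO_BASE_URL", "DEMISTO_API_KEY", "XSIAM_AUTH_ID")


def parse_dotenv(path: Path) -> Dict[str, str]:
    """Minimal KEY=VALUE parser (comments and blank lines skipped, quotes stripped)."""
    values: Dict[str, str] = {}
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def missing_vars(env: Mapping[str, str]) -> List[str]:
    """Names of required settings that are absent or empty."""
    return [name for name in REQUIRED_VARS if not env.get(name)]


def dotenv_permission_problem(path: Path) -> Optional[str]:
    """Message if the .env (which holds the API key) is group- or world-readable."""
    mode = path.stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return f"{path} is readable by other users; chmod 600 it (it holds DEMISTO_API_KEY)"
    return None


def build_upload_command(pack_path: str) -> List[str]:
    """The README's upload command as an argv list (no shell interpolation)."""
    return ["demisto-sdk", "upload", "-x", "-z", "-i", pack_path]


def preflight(pack_path: str, env: Mapping[str, str], dotenv: Optional[Path] = None) -> List[str]:
    """Collect every problem found; an empty list means the upload can proceed."""
    problems: List[str] = []
    merged: Dict[str, str] = dict(env)
    if dotenv is not None and dotenv.is_file():
        # Process environment wins over the file, as most dotenv loaders do.
        merged = {**parse_dotenv(dotenv), **merged}
        issue = dotenv_permission_problem(dotenv)
        if issue:
            problems.append(issue)
    for name in missing_vars(merged):
        problems.append(f"{name} is not set (neither in the environment nor in .env)")
    if not (Path(pack_path) / "pack_metadata.json").is_file():
        problems.append(f"{pack_path} has no pack_metadata.json; does -i point at the pack directory?")
    return problems


if __name__ == "__main__":
    import subprocess
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "./Packs/soc-crowdstrike-falcon"
    found = preflight(target, os.environ, Path(".env"))
    for problem in found:
        print(f"preflight: {problem}")
    if found:
        sys.exit(1)
    sys.exit(subprocess.call(build_upload_command(target)))
```

Run it from the repository root as `python preflight.py ./Packs/soc-crowdstrike-falcon` (file name assumed). The API key value is never printed, only the names of settings that are missing, so the check is safe to run in CI logs.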
## Configure the alert layout rule

After uploading the pack, complete the following steps to ensure alerts are displayed properly:

- Navigate to Settings > Alert Layout Rules in XSIAM.
- Click Add Layout Rule.
- Configure the rule with the following values:
  - Rule Name: `CrowdStrike`
  - Layout to Display: `CrowdStrike Endpoint Alert Layout`
  - Alert Type: `CrowdStrikeFalcon_XSIAM`

⚠️ Important: the Alert Type must exactly match the dataset name created by the integration: `CrowdStrikeFalcon_XSIAM`
Once configured, alerts ingested from CrowdStrike Falcon will automatically use the custom layout defined in this pack.

## Contributing

Contributions to the CrowdStrike Falcon Endpoint Malware XSIAM SOC Automation pack are welcome via pull requests or issues.