Use CrowdStrike Falcon with automation


This article refers to features that are currently rolling out. CrowdStrike Falcon actions require Jira Service Management Cloud on a Premium or Enterprise plan.

You can connect your CrowdStrike Falcon account with your space to automate security operations. For example, use it for looking up alerts and users during incident responses or enriching your automation rules with CrowdStrike data.

To use these actions, connect the CrowdStrike Falcon app to Atlassian Automation. For most of the automation actions, you'll be prompted to set up the connection the first time you select them in a rule.

Authentication uses an OAuth 2.0 client credentials connection to the CrowdStrike Falcon API. The API client needs the Alerts (Read) and User management (Read) scopes; grant only these, since the actions on this page only read alert and user data.

Before you begin

To manage space automations, you must have the appropriate space permissions:

  • Company-managed spaces: You'll need the Administer spaces and Browse spaces permissions for your space.

  • Team-managed spaces: You'll need Administrator access for your space.

To manage global automations, you'll need the Administer Jira permission.

Connect CrowdStrike Falcon to Atlassian Automation

Before you connect, create an API client in the CrowdStrike Falcon console (Support and resources > API clients and keys) with the Alerts (Read) and User management (Read) scopes, and note its client ID and client secret. The secret is shown only when the client is created, so store it in a secrets manager rather than in a ticket or comment.

When you add a CrowdStrike Falcon action to a rule, select Connect, then enter the following fields:

  • Connection name: Choose a memorable name so you can easily find and reuse this connection in your automation rules.

  • Client ID: Enter your CrowdStrike Falcon API client ID.

  • Client secret: Enter the secret key that pairs with your client ID.

  • Base URL: Enter the API base URL for your specific region. For example, use https://api.us-2.crowdstrike.com for US-2.

Use the base URL that matches your CrowdStrike cloud:

  • US-1: https://api.crowdstrike.com

  • US-2: https://api.us-2.crowdstrike.com

  • EU-1: https://api.eu-1.crowdstrike.com

  • US-GOV-1: https://api.laggar.gcw.crowdstrike.com

Select Connect. Once the connection is established, you can use CrowdStrike Falcon actions in your rules.
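The connection this form establishes is an OAuth 2.0 client credentials exchange against the regional base URL. As an added example (not Atlassian's or CrowdStrike's code), the following Python performs that exchange directly: it accepts only a base URL from the region table above, sends the client ID and secret as a form-encoded POST body, and returns the bearer token. The token path /oauth2/token is taken from the public Falcon API reference rather than from this page, and the transport argument lets the request be replayed offline against a constructed response.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Region -> API base URL, exactly as listed in the table above.
FALCON_BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}
TOKEN_PATH = "/oauth2/token"  # Falcon's token endpoint per the public API reference (not from this page)


def validate_base_url(base_url):
    """Return the base URL without a trailing slash, or raise if it is not one of the
    listed clouds. This rejects plain http and look-alike hosts before any secret is sent."""
    url = base_url.strip().rstrip("/")
    if url not in FALCON_BASE_URLS.values():
        raise ValueError("base URL is not a listed CrowdStrike cloud: %r" % base_url)
    return url


def build_token_request(base_url, client_id, client_secret):
    """Client-credentials POST: credentials go in the form-encoded body, never in the URL."""
    url = validate_base_url(base_url) + TOKEN_PATH
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return url, headers, body


def urllib_transport(method, url, headers, body):
    """Live HTTP transport returning (status, decoded JSON); non-2xx bodies are discarded."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, {}


def fetch_token(base_url, client_id, client_secret, transport=urllib_transport):
    """Exchange the API client's credentials for a bearer token.

    Returns (access_token, expires_in_seconds). The Falcon API reference documents
    201 Created on success (200 is accepted too); any other status is reported
    without echoing the secret into the error message.
    """
    url, headers, body = build_token_request(base_url, client_id, client_secret)
    status, payload = transport("POST", url, headers, body)
    if status not in (200, 201) or not payload.get("access_token"):
        raise RuntimeError("token request to %s failed with HTTP %s" % (url, status))
    return payload["access_token"], int(payload.get("expires_in", 0))
```

If the request fails with credentials you know are correct, check the base URL first: an API client only authenticates against the endpoint of its own cloud. The secret is only ever sent in the request body over TLS, and the error path above deliberately reports the URL and status but not the credentials.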

Actions

Query CrowdStrike Falcon alerts

You can use this action to search and filter your CrowdStrike Falcon alerts and find specific alert IDs. The results can then be used later in the rule to fetch full alert details or drive downstream incident-response steps.

Enter the following fields or select using smart values:

  • Filter (optional): Enter a Falcon Query Language (FQL) expression to narrow down your results. For example, status:'new'+severity:>=70.

  • Sort by (optional): Choose how to order your results. For example, created_timestamp|desc.

  • Maximum limit (optional): Set the maximum number of alert IDs returned by a single call.

  • Pagination offset (optional): Enter the offset at which to start returning results; use the offset reported in the previous response's pagination metadata to page through large result sets.

This action is usually the starting point for alert automation, because Get CrowdStrike Falcon alert details needs the composite IDs returned here.

Get CrowdStrike Falcon alert details

You can use this action to get the full details of one or more alerts using their unique composite IDs. The result can then be used later in the rule to inspect alert severity, tactics, and status.

Enter the following field or select using smart values:

  • Alert composite IDs (required): Enter one or more composite IDs, separated by commas. You can find them using the Query CrowdStrike Falcon alerts action.

Query CrowdStrike Falcon users

You can use this action to search and filter your CrowdStrike Falcon users and find specific user IDs. The results can then be used later in the rule to look up user profiles or route work to the right people.

Enter the following fields or select using smart values:

  • Filter (optional): Enter a Falcon Query Language (FQL) expression to narrow down your results. For example, last_login_timestamp:>'2024-01-01'.

  • Sort by (optional): Choose how to order your results. For example, last_login_timestamp|desc.

  • Maximum limit (optional): Set the maximum number of user IDs returned by a single call.

  • Pagination offset (optional): Enter the offset at which to start returning results; use the offset reported in the previous response's pagination metadata to page through the user list.

This action is usually the starting point for user automation, because Get CrowdStrike Falcon user details needs the user ID returned here.

Get CrowdStrike Falcon user details

You can use this action to look up a specific CrowdStrike Falcon user and view their full profile. The result can then be used later in the rule to read user attributes such as name, email, and status.

Enter the following field or select using smart values:

  • User ID (UUID) (required): Enter the user's unique ID. You can find it using the Query CrowdStrike Falcon users action.
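All four actions above share one shape: a query call with filter, sort, limit and offset returns IDs, and a details call takes those IDs. The following Python, added here as an example and not code from Atlassian or CrowdStrike, implements that query-then-details chain for both alerts and users against the Falcon API. It pages with limit and offset until the result set is exhausted, batches the IDs into the details call, and refuses to splice a value carrying FQL metacharacters into a filter, which is the situation that arises when a filter is built from a ticket field through a smart value. The endpoint paths and the composite_ids / ids body keys are taken from the public Falcon API reference rather than from this page; the fake transport and the three sample alerts are constructed so the example runs offline, and a live transport is any function with the same signature that performs the HTTP call (the bearer token is already in the headers it receives).

```python
import json
import urllib.parse

# Falcon API paths behind each query -> details pair (from the public API reference, not this page).
ENDPOINTS = {
    "alerts": {"query": "/alerts/queries/alerts/v2",
               "details": "/alerts/entities/alerts/v2", "id_key": "composite_ids"},
    "users": {"query": "/user-management/queries/users/v1",
              "details": "/user-management/entities/users/GET/v1", "id_key": "ids"},
}

# Characters that would let a value taken from a ticket field (a smart value) add FQL
# operators or close the quoted string. Escaping is not documented here, so reject instead.
FQL_METACHARS = set("'\"+,:()[]*\\")


def fql_equals(field, value):
    """Build one FQL equality term, e.g. status:'new', from an untrusted value."""
    if not field.replace("_", "").replace(".", "").isalnum():
        raise ValueError("bad FQL field name: %r" % field)
    if any(ch in FQL_METACHARS for ch in value):
        raise ValueError("value contains FQL metacharacters: %r" % value)
    return "%s:'%s'" % (field, value)


class FalconQuery:
    """Query-then-details calls via transport(method, url, headers, body) -> (status, json)."""
    def __init__(self, base_url, token, transport, page_size=100):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
        self.transport = transport
        self.page_size = page_size

    def _call(self, method, path, params=None, body=None):
        url = self.base_url + path
        if params:  # urlencode turns the FQL '+' into %2B; a raw '+' would be read as a space
            url += "?" + urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
        headers, data = dict(self.headers), None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, payload = self.transport(method, url, headers, data)
        if status != 200:
            raise RuntimeError("%s %s failed with HTTP %s" % (method, path, status))
        return payload

    def query_ids(self, kind, fql=None, sort=None, max_ids=1000):
        """Page with limit/offset until a short page, the reported total, or max_ids."""
        ep, ids, offset = ENDPOINTS[kind], [], 0
        while len(ids) < max_ids:
            limit = min(self.page_size, max_ids - len(ids))
            payload = self._call("GET", ep["query"],
                                 {"filter": fql, "sort": sort, "limit": limit, "offset": offset})
            page = payload.get("resources") or []
            ids.extend(page)
            offset += len(page)
            total = payload.get("meta", {}).get("pagination", {}).get("total")
            if not page or len(page) < limit or (total is not None and offset >= total):
                break
        return ids

    def get_details(self, kind, ids, batch=500):
        """POST the IDs in batches and concatenate the returned records."""
        ep, records = ENDPOINTS[kind], []
        for i in range(0, len(ids), batch):
            payload = self._call("POST", ep["details"], body={ep["id_key"]: ids[i:i + batch]})
            records.extend(payload.get("resources") or [])
        return records


def make_fake_falcon(alerts):
    """Offline stand-in for the two alert endpoints: pages by offset/limit, ignores the filter."""
    log = []

    def transport(method, url, headers, body):
        log.append((method, url, body))
        parsed = urllib.parse.urlparse(url)
        qs = dict(urllib.parse.parse_qsl(parsed.query))
        if method == "GET" and parsed.path == ENDPOINTS["alerts"]["query"]:
            offset, limit = int(qs.get("offset", 0)), int(qs.get("limit", 100))
            ids = [a["composite_id"] for a in alerts]
            return 200, {"meta": {"pagination": {"total": len(ids)}},
                         "resources": ids[offset:offset + limit]}
        if method == "POST" and parsed.path == ENDPOINTS["alerts"]["details"]:
            wanted = set(json.loads(body)["composite_ids"])
            return 200, {"resources": [a for a in alerts if a["composite_id"] in wanted]}
        return 404, {}

    return transport, log


def demo():
    """Run the alert chain over constructed sample alerts with page size 2 to exercise paging."""
    sample = [{"composite_id": "cid-%d" % i, "severity": s, "status": "new"}
              for i, s in ((1, 90), (2, 70), (3, 80))]
    transport, log = make_fake_falcon(sample)
    fq = FalconQuery("https://api.us-2.crowdstrike.com", "tok", transport, page_size=2)
    fql = fql_equals("status", "new") + "+severity:>=70"   # the page's example filter
    ids = fq.query_ids("alerts", fql=fql, sort="created_timestamp|desc")
    return ids, fq.get_details("alerts", ids), log
```

Two details are easy to get wrong when these calls are built by hand. The + that joins FQL terms must reach the API as %2B, because a raw + in a query string decodes as a space and the filter silently changes. And the IDs passed to the details call should come only from the query call, never from a free-text field, so that a rule cannot be steered into reading records it was not meant to.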
