Skip to main content

CrowdStrike Falcon - SIEM ingestion Get Incident Data

This Playbook is part of the CrowdStrike Falcon Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook handles incident ingestion from the SIEM. The user provides the field for the incident ID or detection ID as well as the field indicating whether the ingested item is an incident or detection. This playbook enables changing the severity scale in Cortex XSOAR as well as fetching CrowdStrike detections based on the CrowdStrike incident type.


This playbook uses the following sub-playbooks, integrations, and scripts.


CrowdStrike Falcon - Get Detections by Incident




This playbook does not use any scripts.


  • cs-falcon-list-incident-summaries
  • extractIndicators
  • cs-falcon-search-detection
  • setIncident
  • endpoint

Playbook Inputs#

NameDescriptionDefault ValueRequired
SIEMincidentFieldForTypeThe incident field that determines if this is a detection or an incident.${incident.externalcategoryname}Optional
SIEMincidentFieldForIDThe incident field that contains the detection ID or incident ID.${incident.externalsystemid}Optional
ScaleToSetSeverityThe severity scale in the EDR.
For example, CrowdStrike uses values from 0 to 100
so the scale can be divided into ranges such as
SeverityValuesMappingThe mapping from the EDR severity scale to the Cortex XSOAR severity scale.
For example:
0.5, 1, 2, 3,4
Possible values to use are 0,0.5, 1, 2, 3,4
which represent Unknown, Informational, Low, Medium, High, Critical.
0.5, 1, 2, 3,4Optional
OverrideSIEMSeverityWhether to set the severity according to the EDR severity scale and its mapping to Cortex XSOAR (True) or keep the original severity scale as mapped by the SIEM (False).FalseOptional

Playbook Outputs#

CrowdStrike.Detection.Behavior.FileNameThe file name of the behavior.string
CrowdStrike.Detection.Behavior.ScenarioThe scenario name of the behavior.string
CrowdStrike.Detection.Behavior.MD5The MD5 hash of the IOC of the behavior.string
CrowdStrike.Detection.Behavior.SHA256The SHA256 hash of the IOC of the behavior.string
CrowdStrike.Detection.Behavior.IOCTypeThe IOC type of the IOC.string
CrowdStrike.Detection.Behavior.IOCValueThe value of the IOC.string
CrowdStrike.Detection.Behavior.CommandLineThe command line executed in the behavior.string
CrowdStrike.Detection.Behavior.UserNameThe user name related to the behavior.string
CrowdStrike.Detection.Behavior.SensorIDThe sensor ID related to the behavior.string
CrowdStrike.Detection.Behavior.ParentProcessIDThe ID of the parent process.string
CrowdStrike.Detection.Behavior.ProcessIDThe process ID of the behavior.string
CrowdStrike.Detection.Behavior.IDThe ID of the behavior.string
CrowdStrike.Detection.SystemThe system name of the detection.string
CrowdStrike.Detection.CustomerIDThe ID of the customer (CID).string
CrowdStrike.Detection.MachineDomainThe name of the domain of the detection machine.string
CrowdStrike.Detection.IDThe detection ID.string
CrowdStrike.Detection.ProcessStartTimeThe start time of the process that generated the detection.string
EndpointThe details of the endpoint.string
CrowdStrike.FoundDetectionsIndicates whether detections were found.string

Playbook Image#

CrowdStrike Falcon - SIEM ingestion Get Incident Data