The CrowdStrike Falcon Endpoint App on ServiceNow lets users bring alert and detection data from the Falcon platform into their incident response process by creating ITSM incidents. Security incidents in the Security Operations module can be created by installing the CrowdStrike Falcon Endpoint For Security Operations application in addition to this app. The integration automates workflows by sending endpoint security events discovered in the CrowdStrike Falcon platform into ServiceNow for centralized investigation and faster time to resolution.
The CrowdStrike Falcon endpoint protection platform provides cloud-delivered next-generation antivirus, EDR, IT hygiene and managed hunting in a single sensor. CrowdStrike Falcon protects customers against advanced cyberattacks, using signatureless artificial intelligence/machine learning and Indicator of Attack (IOA) based threat prevention to stop known and unknown threats in real time.
- Automate incident creation and response within ServiceNow based on malicious endpoint activity detected by the CrowdStrike Falcon platform
- Accelerate investigations within ServiceNow by pulling in all relevant endpoint event activity captured by CrowdStrike
- Enable security teams to quickly perform remediation tasks before an incident results in a breach
- Unify security and IT to accelerate threat prioritization and response
- Remediate incidents with Real Time Response and network containment
- Support Falcon Case Mirroring
Overview
This release introduces Case Mirroring, which keeps case data synchronized in both directions between ServiceNow and CrowdStrike.
New Features
Case Mirroring
- Bidirectional Data Synchronization: Automatically sync case information between ServiceNow and CrowdStrike in real time
- Configurable Mirroring Rules: Define which case fields and data elements to synchronize based on business requirements
Database Changes
New Tables
- Mirroring Webhook Outbox Lock: Internal queue handling (the lock held while the outbox is being processed)
- Mirroring Webhook Outbox: Maintains sync status and an audit trail for mirrored cases
Security & Access Control
New Roles
x_crowd_crowdstrik.falcon_integration_user: Role for Falcon integration service accounts. Enables remote webhook integration configuration, incident creation/updates, and read access to the tables required for Falcon Case Mirroring field mapping. Grant it to the dedicated service account that Falcon uses to call ServiceNow rather than to a user who already holds broader ITSM or admin roles; the role covers everything the mirroring webhook needs, so stacking additional roles on that account only widens what a leaked credential could do.
Technical Components
New Scripts
- Background synchronization scripts for automated case updates
- Business rules for triggering mirroring events
- Scheduled jobs for periodic sync validation
- Error handling and retry logic for failed synchronization attempts
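The outbox, lock, business rule, scheduled job and retry pieces listed above fit together as a transactional-outbox pattern. The following is an added illustration, not code from the CrowdStrike app: an in-memory model in the JavaScript that ServiceNow server scripts are written in, where a business rule enqueues a row, a scheduled job drains due rows under a lease-style lock, transient (5xx/network) failures are retried with exponential backoff, and 4xx responses are treated as terminal. The table shapes, field names, attempt limit, backoff and lease durations are all assumptions chosen for the example; the `runScenario` function builds a constructed fake clock and fake Falcon endpoint so it runs offline.

```javascript
'use strict';
// Added example (not the CrowdStrike app's own code): an in-memory model of the
// outbox + lock + retry pattern the release notes describe. Table shapes, field
// names and the limits below are assumptions for illustration only.

const MAX_ATTEMPTS = 4;          // assumption: give up after four deliveries
const BASE_BACKOFF_MS = 1000;    // assumption: wait 1s, 2s, 4s between retries
const LEASE_MS = 30000;          // assumption: a worker's lock lease lasts 30s

class WebhookOutbox {
  constructor(clock) {
    this.clock = clock;          // returns ms; injected so the scenario is deterministic
    this.rows = [];              // stands in for the "Mirroring Webhook Outbox" table
    this.lock = null;            // stands in for the single-row "Outbox Lock" table
    this.nextId = 1;
  }

  // Business-rule side: record the change durably instead of calling the remote
  // API inline, so saving the ServiceNow record never depends on Falcon being up.
  enqueue(incidentSysId, payload) {
    const row = {
      id: this.nextId++, incidentSysId, payload,
      status: 'pending', attempts: 0, nextAttemptAt: 0,
      lastError: null, history: [],   // history doubles as the audit trail
    };
    this.rows.push(row);
    return row.id;
  }

  // Lease-style lock: an overlapping scheduled run or second worker is turned
  // away until the lease expires, which also recovers from a crashed holder.
  tryAcquireLock(owner) {
    const now = this.clock();
    if (this.lock && this.lock.owner !== owner && this.lock.expiresAt > now) return false;
    this.lock = { owner, expiresAt: now + LEASE_MS };
    return true;
  }

  releaseLock(owner) {
    if (this.lock && this.lock.owner === owner) this.lock = null;
  }

  // Scheduled-job side: deliver every due row through send(payload), which must
  // return { ok, status }. 5xx and network errors are retried with exponential
  // backoff; 4xx responses are terminal because retrying will not change them.
  drain(owner, send) {
    if (!this.tryAcquireLock(owner)) return { processed: 0, skipped: true };
    let processed = 0;
    try {
      for (const row of this.rows) {
        const now = this.clock();
        if (row.status !== 'pending' || row.nextAttemptAt > now) continue;
        row.attempts += 1;
        let result;
        try {
          result = send(row.payload);
        } catch (err) {
          result = { ok: false, status: 0, error: String(err) };  // network-level failure
        }
        row.history.push({ at: now, attempt: row.attempts, status: result.status });
        if (result.ok) {
          row.status = 'sent';
        } else if (result.status >= 400 && result.status < 500) {
          row.status = 'failed';
          row.lastError = 'terminal HTTP ' + result.status;
        } else if (row.attempts >= MAX_ATTEMPTS) {
          row.status = 'failed';
          row.lastError = 'gave up after ' + row.attempts + ' attempts';
        } else {
          row.nextAttemptAt = now + BASE_BACKOFF_MS * 2 ** (row.attempts - 1);
          row.lastError = result.error || 'HTTP ' + result.status;
        }
        processed += 1;
      }
    } finally {
      this.releaseLock(owner);
    }
    return { processed, skipped: false };
  }

  get(id) {
    return this.rows.find((r) => r.id === id);
  }
}

// Constructed scenario: a fake clock the caller advances and a fake Falcon
// endpoint that returns 503 twice for the first incident, 404 for the second,
// and 200 otherwise. Five scheduled runs are simulated 4s apart.
function runScenario() {
  let t = 0;
  const outbox = new WebhookOutbox(() => t);
  const calls = {};
  const fakeSend = (payload) => {
    calls[payload.number] = (calls[payload.number] || 0) + 1;
    if (payload.number === 'INC0010001' && calls[payload.number] <= 2) return { ok: false, status: 503 };
    if (payload.number === 'INC0010002') return { ok: false, status: 404 };
    return { ok: true, status: 200 };
  };
  const a = outbox.enqueue('sys_a', { number: 'INC0010001', state: 'In Progress' });
  const b = outbox.enqueue('sys_b', { number: 'INC0010002', state: 'Resolved' });
  const runs = [];
  for (let i = 0; i < 5; i += 1) {
    runs.push(outbox.drain('worker-1', fakeSend));
    t += 4000;
  }
  return { outbox, a, b, runs, calls };
}
```

In the scenario the first incident is delivered on the third run (two 503s, then 200), the second is marked failed after a single 404 without further retries, and the last two runs find nothing due. The lease lock is what lets a periodic validation job and the main drain coexist without double-delivering the same row, and the per-row history is the audit trail a responder would consult when a mirrored update never arrived in Falcon.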
Getting Started
Please see the documentation in the Falcon Console.
ITSM - Incident, Configuration Management