Threat Hunting · On-demand · 3 actions

CrowdStrike IOC Hunt Across Fleet

Search your entire CrowdStrike fleet for a specific Indicator of Compromise and report matches to Slack.

Integrates with: CrowdStrike Falcon, Slack

Overview

Given a hash, IP, domain, or URL, this playbook searches every endpoint in your CrowdStrike Falcon deployment for matching activity. It parses the results, extracts the devices that have seen the IOC, and posts a structured Slack report to your SecOps channel, turning a manual threat hunt into a one-click automation.

Who this is for: Threat hunters and tier-1 SOC analysts running CrowdStrike Falcon

Why automate this

When a new IOC comes in (from a threat intel feed, a partner alert, or a vendor advisory), the first question is always 'have we seen this?'. Manually searching the EDR takes minutes and requires query-language skills. This playbook lets any analyst get the answer in seconds.

How it works

  1. Accept the IOC (hash, IP, domain, or URL) as an input parameter

  2. Query the CrowdStrike Falcon IOC search API across the full fleet

  3. Parse the response and extract matching device IDs and timestamps

  4. Build a report showing affected hosts, observation times, and user context

  5. Post the report to the #secops Slack channel with actionable next steps
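The five steps above, as an added example that is not Structura.io's playbook code. It classifies the IOC, queries the EDR, parses the matches, builds the report, and posts it to Slack. The Falcon base URL, endpoint path, query parameter names and response shape are assumptions to be checked against the Falcon API reference for your cloud; the Slack webhook URL is a placeholder; and the sample response is constructed so the pipeline runs offline through an injectable `fetch` callable.

```python
"""IOC hunt pipeline in the shape of the playbook: classify, query, parse, report, post.
Added example, not the playbook's own code; endpoint, parameters and response
shape are assumptions, and SAMPLE_RESPONSE is constructed test data."""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable

# --- Step 1: accept and classify the IOC ----------------------------------
# Order matters: a URL is tried before a bare domain, an IPv4 address before
# a domain, and SHA-256 before MD5 so hex lengths are not confused.
IOC_PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)),
    ("md5",    re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)),
    ("url",    re.compile(r"^https?://\S+$", re.IGNORECASE)),
    ("ipv4",   re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)),
]

def classify_ioc(value: str) -> str:
    """Return the IOC type the search API should be asked for."""
    v = value.strip()
    for kind, pattern in IOC_PATTERNS:
        if pattern.match(v):
            return kind
    raise ValueError(f"unrecognised IOC format: {value!r}")

# --- Step 2: query the EDR across the fleet -------------------------------
# ASSUMPTION: base URL, path and parameter names are placeholders; confirm
# them against the Falcon API reference for your cloud region.
FALCON_BASE = "https://api.crowdstrike.com"

def _http_get_json(url: str, headers: dict) -> dict:
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def search_fleet(ioc: str, bearer_token: str,
                 fetch: Callable[[str, dict], dict] = _http_get_json) -> dict:
    """Ask the EDR which devices have seen the IOC. `fetch` is injectable so
    the pipeline can be exercised offline with a constructed response."""
    params = urllib.parse.urlencode({"type": classify_ioc(ioc), "value": ioc.strip()})
    url = f"{FALCON_BASE}/indicators/queries/devices/v1?{params}"
    return fetch(url, {"Authorization": f"Bearer {bearer_token}"})

# --- Step 3: parse matching devices ---------------------------------------
# ASSUMPTION: response shape. A real deployment may get only device IDs back
# and need a second details lookup to fill in hostname and user.
def parse_matches(response: dict) -> list:
    matches = []
    for r in response.get("resources", []):
        if not r.get("device_id"):          # malformed record: skip, don't crash
            continue
        matches.append({
            "device_id": r["device_id"],
            "hostname": r.get("hostname", "<unknown>"),
            "user": r.get("user_name", "<unknown>"),
            "last_seen": r.get("last_seen", ""),
        })
    # Freshest observation first so the most recently active host heads the list.
    return sorted(matches, key=lambda m: m["last_seen"], reverse=True)

# --- Step 4: build the report ---------------------------------------------
def build_report(ioc: str, matches: list) -> str:
    ioc_type = classify_ioc(ioc)
    if not matches:
        return f":white_check_mark: IOC hunt `{ioc}` ({ioc_type}): no matching hosts."
    lines = [f":rotating_light: IOC hunt `{ioc}` ({ioc_type}): {len(matches)} host(s) matched"]
    for m in matches:
        lines.append(f"• {m['hostname']} ({m['device_id']}) user={m['user']} last_seen={m['last_seen']}")
    lines.append("Next steps: isolate affected hosts, pull process history, open a ticket.")
    return "\n".join(lines)

# --- Step 5: post to the #secops channel ----------------------------------
SLACK_WEBHOOK = "https://hooks.slack.com/services/REPLACE/WITH/WEBHOOK"  # placeholder

def post_to_slack(text: str, webhook: str = SLACK_WEBHOOK) -> None:
    body = json.dumps({"text": text}).encode()
    req = urllib.request.Request(webhook, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30):
        pass

def hunt(ioc: str, bearer_token: str, fetch: Callable[[str, dict], dict] = _http_get_json) -> str:
    """Run steps 1-4 and return the report text; the caller decides whether to post it."""
    return build_report(ioc, parse_matches(search_fleet(ioc, bearer_token, fetch)))

# Constructed sample response for an offline dry run (not real telemetry).
SAMPLE_RESPONSE = {"resources": [
    {"device_id": "a1b2c3", "hostname": "SRV-01",  "user_name": "svc-backup", "last_seen": "2024-05-01T08:12:00Z"},
    {"device_id": "d4e5f6", "hostname": "WS-0422", "user_name": "jdoe",       "last_seen": "2024-05-02T17:45:00Z"},
    {"hostname": "orphan-record"},   # no device_id: exercised the skip path
]}

def fake_fetch(url: str, headers: dict) -> dict:
    """Stand-in for the HTTP call so the pipeline runs without network or credentials."""
    return SAMPLE_RESPONSE

if __name__ == "__main__":
    print(hunt("evil.example.com", "dummy-token", fetch=fake_fetch))
```

In production, swap `fake_fetch` for the default `_http_get_json` and wrap the returned report in `post_to_slack`; keeping the report builder pure makes every hunt's output reproducible from the stored API response, which is what gives you the searchable audit history listed under Impact.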

Impact

  • Reduces IOC hunt time from minutes to seconds

  • Democratizes threat hunting, with no KQL or SPL knowledge required

  • Standardizes the report format across the entire SOC

  • Creates a searchable history of IOC hunts for audit

Bring this playbook into your SOC

See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.
