Creating BMC Helix Business Workflows cases from CrowdStrike cases by using Jitterbit Harmony

BMC Helix iPaaS, powered by Jitterbit, provides a prebuilt integration template that creates a case (security incident) in BMC Helix Business Workflows from a CrowdStrike case that was created for an asset vulnerability.

For more information about BMC Helix Business Workflows cases, see Creating and managing security cases in the BMC Helix Business Workflows documentation.

To use the integration template with the values defined out of the box, update the project variables with details of your systems and deploy the integration template. 

The template provides the following capabilities:

Use case: Create cases (security incidents)
  CrowdStrike to BMC Helix Business Workflows: Creates a BMC Helix Business Workflows case (security incident) from a new CrowdStrike case that was created from an alert. The asset section of the BMC Helix Business Workflows case (security incident) shows the details of the asset for which the CrowdStrike case is created.
  BMC Helix Business Workflows to CrowdStrike: NA

Use case: Update cases (security incidents)
  CrowdStrike to BMC Helix Business Workflows: Updates a BMC Helix Business Workflows case (security incident) when the status or description of the CrowdStrike case is updated.
  BMC Helix Business Workflows to CrowdStrike: NA

Use case: Synchronize activity notes or attachments
  CrowdStrike to BMC Helix Business Workflows: Synchronizes an activity note and an attachment from a CrowdStrike case to the corresponding BMC Helix Business Workflows case (security incident). Important: Only the attachments that are added directly to a CrowdStrike case are added to the corresponding BMC Helix Business Workflows case (security incident).
  BMC Helix Business Workflows to CrowdStrike: Adds an activity note in a CrowdStrike case when the corresponding BMC Helix Business Workflows case (security incident) is closed.

Use case: Synchronize statuses
  CrowdStrike to BMC Helix Business Workflows: Synchronizes the status of a CrowdStrike case with the status of a BMC Helix Business Workflows case (security incident).
  BMC Helix Business Workflows to CrowdStrike: NA

CrowdStrike to BMC Helix Business Workflows data flows

The following image shows an overview of the data flow for creating a BMC Helix Business Workflows case (security incident) from a CrowdStrike case:

The following image shows an overview of the data flow for updating a BMC Helix Business Workflows security incident from a CrowdStrike case:

The following image shows an overview of the data flow for adding an activity note or an attachment in a BMC Helix Business Workflows security incident from a CrowdStrike case:

BMC Helix Business Workflows to CrowdStrike data flow

The following image shows an overview of the data flow for adding an activity note in a CrowdStrike case when a BMC Helix Business Workflows case (security incident) is closed:

Before you begin

You require the following items to successfully set up and use this integration: 

Required versions
  • BMC Helix Business Workflows 23.3 and later
  • CrowdStrike Raptor
Authentication and permissions
  • BMC Helix Business Workflows
    • Administrator permission to enable the integration
    • Case agent, case manager, or case business analyst permission after the integration is enabled
  • CrowdStrike
    • Message Center scope: Read permission; Write permission is also required, because the template adds activity notes to CrowdStrike cases
    • Alerts scope: Read permission
    • Incidents scope: Read permission
    • User Management scope: Read permission
Subscription

A valid BMC Helix iPaaS subscription

Application registration

Create a CrowdStrike API client and generate its client ID and client secret. Grant the API client only the scopes listed above; the template needs no other permissions.

Others

Make sure that the asset information is available in BMC Helix CMDB; the asset section of the BMC Helix Business Workflows case (security incident) is populated from it.

For steps to add the asset information, see Importing data into BMC Helix CMDB using discovery tools and Atrium Integrator in the BMC Helix CMDB documentation.

Out-of-the-box status mappings

The following table lists the out-of-the-box status mappings between a CrowdStrike case and a BMC Helix Business Workflows case (security incident):

  BMC Helix Business Workflows case (security incident) status | CrowdStrike case status                  | CrowdStrike ID
  Pending                                                      | Waiting for response (your organization) | 1
  Pending                                                      | Waiting for review (CrowdStrike)         | 2
  Closed                                                       | Closed (resolved)                        | 3
  Closed                                                       | Closed (unresolved)                      | 4

Task 1: To download and import the integration template project file

  1. Download the Sync CrowdStrike Case in Helix Business WorkFlows Security Incident Case 2023-11-01 file to your system.
    This file contains the BMC Helix iPaaS Cloud Studio project Sync CrowdStrike Case in Helix Business WorkFlows Security Incident Case.

    Important

    Your ability to access product pages on the EPD website is determined by the license your company purchased.

  2. As a developer, log in to BMC Helix iPaaS and navigate to the Cloud Studio.
  3. On the projects page, click Import.
  4. Click Browse and then select the Sync CrowdStrike Case in Helix Business WorkFlows Security Incident Case 2023-11-01 file you downloaded. 
    The Project Name and Organization fields are automatically populated depending on the values defined. 
  5. From the Environment list, select the environment to which you want to import this integration template, and click Import.
    The project opens after the integration template is imported. 
  6. To open the project file at a later time, select the environment where the integration templates are available, select the Sync CrowdStrike Case in Helix Business WorkFlows Security Incident Case project and click View/Edit.

Task 2: To update the project variables for the integration template

  1. Next to the Environment name, click the ellipsis ... and select Project Variables.
  2. Update the following project variables:

    Project variables and the action for each:

    BMC Helix iPaaS, powered by Jitterbit

    (Mandatory) BHIP_API_Name
      The integration template creates an API in the BMC Helix iPaaS API Manager to handle requests from these applications. Enter a prefix for the name of the APIs created in the BMC Helix iPaaS API Manager; for example, enter CSToBWF as the prefix for the API name.

    (Optional) BHIP_API_User_Roles
      Enter comma-separated values of the user roles that are allowed to call the BMC Helix iPaaS API. Only a user with one of these roles can access the APIs. Leave this value blank to restrict access to administrators only.

    (Mandatory) BHIP_URL
      Enter the URL to access BMC Helix iPaaS; for example, https://bmchelix.apps.na-east.jitterbit.com/.

    (Mandatory) BHIP_User_Name
      Enter the user ID to access BMC Helix iPaaS.

    (Mandatory) BHIP_User_Password
      Enter the password of the user to access BMC Helix iPaaS.

    BMC Helix Business Workflows

    (Mandatory) BHIP_BWF_API_Profile_User_Name
      For security profile type BASIC, enter the user name to be used to create the security profile. The Jitterbit API and the Webhook API use this user name for authentication while accessing BMC Helix Business Workflows.

    (Mandatory) BHIP_BWF_API_Profile_User_Password
      For security profile type BASIC, enter the password for the security profile. The Jitterbit API and the Webhook API use this password for authentication while accessing BMC Helix Business Workflows.

    (Mandatory) BWF_Business_Unit
      Enter the BMC Helix Business Workflows support organization for which a case (security incident) should be created.

    (Mandatory) BWF_Assigned_Company
      Enter the BMC Helix Business Workflows company for which a case (security incident) should be created.

    (Mandatory) BWF_Requester
      Enter the name of the requester on whose behalf a BMC Helix Business Workflows case (security incident) is created.

    (Mandatory) BWF_URL
      Enter the URL to access BMC Helix Business Workflows; for example, https://koko-is-dev.aus-ranchpdvm.bmc.com.

    (Mandatory) BWF_UserName
      Enter the user name to access BMC Helix Business Workflows.

    (Mandatory) BWF_User_Password
      Enter the password for the user name to access BMC Helix Business Workflows.

    CrowdStrike

    (Mandatory) CrowdStrike_API_URL
      Enter the base URL of the CrowdStrike API for the cloud in which your instance runs; for example, https://api.us-2.crowdstrike.com.

    (Mandatory) CrowdStrike_Client_ID
      Enter the client ID that you generated in the prerequisite step.

    (Mandatory) CrowdStrike_Client_Secret
      Enter the client secret that you generated in the prerequisite step. The CrowdStrike console shows the secret only once, when the API client is created; if it is lost, generate a new one.

    (Mandatory) CrowdStrike_User_Mail
      Enter the email address of the CrowdStrike user as whom the integration adds activity notes to CrowdStrike cases.

Task 3: To deploy and enable the project

Deployment is a one-time activity that initializes the integration configurations. The UI displays a message for the deployment status.

To deploy the project and then enable the integration:

  1. To deploy the project, next to the project name, click the ellipsis ..., and select Deploy Project.
  2. To enable the integration, in the Enable Integrations workflow, click the ellipsis ... next to the Enable Integration operation, and select Run.

The following image shows the steps to deploy the project and enable it by running the operation:

Task 4: To get the API URL for CrowdStrike

Get the CrowdStrike API URL from the integration template and use it to configure your CrowdStrike environment. 

To get the URL, perform the following steps:

  1. Log in to BMC Helix iPaaS and navigate to Cloud Studio.
  2. Open the integration template.
  3. Next to the project name, click the ellipsis ..., and then click View Logs.
  4. Expand Enable Integrations and click BHIP Publish API.
    The API URL is displayed.

(Optional) Task 5: To set the time for API debug mode

By default, debug mode stays enabled for 2 hours after you run the integration, and debug logs are written only while debug mode is enabled. Leave debug mode enabled only for as long as you are troubleshooting. To extend the time for debug mode, perform the following steps:

  1. In BMC Helix iPaaS, select API Manager > My APIs.
  2. Open the API created for the integration. 
    The API name is the value defined in the BHIP_API_Name project variable.
  3. Select Enable Debug Mode Until: and set it for the required date and time.
  4. Save and publish the API.

Workflows included in the integration template

The following workflows are defined as a part of the integration template. Refer to the following details for an overview of the tasks defined in the workflow operations and configurations defined within each workflow.

1.0 Common

This workflow defines the basic operations.

Operation name and actions performed:
  1.0 Parse JSON: Converts a JSON object in text format to a JavaScript object.
  1.1 Status Mapping: Maps the status of a CrowdStrike case to the status of a BMC Helix Business Workflows case (security incident) by using the out-of-the-box status mappings.
  1.2 Validate HTTP Status Code: Validates the HTTP status code returned by the webhook operations.
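The three Common operations above, together with the out-of-the-box status mappings and the rule that a BMC Helix Business Workflows case is updated when the CrowdStrike status or description changes, as an added example in Python. This is not code from the BMC template; the CrowdStrike case JSON is constructed, and its field names (id, status, description) are assumptions, not the CrowdStrike API schema.

```python
"""Worked version of the template's 1.0 Common workflow: parse JSON, map the
CrowdStrike status ID to a BMC Helix Business Workflows (BWF) case status,
validate an HTTP status code, and decide which fields an update must push.

Added example, not code from the BMC template. The sample CrowdStrike case
below is constructed; its field names are assumptions.
"""
import json

# Out-of-the-box mapping from the page:
# CrowdStrike status ID -> (CrowdStrike status label, BWF case status)
STATUS_MAP = {
    1: ("Waiting for response (your organization)", "Pending"),
    2: ("Waiting for review (CrowdStrike)", "Pending"),
    3: ("Closed (resolved)", "Closed"),
    4: ("Closed (unresolved)", "Closed"),
}


class IntegrationError(Exception):
    """Raised when an operation must stop the workflow."""


def parse_json(text):
    """1.0 Parse JSON: text -> object, rejecting anything that is not a JSON object."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        raise IntegrationError(f"payload is not valid JSON: {exc.msg}") from None
    if not isinstance(obj, dict):
        raise IntegrationError("payload must be a JSON object")
    return obj


def map_status(cs_status_id):
    """1.1 Status Mapping: CrowdStrike status ID -> BWF case status.

    An unmapped ID fails loudly instead of silently leaving the BWF case as is.
    """
    try:
        return STATUS_MAP[int(cs_status_id)][1]
    except (KeyError, TypeError, ValueError):
        raise IntegrationError(
            f"no mapping for CrowdStrike status {cs_status_id!r}") from None


def validate_http_status(status, allowed=(200, 201, 204)):
    """1.2 Validate HTTP Status Code: separate credential/scope failures from
    other errors so the operator looks at the right place first."""
    if status in allowed:
        return True
    if status in (401, 403):
        raise IntegrationError(
            f"HTTP {status}: credentials rejected; check the project variables "
            "and the scopes granted to the CrowdStrike API client")
    raise IntegrationError(f"HTTP {status}: request failed")


def plan_bwf_update(cs_case, bwf_case):
    """Return the fields to push to the BWF case. Per the capabilities table,
    an update is needed only when the CrowdStrike status or description
    changed; an empty dict means no update call at all."""
    changes = {}
    new_status = map_status(cs_case["status"])
    if new_status != bwf_case["status"]:
        changes["status"] = new_status
    if cs_case.get("description", "") != bwf_case.get("description", ""):
        changes["description"] = cs_case.get("description", "")
    return changes


# Constructed sample: a CrowdStrike case update as it would arrive as text,
# and the BWF case that was created from that CrowdStrike case earlier.
SAMPLE_CS_CASE_JSON = json.dumps({
    "id": "case-0001",
    "status": 3,
    "description": "Host patched; vulnerability no longer detected",
})
SAMPLE_BWF_CASE = {
    "status": "Pending",
    "description": "Critical vulnerability on host",
    "crowdstrike_case_id": "case-0001",
}

if __name__ == "__main__":
    validate_http_status(200)
    cs_case = parse_json(SAMPLE_CS_CASE_JSON)
    print(plan_bwf_update(cs_case, SAMPLE_BWF_CASE))
```

Both closed CrowdStrike statuses (IDs 3 and 4) collapse to the single BWF status Closed, so a case that moves from "Closed (resolved)" to "Closed (unresolved)" produces no status change on the BWF side; only its description, if it changed, is pushed.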

2.0 Enable Disable Integration

This workflow defines the operations for enabling and disabling the integration.

Operation name and actions performed:
  2.0 Enable Integrations: Sets up the variables required for the integration.
  2.1 Disable Integrations: Deletes all the APIs and webhooks. Run this operation before you switch to an upgraded version of this integration template so that you do not have to delete the APIs and webhooks manually.

3.0 BHIP operations

This workflow defines the operations required to enable the integration after all the required project configurations are completed. 

Operation name and actions performed:
  3.0 BHIP Operations: Initiates the operations in the workflow.
  3.1 BHIP Login: Logs in to BMC Helix iPaaS by using the BMC Helix iPaaS credentials provided in the project variables.
  3.2 BHIP Get API Details: Lists all the API details in the environment.
  3.3 BHIP Delete API: Deletes existing APIs or security profiles, if required.
  3.4 BHIP Delete API Profile: Deletes existing security profiles, if required.
  3.5 BHIP Create API Profile: Creates the security profiles and REST APIs in BMC Helix iPaaS.
  3.6 BHIP Get Operation ID: Verifies whether an operation ID exists for the integration.
  3.7 BHIP Get User Roles: Verifies the roles of the users accessing BMC Helix iPaaS.
  3.8 BHIP Create API: Creates the API configuration in BMC Helix iPaaS.
  3.9 BHIP Publish API: Publishes the API configuration to BMC Helix iPaaS.

4.0 BWF webhook

This workflow defines the operations for BMC Helix Business Workflows webhook.

Operation name and actions performed:
  4.0 BWF Webhook Operations: Initiates the webhook operations based on the operations performed.
  4.1 BWF - Get Existing Webhooks: Gets the existing BMC Helix Business Workflows webhooks.
  4.2 BWF Delete Webhook: If a duplicate webhook exists, deletes that webhook.
  4.3 BWF Register Webhook: Registers the webhook with BMC Helix Business Workflows.

5.0 BWF Workflows

This workflow defines the operations for a BMC Helix Business Workflows case (security incident).

Operation name and actions performed:
  5.0 BWF Driver: Enables the required BMC Helix Business Workflows drivers for the integration.
  5.1 BWF Login: Logs in to BMC Helix Business Workflows by using the credentials provided in the project variables.
  5.2 Attach to a BWF case: Adds an attachment from a CrowdStrike case to a BMC Helix Business Workflows case (security incident).
  5.4 Create a BWF case: Creates a case (security incident) in BMC Helix Business Workflows.
  5.5 Update BWF case status: Updates the status of a BMC Helix Business Workflows case (security incident) when the status of the corresponding CrowdStrike case is updated.
  5.6 Get BWF case Using crowd Strike ID: Gets the BMC Helix Business Workflows case (security incident) by using the CrowdStrike case ID.
  5.7 BWF Case - Add Activity Notes: Adds an activity note to a BMC Helix Business Workflows case (security incident) when an activity note is added to the corresponding CrowdStrike case.
  5.8 Update BWF Case: Updates a BMC Helix Business Workflows case (security incident) when the status or description of the corresponding CrowdStrike case is updated.

6.0 CrowdStrike Workflows

This workflow defines the operations for a CrowdStrike case.

Operation name and actions performed:
  6.0 CrowdStrike Controller: Enables all the API entry points by using the details provided in the project variables for CrowdStrike.
  6.1 CrowdStrike Login - Get Bearer Token: Obtains a bearer token from CrowdStrike by using the client ID and client secret provided in the project variables; the other CrowdStrike operations send this token.
  6.2 CrowdStrike Get UUID by Mail: Gets the unique user ID of the CrowdStrike user whose email address is set in CrowdStrike_User_Mail.
  6.3 CrowdStrike Post Activity: Adds an activity note to a CrowdStrike case.
  6.4 CrowdStrike Get Alert By Id: Gets the CrowdStrike alert by using the alert ID.
  6.5 CrowdStrike Get Case By ID: Gets the CrowdStrike case by using the case ID.
  6.6 CrowdStrike Get Detection By ID: Gets the asset vulnerability (detection) details for the CrowdStrike case.
  6.7 CrowdStrike Get Incident By ID: Gets the CrowdStrike incident by using the incident ID.
  6.8 CrowdStrike - Process Attachments: Processes the attachments added to a CrowdStrike case.
  6.9 CrowdStrike Get Attachments by ID: Gets an attachment by its ID when multiple attachments are added to a CrowdStrike case.
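Operation 6.1 is the step that turns the CrowdStrike_API_URL, CrowdStrike_Client_ID and CrowdStrike_Client_Secret project variables into a bearer token that the other CrowdStrike operations send. The following is an added example in Python of that client-credentials exchange with token caching; it is not code from the BMC template. It uses CrowdStrike's documented OAuth2 endpoint, POST {CrowdStrike_API_URL}/oauth2/token with form-encoded client_id and client_secret, whose JSON response carries access_token and expires_in. The transport and clock parameters are hypothetical injection points so that the example runs offline against a constructed stand-in for the endpoint; the API path used in the usage call is a placeholder, not a real CrowdStrike route.

```python
"""Client-credentials login against the CrowdStrike OAuth2 endpoint with
token caching: the bearer token is fetched once, reused until shortly before
it expires, and never logged together with the client secret.

Added example, not code from the BMC template. `transport` and `clock` are
hypothetical injection points so the code runs offline; `make_fake_transport`
is a constructed stand-in for the real endpoint.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(req):
    """Real transport: send the request, return (HTTP status, body bytes)."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


class CrowdStrikeAuth:
    # Refresh this many seconds before expiry so that a call that is in
    # flight never carries a token that expires mid-request.
    REFRESH_MARGIN = 60

    def __init__(self, api_url, client_id, client_secret,
                 transport=urllib_transport, clock=time.time):
        self.api_url = api_url.rstrip("/")
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0  # how many times the secret went over the wire

    def __repr__(self):
        # Keep the secret and the token out of logs and debugger output.
        return f"CrowdStrikeAuth(api_url={self.api_url!r}, client_id={self._client_id!r})"

    def token(self):
        """Return a cached bearer token, fetching a new one when it is missing
        or within REFRESH_MARGIN seconds of expiry."""
        if self._token is None or self._clock() >= self._expires_at - self.REFRESH_MARGIN:
            self._fetch_token()
        return self._token

    def _fetch_token(self):
        body = urllib.parse.urlencode({
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        }).encode()
        req = urllib.request.Request(
            self.api_url + "/oauth2/token", data=body, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "application/json"})
        self.token_requests += 1
        status, raw = self._transport(req)
        if status not in (200, 201):
            # Terse on purpose: do not echo the response or the request body.
            raise PermissionError(f"CrowdStrike token request failed with HTTP {status}")
        payload = json.loads(raw)
        self._token = payload["access_token"]
        self._expires_at = self._clock() + int(payload.get("expires_in", 0))

    def request(self, method, path, body=None):
        """Build an authenticated request for a CrowdStrike API path."""
        data = json.dumps(body).encode() if body is not None else None
        headers = {"Authorization": f"Bearer {self.token()}",
                   "Accept": "application/json"}
        if data is not None:
            headers["Content-Type"] = "application/json"
        return urllib.request.Request(self.api_url + path, data=data,
                                      method=method, headers=headers)


def make_fake_transport(expected_secret="s3cret"):
    """Constructed offline stand-in for /oauth2/token: rejects a wrong secret
    with 401 and otherwise answers like the real endpoint, with a fresh token
    on every call so that refreshes are observable."""
    issued = []

    def transport(req):
        fields = urllib.parse.parse_qs(req.data.decode())
        if fields.get("client_secret", [""])[0] != expected_secret:
            return 401, b'{"errors":[{"code":401,"message":"access denied"}]}'
        issued.append(f"tok-{len(issued) + 1}")
        return 201, json.dumps({"access_token": issued[-1], "token_type": "bearer",
                                "expires_in": 1799}).encode()
    return transport


if __name__ == "__main__":
    auth = CrowdStrikeAuth("https://api.us-2.crowdstrike.com", "client-id", "s3cret",
                           transport=make_fake_transport())
    req = auth.request("GET", "/example/entities/v1?ids=abc")  # placeholder path
    print(auth, req.get_header("Authorization"), auth.token_requests)
```

With the default expires_in of 1799 seconds and a 60-second margin, a long-running integration re-sends the secret roughly every 29 minutes rather than on every call, which keeps both the credential exposure and the API client's token-endpoint traffic low.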
