Creating BMC Helix Business Workflows cases from CrowdStrike cases by using Jitterbit Harmony


BMC Helix iPaaS, powered by Jitterbit, provides a prebuilt integration template that enables you to create a case (security incident) in BMC Helix Business Workflows from a CrowdStrike case that was created for asset vulnerabilities.

For more information about the BMC Helix Business Workflows cases, see Creating and managing cases in the official BMC Helix Business Workflows documentation.

To use the integration template with the values defined out of the box, update the project variables with details of your systems and deploy the integration template. 

The template provides the following capabilities:

Create cases (security incidents)
  • CrowdStrike to BMC Helix Business Workflows: Creates a BMC Helix Business Workflows case (security incident) from a new CrowdStrike case that was created from an alert. The asset section of the BMC Helix Business Workflows case (security incident) shows the details of the asset for which the CrowdStrike case is created.
  • BMC Helix Business Workflows to CrowdStrike: NA

Update cases (security incidents)
  • CrowdStrike to BMC Helix Business Workflows: Updates a BMC Helix Business Workflows case (security incident) when a CrowdStrike case status or description is updated.
  • BMC Helix Business Workflows to CrowdStrike: NA

Synchronize activity notes or attachments
  • CrowdStrike to BMC Helix Business Workflows: Synchronizes an activity note and an attachment from a CrowdStrike case to the corresponding BMC Helix Business Workflows case (security incident). Important: Only the attachments that are added directly to a CrowdStrike case are added to the corresponding BMC Helix Business Workflows case (security incident).
  • BMC Helix Business Workflows to CrowdStrike: Adds an activity note in a CrowdStrike case when the corresponding BMC Helix Business Workflows case (security incident) is closed.

Synchronize statuses
  • CrowdStrike to BMC Helix Business Workflows: Synchronizes the status of a CrowdStrike case with the status of a BMC Helix Business Workflows case (security incident).
  • BMC Helix Business Workflows to CrowdStrike: NA

CrowdStrike to BMC Helix Business Workflows data flows

The following image shows an overview of the data flow for creating a BMC Helix Business Workflows case (security incident) from a CrowdStrike case:

[Image: 233_CS_BWF_createincident.png (data flow for creating a security incident from a CrowdStrike case)]

The following image shows an overview of the data flow for updating a BMC Helix Business Workflows security incident from a CrowdStrike case:

[Image: 233_CS_BWF_updateincident.png (data flow for updating a security incident from a CrowdStrike case)]

The following image shows an overview of the data flow for adding an activity note or an attachment in a BMC Helix Business Workflows security incident from a CrowdStrike case:

[Image: 233_BWF_CS_addnoteorattachmenttoBWF.png (data flow for adding an activity note or attachment to a security incident)]

BMC Helix Business Workflows to CrowdStrike data flow

The following image shows an overview of the data flow for adding an activity note in a CrowdStrike case when a BMC Helix Business Workflows case (security incident) is closed:

[Image: 233_BWF_CS_addnotetoCS.png (data flow for adding an activity note to a CrowdStrike case on closure)]

Before you begin

You require the following items to successfully set up and use this integration: 

Required versions

  • BMC Helix Business Workflows 23.3 and later
  • CrowdStrike Raptor

Authentication and permissions

  • BMC Helix Business Workflows
    • Administrator permission to enable the integration
    • Case agent, case manager, or case business analyst permission after the integration is enabled
  • CrowdStrike
    • Message Center scope—Read or Write permission
    • Alerts scope—Read permission
    • Incidents scope—Read permission
    • User Management—Read permission

Subscription

A valid BMC Helix iPaaS subscription

Application registration

Generate the client ID and client secret values for CrowdStrike

Others

Add the asset information to BMC Helix CMDB; the asset section of the security incident is populated from it.

For steps to add the asset information, see Importing data into BMC Helix CMDB using discovery tools and Atrium Integrator in the online BMC Helix CMDB documentation.

Out-of-the-box status mappings

The following list gives the out-of-the-box status mappings between a CrowdStrike case and a BMC Helix Business Workflows case (security incident). Each entry shows the CrowdStrike ID, the CrowdStrike case status, and the BMC Helix Business Workflows case (security incident) status it maps to:

  • CrowdStrike ID 1: Waiting for response (your organization) maps to Pending
  • CrowdStrike ID 2: Waiting for review (CrowdStrike) maps to Pending
  • CrowdStrike ID 3: Closed (resolved) maps to Closed
  • CrowdStrike ID 4: Closed (unresolved) maps to Closed
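The mapping above is many-to-one: two CrowdStrike statuses collapse into Pending and two into Closed, which is why the template synchronizes status only from CrowdStrike to BMC Helix Business Workflows. The following Python module is an added example (not code from the integration template or from BMC); it encodes the table as data, rejects unmapped IDs instead of defaulting, and exposes the reverse lookup so the non-invertibility is visible. Function names and the sample events are assumptions made for illustration.

```python
"""Status mapping helper modelled on the out-of-the-box mapping table.

Added example; not part of the BMC Helix iPaaS integration template.
Function names and the event shape are illustrative assumptions.
"""
from typing import Dict, List, Optional, Tuple

# CrowdStrike ID -> (CrowdStrike case status, BMC Helix Business Workflows status),
# copied from the out-of-the-box mapping list on this page.
STATUS_MAP: Dict[int, Tuple[str, str]] = {
    1: ("Waiting for response (your organization)", "Pending"),
    2: ("Waiting for review (CrowdStrike)", "Pending"),
    3: ("Closed (resolved)", "Closed"),
    4: ("Closed (unresolved)", "Closed"),
}


def bwf_status_for(crowdstrike_id: int) -> str:
    """Return the BMC Helix Business Workflows status for a CrowdStrike status ID.

    Unknown IDs raise rather than silently defaulting, so that a CrowdStrike
    status introduced after the template was built cannot move a security
    incident into an unintended state.
    """
    try:
        return STATUS_MAP[int(crowdstrike_id)][1]
    except (KeyError, ValueError, TypeError):
        raise ValueError(f"unmapped CrowdStrike status ID: {crowdstrike_id!r}")


def crowdstrike_ids_for(bwf_status: str) -> List[int]:
    """All CrowdStrike IDs that map onto one BWF status.

    Returns more than one ID for both 'Pending' and 'Closed', which shows why
    a BWF status alone is not enough to pick a CrowdStrike status.
    """
    return sorted(cs_id for cs_id, (_, status) in STATUS_MAP.items()
                  if status == bwf_status)


def apply_status_update(event: dict) -> Optional[str]:
    """Process a constructed CrowdStrike case-update event.

    Returns the new BWF status, or None when the event carries no status
    change (for example, only the description changed).
    """
    if "status" not in event:
        return None
    return bwf_status_for(event["status"])


# Constructed sample events (assumed shape, not real CrowdStrike payloads).
SAMPLE_EVENTS = [
    {"case_id": "CS-0001", "status": 1},
    {"case_id": "CS-0001", "status": 3},
    {"case_id": "CS-0002", "description": "updated text only"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["case_id"], "->", apply_status_update(ev))
```

Keeping the table as data rather than as a chain of conditions makes a template upgrade a one-line change and lets the unmapped-ID failure surface in the operation log instead of as a silently wrong case status.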

Task 1: To download and import the integration template project file

  1. Download the Sync CrowdStrike Case in Helix Business WorkFlows Security Incident Case 2023-11-01 file to your system.
    This file contains the BMC Helix iPaaS Cloud Studio project Sync CrowdStrike Case in Helix Business WorkFlows Security Incident Case.

    Important

    Your ability to access product pages on the EPD website is determined by the license your company purchased.

  2. As a developer, log in to BMC Helix iPaaS and navigate to the Cloud Studio.
  3. On the projects page, click Import.
  4. Click Browse and then select the Sync CrowdStrike Case in Helix Business WorkFlows Security Incident Case 2023-11-01 file you downloaded. 
    The Project Name and Organization fields are automatically populated depending on the values defined. 
  5. From the Environment list, select the environment to which you want to import this integration template, and click Import.
    The project opens after the integration template is imported. 
  6. To open the project file at a later time, select the environment where the integration templates are available, select the Sync CrowdStrike Case in Helix Business WorkFlows Security Incident Case project, and click View/Edit.

Task 2: To update the project variables for the integration template

  1. Next to the Environment name, click the ellipsis ... and select Project Variables.
  2. Update the following project variables:

    BMC Helix iPaaS, powered by Jitterbit

    • (Mandatory) BHIP_API_Name: The integration template creates an API for BMC Helix iPaaS in the BMC Helix iPaaS API Manager to handle requests from the integrated applications. Enter a prefix for the name of the APIs created in the BMC Helix iPaaS API Manager; for example, enter CSToBWF as the prefix for the API name.
    • (Optional) BHIP_API_User_Roles: Enter comma-separated values of the user roles assigned for the BMC Helix iPaaS API. Only a user with these roles can access the APIs. Leave this value blank to restrict access to administrators only.
    • (Mandatory) BHIP_URL: Enter the URL to access BMC Helix iPaaS; for example, https://bmchelix.apps.na-east.jitterbit.com/.
    • (Mandatory) BHIP_User_Name: Enter the user ID to access BMC Helix iPaaS.
    • (Mandatory) BHIP_User_Password: Enter the password of the user to access BMC Helix iPaaS.

    BMC Helix Business Workflows

    • (Mandatory) BHIP_BWF_API_Profile_User_Name: For security profile type BASIC, enter the user name to be used to create the security profile. The Jitterbit API and the Webhook API use this user name for authentication while accessing BMC Helix Business Workflows.
    • (Mandatory) BHIP_BWF_API_Profile_User_Password: For security profile type BASIC, enter the password for the security profile created. The Jitterbit API and the Webhook API use this password for authentication while accessing BMC Helix Business Workflows.
    • (Mandatory) BWF_Business_Unit: Enter the BMC Helix Business Workflows support organization for which a case (security incident) should be created.
    • (Mandatory) BWF_Assigned_Company: Enter the BMC Helix Business Workflows company for which a case (security incident) should be created.
    • (Mandatory) BWF_Requester: Enter the name of the requester who requested to create a BMC Helix Business Workflows case (security incident).
    • (Mandatory) BWF_URL: Enter the URL to access BMC Helix Business Workflows; for example, https://koko-is-dev.aus-ranchpdvm.bmc.com.
    • (Mandatory) BWF_UserName: Enter the user name to access BMC Helix Business Workflows.
    • (Mandatory) BWF_User_Password: Enter the password for the user name to access BMC Helix Business Workflows.

    CrowdStrike

    • (Mandatory) CrowdStrike_API_URL: Enter the URL for the CrowdStrike instance that you are using; for example, https://api.us-2.crowdstrike.com.
    • (Mandatory) CrowdStrike_Client_ID: Enter the client ID that you generated as a prerequisite step.
    • (Mandatory) CrowdStrike_Client_Secret: Enter the client secret that you generated as a prerequisite step.
    • (Mandatory) CrowdStrike_User_Mail: Enter the email address of the CrowdStrike user who adds activity notes.
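A blank mandatory variable or a non-HTTPS URL is usually discovered only after deployment, when the Enable Integrations operation fails. The following Python check is an added example (not part of the integration template or of BMC Helix iPaaS); it takes the variable names from the list above, verifies that every mandatory value is set, that the three URL variables use https:// and carry a host, and parses BHIP_API_User_Roles the way the documentation describes (blank means administrators only). The sample values are constructed placeholders.

```python
"""Pre-deployment check for the project variables listed on this page.

Added example; not part of the integration template or of BMC Helix iPaaS.
Variable names are the ones documented above; sample values are constructed.
"""
from typing import Dict, List
from urllib.parse import urlsplit

# Mandatory variables, as marked in the project-variable list above.
MANDATORY = [
    "BHIP_API_Name", "BHIP_URL", "BHIP_User_Name", "BHIP_User_Password",
    "BHIP_BWF_API_Profile_User_Name", "BHIP_BWF_API_Profile_User_Password",
    "BWF_Business_Unit", "BWF_Assigned_Company", "BWF_Requester",
    "BWF_URL", "BWF_UserName", "BWF_User_Password",
    "CrowdStrike_API_URL", "CrowdStrike_Client_ID", "CrowdStrike_Client_Secret",
    "CrowdStrike_User_Mail",
]
# Variables that must hold a URL; credentials travel over these, so require https.
URL_VARS = ["BHIP_URL", "BWF_URL", "CrowdStrike_API_URL"]


def api_user_roles(value: str) -> List[str]:
    """Parse the comma-separated BHIP_API_User_Roles value.

    An empty list means the APIs are restricted to administrators, which is
    the documented behaviour when the variable is left blank.
    """
    return [r.strip() for r in value.split(",") if r.strip()]


def check_project_variables(vars_: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the variables are usable."""
    problems: List[str] = []
    for name in MANDATORY:
        if not vars_.get(name, "").strip():
            problems.append(f"{name}: mandatory variable is missing or blank")
    for name in URL_VARS:
        value = vars_.get(name, "").strip()
        if not value:
            continue  # already reported as missing above
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name}: expected an https:// URL with a host, got {value!r}")
    mail = vars_.get("CrowdStrike_User_Mail", "").strip()
    if mail and ("@" not in mail or mail.startswith("@") or mail.endswith("@")):
        problems.append("CrowdStrike_User_Mail: does not look like an email address")
    return problems


# Constructed sample values; the two example URLs are the ones quoted on this
# page, every other value is a placeholder and not a real account or host.
SAMPLE_VARS = {
    "BHIP_API_Name": "CSToBWF",
    "BHIP_API_User_Roles": "",
    "BHIP_URL": "https://bmchelix.apps.na-east.jitterbit.com/",
    "BHIP_User_Name": "bhip-integration-user",
    "BHIP_User_Password": "<placeholder>",
    "BHIP_BWF_API_Profile_User_Name": "bwf-profile-user",
    "BHIP_BWF_API_Profile_User_Password": "<placeholder>",
    "BWF_Business_Unit": "Security Operations",
    "BWF_Assigned_Company": "Example Company",
    "BWF_Requester": "Integration Requester",
    "BWF_URL": "https://bwf.example.invalid",
    "BWF_UserName": "bwf-integration-user",
    "BWF_User_Password": "<placeholder>",
    "CrowdStrike_API_URL": "https://api.us-2.crowdstrike.com",
    "CrowdStrike_Client_ID": "<client-id-placeholder>",
    "CrowdStrike_Client_Secret": "<client-secret-placeholder>",
    "CrowdStrike_User_Mail": "soc.analyst@example.invalid",
}

if __name__ == "__main__":
    for problem in check_project_variables(SAMPLE_VARS) or ["no problems found"]:
        print(problem)
    print("API roles:", api_user_roles(SAMPLE_VARS["BHIP_API_User_Roles"]) or "administrators only")
```

Run it against an export of your environment's project variables before deploying; the report names the variable so the fix maps directly onto the list above, and no value is printed, so secrets do not end up in a log.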

Task 3: To deploy and enable the project

Task 4: To get the API URL for CrowdStrike

Get the CrowdStrike API URL from the integration template and use it to configure your CrowdStrike environment. 

To get the URL, perform the following steps:

  1. Log in to BMC Helix iPaaS and navigate to Cloud Studio.
  2. Open the integration template.
  3. Next to the project name, click the ellipsis ..., and then click View Logs.
    [Image: View Logs for CS API URL.png]
  4. Expand Enable Integrations and click BHIP Publish API.
    The API URL is displayed.
    [Image: Get CS API URL.png]

(Optional) Task 5: To set the time for API debug mode

By default, the debug mode stays enabled for 2 hours after you run the integration, and debug logs are written for as long as the debug mode is enabled. To extend the debug mode, perform the following steps:

  1. In BMC Helix iPaaS, select API Manager > My APIs.
  2. Open the API created for the integration. 
    The API name is the value defined in the BHIP_API_Name project variable.
  3. Select Enable Debug Mode Until: and set it for the required date and time.
  4. Save and publish the API.

Workflows included in the integration template

The following workflows are defined as a part of the integration template. Each workflow is listed with its operations and the actions those operations perform.

1.0 Common

This workflow defines the basic operations.

Operations and the actions they perform:

  • 1.0 Parse JSON: Converts a JSON object in text format to a JavaScript object
  • 1.1 Status Mapping: Maps the status of a CrowdStrike case with a BMC Helix Business Workflows case (security incident)
  • 1.2 Validate HTTP Status Code: Validates the webhook operations

2.0 Enable Disable Integration

This workflow defines the operations for enabling and disabling the integration.

Operations and the actions they perform:

  • 2.0 Enable Integrations: Sets up variables required for the integration
  • 2.1 Disable Integrations: Deletes all the APIs and webhooks. Run this operation when you want to use the upgraded version of this integration template without deleting the APIs and webhooks manually.

3.0 BHIP operations

This workflow defines the operations required to enable the integration after all the required project configurations are completed. 

Operations and the actions they perform:

  • 3.0 BHIP Operations: Initiates the operations in the workflow
  • 3.1 BHIP Login: Logs in to BMC Helix iPaaS by using the BMC Helix iPaaS credentials provided in the project variables
  • 3.2 BHIP Get API Details: Lists all the API details in the environment
  • 3.3 BHIP Delete API: Deletes existing APIs or security profiles, if required
  • 3.4 BHIP Delete API Profile: Deletes existing security profiles, if required
  • 3.5 BHIP Create API Profile: Creates the security profiles and REST APIs in BMC Helix iPaaS
  • 3.6 BHIP Get Operation ID: Verifies if an operation ID exists for the integration
  • 3.7 BHIP Get User Roles: Verifies the roles of the users accessing BMC Helix iPaaS
  • 3.8 BHIP Create API: Creates the API configuration in BMC Helix iPaaS
  • 3.9 BHIP Publish API: Publishes the API configuration to BMC Helix iPaaS

4.0 BWF webhook

This workflow defines the operations for BMC Helix Business Workflows webhook.

Operations and the actions they perform:

  • 4.0 BWF Webhook Operations: Initiates the webhook operations based on the operations performed
  • 4.1 BWF - Get Existing Webhooks: Gets the existing BMC Helix Business Workflows webhooks
  • 4.2 BWF Delete Webhook: If a duplicate webhook exists, deletes that webhook
  • 4.3 BWF Register Webhook: Registers the webhook with BMC Helix Business Workflows

5.0 BWF Workflows

This workflow defines the operations for a BMC Helix Business Workflows case (security incident).

Operations and the actions they perform:

  • 5.0 BWF Driver: Enables the required BMC Helix Business Workflows drivers for the integration
  • 5.1 BWF Login: Logs in to BMC Helix Business Workflows by using the credentials provided in the project variables
  • 5.2 Attach to a BWF case: Adds an attachment from a CrowdStrike case to a BMC Helix Business Workflows case (security incident)
  • 5.4 Create a BWF case: Creates a case (security incident) in BMC Helix Business Workflows
  • 5.5 Update BWF case status: Updates the status of a BMC Helix Business Workflows case (security incident) when the status of the corresponding CrowdStrike case is updated
  • 5.6 Get BWF case Using crowd Strike ID: Gets the BMC Helix Business Workflows case (security incident) by using the CrowdStrike case ID
  • 5.7 BWF Case - Add Activity Notes: Adds an activity note to a BMC Helix Business Workflows case (security incident) when an activity note is added to the corresponding CrowdStrike case
  • 5.8 Update BWF Case: Updates a BMC Helix Business Workflows case (security incident) when the corresponding CrowdStrike case status or description is updated

6.0 CrowdStrike Workflows

This workflow defines the operations for a CrowdStrike case.

Operations and the actions they perform:

  • 6.0 CrowdStrike Controller: Enables all the API entry points by using the details provided in the project variables for CrowdStrike
  • 6.1 CrowdStrike Login - Get Bearer Token: Logs in to CrowdStrike by using the bearer token
  • 6.2 CrowdStrike Get UUID by Mail: Gets the unique user ID of a CrowdStrike user
  • 6.3 CrowdStrike Post Activity: Adds an activity note to a CrowdStrike case
  • 6.4 CrowdStrike Get Alert By Id: Gets the CrowdStrike alert by using the detections
  • 6.5 CrowdStrike Get Case By ID: Gets the CrowdStrike case by using the case ID
  • 6.6 CrowdStrike Get Detection By ID: Gets the asset vulnerability details by using the CrowdStrike case ID
  • 6.7 CrowdStrike Get Incident By ID: Gets the BMC Helix Business Workflows case (security incident) details by using the incident ID
  • 6.8 CrowdStrike - Process Attachments: Processes attachments added to a CrowdStrike case
  • 6.9 CrowdStrike Get Attachments by ID: Gets an attachment by its ID, if multiple attachments are added to a CrowdStrike case

 

 
