Home
Play books
CrowdStrike: User account validation

CrowdStrike: User account validation

Log type: CrowdStrike Falcon

In this page

Playbook Description

This playbook investigates a user account in CrowdStrike by retrieving user details via UUID lookup and checking the account creation time to determine whether the account is newly created, and helps identify suspicious or unauthorized accounts.

MITRE D3FEND mapping

Tactics	Techniques	Sub-techniques
Detect(D3-Detect)	D3-UBA(User Behavior Analysis)	-

Playbook input type

Log

Playbook creation input

CrowdStrike connection - OAuth2 connection with clientId and client secret along with region.

Dependencies

Extensions - CrowdStrike:

crowdstrike_createioc
crowdstrike_retrieveUserUuid
crowdstrike_retrieveUserInfo

Utility functions:

utility_isEntityNew

Connections

CrowdStrike connection - OAuth2 connection with clientId and client secret along with region.

Execution workflow

Investigation:

Builds an FQL filter to query user details from CrowdStrike.
Retrieves the user UUID based on the filter criteria.
Fetches user information using the retrieved UUID.
Checks the account creation time to determine whether the account is newly created.

Execution Workflow — Figure: Execution workflow of the playbook

Awards & recognition

ManageEngine named in 2025 Gartner MQ for SIEM Gartner Peer Insights Customers' choice for SIEM

Editor's choice

8th time in the MQ in 2025

Major player in 2024

Integrated cloud security Innovator

Technical excellence in SIEM

Market leader most innovative