
Hello Team,

When I'm executing the action CrowdStrike Update Detection, I'm getting the failure message:

Error executing action 'CrowdStrikeFalcon - Update Detection'. Reason: Failed to update detection 342703c303344c35a3530b2a1f78cbd7: Failed to validate resource.

Could you please help me with the exact detection ID in the CrowdStrike instance?

Could you please share the detection ID placeholder in SecOps SOAR?

Thank you!

 





Hi @Nagarjuna11 ! The error "Failed to validate resource" usually means that the Detection ID you're sending is incorrect or not found in the CrowdStrike environment.

Try this:

  1. Detection ID placeholder in SOAR – It should be the exact value from the detection artifact. You can usually find it using a previous step like Search Detections or from an artifact linked to the case.

  2. Make sure the Detection ID format is correct (no extra spaces, quotes, or formatting issues).

  3. Confirm that your CrowdStrike integration account has permissions to update detections.

If possible, try logging the Detection ID right before the update action to verify its value.


Yes, the CrowdStrike integration has permissions to update detections. In the previous version this action was working as expected. Currently we are using version v59.0, and now the action is failing.


Since this action was working in a previous version and now fails in v59.0, it could be a regression or a breaking change in the integration. Try this:

  1. Double-check the Detection ID format — confirm it’s being passed exactly as expected (no encoding or structure changes in v59).

  2. Review the CrowdStrike Falcon connector release notes for v59 — check if any updates changed required fields or payload format.

  3. As a test, try calling the same action manually (outside the playbook) with a known-good Detection ID and see if it still fails.

If all else fails, consider rolling back to the last known working version or raising it as a support issue with Google if this is a managed connector.


Hey @Nagarjuna11,


Were you using "Detections" Connector or "Alerts" Connector?


From CrowdStrike to Google SIEM and then to SOAR. In the SOAR instance under Ingestion I couldn't see the CrowdStrike connector.

 


@Nagarjuna11 Based on the structure of the ID that you pushed to the action, you need to use the "Update Alert" action. Detections as a concept, and the API associated with it, have been deprecated (or will be soon) by CrowdStrike, and everything has been replaced by the "Alert" object. The Update Alert action uses this new API.


I've tried it on my side and it worked, so let me know if it works for you.



 


Thanks, may I know the CrowdStrike version?


I am using version 61 of the CrowdStrike integration, but the needed action was added in version 48.


Thanks, it is working as expected. For IDP alerts, how do we update through SOAR? There is an out-of-the-box action called Update Identity Protection Detection in CrowdStrike, but there is no Update Alert specific to IDP. Is there any workaround for this?


IDP is at its core still an Alert object. The same action should work for that workflow as well.


I have used the Update Alert action in a playbook for EDP alerts. It has created a loop: after changing the status to the in-progress state, it is changing to the in-progress state again. Is there anything wrong in the code? Attaching the screenshot for your reference.

 





@ylandovskyy could you please assist with this?


Hey @Nagarjuna11 !


Please contact support and open a ticket!

