
NEW FEATURE: CrowdStrike Fusion - Automating Workflows

The new CrowdStrike workflows feature helps streamline analyst workflows by automating actions around specific and complex scenarios:

  • Create workflows using the new workflow builder to precisely define the actions you want Falcon to perform in response to incidents, detections, cloud security findings, and updates made by users.
  • The new workflow builder supports conditional branching logic (if, else if, else) with both sequential and parallel flows. 
  • Monitor workflow execution details, and review updates made to your workflows.

Requirements

Availability:

  • Subscriptions: Workflow triggers are available for these subscriptions:
    • Falcon Insight
    • Falcon Prevent
    • Falcon Firewall Management
    • Falcon Device Control 
    • Falcon Horizon
  • Sensor support: All supported Falcon sensors for Windows, macOS, and Linux
  • Roles: 
    • Falcon Administrator can create and edit workflows, and view the workflow Audit Log and Execution Log.
    • These roles can view the Workflows page:
      • Falcon Security Lead
      • Falcon Investigator
      • Falcon Analyst
      • Falcon Analyst - Read only
  • Clouds: US-1, US-2: Available by request now


Details

Fusion Workflows (Configuration → Workflows) expands upon Falcon’s existing Notification Workflows, following its familiar trigger, condition, and action model.

Through a sophisticated new workflow building experience, you can more easily visualize triggers and create multiple potential routes of automated actions depending on specific conditions. The new workflow builder supports conditional branching logic (if, else if, else), and both sequential and parallel flows.


Workflow triggers and conditions

Each workflow begins with a trigger, which you should refine by adding one or more conditions. In Fusion, workflow triggers have been reorganized with user action triggers grouped under Audit events. A new kind of trigger, Workflow execution, lets you create workflows that trigger off of other workflows.

NOTE: The available triggers and conditions align with your subscriptions.

  • New incident: Trigger a workflow when Falcon reports an incident. 
  • New detection: Trigger a workflow when Falcon reports a detection. 
  • Cloud security assessment: Trigger a workflow when Falcon reports a new cloud security finding.
  • Workflow execution: Trigger a workflow off of a workflow. This option is useful if you want to set up notifications to let you know when workflows have run or have hit a failure point.
  • Audit event: Trigger a workflow when a user makes updates to attributes of incidents, detections, or policies in Falcon. Refine by these subcategories and types:
    • Incident
      • Assignment
      • Status
      • Comment
      • Tag
    • Detection
      • Assignment
      • Comment
      • Status
    • Policy (Prevention, Firewall, Sensor Update, Device Control, Response, Mobile, Identity Protection, and Airlock policies)
      • Deleted
      • Created
      • Enabled
      • Disabled
      • Updated


Workflow actions

In addition to supporting all of the same notification channels as Notification Workflows, the new Fusion workflows also support an expanded collection of potential actions.

  • Execute Real Time Response (RTR) commands.
    NOTE: The available commands align with your RTR role:
    • Get file (get)
    • Remove file (rm)
    • Retrieve active network connections (netstat)
    • Retrieve running processes (ps)
  • Contain hosts to isolate them from all network activity.
  • Update aspects of detections and incidents.
    • Change status
    • Assign to a user
    • Add comment
    • Add tags (incidents only)
  • Perform VirusTotal lookups (under Enrichment):
    • VirusTotal Hash Lookup
  • Deliver notifications through a number of channels.
    • Webhook
    • Email
    • Slack
    • PagerDuty
    • Microsoft Teams
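The trigger, condition and action model described above (first-match if / else if / else branching over a detection, and the Workflow execution trigger chaining a second workflow off the first one's result), as an added Python model that is not CrowdStrike's code and not Fusion's configuration format or API. All workflow, action and event names are constructed, and parallel flows are not modeled.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
# Constructed model of the trigger -> condition -> action flow this page describes.
# All names are hypothetical; this is not CrowdStrike's Fusion API or config format.
def contain_host(e: dict) -> str:       # stands in for the "Contain host" action
    if not e.get("host_online", True):  # constructed failure path
        raise RuntimeError(f"contain failed: {e['host']} offline")
    return f"contained {e['host']}"
def add_comment(e: dict) -> str:        # stands in for "Add comment" on a detection
    return f"comment on {e['id']}"
def notify(channel: str) -> Callable[[dict], str]:   # Slack / PagerDuty / email stand-in
    return lambda e: f"{channel}: {e.get('id') or e['workflow']} {e.get('status', '')}".strip()

@dataclass
class Branch:                 # one "if" / "else if" / "else" arm; condition None means "else"
    condition: Optional[Callable[[dict], bool]]
    actions: list             # run sequentially once this arm is chosen
@dataclass
class Workflow:
    name: str
    trigger: str              # "New detection", "Audit event", "Workflow execution", ...
    branches: list            # evaluated top-down; first matching arm wins

@dataclass
class Engine:
    workflows: list
    execution_log: list = field(default_factory=list)   # like Fusion's Execution Log
    def dispatch(self, event: dict) -> list:
        results = []
        for wf in (w for w in self.workflows if w.trigger == event["trigger"]):
            try:
                arm = next((b for b in wf.branches if b.condition is None or b.condition(event)), None)
                out, status = ([a(event) for a in arm.actions] if arm else []), "success"
            except RuntimeError as exc:
                out, status = [str(exc)], "failure"
            self.execution_log.append((wf.name, status))
            results.append((wf.name, status, out))
            if event["trigger"] != "Workflow execution":  # emit one chained event, never loop
                results += self.dispatch({"trigger": "Workflow execution", "workflow": wf.name, "status": status})
        return results

WORKFLOWS = [   # constructed sample: branching detection response plus a failure monitor
    Workflow("Detection response", "New detection", [
        Branch(lambda e: e["severity"] == "critical", [contain_host, add_comment, notify("pagerduty")]),
        Branch(lambda e: e["severity"] == "high", [add_comment, notify("slack")]),
        Branch(None, [notify("email")])]),
    Workflow("Alert on failed workflows", "Workflow execution",
             [Branch(lambda e: e["status"] == "failure", [notify("slack")])]),
]
```

Dispatching a critical detection whose host is offline makes the containment action fail, which the chained "Alert on failed workflows" workflow then picks up through the Workflow execution trigger.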


Note about Notification Workflows vs. Fusion Workflows

The new Fusion Workflows and existing Notification Workflows will both be fully available, and you’ll be able to create and edit workflows through both areas of the console.

Notification Workflows will be seamlessly integrated into Fusion Workflows over the next few months.

Falcon Fusion Workflows documentation will be provided once the feature is enabled on your CID.


Contact us for more information!

About QMasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.
