The new CrowdStrike workflows feature helps streamline analyst workflows by automating actions around specific and complex scenarios:
- Create workflows using the new workflow builder to precisely define the actions you want Falcon to perform in response to incidents, detections, cloud security findings, and updates made by users.
- The new workflow builder supports conditional branching logic (if, else if, else) with both sequential and parallel flows.
- Monitor workflow execution details, and review updates made to your workflows.
Requirements
Availability:
- Subscriptions: Workflow triggers are available for these subscriptions:
  - Falcon Insight
  - Falcon Prevent
  - Falcon Firewall Management
  - Falcon Device Control
  - Falcon Horizon
- Sensor support: All supported Falcon sensors for Windows, macOS, and Linux
- Roles:
  - Falcon Administrator can create and edit workflows, and view the workflow Audit Log and Execution Log.
  - These roles can view the Workflows page:
    - Falcon Security Lead
    - Falcon Investigator
    - Falcon Analyst
    - Falcon Analyst - Read only
- Clouds: US-1, US-2: Available by request now
Details
Fusion Workflows (Configuration → Workflows) expands upon Falcon’s existing Notification Workflows, following its familiar trigger, condition, and action model.
Through a new workflow building experience, you can more easily visualize triggers and create multiple potential routes of automated actions depending on certain conditions. The new workflow builder supports conditional branching logic (if, else if, else), and both sequential and parallel flows.
Workflow triggers and conditions
Each workflow begins with a trigger, which you should refine by adding one or more conditions. In Fusion, workflow triggers have been reorganized with user action triggers grouped under Audit events. A new kind of trigger, Workflow execution, lets you create workflows that trigger off of other workflows.
NOTE: The available triggers and conditions align with your subscriptions.
- New incident: Trigger a workflow when Falcon reports an incident.
- New detection: Trigger a workflow when Falcon reports a detection.
- Cloud security assessment: Trigger a workflow when Falcon reports a new cloud security finding.
- Workflow execution: Trigger a workflow off of a workflow. This option is useful if you want to set up notifications to let you know when workflows have run or have hit a failure point.
- Audit event: Trigger a workflow when a user makes updates to attributes of incidents, detections, or policies in Falcon. Refine by these subcategories and types:
  - Incident
    - Assignment
    - Status
    - Comment
    - Tag
  - Detection
  - Policy (Prevention, Firewall, Sensor Update, Device Control, Response, Mobile, Identity Protection, and Airlock policies)
    - Deleted
    - Created
    - Enabled
    - Disabled
    - Updated
Workflow actions
In addition to supporting all of the same notification channels as Notification Workflows, the new Fusion workflows also support an expanded collection of potential actions.
- Execute Real Time Response (RTR) commands.
  NOTE: The available commands align with your RTR role:
  - Get file (get)
  - Remove file (rm)
  - Retrieve active network connections (netstat)
  - Retrieve running processes (ps)
- Contain hosts to isolate them from all network activity.
- Update aspects of detections and incidents.
  - Change status
  - Assign to a user
  - Add comment
  - Add tags (incidents only)
- Perform VirusTotal lookups (under Enrichment).
- Deliver notifications through a number of channels.
  - Webhook
  - Email
  - Slack
  - PagerDuty
  - Microsoft Teams
Note about Notification Workflows vs. Fusion Workflows
The new Fusion Workflows and existing Notification Workflows will both be fully available, and you’ll be able to create and edit workflows through both areas of the console.
Notification Workflows will be seamlessly integrated into Fusion Workflows over the next few months.
Falcon Fusion Workflows documentation will be provided once the feature is enabled on your CID.
Contact us for more information!