NEW FEATURE: CrowdStrike Fusion - Automating Workflows

The new CrowdStrike workflows feature helps streamline analyst workflows by automating actions around specific and complex scenarios:

  • Create workflows using the new workflow builder to precisely define the actions you want Falcon to perform in response to incidents, detections, cloud security findings, and updates made by users.
  • The new workflow builder supports conditional branching logic (if, else if, else) with both sequential and parallel flows. 
  • Monitor workflow execution details, and review updates made to your workflows.



  • Subscriptions: Workflow triggers are available for these subscriptions:
    • Falcon Insight
    • Falcon Prevent
    • Falcon Firewall Management
    • Falcon Device Control 
    • Falcon Horizon
  • Sensor support: All supported Falcon sensors for Windows, macOS, and Linux
  • Roles: 
    • Falcon Administrator can create and edit workflows, and view the workflow Audit Log and Execution Log.
    • These roles can view the Workflows page:
      • Falcon Security Lead
      • Falcon Investigator
      • Falcon Analyst
      • Falcon Analyst - Read only
  • Clouds: US-1, US-2: Available by request now



Fusion Workflows (Configuration → Workflows) expands upon Falcon’s existing Notification Workflows, following its familiar trigger, condition, and action model.

Through a sophisticated new workflow building experience, you can more easily visualize triggers and create multiple potential routes of automated actions depending on certain conditions. The new workflow builder supports conditional branching logic (if, else if, else), and both sequential and parallel flows.


Workflow triggers and conditions

Each workflow begins with a trigger, which you should refine by adding one or more conditions. In Fusion, workflow triggers have been reorganized with user action triggers grouped under Audit events. A new kind of trigger, Workflow execution, lets you create workflows that trigger off of other workflows.

NOTE: The available triggers and conditions align with your subscriptions.

  • New incident: Trigger a workflow when Falcon reports an incident. 
  • New detection: Trigger a workflow when Falcon reports a detection. 
  • Cloud security assessment: Trigger a workflow when Falcon reports a new cloud security finding.
  • Workflow execution: Trigger a workflow when another workflow runs. This option is useful if you want to set up notifications to let you know when workflows have run or have hit a failure point.
  • Audit event: Trigger a workflow when a user makes updates to attributes of incidents, detections, or policies in Falcon. Refine by these subcategories and types:
    • Incident
      • Assignment
      • Status
      • Comment
      • Tag
    • Detection
      • Assignment
      • Comment
      • Status
    • Policy (Prevention, Firewall, Sensor Update, Device Control, Response, Mobile, Identity Protection, and Airlock policies)
      • Deleted
      • Created
      • Enabled
      • Disabled
      • Updated


Workflow actions

In addition to supporting all of the same notification channels as Notification Workflows, the new Fusion workflows also support an expanded collection of potential actions.

  • Execute Real Time Response (RTR) commands.
    NOTE: The available commands align with your RTR role:
    • Get file (get)
    • Remove file (rm)
    • Retrieve active network connections (netstat)
    • Retrieve running processes (ps)
  • Contain hosts to isolate them from all network activity.
  • Update aspects of detections and incidents.
    • Change status
    • Assign to a user
    • Add comment
    • Add tags (incidents only)
  • Perform VirusTotal lookups (under Enrichment):
    • VirusTotal Hash Lookup
  • Deliver notifications through a number of channels.
    • Webhook
    • Email
    • Slack
    • PagerDuty
    • Microsoft Teams
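As an added illustration (not CrowdStrike code or a real Falcon configuration), here is a small Python model of the trigger, condition and action model described in the two sections above: if / else if / else branching, actions that run in parallel with the chosen branch, and a second workflow chained off the first via the Workflow execution trigger. The severity field, the action labels and the log format are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
Event = Dict[str, object]

@dataclass
class Branch:
    condition: Optional[Callable[[Event], bool]]  # None marks the "else" branch
    actions: List[str]                             # executed sequentially, in order
@dataclass
class Workflow:
    name: str
    trigger: str                    # trigger type from the page, e.g. "New detection"
    branches: List[Branch]          # evaluated top-down as if / else if / else
    parallel: Tuple[str, ...] = ()  # actions that run alongside whichever branch is taken

def run_workflow(wf: Workflow, event: Event) -> List[str]:
    """Return the execution log for one event (empty when the trigger does not match)."""
    if event.get("trigger") != wf.trigger:
        return []
    log = [f"{wf.name}: triggered by {wf.trigger}"]
    for b in wf.branches:           # first matching branch wins; later ones are skipped
        if b.condition is None or b.condition(event):
            log += [f"{wf.name}: {a}" for a in b.actions]
            break
    return log + [f"{wf.name}: {a} (parallel)" for a in wf.parallel]

def run_all(workflows: List[Workflow], event: Event) -> List[str]:
    """Run every workflow, then fire 'Workflow execution'-triggered ones once per workflow that ran."""
    log, ran = [], []
    for wf in workflows:
        out = run_workflow(wf, event)
        if out:
            log += out
            ran.append(wf.name)
    for src in ran:                 # chaining: a completed run is itself a trigger event
        chained: Event = {"trigger": "Workflow execution", "source": src}
        log += [line for wf in workflows if wf.trigger == "Workflow execution" and wf.name != src
                for line in run_workflow(wf, chained)]
    return log

# Constructed sample workflows; the severity field and the action labels are assumptions.
DETECTION_WF = Workflow(
    name="Detection response", trigger="New detection",
    branches=[
        Branch(lambda e: e.get("severity") == "critical", ["Contain host", "Assign to user: soc-oncall"]),
        Branch(lambda e: e.get("severity") in ("high", "medium"), ["RTR: ps", "RTR: netstat"]),
        Branch(None, ["Add comment: low severity, no automated action"])],
    parallel=("VirusTotal Hash Lookup", "Slack notification"))
CHAINED_WF = Workflow("Notify on run", "Workflow execution", [Branch(None, ["Email notification"])])
```

Running `run_all([DETECTION_WF, CHAINED_WF], event)` with a critical detection event takes the containment branch, runs the two parallel actions, and then fires the chained notification workflow once.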


Note about Notification Workflows vs. Fusion Workflows

The new Fusion Workflows and existing Notification Workflows will both be fully available, and you’ll be able to create and edit workflows through both areas of the console.

Notification Workflows will be seamlessly integrated into Fusion Workflows over the next few months.

Falcon Fusion Workflows documentation will be provided once the feature is enabled on your CID.


Contact us for more information!

About QMasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.
