How to Automate Workflows with Falcon Spotlight
Falcon Spotlight leverages the existing Falcon Agent to assess the status of vulnerabilities across the environment. While visibility and filtering capabilities are part of the user interface, this article will document integration options to help customers effectively operationalize CrowdStrike’s vulnerability findings.
Using Falcon Fusion workflows, organizations can feed information from Spotlight into processes and tools that are leveraged by the application security and patching teams – like ServiceNow or Jira. From the main Falcon menu, “Workflows” is an option under the “Configuration” menu. The “Workflows” page presents a list of existing workflows, along with their trigger and status. From this page, there is also an option to “Create a workflow”.
This first step is to specify a trigger to begin the workflow. After choosing the “Spotlight user action” category, there are options to look at hosts, vulnerabilities and remediations. In this example, we will select “Vulnerability”.
Once the trigger is set, there are options to add actions or a conditions. Conditions help to refine the criteria for the workflow. Note that the list of conditions will vary based on the trigger. While there are a number of parameter options under vulnerability, this workflow will focus on the “ExPRT rating”.
For each parameter, there are different operators available to ensure the workflow only applies when the proper conditions are met. In this case, using options like severity and exploit status might help drive the urgency of the action to be taken. Using conditions also helps to ensure that the workflow is applied in the right situations. Here we will choose to execute the workflow only with the “ExPRT rating” is not equal to “Low”.
While there are options to exercise additional conditions, our next step will be to add an action. For notifications, there is a list of options, but here we will opt to “Create a ServiceNow incident”.
After entering descriptions for the action, the workflow also provides the ability to specify exactly what information needs to be passed from Spotlight to the chosen notification. Here we will elect to include the CVE ID and description as well as the custom priority and exploit status in the ServiceNow incident.
Like with conditions, these flexible workflows include the capability to include additional parallel and sequential actions. One option would be to add an attachment to the ServiceNow incident that details the hosts in need of remediation. Once the workflow is complete, there are prompts to name and enable the workflow for execution. More detailed documentation regarding this ServiceNow integration can be found in the Falcon UI.
Initiating a Workflow
The workflow can be initiated from the “Vulnerabilities” page of the Spotlight app using the “Create ticket” action.
The ticket can be named and assigned a priority and description.
From the Spotlight menu, the “Tickets” option will reflect a list of open tickets. From the ticket, actions include seeing the workflow execution and downloading the list of impacted hosts. This view also reports the status of the ServiceNow incident.
In ServiceNow, we see the new incident has been created. It includes a link to view the workflow as well as the CVE and rating information that we specified. In the ServiceNow incident, there is also a link back to the Spotlight ticket.
To get started, the initial configuration is quite simple. From the CrowdStrike Store, the filters can be used to quickly focus on plugins. In this example, by selecting ServiceNow, we can quickly see the prompts required to configure the integration.
With Falcon Fusion workflows, Spotlight customers can now automate the flow of vulnerability information directly into their existing ticketing tools. This orchestration enables smooth communication between both teams and tools to help ensure fast and effective remediation to prevent breaches.