Create Automated Workflows with Pre-Built Playbooks
How to Create Automated Workflows with Pre-Built Fusion Playbooks
October 25, 2022 | Kendra Kendall | Tech Center
CrowdStrike Falcon Fusion is an extensible framework built on the Falcon Platform that allows the orchestration and automation of complex workflows. These workflows can be used to simplify tasks, accelerate response time, and save valuable time for security teams. Falcon Fusion is included in the Falcon platform and available to all customers.
Available in console now are Falcon Fusion automated playbooks. Playbooks are pre-built workflow templates centered around common use cases.
What Are Fusion Playbooks?
When creating a workflow, you have the option to build it from scratch or to start from a playbook. Playbooks are pre-built workflow templates that are simple to enable and configure. Currently there are six playbooks available. Note that some playbooks require specific Falcon platform solutions (e.g., Falcon Spotlight); only the playbooks applicable to your subscription are shown in the console.
- The Machine Learning Detection Sandbox Analysis playbook is triggered on new endpoint detections with a “machine learning” tactic. The involved file is submitted to the sandbox (if the sample is not already present there). If the sandbox analysis score is high, the endpoint is automatically contained and the detection is tagged with a comment.
- The OverWatch Detection Remediation and Prioritization playbook triggers on new Falcon OverWatch detections. These OverWatch detections are high fidelity and critical in nature – this playbook automates remediation actions including containing the device, adding the endpoint and user to a watchlist, and sending a notification email to specified recipients. Automating these actions for high-fidelity critical alerts reduces the blast radius and speeds up remediation and investigation.
- The Falcon Spotlight ServiceNow Integration playbook streamlines ServiceNow incident management by automatically creating a ServiceNow incident for Vulnerability, Host, and Remediation Falcon Spotlight actions. Fusion expands beyond just the Falcon Platform with actions that can be performed in Partner applications based on activity in Falcon.
- The Sensor Diagnostic File Collection playbook automatically gathers agent diagnostic files for sensor troubleshooting.
- The Workflow Execution Failure Notification playbook automatically notifies specified users of a workflow execution failure via email.
- The CrowdScore Incident Lateral Movement Remediation playbook automatically performs remediation and investigation actions when a new high-scoring incident involving lateral movement occurs. Incidents group multiple related detections; a higher incident score represents greater confidence that an attack has occurred. This playbook retrieves running processes and active network connections to enrich the investigation data, automatically contains the device, and updates the incident with the specified tag(s) and status.
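Each playbook above follows the same shape: a trigger that matches an event, an enrichment step, a condition on the enriched data, and a list of actions. The following is an added illustration of that trigger/condition/action pattern, written for this page and not CrowdStrike's or Fusion's own code. The sandbox, containment and e-mail calls are stand-ins that only record what they would do, the score threshold of 70 is an assumption (the post does not state the score scale), and the detection events are constructed. It models the Machine Learning Detection Sandbox Analysis playbook (skipping resubmission of a sample the sandbox already knows) and the Workflow Execution Failure Notification playbook, which reacts to a failure raised by the first one.

```python
"""Illustrative playbook engine: trigger -> enrich -> condition -> actions.

Added example; not CrowdStrike Falcon Fusion code. Sandbox, containment and
e-mail are stand-ins, and HIGH_SCORE_THRESHOLD is an assumed cut-off.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
Context = Dict[str, Any]

HIGH_SCORE_THRESHOLD = 70  # assumption: the post only says "high" score


class StubSandbox:
    """Stand-in sandbox that remembers samples it has already analysed."""

    def __init__(self, known: Dict[str, int]) -> None:
        self.known = dict(known)          # sha256 -> score of existing reports
        self.submissions: List[str] = []  # hashes actually submitted for analysis

    def analyse(self, sha256: str) -> int:
        # Submit only when no report exists, as the playbook description says.
        if sha256 not in self.known:
            self.submissions.append(sha256)
            # Constructed verdict: hashes ending in "bad" score as malicious.
            self.known[sha256] = 95 if sha256.endswith("bad") else 5
        return self.known[sha256]


@dataclass
class Playbook:
    name: str
    trigger: Callable[[Event], bool]
    enrich: Callable[[Event], Context]
    condition: Callable[[Event, Context], bool]
    actions: List[Callable[[Event, Context], str]]


def run_playbooks(playbooks: List[Playbook], events: List[Event]) -> List[str]:
    """Run every event through every playbook; return the action log."""
    log: List[str] = []
    queue = list(events)
    while queue:
        event = queue.pop(0)
        for pb in playbooks:
            if not pb.trigger(event):
                continue
            try:
                ctx = pb.enrich(event)
                if not pb.condition(event, ctx):
                    log.append(f"{pb.name}: condition not met for {event['id']}")
                    continue
                for action in pb.actions:
                    log.append(f"{pb.name}: {action(event, ctx)}")
            except Exception as exc:
                # A failed execution becomes an event so the failure
                # notification playbook can pick it up.
                queue.append({"type": "workflow_failure", "id": f"fail-{event['id']}",
                              "workflow": pb.name, "error": str(exc)})
    return log


def build_playbooks(sandbox: StubSandbox) -> List[Playbook]:
    ml_sandbox = Playbook(
        name="ML Detection Sandbox Analysis",
        trigger=lambda e: e.get("type") == "detection" and e.get("tactic") == "Machine Learning",
        enrich=lambda e: {"score": sandbox.analyse(e["sha256"])},
        condition=lambda e, c: c["score"] >= HIGH_SCORE_THRESHOLD,
        actions=[
            lambda e, c: f"contain host {e['host']}",
            lambda e, c: f"comment on detection {e['id']}: sandbox score {c['score']}",
        ],
    )
    failure_notify = Playbook(
        name="Workflow Execution Failure Notification",
        trigger=lambda e: e.get("type") == "workflow_failure",
        enrich=lambda e: {},
        condition=lambda e, c: True,
        actions=[lambda e, c: f"email soc@example.invalid: {e['workflow']} failed ({e['error']})"],
    )
    return [ml_sandbox, failure_notify]


def sample_events() -> List[Event]:
    """Constructed detections, not real telemetry."""
    return [
        {"type": "detection", "id": "d1", "tactic": "Machine Learning", "host": "H1", "sha256": "sample-bad"},
        {"type": "detection", "id": "d2", "tactic": "Machine Learning", "host": "H2", "sha256": "known-clean"},
        {"type": "detection", "id": "d3", "tactic": "Credential Access", "host": "H3", "sha256": "other"},
        {"type": "detection", "id": "d4", "tactic": "Machine Learning", "host": "H4"},  # missing hash
    ]


def demo() -> Dict[str, Any]:
    sandbox = StubSandbox({"known-clean": 10})  # report already on file
    log = run_playbooks(build_playbooks(sandbox), sample_events())
    return {"log": log, "submitted": sandbox.submissions}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The failure path is the part worth copying: an exception inside one playbook is turned into a new event rather than aborting the run, which is exactly what lets a separate notification playbook observe it. Note that `d2` is never resubmitted because the sandbox already holds a report for its hash.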
Create a Workflow Using a Playbook
To create a new workflow from a playbook, navigate to the Fusion Workflows page.
Create a new workflow and, when presented with options, select “Create a workflow using a playbook”.
Select a playbook, then click “View Playbook”. Fill out any missing variables (e.g., recipient email) by clicking “Customize Playbook”, then click “Update Playbook”. Edit the workflow as needed to suit your use case by changing triggers, actions, and conditions.
When finished, edit the name, description, and status. Then save the workflow. Building a workflow using a playbook is a simple way to automate common actions in your environment.
Falcon Fusion playbooks are pre-built workflows that can quickly and easily be enabled to automate response, investigation, and troubleshooting actions. Traditionally manual tasks can be automated with Fusion to shorten time to remediation and investigation – saving analyst time and speeding up response. CrowdStrike Fusion playbooks are available to all CrowdStrike customers in the console.