How to automate workflows with Falcon Fusion and Real Time Response
Introduction
Security teams today are often overwhelmed by the number of security-related tasks required to protect their environment. One way to relieve this is to increase the level of automation provided by their security tools.
CrowdStrike’s Falcon Fusion can build workflows that automate the actions taken when specified conditions are met. In addition to performing built-in actions, Falcon Fusion can also run customized scripts to execute almost any action on the endpoint.
Video
The ability to customize the optional input and output parameters allows us a lot of flexibility within the script to capture the specific data to be used in the workflow.
Here is an example script. We can see that this script expects a file_path input property, which the input schema can capture.
To capture the input, we’ll go to the input schema tab, where we can use JSON Schema to define our properties.
To simplify its creation, Falcon also provides the ability to enter a JSON string and convert it to a formatted JSON Schema.
When creating a workflow, you can now use the Real Time Response scripts that you have created.
After creating a script with an output schema, we can now choose one of the parameters as a condition for actions further down in the workflow.
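As an added example (not the script shown in the video), here is a Windows RTR script that consumes a `file_path` input and emits an object that an output schema can map, so that a later workflow condition can branch on fields such as `signed` or `exists`. It assumes Fusion hands the input-schema values to the script as one JSON string in `$args[0]` and reads a single JSON object from stdout; the schemas in the comments are constructed for this example.

```powershell
# Added example, not the script from the video. Assumptions: Falcon Fusion
# passes the input-schema values as a JSON string in $args[0] and parses the
# JSON object written to stdout against the output schema. Confirm both in
# your tenant's Fusion documentation before relying on them.

# Constructed input schema for the "input schema" tab; the script reads file_path:
#   {"type":"object","required":["file_path"],
#    "properties":{"file_path":{"type":"string"}}}
# Constructed output schema that matches the object emitted below:
#   {"type":"object","properties":{"exists":{"type":"boolean"},
#    "sha256":{"type":"string"},"size_bytes":{"type":"integer"},
#    "signed":{"type":"boolean"},"error":{"type":"string"}}}

# Always emit every field, so a downstream condition never sees a missing key.
$result = [ordered]@{ exists = $false; sha256 = ''; size_bytes = 0; signed = $false; error = '' }

try {
    $params = $args[0] | ConvertFrom-Json
    $path   = [string]$params.file_path

    # Only accept an absolute path to an existing file; anything else is reported
    # through the error field rather than silently producing an empty result.
    if ([string]::IsNullOrWhiteSpace($path) -or -not [System.IO.Path]::IsPathRooted($path)) {
        throw 'file_path must be an absolute path'
    }
    $item = Get-Item -LiteralPath $path -ErrorAction Stop
    if ($item.PSIsContainer) { throw 'file_path points to a directory, not a file' }

    $result.exists     = $true
    $result.size_bytes = [int64]$item.Length
    $result.sha256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    # Authenticode status feeds a typical workflow condition such as "signed is false".
    $result.signed     = (Get-AuthenticodeSignature -LiteralPath $path).Status -eq 'Valid'
}
catch {
    # Keep the object well-formed and carry the reason back into the workflow.
    $result.error = $_.Exception.Message
}

# One compact JSON object on stdout for Fusion to map onto the output schema.
$result | ConvertTo-Json -Compress
```

With the output schema in place, a later workflow step can use `signed` or `exists` as the condition described above to decide whether to take a further action such as file quarantine.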
Conclusion
Real Time Response with Falcon Fusion provides highly customizable workflows that can use scripts to capture inputs from other workflow stages and provide outputs that further refine the conditions under which actions are performed.
This capability helps automate security tasks, reduces the burden on security teams, and helps prevent breaches.