How to Create Workflows with Falcon Fusion
As organizations adopt new technologies, security teams face an overwhelming increase in complexity as they attempt to defend their ever-expanding attack surface. They are often burdened with manual workflows and chasing down events without context across multiple security tools, leading to inefficient security operations and the potential for a breach.
Falcon Fusion helps solve this complexity problem by providing an extensible framework that combines enriched Falcon data with partner apps and can automate security workflows. By leveraging the extensive security cloud that CrowdStrike has built, it allows for machine-guided remediation options and accelerates response time by intelligently collecting artifacts in real time from the endpoint.
Creating a workflow with the interactive interface is easy while still providing robust features such as conditional branching and advanced actions.
Creating workflows to automate security operations
Triggers utilize CrowdStrike’s security cloud to provide the context behind the action, allowing us to use data identified by the Falcon Threat Graph to initiate the workflow.
Customized conditions can be provided to define when actions will be taken.
Conditions can be further refined by adding additional criteria that must be met before the workflow will continue on this path.
When a condition is met, an Action can automatically be taken so that the analyst doesn’t need to manually act on identified activity. These actions include specific Real Time Response commands, updating detection and incident information, containing devices, and activities provided by third parties.
Falcon Fusion can also add parallel conditions to provide multiple actions based on the activity path.
In addition to creating parallel paths, we can also use “else if” conditions to create conditional branching logic and perform actions based on separate criteria that we can define.
Falcon Fusion also has the ability to leverage third-party applications, such as VirusTotal, provided by the CrowdStrike Store.
Falcon Fusion provides an execution log and executed workflow visualization to help identify the best way to build out your workflows. Included in this view are any actions that have failed and data captured during the workflow, such as the VirusTotal data.
Falcon Fusion is a unified framework that allows you to build and automate complex workflows using contextual insights provided by CrowdStrike’s security cloud and partner apps.
This helps to reduce response times and provides flexible actions to stop breaches.