How to Operationalize Falcon Horizon

November 7, 2021

CrowdStrike Tech Center


Cloud Security Posture Management products help companies monitor for various human errors, misconfigurations and malicious behaviors across public cloud environments. To maximize the value of any CSPM solution, the findings need to be consumable, actionable and incorporated into daily operations.


Policy Assessments

CrowdStrike’s CSPM solution, Falcon Horizon, includes easy-to-read dashboards that deliver visibility and policy-based assessment of multi-cloud deployments. On the left side, the dashboard reports configuration-based findings. On the right side, the findings are based on indicators of attack or behavioral policies.

For each cloud provider, CrowdStrike offers a comprehensive list of policies for various services along with supporting documentation to help companies define, measure and achieve security compliance. As an example, Falcon Horizon includes a number of policies for the AWS Identity and Access Management service. In addition to compliance-driven policies, CrowdStrike includes a few policies designed to enforce the use of complex passwords.

For each policy, the supporting details include service subtype, description and steps for remediation.

Notification Workflows

In addition to assessments and documentation, CrowdStrike supports notification workflows to facilitate operationalized cloud security. From the Falcon menu, workflows are accessible under “Configuration”.

The “Create a workflow” option will present all of the available categories.

By choosing “Cloud Security”, the workflow is automatically associated with the assessment findings.

The next step is to “Add conditions” that should trigger the workflow. 

The menus include a number of variables and operations to ensure flexibility and satisfy any number of use cases. In this example, the cloud service should equal IAM. Then, additional conditions are added requiring each of the four password complexity policy statements: the use of symbols, upper case letters, lower case letters, and numbers. This workflow will trigger an alert for any IAM password policy that does not require any of these specifications.

With the conditions defined, the next step is to select a notification action. This workflow will send an email that includes the findings to the level one response team with the subject “Simple Password” anytime all of the conditions are met. Finally, the workflow can be named and assigned a detailed description. This is just one example of how notifications can be used to ensure action is taken to resolve specific CSPM findings.
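
The same four complexity requirements can be checked directly against an AWS account password policy, which is useful for confirming a finding before or after remediation. The following is an added example, not CrowdStrike code and not part of Falcon Horizon: it reads policies in the shape returned by the AWS IAM `GetAccountPasswordPolicy` call and builds an email-style alert with the subject used above. The account IDs and policies are constructed, the function names are hypothetical, and flagging a policy when at least one of the four requirements is missing is an assumption about how the conditions combine.

```python
import json

# Keys as returned by AWS IAM GetAccountPasswordPolicy; the labels follow the article.
COMPLEXITY_FLAGS = {
    "RequireSymbols": "symbols",
    "RequireUppercaseCharacters": "upper case letters",
    "RequireLowercaseCharacters": "lower case letters",
    "RequireNumbers": "numbers",
}

def missing_requirements(policy):
    """Return the complexity rules a PasswordPolicy dict does not enforce.

    A flag that is absent or anything other than true counts as not enforced.
    """
    policy = policy or {}
    return [label for key, label in COMPLEXITY_FLAGS.items()
            if policy.get(key) is not True]

def build_notification(account_id, policy, subject="Simple Password"):
    """Build an email-style alert, or return None when all four rules are enforced."""
    missing = missing_requirements(policy)
    if not missing:
        return None
    return {
        "subject": subject,
        "account": account_id,
        "service": "IAM",  # mirrors the "cloud service equals IAM" condition
        "body": "Password policy does not require: " + ", ".join(missing),
    }

# Constructed sample data (account IDs and policies are made up for illustration).
SAMPLE_POLICIES = json.loads("""
{
  "111111111111": {"PasswordPolicy": {"MinimumPasswordLength": 14,
      "RequireSymbols": true, "RequireNumbers": true,
      "RequireUppercaseCharacters": true, "RequireLowercaseCharacters": true}},
  "222222222222": {"PasswordPolicy": {"MinimumPasswordLength": 8,
      "RequireSymbols": false, "RequireNumbers": true,
      "RequireUppercaseCharacters": false, "RequireLowercaseCharacters": true}},
  "333333333333": {"PasswordPolicy": {"MinimumPasswordLength": 6}}
}
""")

def run(samples=SAMPLE_POLICIES):
    """Evaluate every account and return only the alerts that would be sent."""
    alerts = (build_notification(acct, rec.get("PasswordPolicy"))
              for acct, rec in sorted(samples.items()))
    return [a for a in alerts if a]

if __name__ == "__main__":
    for alert in run():
        print(alert["subject"], alert["account"], alert["body"])
```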


The use of public cloud infrastructure increases an organization’s attack surface as well as risk around human error, misconfigurations and compliance issues. Falcon Horizon not only provides multi-cloud visibility and assessment, but also helps organizations operationalize cloud security with dashboards, granular policy options, recommended remediation steps and notification workflows.
