Falcon Fusion SOAR provides workflow automation capabilities to orchestrate security operations. Create, manage, and execute workflows that integrate Falcon capabilities with third-party tools for automated incident response and threat remediation.
Workflow Management
Get-FalconWorkflow
Search for Falcon Fusion SOAR workflows.
# Get all workflows
Get-FalconWorkflow -All
# Get workflow executions
Get-FalconWorkflow -Execution -Filter "status:'failed'" -Detailed
Parameters
-Id: Workflow execution identifier(s)
-Filter: Falcon Query Language expression to limit results
-Sort: Property and direction to sort results
-Limit: Maximum number of results per request (1-500)
-Offset: Position to begin retrieving results
-Execution: Retrieve information about workflow executions
-All: Repeat requests until all available results are retrieved
-Total: Display total result count instead of results
Export-FalconWorkflow
Export a Falcon Fusion SOAR workflow to YAML.
Export-FalconWorkflow -Id <workflow_id> -Path "C:\Workflows\myworkflow.yaml"
Parameters
-Id: Workflow identifier
-Sanitize: Remove potentially identifiable information before export
-Path: Destination path. If not provided, the file is created in the current directory using the workflow identifier as its name
-Force: Overwrite an existing file when present
Import-FalconWorkflow
Import a Falcon Fusion SOAR workflow from YAML.
Import-FalconWorkflow -Path "C:\Workflows\incident_response.yaml" -Name "Incident Response Workflow"
Parameters
-ValidateOnly: Validate the workflow without creating it
-Path: Path to Falcon Fusion SOAR workflow YAML file
-Name: Name for the imported workflow
Invoke-FalconWorkflow
Execute an on-demand Falcon Fusion SOAR workflow.
# Execute workflow by ID with trigger data
$TriggerData = @{
detection_id = "ldt:abc123..."
severity = "critical"
} | ConvertTo-Json
Invoke-FalconWorkflow -Id <workflow_id> -Json $TriggerData
Parameters
-Id: Workflow definition identifier
-Name: Workflow name (alternative to Id)
-Json: JSON string defining workflow trigger key/value pairs
-Cid: Target CID. Child CIDs supported in Flight Control environments
-Key: Optional UUID to help de-duplicate executions
-Depth: Execution depth limit to prevent loops (1-4)
-Source: Optional source URL for auditing
Redo-FalconWorkflow
Resume or retry a failed Falcon Fusion SOAR workflow execution.
Redo-FalconWorkflow -Id <execution_id>
Parameters
-Id: Workflow execution identifier(s)
Workflow Actions
Get-FalconWorkflowAction
Search for Falcon Fusion SOAR workflow actions.
# Get all available workflow actions
Get-FalconWorkflowAction -All
# Get actions from library
Get-FalconWorkflowAction -Library -Filter "category:'crowdstrike'" -All
Parameters
-Filter: Falcon Query Language expression to limit results
-Sort: Property and direction to sort results
-Limit: Maximum number of results per request (1-500)
-Offset: Position to begin retrieving results
-Library: Retrieve actions from the library
-All: Repeat requests until all available results are retrieved
-Total: Display total result count instead of results
Workflow Triggers
Get-FalconWorkflowTrigger
Search for Falcon Fusion SOAR workflow triggers.
Get-FalconWorkflowTrigger -Filter "trigger_type:'detection'"
Parameters
-Filter: Falcon Query Language expression to limit results
Get-FalconWorkflowInput
Retrieve information about Falcon Fusion SOAR workflow human inputs.
Get-FalconWorkflowInput -Id <input_id>
Parameters
-Id: Human input identifier(s)
Use Cases
Automated Detection Response
# Create workflow trigger data for a detection
$Detection = Get-FalconDetection -Id "ldt:abc123..." | Select-Object -First 1
$TriggerData = @{
detection_id = $Detection.detection_id
severity = $Detection.max_severity_displayname   # detections expose severity as max_severity (numeric) and max_severity_displayname (text)
hostname = $Detection.device.hostname
username = $Detection.behaviors[0].user_name
} | ConvertTo-Json
# Execute incident response workflow
Invoke-FalconWorkflow -Name "Automated Incident Response" -Json $TriggerData
Export and Backup Workflows
# Export all workflows for backup
$Workflows = Get-FalconWorkflow -All
$BackupPath = "C:\Workflow_Backups\$(Get-Date -Format 'yyyyMMdd')"
New-Item -Path $BackupPath -ItemType Directory -Force | Out-Null
foreach ($Workflow in $Workflows) {
    # Include the workflow identifier in the file name: two workflows whose names
    # sanitize to the same string would otherwise overwrite each other
    $SafeName = $Workflow.name -replace '[^a-zA-Z0-9_-]','_'
    $FileName = "$($SafeName)_$($Workflow.id).yaml"
    Export-FalconWorkflow -Id $Workflow.id -Path "$BackupPath\$FileName" -Sanitize $true
    Write-Host "Exported: $($Workflow.name)"
}
Workflow Execution Monitoring
# Monitor workflow executions
# Midnight UTC. The filter value carries a Z suffix, so it must be a UTC time, not local midnight
$Today = [datetime]::UtcNow.Date.ToString('yyyy-MM-ddTHH:mm:ssZ')
$Executions = Get-FalconWorkflow -Execution -Filter "start_timestamp:>'$Today'" -Detailed -All
# Analyze execution status
$Summary = $Executions | Group-Object -Property status | Select-Object Name, Count
Write-Host "Workflow Execution Summary:"
$Summary | Format-Table -AutoSize
# Retry failed executions
# Caveat: a retry re-runs whatever actions the workflow performs, so review
# the failures before retrying in bulk
$FailedExecutions = @($Executions | Where-Object { $_.status -eq 'failed' })
if ($FailedExecutions.Count -gt 0) {
    Write-Host "Found $($FailedExecutions.Count) failed executions"
    Redo-FalconWorkflow -Id $FailedExecutions.execution_id
}
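The monitoring script above counts executions by status for one day. The following added example (not part of PSFalcon or of this page) goes a step further and computes per-definition health: failure rate, 95th-percentile duration and executions that have been running with no end_timestamp for longer than a threshold. It runs offline on constructed sample records shaped like the execution fields this page uses (execution_id, definition_id, status, start_timestamp, end_timestamp); the thresholds and the sample data are assumptions.

```powershell
# Added example (not PSFalcon code): per-definition health from execution records.
# The thresholds below are assumptions; tune them per environment.
function Get-WorkflowExecutionHealth {
    param(
        [Parameter(Mandatory)][object[]]$Execution,
        [double]$MaxFailureRate = 0.25,      # flag definitions failing more often than this
        [int]$StuckAfterMinutes = 60,        # flag runs with no end_timestamp older than this
        [datetime]$Now = [datetime]::UtcNow
    )
    $culture = [cultureinfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $parse   = { param($s) [datetime]::Parse($s, $culture, $styles) }

    $Execution | Group-Object -Property definition_id | ForEach-Object {
        $group  = $_.Group
        $failed = @($group | Where-Object { $_.status -eq 'failed' }).Count
        $stuck  = @($group | Where-Object {
            -not $_.end_timestamp -and
            ($Now - (& $parse $_.start_timestamp)).TotalMinutes -gt $StuckAfterMinutes
        }).Count
        $durations = @($group | Where-Object { $_.end_timestamp } | ForEach-Object {
            ((& $parse $_.end_timestamp) - (& $parse $_.start_timestamp)).TotalSeconds
        } | Sort-Object)
        $p95 = if ($durations.Count -gt 0) {
            $idx = [int][math]::Ceiling($durations.Count * 0.95) - 1
            $durations[[math]::Max(0, $idx)]
        } else { $null }
        $rate = [math]::Round($failed / $group.Count, 2)
        [pscustomobject]@{
            DefinitionId = $_.Name
            Total        = $group.Count
            Failed       = $failed
            FailureRate  = $rate
            Stuck        = $stuck
            P95Seconds   = $p95
            Alert        = ($rate -gt $MaxFailureRate) -or ($stuck -gt 0)
        }
    }
}

# Constructed sample records (not real Falcon data) using the fields the page relies on
$Sample = @(
    [pscustomobject]@{ execution_id='e01'; definition_id='wf-contain'; status='completed'; start_timestamp='2024-05-01T10:00:00Z'; end_timestamp='2024-05-01T10:00:20Z' }
    [pscustomobject]@{ execution_id='e02'; definition_id='wf-contain'; status='completed'; start_timestamp='2024-05-01T10:05:00Z'; end_timestamp='2024-05-01T10:05:25Z' }
    [pscustomobject]@{ execution_id='e03'; definition_id='wf-contain'; status='failed';    start_timestamp='2024-05-01T10:10:00Z'; end_timestamp='2024-05-01T10:10:05Z' }
    [pscustomobject]@{ execution_id='e04'; definition_id='wf-contain'; status='running';   start_timestamp='2024-05-01T09:00:00Z'; end_timestamp=$null }
    [pscustomobject]@{ execution_id='e05'; definition_id='wf-enrich';  status='completed'; start_timestamp='2024-05-01T10:00:00Z'; end_timestamp='2024-05-01T10:00:02Z' }
    [pscustomobject]@{ execution_id='e06'; definition_id='wf-enrich';  status='completed'; start_timestamp='2024-05-01T10:01:00Z'; end_timestamp='2024-05-01T10:01:03Z' }
    [pscustomobject]@{ execution_id='e07'; definition_id='wf-notify';  status='failed';    start_timestamp='2024-05-01T10:00:00Z'; end_timestamp='2024-05-01T10:00:01Z' }
    [pscustomobject]@{ execution_id='e08'; definition_id='wf-notify';  status='completed'; start_timestamp='2024-05-01T10:02:00Z'; end_timestamp='2024-05-01T10:02:01Z' }
)
$Now = [datetime]::Parse('2024-05-01T12:00:00Z', [cultureinfo]::InvariantCulture,
    [System.Globalization.DateTimeStyles]::AdjustToUniversal)
$Health = Get-WorkflowExecutionHealth -Execution $Sample -Now $Now
$Health | Format-Table -AutoSize

# wf-contain alerts because e04 has run since 09:00 with no end_timestamp,
# wf-notify alerts on a 0.5 failure rate; wf-enrich is healthy.
if (@($Health | Where-Object Alert).DefinitionId -notcontains 'wf-contain') { throw 'expected wf-contain to alert' }
if (@($Health | Where-Object Alert).DefinitionId -contains 'wf-enrich')     { throw 'wf-enrich should be healthy' }

# In production, feed real records instead of $Sample, e.g.
# $Health = Get-WorkflowExecutionHealth -Execution (Get-FalconWorkflow -Execution -Filter "start_timestamp:>'$Today'" -All)
```

Treat a stuck execution differently from a failed one: Redo-FalconWorkflow resumes or retries a failed execution, while a long-running execution is usually waiting on a human input or an external integration and should be inspected rather than retried.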
Import Custom Workflows
# Validate workflow before import
$ValidationResult = Import-FalconWorkflow -Path "C:\Workflows\custom_workflow.yaml" -ValidateOnly $true
if ($ValidationResult.valid) {
Write-Host "Workflow is valid" -ForegroundColor Green
# Import workflow
$NewWorkflow = Import-FalconWorkflow -Path "C:\Workflows\custom_workflow.yaml" `
-Name "Custom Security Workflow"
Write-Host "Imported workflow: $($NewWorkflow.id)"
} else {
Write-Warning "Workflow validation failed: $($ValidationResult.errors)"
}
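Workflows imported into Fusion SOAR run privileged actions, so a YAML file taken from the backup directory above should be verified before it is re-imported, not only syntax-checked with ValidateOnly. The following added example (not part of PSFalcon or of this page) writes a SHA-256 manifest for a directory of exported workflow YAML files and refuses a file whose current hash no longer matches. The directory, file names and YAML contents in the demo are constructed; the Import-FalconWorkflow call at the end is shown only to illustrate where the check belongs.

```powershell
# Added example (not PSFalcon code): SHA-256 manifest for exported workflow YAML,
# plus a check that gates a re-import on the file still matching the manifest.
function New-WorkflowBackupManifest {
    param([Parameter(Mandatory)][string]$Path)
    $files = Get-ChildItem -Path $Path -Filter '*.yaml' -File | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            file   = $_.Name
            sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest = [pscustomobject]@{
        created = [datetime]::UtcNow.ToString('o')
        files   = @($files)
    }
    $manifest | ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $Path 'manifest.json') -Encoding utf8
    $manifest
}

function Test-WorkflowBackupFile {
    # True only when the file is listed exactly once in the manifest and its hash matches
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $manifest = Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json
    $leaf  = Split-Path -Leaf $FilePath
    $entry = @($manifest.files | Where-Object { $_.file -eq $leaf })
    if ($entry.Count -ne 1) { return $false }
    $actual = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
    return ($actual -eq $entry[0].sha256)
}

# Demo on a temporary directory with two constructed YAML files (not real exports)
$Backup = Join-Path ([IO.Path]::GetTempPath()) "wf_backup_$([guid]::NewGuid())"
New-Item -Path $Backup -ItemType Directory | Out-Null
Set-Content -Path (Join-Path $Backup 'Host_Containment.yaml') -Value "name: Host Containment`nversion: 1"
Set-Content -Path (Join-Path $Backup 'Enrichment.yaml')       -Value "name: Enrichment`nversion: 1"
New-WorkflowBackupManifest -Path $Backup | Out-Null
$Manifest = Join-Path $Backup 'manifest.json'
$Target   = Join-Path $Backup 'Host_Containment.yaml'

if (-not (Test-WorkflowBackupFile -FilePath $Target -ManifestPath $Manifest)) { throw 'fresh export should verify' }

# Simulate tampering: an extra step appended after the backup was taken
Add-Content -Path $Target -Value "actions:`n  - run_script"
if (Test-WorkflowBackupFile -FilePath $Target -ManifestPath $Manifest) { throw 'modified file must fail verification' }
"Tampered file correctly rejected: $Target"

# Where the check belongs in the import flow (hypothetical call, not executed here):
# if (Test-WorkflowBackupFile -FilePath $Target -ManifestPath $Manifest) {
#     Import-FalconWorkflow -Path $Target -ValidateOnly $true
# }
Remove-Item -Path $Backup -Recurse -Force
```

A manifest stored beside the files only catches accidental edits or an attacker who cannot also rewrite manifest.json; for a real tamper-evidence guarantee keep the manifest (or a signature over it) somewhere the backup directory's writers cannot reach.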
Automated Containment Workflow
# Execute containment workflow for critical detections
# Detection severity is filterable as max_severity (numeric) or max_severity_displayname (text)
$CriticalDetections = Get-FalconDetection -Filter "max_severity_displayname:'Critical'+status:'new'" -Detailed
foreach ($Detection in $CriticalDetections) {
$TriggerData = @{
detection_id = $Detection.detection_id
device_id = $Detection.device.device_id
hostname = $Detection.device.hostname
action = "contain"
} | ConvertTo-Json
Write-Host "Executing containment workflow for $($Detection.device.hostname)"
# A fresh GUID is a valid execution key, but because it differs on every run it
# de-duplicates nothing: re-running this script against the same detections
# starts containment again. Derive the key from the detection identifier when
# the script may be re-run.
Invoke-FalconWorkflow -Name "Host Containment" -Json $TriggerData -Key ([guid]::NewGuid().ToString())
}
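The containment loop above needs an execution key that is stable for a given detection, so that a second run of the script (or a second instance of it) submits the same key rather than a new random GUID. The following added example (not part of PSFalcon or of this page) builds a name-based UUID in the RFC 4122 version-5 style from a detection identifier; that Falcon de-duplicates executions sharing a key is taken from the Key parameter description above and is an assumption about its semantics. The detection identifiers are constructed, and the Invoke-FalconWorkflow call at the end is shown only as illustration.

```powershell
# Added example (not PSFalcon code): deterministic RFC 4122 version-5 style UUID
# derived from a stable name such as a detection identifier. The same name always
# yields the same key, so a re-run submits the same -Key value instead of a fresh GUID.
function New-WorkflowExecutionKey {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Any fixed UUID works as the namespace; this one is the RFC 4122 DNS namespace
        [string]$Namespace = '6ba7b810-9dad-11d1-80b4-00c04fd430c8'
    )
    $hex     = $Namespace -replace '-', ''
    $nsBytes = [byte[]]::new(16)
    for ($i = 0; $i -lt 16; $i++) {
        $nsBytes[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
    }
    $nameBytes = [Text.Encoding]::UTF8.GetBytes($Name)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try   { $hash = $sha1.ComputeHash([byte[]]($nsBytes + $nameBytes)) }
    finally { $sha1.Dispose() }
    $b = $hash[0..15]
    $b[6] = ($b[6] -band 0x0F) -bor 0x50   # version 5 (name-based, SHA-1)
    $b[8] = ($b[8] -band 0x3F) -bor 0x80   # RFC 4122 variant
    $h = -join ($b | ForEach-Object { $_.ToString('x2') })
    '{0}-{1}-{2}-{3}-{4}' -f $h.Substring(0, 8), $h.Substring(8, 4), $h.Substring(12, 4), $h.Substring(16, 4), $h.Substring(20, 12)
}

# Constructed detection identifiers (not real data)
$DetectionA = 'ldt:0123456789abcdef0123456789abcdef:1234567890'
$DetectionB = 'ldt:0123456789abcdef0123456789abcdef:1234567891'

# Prefixing the action name scopes the key, so the same detection can still
# trigger a different workflow (e.g. enrichment) under a different key
$KeyA1 = New-WorkflowExecutionKey -Name "contain:$DetectionA"
$KeyA2 = New-WorkflowExecutionKey -Name "contain:$DetectionA"
$KeyB  = New-WorkflowExecutionKey -Name "contain:$DetectionB"

if ($KeyA1 -ne $KeyA2) { throw 'key must be stable for the same detection' }
if ($KeyA1 -eq $KeyB)  { throw 'different detections must yield different keys' }
if ($KeyA1 -notmatch '^[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$') {
    throw 'result is not a version-5 UUID'
}
"Key for ${DetectionA}: $KeyA1"

# Use inside the page's containment loop (hypothetical call, not executed here):
# Invoke-FalconWorkflow -Name "Host Containment" -Json $TriggerData `
#     -Key (New-WorkflowExecutionKey -Name "contain:$($Detection.detection_id)")
```

Because the key is derived from the detection, a scheduled run that sees the same new critical detection twice hands Falcon the same key both times; what Falcon does with a repeated key should be confirmed against the Fusion SOAR documentation for your tenant before relying on it as the only guard against duplicate containment.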
Workflow Library Management
# List available workflow actions by category
$Actions = Get-FalconWorkflowAction -Library -All
$ActionsByCategory = $Actions | Group-Object -Property category | ForEach-Object {
[PSCustomObject]@{
Category = $_.Name
Count = $_.Count
Actions = ($_.Group | Select-Object -ExpandProperty name) -join ', '
}
}
$ActionsByCategory | Format-Table -AutoSize -Wrap
Multi-Tenant Workflow Execution
# Execute workflow across multiple child CIDs (Flight Control)
$ChildCIDs = @('cid1', 'cid2', 'cid3')
$TriggerData = @{
task = "security_scan"
timestamp = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
} | ConvertTo-Json
# Execute the workflow once per child tenant; -Cid is documented as a single target CID
foreach ($Cid in $ChildCIDs) {
    Write-Host "Executing workflow in CID $Cid"
    Invoke-FalconWorkflow -Id <workflow_id> -Cid $Cid -Json $TriggerData
}
Workflow Execution History
# Generate execution report for specific workflow
$WorkflowId = "abc123..."
$Executions = Get-FalconWorkflow -Execution -Filter "definition_id:'$WorkflowId'" -All
$Report = $Executions | Select-Object @{
Name = 'ExecutionID'
Expression = { $_.execution_id }
}, @{
Name = 'Status'
Expression = { $_.status }
}, @{
Name = 'StartTime'
Expression = { $_.start_timestamp }
}, @{
Name = 'Duration'
Expression = {
if ($_.end_timestamp) {
([datetime]$_.end_timestamp - [datetime]$_.start_timestamp).TotalSeconds
} else { 'Running' }
}
}
$Report | Export-Csv -Path "workflow_execution_report.csv" -NoTypeInformation
Requires Workflow: Read scope for read operations and Workflow: Write scope for executing, importing, and modifying workflows.
Use the ValidateOnly parameter when importing workflows to test YAML syntax and structure before creating the workflow.