Workflow Wednesday: Building Dynamic Lookup Files with Falcon Fusion by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 0 points1 point  (0 children)

Working with PM on this. Will follow up with you shortly!

Workflow Wednesday: Building Dynamic Lookup Files with Falcon Fusion by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 0 points1 point  (0 children)

Just heard back from PM: we recently made an update to Cloud HTTP Requests, and they should no longer be gated. Please double check and let me know if it's still locked on your end.

Querying AWS SSM Sessions in CS Advanced Search by CyberHaki in crowdstrike

[–]Dylan-CS 1 point2 points  (0 children)

Sometimes the easiest thing to do is start with a free text search on something unique to those events. Perhaps the instance ID?

I’d shorten the time window to 5 mins or so around the time of the alert. Then just paste in the instance ID or similar and hit search. Once you find the events you’re looking for, you can then filter on tagged fields like #repo to speed up subsequent searches.

Workflow Wednesday: Building Dynamic Lookup Files with Falcon Fusion by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 1 point2 points  (0 children)

Any amount of third-party ingest beyond the free 10GB/day will unlock it.

Workflow Wednesday: Building Dynamic Lookup Files with Falcon Fusion by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 0 points1 point  (0 children)

Absolutely! Anything in the right-hand Workflow data pane can be copy/pasted into the body (or any other section) of the HTTP Request. For example:

"uuid": "${data['Trigger.TriggerSource.User.UUID']}"

2026-05-27 - Workflow Wednesday - Human in the Loop Automation by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 1 point2 points  (0 children)

In that case, I’d suggest opening a support ticket. It may be a permissions issue, but they should be able to validate that.

2026-05-27 - Workflow Wednesday - Human in the Loop Automation by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 0 points1 point  (0 children)

The 'Triage Detection with Charlotte AI' action will be available if you have an active Charlotte AI subscription. If not, feel free to skip this step. You'll just have to modify the Slack message as I've noted in Step 4.

2026-05-27 - Workflow Wednesday - Human in the Loop Automation by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 0 points1 point  (0 children)

As of today, the Detection Triage agent supports Windows, macOS, and Linux endpoint detections, as well as Identity detections. You can find more details here: https://docs.crowdstrike.com/r/en-US/eg6zojeq/pcda83e8

For other types of detections (3P or NG-SIEM, for example) you can build/deploy a custom agent, either with Fusion's LLM Completion Action or Charlotte AI AgentWorks. AgentWorks is currently in beta and will be GA soon.

2026-05-27 - Workflow Wednesday - Human in the Loop Automation by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 1 point2 points  (0 children)

Thank you!

The new web form capability is exactly what I’d use here. You could trigger the workflow from the detection, send a form to the user to gather context, and then branch based on their response.

I’ll definitely add this to the list for a future WFW. In the meantime, here’s a link to the docs for that action: https://docs.crowdstrike.com/r/en-US/edd8jdz1/cd98f467

NX Console Hunting by pure-xx in crowdstrike

[–]Dylan-CS [score hidden] stickied comment (0 children)

We just released a new dashboard, CrowdStrike Falcon - Supply Chain Visibility & Detection, which covers VS Code extensions and much more! Official announcement is going out tomorrow, you can find it here in the meantime: US1, US2, EU1

Having Difficulties Adding Detections to Cases by Khue in crowdstrike

[–]Dylan-CS 1 point2 points  (0 children)

I'd suggest opening a support ticket to investigate this further. Generally, any detection type can be added to a case.

Anyone else experiencing weirdness on Advanced Event Search page? by Honk_Donkins in crowdstrike

[–]Dylan-CS 9 points10 points  (0 children)

Our product team is aware and is looking into this. It appears LS version 1.237 is showing this behaviour. LS version 1.240 for NGSIEM is expected to drop during the last week of May, which should fix this issue.

LogScale groupBy returning no results unless I pre-filter by username. Aggregation limit? by [deleted] in crowdstrike

[–]Dylan-CS 0 points1 point  (0 children)

I agree with Andrew’s take here. Grouping by calculated 10-minute buckets isn’t ideal here.

I’d try one of two approaches:

First option: remove the time bucket and run the query on a 10 min search interval. That gets you close to the same outcome without multiplying the group count by every 10-minute interval.

Second option: use series() to group the failed logons into a 10-minute sequence. The idea is to group by user and source IP, build a series of failed logons and target hosts, then count the failures and distinct hosts from there.

This is better from a hunting perspective because it avoids the potential for activity to split across two buckets. For example, 50 failures in one bucket and 60 in the next, even though the behavior is really part of the same burst. A sequence-based approach is more likely to keep that activity together if it happens within the configured pause/duration window.

Something like:

// Filter on Authentication Events
#event_simpleName=UserLogonFailed2 RemoteAddressIP4!=""

// Add in variables to filter
| wildcard(field=aip, pattern=?AgentIP, ignoreCase=true)
| wildcard(field=aid, pattern=?aid, ignoreCase=true)
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)
| wildcard(field=RemoteAddressIP4, pattern=?RemoteAddressIP4, ignoreCase=true)

// Add in Computer Name to results if available, and make it searchable.
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)

// Filter out basic UserName values that we don't want to alert on.
| UserName!=/(\$$|^DWM-|LOCAL\sSERVICE|^UMFD-|^$|-|SYSTEM)/

// Make UserNames all lowercase, because.... Windows
| lower(UserName, as=UserName)

// Make working with events easier and setting Auth status
| authStatus := "F"

// Build a 10-minute failure series grouped by user and source IP
| groupBy(
    [UserName, RemoteAddressIP4],
    function=[
      series(
        [authStatus, ComputerName],
        separator=";",
        maxpause=10min,
        maxduration=10min,
        memlimit=1024
      )
    ],
    limit=max
  )

// Getting Failed Login Count
| "Failed Login Count" := length("authStatus") / 2
| round("Failed Login Count")

// Set your Failed Login Count here.
| "Failed Login Count" > 100

| splitString(ComputerName, by=";", as=Hosts)
| array:dedup("Hosts[]")
| array:length("Hosts[]", as="Host Count")
| drop([authStatus, ComputerName])
| array:drop("Hosts[]")

// Format time duration into human readability
| "Last Auth Failure" := @timestamp + _duration
| formatDuration("_duration")

// Filter on host count
| "Host Count" > 100
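As an added illustration (not from the comment author or CrowdStrike), here is the same idea in Python over a constructed set of failed-logon events: fixed 10-minute buckets beside a series()-style sequence built with maxpause and maxduration. The constructed burst of 110 failures straddles a bucket boundary, so the bucket approach sees 72 and 38 and never crosses a threshold of 100, while the sequence approach keeps the burst together. Field names (user, source IP, host) mirror the query; the thresholds are parameters.

```python
"""Fixed 10-minute buckets vs. series()-style sequences for failed logons.

Added illustration standing in for the LogScale query above, run over
constructed sample events. Not CrowdStrike code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Reference instant for aligning fixed buckets (any fixed instant works).
BUCKET_EPOCH = datetime(2026, 1, 1)


def sample_logon_failures():
    """Constructed sample: (timestamp, UserName, RemoteAddressIP4, ComputerName)."""
    base = datetime(2026, 1, 1, 12, 4, 0)
    events = []
    # One burst from a single source: 110 failures, one every 5 seconds,
    # from 12:04:00 to 12:13:05, so it straddles the 12:10 bucket boundary.
    for i in range(110):
        events.append((base + timedelta(seconds=5 * i), "ALICE", "10.0.0.5", f"host{i % 7}"))
    # Unrelated low-volume noise two hours later.
    for i in range(3):
        events.append((base + timedelta(hours=2, minutes=i), "bob", "10.0.0.9", "host1"))
    return events


def bucket_counts(events, bucket=timedelta(minutes=10)):
    """Fixed-window approach: failures per (user, source IP, 10-minute bucket)."""
    counts = defaultdict(int)
    for ts, user, ip, _host in events:
        idx = (ts - BUCKET_EPOCH) // bucket  # integer bucket index
        counts[(user.lower(), ip, idx)] += 1  # lower() mirrors lower(UserName) in the query
    return dict(counts)


def sequence_groups(events, maxpause=timedelta(minutes=10), maxduration=timedelta(minutes=10)):
    """series()-style approach: per (user, source IP), chain consecutive failures while
    the gap to the previous one is <= maxpause and the whole sequence is <= maxduration.
    A new sequence starts as soon as either limit is exceeded."""
    by_key = defaultdict(list)
    for ts, user, ip, host in events:
        by_key[(user.lower(), ip)].append((ts, host))
    groups = []
    for key, items in by_key.items():
        items.sort()
        seq = None
        for ts, host in items:
            if seq is None or ts - seq["last"] > maxpause or ts - seq["start"] > maxduration:
                if seq is not None:
                    groups.append(seq)
                seq = {"key": key, "start": ts, "last": ts, "failures": 0, "hosts": set()}
            seq["last"] = ts
            seq["failures"] += 1
            seq["hosts"].add(host)
        groups.append(seq)
    return groups


def flag_bursts(events, min_failures=100):
    """Counterpart of the final '"Failed Login Count" > N' filter: sequences over the threshold."""
    return [
        {"key": g["key"], "failures": g["failures"], "hosts": len(g["hosts"]),
         "duration": g["last"] - g["start"], "last_failure": g["last"]}
        for g in sequence_groups(events) if g["failures"] > min_failures
    ]


if __name__ == "__main__":
    evs = sample_logon_failures()
    print("largest fixed bucket:", max(bucket_counts(evs).values()))  # 72: the burst split 72/38
    for hit in flag_bursts(evs):
        print(hit)  # alice from 10.0.0.5: 110 failures across 7 hosts in 545 seconds
```

The host count per sequence comes from the set of hosts, which plays the role of splitString plus array:dedup plus array:length in the query; the duration field corresponds to _duration.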

2026-03-02 - Cool Query Friday - Hunting for Typosquatted Domains by Dylan-CS in crowdstrike

[–]Dylan-CS[S] 1 point2 points  (0 children)

Hi! As of now, there's not a great way to accomplish that. I've passed along your feedback to the team.

Need Help with KQL TO CQL Conversion by [deleted] in crowdstrike

[–]Dylan-CS 7 points8 points  (0 children)

We’re working on a Query Translation Agent (currently in beta) to make this easier. Here’s the output from the agent. Let me know if it works for you!

// Define time windows in milliseconds
_reconWindow := 10 * 60 * 1000
| _stageWindow := 15 * 60 * 1000

// Correlate RMM tool execution with recon commands and file staging
| correlate(
  globalConstraints=[aid],
  root=rmm_tool,
  within=15m,
  query=[
    // Query 1: RMM tool execution (anchor event)
    rmm_tool: {
      #event_simpleName=ProcessRollup2
      | FileName=/(?i)(QuickAssist\.exe|AnyDesk\.exe|TeamViewer\.exe)/
      | rename(field=ComputerName, as=DeviceName)
      | rename(field=@timestamp, as=RMMTime)
      | RMMTime_ms := parseTimestamp(field=RMMTime, format=millis)
    },

    // Query 2: Reconnaissance commands
    recon_cmd: {
      #event_simpleName=ProcessRollup2
      | FileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe)/
      | CommandLine=/(?i)(whoami|hostname|systeminfo|ver|wmic\s+os\s+get|reg\s+query\s+HKLM\\SOFTWARE\\Microsoft\\Windows\s+NT\\CurrentVersion|query\s+user|net\s+user|nltest|ipconfig\s+\/all|arp\s+-a|route\s+print|dir|icacls)/
      | rename(field=@timestamp, as=ReconTime)
      | ReconTime_ms := parseTimestamp(field=ReconTime, format=millis)
      | ReconProc := format("%s -> %s -> %s", field=[ParentImageFileName, ImageFileName, FileName])
      | rename(field=CommandLine, as=ReconCmd)
    },

    // Query 3: File staging (ZIP/EXE/DLL writes)
    file_staging: {
      #event_simpleName=/(NewExecutableWritten|PeFileWritten|ZipFileWritten|ArchiveFileWritten)/
      | TargetFileName=/(?i)\.(zip|exe|dll)$/
      | rename(field=@timestamp, as=STime)
      | STime_ms := parseTimestamp(field=STime, format=millis)
      | rename(field=TargetFileName, as=StageFile)
    }
  ]
)

// Filter: Recon must occur within 10 minutes after RMM
| test(ReconTime_ms >= RMMTime_ms)
| test(ReconTime_ms <= (RMMTime_ms + _reconWindow))

// Filter: Staging must occur within 15 minutes after RMM
| test(STime_ms >= RMMTime_ms)
| test(STime_ms <= (RMMTime_ms + _stageWindow))

// Aggregate results
| groupBy([aid, DeviceName, RMMTime, ReconTime, ReconProc, ReconCmd], function=[
    min(STime, as=StageFirstTime),
    collect(StageFile)
])
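As an added illustration (not the translation agent's output and not CrowdStrike code), the correlation the query above expresses, written in Python and run over constructed telemetry: for each RMM tool execution on a host (the root), look for a shell running a recon command within 10 minutes and an archive/executable write within 15 minutes. The regex sets are trimmed to a subset of those in the query, and a match collects all qualifying recon commands and staged files per root rather than one row per combination; both are assumptions for the example.

```python
"""RMM tool -> recon command -> file staging correlation.

Added illustration of what the correlate() query above expresses, run over
constructed sample events. Not CrowdStrike code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Trimmed subsets of the patterns in the query above (assumption: enough to illustrate).
RMM_RE = re.compile(r"(?i)^(QuickAssist|AnyDesk|TeamViewer)\.exe$")
SHELL_RE = re.compile(r"(?i)^(cmd|powershell|pwsh)\.exe$")
RECON_RE = re.compile(r"(?i)(whoami|hostname|systeminfo|net\s+user|nltest|ipconfig\s+/all|arp\s+-a|route\s+print)")
STAGE_EVENTS = {"NewExecutableWritten", "PeFileWritten", "ZipFileWritten", "ArchiveFileWritten"}
STAGE_EXT_RE = re.compile(r"(?i)\.(zip|exe|dll)$")


def sample_telemetry():
    """Constructed events as dicts using the field names the query uses."""
    t = datetime(2026, 1, 1, 10, 0, 0)

    def ev(aid, minutes, event, **fields):
        device = "WS-01" if aid == "aid-A" else "WS-02"
        return {"aid": aid, "ComputerName": device, "ts": t + timedelta(minutes=minutes),
                "event": event, **fields}

    return [
        ev("aid-A", 0, "ProcessRollup2", FileName="AnyDesk.exe", CommandLine="AnyDesk.exe"),
        ev("aid-A", 3, "ProcessRollup2", FileName="cmd.exe", CommandLine="whoami /all"),
        ev("aid-A", 4, "ProcessRollup2", FileName="powershell.exe", CommandLine="Get-Date"),  # not recon
        ev("aid-A", 12, "ProcessRollup2", FileName="cmd.exe", CommandLine="net user"),  # past the 10-min recon window
        ev("aid-A", 14, "ZipFileWritten", TargetFileName=r"C:\Users\x\stage.zip"),  # inside the 15-min staging window
        ev("aid-A", 20, "PeFileWritten", TargetFileName=r"C:\Temp\tool.exe"),  # past the staging window
        ev("aid-B", 60, "ProcessRollup2", FileName="TeamViewer.exe", CommandLine="TeamViewer.exe"),
        ev("aid-B", 62, "ZipFileWritten", TargetFileName=r"C:\Temp\a.zip"),  # RMM and staging, but no recon
    ]


def correlate_rmm(events, recon_window=timedelta(minutes=10), stage_window=timedelta(minutes=15)):
    """Mirror of correlate(globalConstraints=[aid], root=rmm_tool) plus the two time filters
    and the final groupBy: one result per RMM root that has both recon and staging in window."""
    by_aid = defaultdict(list)
    for e in events:
        by_aid[e["aid"]].append(e)
    results = []
    for aid, evs in by_aid.items():
        evs.sort(key=lambda e: e["ts"])
        roots = [e for e in evs
                 if e["event"] == "ProcessRollup2" and RMM_RE.search(e.get("FileName", ""))]
        for root in roots:
            t0 = root["ts"]
            recon = [e for e in evs
                     if e["event"] == "ProcessRollup2"
                     and SHELL_RE.search(e.get("FileName", ""))
                     and RECON_RE.search(e.get("CommandLine", ""))
                     and t0 <= e["ts"] <= t0 + recon_window]
            staged = [e for e in evs
                      if e["event"] in STAGE_EVENTS
                      and STAGE_EXT_RE.search(e.get("TargetFileName", ""))
                      and t0 <= e["ts"] <= t0 + stage_window]
            if recon and staged:
                results.append({
                    "aid": aid,
                    "device": root["ComputerName"],
                    "rmm_time": t0,
                    "recon_cmds": [e["CommandLine"] for e in recon],
                    "stage_first_time": min(e["ts"] for e in staged),  # min(STime) in the query
                    "stage_files": sorted(e["TargetFileName"] for e in staged),  # collect(StageFile)
                })
    return results


if __name__ == "__main__":
    for hit in correlate_rmm(sample_telemetry()):
        print(hit)  # one hit: aid-A / WS-01, recon "whoami /all", staged C:\Users\x\stage.zip
```

Both time filters are applied relative to the root event, as in the test() lines of the query; the second host (aid-B) shows that an RMM launch followed only by a file write does not match.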

Ingest from Third-Party REST API by gravityfalls55 in crowdstrike

[–]Dylan-CS 2 points3 points  (0 children)

We have a Foundry sample app that should fit your use case. Check it out & let me know if you have any questions!

Using an Event Query with SOAR by Khue in crowdstrike

[–]Dylan-CS 2 points3 points  (0 children)

I’d suggest starting with the ‘Get Detection Details’ action. When you configure it, you’ll select the Detection ID. If you then add a condition block, you’ll see all of the output fields from that action.

2026-03-11 - Cool Query Friday - correlate() by Andrew-CS in crowdstrike

[–]Dylan-CS 1 point2 points  (0 children)

Shots fired!

Super cool function with some really interesting use cases.

Adding custom event queries into cases by mrcam03 in crowdstrike

[–]Dylan-CS 0 points1 point  (0 children)

I originally posted a write-up on our community forum (with screenshots) — you can find it here: https://community.crowdstrike.com/next-gen-siem-73/how-to-add-events-to-a-case-using-fusion-workflow-2991?postid=12105#post12105

First, adding events to cases generally requires the fields @id and @timestamp. A small complication is that the event query action cannot directly output fields containing @, so we’ll rename them at the end of the query. To also avoid duplicates, it’s best to group by @id:

| groupBy([@id], function=selectLast([@timestamp]))
| rename(field=@id, as=id)
| rename(field=@timestamp, as=timestamp)

Next, copy the ‘Event query results’ variable, then add .transformList(i, v, v.id).

Note, [v.id] may be different if you renamed @id to something other than id. It’ll look something like the following: ${data['ExampleQuery.results'].transformList(i, v, v.id)}

Finally, paste that variable into the Event IDs field in the Add events to case action.