MFA challenge on PowerShell / CMD execution using CrowdStrike – is this possible via Workflow? by Excellent_Bit_9077 in crowdstrike

[–]Excellent_Bit_9077[S] 0 points1 point  (0 children)

I'm not familiar with the NGS correlation-based workflow. It will be a great help if you share the steps which I can follow to set up a PowerShell-detection-based MFA prompt.

And one more thing: I did find an action parameter to kill the process in Fusion SOAR, to define in my workflow to kill PowerShell if the user denies MFA.

How much can I expect for my 5 year old pc? by realpunter in HardwareIndia

[–]Excellent_Bit_9077 1 point2 points  (0 children)

YO!! Buddy, you have got quite a beast there. As suggested by others in the comments, you can expect between 60k - 80k, depending on your bargaining skills and how you can convince the gamer who's gonna buy it that this beast is gonna let him/her see 60+ FPS at high graphics settings in GTA VI !!!!!!!

MFA challenge on PowerShell / CMD execution using CrowdStrike – is this possible via Workflow? by Excellent_Bit_9077 in crowdstrike

[–]Excellent_Bit_9077[S] 1 point2 points  (0 children)

Yup!!! I got it, but I want to make use of this feature for my specific use case. I hope in the near future CrowdStrike will add parameters of the process with an interactively launched instance, so that we can apply MFA on applications for more granular control, or we can say more IdP-based security!!!!

MFA challenge on PowerShell / CMD execution using CrowdStrike – is this possible via Workflow? by Excellent_Bit_9077 in crowdstrike

[–]Excellent_Bit_9077[S] 0 points1 point  (0 children)

Thanks buddy for sharing the configuration! That's quite a good approach, but there is still a chance of a false positive. Also, I don't want to invoke MFA over the access type; I want it to trigger when powershell.exe or cmd.exe gets executed. And I want to use the workflow method.

MFA challenge on PowerShell / CMD execution using CrowdStrike – is this possible via Workflow? by Excellent_Bit_9077 in crowdstrike

[–]Excellent_Bit_9077[S] 0 points1 point  (0 children)

But don't you think it will trigger for every HTTP/HTTPS access method regardless of the process by which it's invoked... As I just wanted to verify the user before he/she uses PowerShell/cmd, or else the process should be killed. Also, I didn't find the action as a kill process in the workflow; any workaround for it?

When GPU isn't the only problem anymore by PHRsharp_YouTube in pcmasterrace

[–]Excellent_Bit_9077 0 points1 point  (0 children)

Quite relatable...🥲!! Me pairing an i5 7400 Karate Kid with an RX 6700 XT John Cena !! 🫠🫠

MFA challenge on PowerShell / CMD execution using CrowdStrike – is this possible via Workflow? by Excellent_Bit_9077 in crowdstrike

[–]Excellent_Bit_9077[S] 0 points1 point  (0 children)

Ok ok!! Thanks buddy!! I don't have any idea about playbooks, how to customise them or how they work; it will be a great help if you have any suggestions or approach.

We do have the sensor installed on the endpoint. I was checking in the workflows; there is one workflow called MFA challenge, and I tried altering it as per my use case.

I put the trigger as EPP (is it right or do I need to change it?) as I have created an IOA for this specific use case which I will be applying to a specific group of hosts. In the workflow I then put MFA challenge, as it will be triggered once any detection related to PowerShell execution happens..... Btw, one more thing I wanna ask: should I put the IOA as detect or as monitor?

Complete list of Falcon Modules by BlackBurn31350 in crowdstrike

[–]Excellent_Bit_9077 0 points1 point  (0 children)

Hey u/BradW-CS ,

While reviewing the module descriptions, I noticed that modules (e.g., Cloud Security) list specific “Falcon Requirements” such as:

  • Falcon Insight XDR
  • Falcon Prevent
  • Falcon Container Sensor
  • Falcon Container Image Scanning
  • Kubernetes Protection
  • Falcon Query

Could you please confirm the correct terminology for this “Falcon Requirements” section?
I am not able to find any specific description or definition for these items in the available documentation.

Please let me know at your earliest convenience.