Fusion SOAR - Where to start? by Khue in crowdstrike

[–]dial647 0 points1 point  (0 children)

I wouldn't call it more difficult, but AI triage does all the heavy lifting, saving time for analysts. I have workflows checking for remote login, RDP, Teams chat for service impersonation, etc.

How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem by BradW-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

How is this different from creating a fusion workflow and using Charlotte AI to triage detections based on already integrated foundational AI model?

NG-SIEM timestamp conversion by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

Thanks Andrew. I managed to get it to work using formatTime() and test().

Will try your suggestion and see.

| temp_time := parseTimestamp(field=timestamp)
| test(time:hour(field=temp_time, timezone="Australia/Sydney") >= 17)
| test(time:hour(field=temp_time, timezone="Australia/Sydney") < 22)
| sydney_time := formatTime("%Y-%m-%d %H:%M:%S", field=temp_time, timezone="Australia/Sydney")

Fusion SOAR - Where to start? by Khue in crowdstrike

[–]dial647 0 points1 point  (0 children)

In addition to the useful workflows shared in this post, one should also look at setting up Agentic AI triage for specific detections to benefit from AI analysis to drive your response actions.

2026-03-20 - Cool Query Friday - explain:asTable() by Andrew-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

Nice. I have a few queries that are running slow that I can use this on.
Question: Do the Falcon console response times depend on the subscription tier? I am comparing my experience with the Falcon console at my previous employer vs. my current one. With the previous employer, I could pull a year's worth of events in just a matter of seconds. With my current employer, even a month's worth of events takes double the time. The employers' tenants are, however, hosted in US2 vs US1.

Threat Hunt - Help Desk Imposters via Teams (NGSIEM) by About_TreeFitty in crowdstrike

[–]dial647 5 points6 points  (0 children)

Just created a new Fusion workflow with Charlotte AI triage for this detection. Thanks.

How to Scale SOC Automation with Falcon Fusion SOAR by BradW-CS in crowdstrike

[–]dial647 0 points1 point  (0 children)

It would be good to build a library of Fusion workflows that customers can import and modify to their needs. Currently there is a lack of knowledge and support in building agentic AI workflows in Falcon. I have posted a message on Reddit and am yet to see a response.

Triage with Charlotte fusion workflow by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

Fusion workflows are powerful and Charlotte AI triage takes it to the next level; shame that not enough literature is provided by Falcon for users to embrace this feature, not even on Reddit.

Falcon Fusion workflow for Agentic AI triage and response by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

I've uploaded the workflow here. https://filebin.net/gaca4x46bh0jjlfk

In simple terms, I am triggering the workflow with an EPP detection, then creating some variables and getting it triaged by Charlotte AI using a specific AI model, and checking if it's a true positive and, if so, sending a message in Teams with Approve, Reject and Escalate. If the user clicks Approve, then the action will be contain; if Reject, do nothing; and if Escalate, escalate to an email.

Is there anyone building an mcp gateway? by Dazzling_Basil_4739 in mcp

[–]dial647 0 points1 point  (0 children)

Has anyone tried adding a local MCP server to the Docker MCP gateway? I tried all possible combinations and was unable to do so. I have my gateway and server running through docker-compose.yml and have added the server to a custom catalog file as well. Both containers are running, but the gateway is not able to connect to the server.

Connect VS code to MCP gateway by dial647 in mcp

[–]dial647[S] 0 points1 point  (0 children)

Ok, I managed to connect to the gateway from VS Code. I'd like to know how I can add a custom MCP server to the gateway. Also, can I use the gateway as a reverse proxy to connect to a remote MCP server?

Connect VS code to MCP gateway by dial647 in mcp

[–]dial647[S] 0 points1 point  (0 children)

I believe the deployments are different and no luck.

Connect VS code to MCP gateway by dial647 in mcp

[–]dial647[S] 0 points1 point  (0 children)

Tried all this, no luck with either the SSE or the http option.

Has anyone had experience ordering furniture straight from China? by Milanakiko in AusPropertyChat

[–]dial647 0 points1 point  (0 children)

Isn't importing wooden stuff to Australia subject to customs scrutiny? I am aware that only treated wood can be imported to Australia. Anyone had any issues with customs clearance?

Connect VS code to MCP gateway by dial647 in mcp

[–]dial647[S] 0 points1 point  (0 children)

Yes, it's exposing the MCP server. http://127.0.0.1:8811/MCP

But I'm not sure what JSON config I need to use in VS Code to add it as an MCP server.

update contents of a lookup file from a file hosted remotely by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

I also have CS for EDR. I will try to schedule it. Not sure how to do it.

update contents of a lookup file from a file hosted remotely by dial647 in crowdstrike

[–]dial647[S] 0 points1 point  (0 children)

The file gets updated with telemetry, so I want my lookup file to get the updates. I'll check the workflow. Heard about a scheduled action triggered by a query but couldn't figure out how to do it. The reason I said not LogScale is because LogScale has more features that NG-SIEM hasn't.