NX Console Hunting
Hey experts,
wondering why nobody discusses hunting for VS Code extensions?
Quite a few KQL queries floating around, but no CQL.
Do I miss a channel for this?
Thank you
Happy MCP Monday y'all!!
This release adds three new modules, lands us on the MCP registry, and cleans up a bunch of rough edges.
### New modules:
• Falcon Shield (SaaS Security) — visibility into SaaS app risks and posture
• CSPM Findings — query cloud security findings and manage suppression rules
• Case Management — search, create, and manage Falcon cases
### Other highlights:
• Published to the MCP registry — easier discovery and installation
• Deprecated incidents module removed (use alerts instead)
• Tool descriptions standardized across all modules for better LLM tool selection
• Auth failures now surface diagnostic details instead of generic errors
• outputSchema omitted from tools/list to fit within client context budgets
### Bug fixes:
• Connectivity check now retries auth before reporting failure
• NGSIEM async tests actually execute now (oops)
Full changelog: https://github.com/CrowdStrike/falcon-mcp/blob/main/CHANGELOG.md
Hey all,
Still learning the ins and outs of the Falcon platform. I've been grouping like detections into cases recently as a way of organizing and keeping everything central for tracking. I logged in today and went along my little process I've been using and I noticed today, I haven't been able to add detections to a case. I've tried to group add and I've also tried to add one at a time but no luck.
Is there a timing thing I haven't noticed before? Does this sometimes happen? Are there certain detection types I cannot link/associate to a case?
Hi everyone,
Can this be done using CrowdStrike SOAR or a similar platform?
Requirement is:
When a host gets a High or Critical detection, automatically look back at that host’s previous High/Critical detections and show:
Main goal is to give analysts quick historical context during investigation.
Has anyone implemented this in CrowdStrike SOAR, SIEM, or XDR workflows? Would appreciate recommended approaches or playbook ideas.
Need some advice from people who create executive-level BPA/security assessment reports.
I’m working on a CrowdStrike BPA report that will be reviewed mainly by the CISO and higher management team, not by SOC analysts/admins.
The challenge is around presenting unassigned detections.
Current data after review:
Total detections: 281,159
False positives: 261,629 detections caused by one custom IOA rule flagging fsquirt.exe (legitimate Windows process)
Remaining detections after filtering false positives: 19,375
Unassigned detections (last 90 days): 18,425
Severity breakdown:
867 Critical
1,150 High
653 Medium
201 Low
15,554 Informational
The question from leadership is:
“Are these detections real threats/true positives or not?”
The problem is:
I have not individually investigated thousands of detections, so I cannot confidently classify them as true positives or false positives.
At the same time, doing detailed analysis for every alert would make the BPA report extremely large and too technical for executive readers.
So I’m trying to understand the best way to present this in a concise executive format.
Basically, how do you present large volumes of unassigned detections in a BPA report without making it a SOC investigation document or a long technical story that leadership won’t read?
Would appreciate examples or guidance from people who regularly build CISO-facing assessment reports.
A couple days ago I noticed that when I changed the time interval for a query, I would have to do it twice. The query would just run again for the previous time interval. I would have to choose the one I wanted again every time. Now, when I click in the query and start to type, it takes me to line 1 position 1 every time no matter where I clicked. It shows the cursor there where I clicked and even shows the first character I type for a split second. Then the cursor moves to the very beginning. The color formatting also briefly goes away and comes back.
This is more an annoyance than anything else. Just wondering if I'm the only one. I am using MS Edge.... But I've completely cleared my cache and relaunched/restarted and I'm still having this issue.
Thanks!
We're trying to decide between IOA and IOC rules for controlling a specific application in Falcon. IOC feels like the right call since it's hash-based, no path manipulation, no false positives from renamed executables. But the obvious problem is scale: every time the vendor ships a new version, the hash changes and we'd have to manually add it.
To make things worse, the vendor doesn't publish official hashes alongside their releases, so there's no authoritative source to pull from, we'd have to generate and verify them ourselves from each new installer, which obviously doesn't scale.
Does anyone have a workflow for keeping up with this automatically? A few options I've been considering:
The IOA route is more resilient to version changes and doesn't require chasing hashes, but it feels less precise and easier to spoof. Curious how others are handling this, especially when the vendor gives you nothing to work with out of the box.
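One way to take the manual hash-chasing out of the IOC route, as an added example that is not part of the post above: verify each new installer's Authenticode signature against the vendor's expected signer before trusting its SHA256, then emit only the verified hashes for the IOC allow list. The directory path, the signer subject pattern and the output JSON field names are placeholders of my own, not Falcon's.

```powershell
# Added example, not from the post. Assumed inputs: a folder of freshly
# downloaded installers and the vendor's code-signing subject (placeholders).
param(
    [string]$InstallerDir    = 'C:\Installers\VendorApp',   # assumed path
    [string]$ExpectedSubject = 'CN=Example Vendor Inc*'     # placeholder signer
)

$results = foreach ($file in Get-ChildItem -Path $InstallerDir -Filter *.exe -File) {
    # Authenticode check: status must be Valid and the signer must be the vendor,
    # so a renamed or tampered binary never makes it into the allow list.
    $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
    $trusted = ($sig.Status -eq 'Valid') -and
               ($sig.SignerCertificate.Subject -like $ExpectedSubject)

    [pscustomobject]@{
        File      = $file.Name
        SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Trusted   = $trusted
    }
}

# Anything that failed the signature check is surfaced for manual review
# instead of being silently added.
$results | Where-Object { -not $_.Trusted } | Format-Table File, SigStatus, Signer

# Verified hashes go to a JSON file for the IOC upload step (field names are
# my own; map them to whatever your IOC import process expects).
$results | Where-Object Trusted |
    Select-Object @{n='type';        e={ 'sha256' }},
                  @{n='value';       e={ $_.SHA256 }},
                  @{n='description'; e={ "$($_.File) signed by $($_.Signer)" }} |
    ConvertTo-Json | Set-Content -Path (Join-Path $InstallerDir 'ioc-allowlist.json')
```

Run it as part of whatever job fetches new vendor releases; the signature gate is what makes the hash trustworthy when the vendor publishes none.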
Welcome to our first Workflow Wednesday!
We’re starting with a simple but useful pattern: building an on-demand Fusion SOAR workflow that lets an analyst contain a host directly from the case workbench.
The idea is straightforward. If a host is already sitting in a case, the analyst shouldn’t have to bounce between consoles, hunt for the right device ID, or remember which tool owns which action. Containment should be right there.
Today we’re building an on-demand Fusion SOAR workflow that appears inside the case workbench when a host entity is present.
When the analyst runs it, the host’s Agent ID, or AID in CrowdStrike lingo, gets pulled in automatically. The analyst adds a note, clicks execute, and Falcon contains the device.
Before building from scratch, it’s worth checking the content library. Fusion already ships with 120+ OOTB playbooks that use the On demand trigger. They’re useful for ideas, patterns, and seeing how others have wired these together.
You can find them here - US1, US2, EU1, GOV
One more note before we build: some containment actions are already available directly in the case workbench, but we’re not using those today.
Why? First, they can’t be customized. In this example, we want the analyst to add a note before containment, which the built-in action doesn’t support. Second, they can’t easily be extended across other tools, which matters now that Next-Gen SIEM supports Microsoft Defender and other connected response actions.
For this post, we’re starting with a blank canvas so you can see how the pieces fit together.
Navigate to Fusion SOAR → Workflows.
Click Create workflow, then select Create workflow from scratch.
The first thing you’ll configure is the trigger. Select On demand.
On-demand triggers are exactly what they sound like: an analyst runs them manually when they need to take action. We’ll get into other trigger types another time. For now, we’ll stick with on-demand.
The input schema defines what data gets passed into the workflow at execution time.
That data can come from the analyst manually, automatically from the case entity, or both.
Under root, click the plus button to add a new field.
Since we’re building host containment, the field we need is the machine identifier. In CrowdStrike terms, that’s the Agent ID, or AID.
Set the property name to aid.
Click Apply, then select this new field.
Here’s the part that actually matters: the Format should have automatically been set to Sensor ID.
That format is what tells Falcon how to map this workflow to entities in the case workbench. Because aid is formatted as a Sensor ID, Falcon knows this workflow is relevant to host entities. That’s how it surfaces in the right place when an analyst is looking at a host inside a case.
Click Apply, then Next.
Click the green flag under the trigger for Actions.
Search for Contain device and select it.
You’ll see two inputs:
For Device ID, click the dropdown and select Aid.
Fusion should surface the relevant workflow fields automatically.
Leave Note alone for now. We’ll wire that up in the next step.
Click Next.
Go back into the On demand trigger and add a second field under the input schema.
Name it Notes, click Apply, then select it.
If you want analysts to be required to fill this in before executing the workflow, check Required and click Apply.
That makes sense if your process requires business justification for response actions. It’s also useful for future-you, who may be wondering why a host was isolated at 2 AM.
Click Next.
Go back to the Contain device action.
From the workflow data pane on the right, click on the Notes field and paste it into the Note input.
Now, whatever the analyst types gets passed into the containment action as part of the execution. This note can be found within the workflow execution logs, as well as the Fusion audit trail.
Click Next.
That’s the whole workflow.
In the top-right corner, click Save Draft.
You’ll need to give it a name. This name shows up in the case workbench, so make it clear and action-oriented.
Something like ‘Isolate Host with Falcon Sensor’.
Then publish and enable the workflow.
Open a case that has a host entity, go to the workbench and click on the host.
On the right side, look for Fusion SOAR workflows.
Your new workflow should be listed there.
Click the eye icon to view the workflow, or click the lightning bolt to open the execution pane.
Because aid was formatted as Sensor ID, the AID populates automatically from the host entity. The analyst reviews the pre-populated inputs, adds any required notes, and clicks Execute now to run the workflow.
Once executed, Falcon contains the host.
The key concept tying all of this together is the Format field in the input schema.
The format of the input field determines where the workflow appears in the case workbench and what data gets passed into the workflow automatically.
For this workflow, aid mapped to Sensor ID, which made the workflow available on host entities.
That same idea applies to other entity types too.
Here’s the cheat sheet I’d keep nearby when building these:
| Case workbench entity | Common input formats you can use |
|---|---|
| Host / hostname | aid, hostname, ipv4, ipv6, cloudInstanceID |
| IP address | ipv4, ipv6, aid, hostname, cloudInstanceID |
| Domain / DNS request | domain, url |
| User | userID, userSID, email, responseUserID |
| Process | aid, commandLine, localFilePath, userSID, sha256, investigatableID |
| File | sha256, md5, localFilePath |
| Hash | sha256, md5 |
Host containment is the obvious starting point, but the same pattern works across a ton of response scenarios.
For hosts, you could build workflows to:
For users, you could build workflows to:
For indicators and network entities, you could build workflows to:
The same model applies beyond first-party CrowdStrike actions. If the tool is connected to Fusion and has actions available, you can start chaining together response steps across Falcon and third-party tools from the same case workflow.
That's it for our first Workflow Wednesday! The goal wasn’t to build the most advanced workflow possible. It was to show the basic pattern:
On-demand trigger → input schema → field format → action → Case Workbench
Once that pattern makes sense, the rest is just deciding what should be one click away for your analysts.
Drop any questions, or let us know what workflows you want to see covered next.
Morning,
Quick question on Access Scopes.
We have multiple teams in our environment and we want them to be able to manage their own hosts and investigate alerts accordingly. We've switched to SCIM and scoped out their endpoints using dynamic host groups (endpoints are all domain joined).
I've been looking at creating an access scope to restrict event searches etc. to just their domain. I've checked the online guidance but it hasn't provided much insight.
Am I looking at this all wrong? Is it even possible to do what I'm asking (using Access Scopes or any other methods).
Appreciate any pointers.
Thanks!
Hi. A client submitted a document with a feature checklist to see if CrowdStrike is compliant with their requirements. One of the line items is alerting for their mobile device. We initially assumed that this can be covered by email alerts but apparently there's a separate line item for that. The line item refers to SMS alerts so tried to check on Fusion Workflow if there is an option but it seems that Twilio is the only option with messaging.
I tried to search on the internet for other options, in case there is a native SMS alert feature, but so far, no good.
Has anyone here set up SMS alerts for their CrowdStrike instance? Would love to see if it's possible without integrations or how it can be configured through supported integrations. Thank you!
We normally create scheduled searches that emails us if there is a detected event. But we were wondering if it's possible to turn it into a detection instead of sending an email?
This would also make it easier for us to ingest it in Splunk if we can convert a query into a real time detection.
Any advice is appreciated on this one.
Hi, is there someone here monitoring their Windows 10 hosts that have ESU.
How do you monitor it in CS?
A former colleague of mine has about ~100K endpoints (Windows, Linux, macOS) of workstations and servers running across the globe at their present employer and asked my opinion, since I run a large BigFix deployment of 80K endpoints. I am a former Ivanti, SCCM and Tanium admin. The EDR they use is Trellix. For IT operations, they use a combination of Intune and Tanium. They are evaluating CrowdStrike for EDR to replace Trellix. CrowdStrike by far is the leader in EDR and an easy yes to recommend for EDR. CrowdStrike sales people are also pitching that they can replace Tanium with Falcon for IT. They use Tanium for OS patching, app deployment, policy enforcement and asset management. Has anyone replaced Tanium or other similar IT operational tools (e.g., Ivanti, SCCM, BigFix) with Falcon for IT? Having trouble finding any information on sizable deployments of Falcon for IT doing IT operational work at the level of a Tanium or BigFix. I ran into a former CrowdStrike employee, at a JAMF conference, who worked in their internal IT and she said CrowdStrike internally uses JAMF, SCCM and Ansible to manage their macOS, Windows Server and Linux systems. They showed me a CrowdStrike job posting from Jan 2026 that showed them looking for an SCCM admin. So I am suspicious whether Falcon for IT is ready for prime time, since CrowdStrike is not even using it internally and they do not have any large customers using it. If you have any positive or negative experience in using Falcon for IT and have used it to displace incumbent tools, like SCCM, Tanium, BigFix for IT operational work, would love to hear your feedback.
Hi everyone, I am trying to create a rule in NG-SIEM for USB exfiltration. For now I have the events, excluded our bot accounts, took the data in bytes, and converted it to MB.
What I am asking is whether there is a way to check the Mass Storage policy from endpoint protection; there we have an allow list and I would like to exclude it from the rule being generated.
I am not an ENG; I am doing this as an analyst to develop myself further.
Hey everyone, I feel like I'm a little cheated here and I'd love to hear back from the community on a few things, experiences, thoughts, etc. and please prove me absolutely wrong!
We were approached by a third party selling CrowdStrike EDR+MDR; we were iffy at the start until we realised that it checks off a lot of our internal audit issues (where our existing didn't quite). We've done our homework; I've been personally watching CrowdStrike for a few years and been to a few of their summits, etc.
Now we have passed our first onboarding meeting where the company basically said, 'you'll have access to reporting, but nothing else'. This was a hard line to me. I thought we were purchasing a product that we could manage ourselves, but that they and CrowdStrike were in our back pocket if anything happened that we couldn't handle. I did not realise and was not told that it was basically a SaaS model where we didn't have access to even whitelist our own applications and the like.
We are in-house IT, we have a team, we do everything from 'my Excel isn't loading' to 'there's a fire in the server room'. We are hands on, we don't like leaving this to MSPs or service providers. We do seek assistance where we need it, and we have a great relationship with the service providers we have chosen to align with, but even with them we have come to agreements to access things like our FWaaS and ERPaaS in the back end for all of the nitty gritty we do.
Am I wrong that 'CrowdStrike for Service Providers' is basically a SaaS product and we don't/can't get access to manage it ourselves? Should this company be able to get licensing and still do the management on the side after it's configured, with us being fully capable of changes?
For the sake of the argument, let's ignore the 'what if you break something and claim it was them' rant, because yes, this could be a thing; no, it has never happened with our other vendors.
At the moment with this vendor it could take anywhere between 10 mins and 4 hrs for them to get back to emails and calls, to the point where I've often called their Directors for assistance on issues where no support has been available, so I don't quite .. trust .. that they will be able to do 0day fixes for us as we need it (note: I have complete faith in CrowdStrike).
Hi,
Looking at the last April Patch Tuesday by Microsoft, there are 7 critical RCE vulnerabilities that were fixed on Windows, and I am trying to understand whether CrowdStrike Falcon prevents the exploitation of these vulnerabilities or not.
Am I exposed to the exploitation of these while I have the Falcon EDR?
The CVEs are:
* CVE-2026-32190
* CVE-2026-33115
* CVE-2026-33114
* CVE-2026-32157
* CVE-2026-33826
* CVE-2026-33824
* CVE-2026-33827
Curious what others are doing in production environments: