Workflow Templates
Workflow templates define automated sequences of actions in Falcon Fusion SOAR. They can be triggered by security events, run on a schedule, or executed on demand.
Creating a workflow template
In the Falcon console
- In the App Builder, go to Workflow templates.
- Click Create workflow.
- Configure the trigger, add actions and conditions, and connect them in the visual workflow builder.
In the CLI
Workflow templates can be created from YAML specification files using `foundry workflows create --spec <path>`. In practice, most developers build workflows visually in the Falcon console and export them, then use the CLI to include the exported spec in their app.
Triggers
| Trigger type | Description |
|---|---|
| On-demand | Manually executed by a user from the Falcon console. |
| Scheduled | Runs automatically on a defined schedule (e.g., every hour, daily). |
| Event-driven | Fires when a specific Falcon platform event occurs (detection, incident, etc.). |
Actions
Workflow actions are the building blocks of automation. Available action types:
| Action | Description |
|---|---|
| Call function | Execute a Foundry function and use its response in subsequent steps. |
| API integration operation | Call an operation on a configured API integration. |
| HTTP Action | Make a direct REST API call (Cloud, CrowdStrike, or On-Premises). |
| Event query | Execute a LogScale query and use the results. |
| Send notification | Send an email, post to a webhook, or create a Falcon notification. |
| Charlotte AI | Use the LLM Completion action to summarize or analyze data. |
| Collection operations | Read, write, list, or search collection objects. |
| Write to log repo | Ingest data into a LogScale repository. |
| Conditional | Branch the workflow based on a condition (if/else). |
| Loop | Repeat a sequence of actions until a condition is met. |
Event queries: Schema vs. schemaless
When using event query actions, you can choose between schema-validated and schemaless modes.
Schema-validated (default) — Foundry validates query results against a defined schema. Enables autocomplete and type checking in subsequent actions. Use when query results have a consistent structure.
Schemaless — Disables schema validation. Use when query results have variable structures (e.g., different detection types returning different fields). Access fields using CEL expressions:
```
data['eventQueryAction.field_name']
```
For variable fields that may not exist on every result, use CEL’s has() function or provide defaults:
```
has(data['eventQueryAction.optional_field']) ? data['eventQueryAction.optional_field'] : "N/A"
```
Share settings
Configure who can use your workflow template:
| Setting | Description |
|---|---|
| Private | Only the app developer can use the workflow. |
| Shared | All users with appropriate roles can view and execute the workflow. |
Shared workflows require the app to be deployed, released, and installed.
Debugging workflows
See Workflow Debugging & Testing for troubleshooting execution failures.