Tutorial: Custom SOAR Action

Build a Foundry app that connects to an external API, exposes its operations as custom SOAR actions, and uses them in Fusion SOAR workflows. This tutorial demonstrates importing an OpenAPI spec, configuring autocomplete for workflow builders, and ingesting results into LogScale.

A Foundry app that:

  1. Imports an external API’s OpenAPI specification
  2. Exposes API operations as Fusion SOAR actions with autocomplete
  3. Creates a scheduled workflow that fetches data and writes it to LogScale
  4. Creates an on-demand workflow for ad-hoc operations

Prerequisites:

  • Falcon Foundry entitlement
  • Falcon Administrator or Foundry App Developer role
  • An OpenAPI/Swagger spec for the external API (JSON or YAML)
  • API credentials for the external service

Create the app:

  1. Go to Foundry > App manager.
  2. Click Create app > Start from scratch.
  3. Name the app and click Create.

Import the API's OpenAPI spec:

  1. In the App Builder, go to API integrations.
  2. Click Create integration.
  3. Select Import OpenAPI spec.
  4. Upload your OpenAPI JSON or YAML file.
  5. Review the auto-generated operations.
  6. Configure authentication (API key, OAuth 2.0, etc.).
  7. Test each operation against the live API.

For each operation parameter that workflow builders will fill in:

  1. Open the operation’s advanced settings.
  2. Enable Autocomplete on the parameter.
  3. Choose the data source:
    • Static list for fixed values
    • Dynamic list referencing another operation
  4. Map the response fields to display label and value.

Share the actions:

  1. In the App Builder, go to Workflow templates.
  2. Set Share settings to allow other users to use your custom SOAR actions in their workflows.

Create the scheduled workflow:

  1. Click Create workflow.
  2. Set the trigger to Scheduled (e.g., every hour).
  3. Add an action using your API integration operation.
  4. Add a Write to log repo action to ingest the results into a LogScale repository.
  5. Save and deploy.

Create the on-demand workflow:

  1. Create another workflow with an On-demand trigger.
  2. Add the API operation that performs an action (e.g., deactivate a user).
  3. Configure the trigger inputs so operators can provide the required parameters when executing.

Deploy and release the app:

  1. Click Deploy in the App Builder.
  2. After deployment succeeds, click Release.
  3. Install the app from the App Catalog.

Your custom SOAR actions are now available in the Fusion SOAR workflow builder for all users. The scheduled workflow automatically fetches data on your configured interval and ingests it into LogScale. The on-demand workflow allows operators to trigger actions when needed.

Next steps:

  • Add collections for persistent state management
  • Build a dashboard to visualize the ingested data
  • Publish your app to the App Catalog for other CrowdStrike customers