Understanding Foundry
Falcon Foundry is CrowdStrike’s application development platform. Build custom apps that run natively inside the Falcon console — UI extensions that surface in detection panels, automated workflows that trigger on security events, serverless functions that call external APIs, and dashboards that visualize your security data. Apps built on Foundry have direct access to Falcon’s APIs, data, and user interface without managing external infrastructure.
Requirements
| Requirement | Detail |
|---|---|
| Subscription | Falcon Foundry entitlement. Contact your CrowdStrike representative for details. |
| Roles | Falcon Administrator or Foundry App Developer |
| Supported clouds | US-1, US-2, EU-1, US-GOV-1 |
Capabilities
Foundry apps are composed of one or more of the following capabilities:
| Capability | Description |
|---|---|
| API Integration | Connect to external APIs and CrowdStrike APIs. Expose operations as SOAR actions with autocomplete configuration. |
| Collections | Store structured data natively on the Falcon platform. JSON Schema-based, FQL-queryable, accessible from functions and workflows. |
| Functions | Run serverless code in Python or Go. Call APIs, process data, write to LogScale. |
| Queries | Embed LogScale (CQL) queries and saved searches in your app for dashboards and reports. |
| RTR Scripts | Include Real Time Response scripts that execute on endpoints. |
| Workflow Templates | Build Fusion SOAR workflow templates with triggers, conditions, and actions. |
| UI Extensions | Add panels, tabs, and cards to existing Falcon console pages (6 socket types). |
| UI Pages | Create custom full-page experiences with their own navigation entry in the Falcon console. |
| Dashboards | Build dashboard views with widgets that display query results. |
When to Use Foundry
Use Foundry when you need to:
- Add custom UI panels to detection, incident, or host detail pages
- Automate security workflows that call third-party APIs
- Build internal tooling that lives inside the Falcon console
- Ingest and query custom data sources in Next-Gen SIEM
- Create scheduled or event-driven integrations with external platforms
- Distribute reusable security apps through the CrowdStrike App Catalog
Developer Workflow
Building a Foundry app follows six stages:
- Create — Start a new app in the Falcon console or with the Foundry CLI
- Develop — Add capabilities (functions, integrations, UI, workflows, etc.)
- Test — Use development mode, preview mode, and local testing
- Deploy — Push your app to the Falcon platform
- Release — Make the deployed version available for installation
- Install — Install the released app for users in your CID
Building in the Falcon Console vs. the CLI
| Capability | Falcon Console | Foundry CLI |
|---|---|---|
| API Integrations | Yes | Yes |
| Collections | Yes | Yes |
| Functions | Yes (Python only, browser editor) | Yes (Python, Go) |
| Queries | Yes | Yes |
| RTR Scripts | No | Yes |
| UI Extensions | Yes (Extension Builder, no-code) | Yes (full framework access) |
| UI Pages | No | Yes |
| Dashboards | Yes | No |
| Workflow Templates | Yes | Yes |
The Falcon console provides a visual, no-code/low-code experience for building apps. The Foundry CLI provides full programmatic control and supports additional languages and capabilities.
App Templates
App templates are pre-built apps available in the Falcon console’s Content Library. You can deploy a template directly, or clone it as a starting point for your own app. Templates are editable — you can inspect and modify the source, unlike CrowdStrike Store apps, which are closed-source.
Browse templates in Foundry > Templates in the Falcon console.