Skip to content
CrowdStrike Developer Center

Fusion SOAR

Falcon Fusion SOAR provides workflow automation for security orchestration, automation, and response (SOAR). Create workflows that trigger on security events, run on schedules, or execute on demand to automate investigation, enrichment, and response actions.

Getting started

Section titled “Getting started”

Fusion SOAR workflows can be built in two ways:

  • Directly in the Falcon console — Use the visual workflow builder at Fusion SOAR > Workflows to create workflows with drag-and-drop actions, conditions, and loops.
  • Through Falcon Foundry — Build reusable workflow templates as part of a Foundry app, with API integrations, functions, and custom SOAR actions. See the Foundry Workflow Templates documentation.

Key capabilities

Section titled “Key capabilities”
CapabilityDescription
TriggersStart workflows on demand, on a schedule, or in response to platform events (detections, incidents).
ActionsCall CrowdStrike APIs, execute Foundry functions, run event queries, send notifications, write to LogScale.
HTTP ActionsCall external REST APIs directly from workflows without building a full Foundry integration. Supports Cloud, CrowdStrike, and On-Premises modes.
ConditionsBranch workflow logic based on data values using CEL expressions.
LoopsIterate over lists of data (sensor IDs, query results, etc.) with concurrent or sequential execution.

Developer resources

Section titled “Developer resources”

For developers building Fusion SOAR integrations and automation:

Limits

Section titled “Limits”
LimitDefault Value
Max size of Action results10 MB
Max data per Fusion ingestion action into Next-Gen SIEM950 KB
Max Fusion execution log retention90 days
Max Loop iterations within a workflow100,000
Max rows per search result from Next-Gen SIEM integration10,000
Minimum granularity for scheduled workflows1 hour
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use