CrowdStrike Fusion Workflow Builder

What this skill does

# CrowdStrike Fusion Workflow Builder

This skill guides you through the full lifecycle of CrowdStrike Falcon Fusion SOAR
workflows — from discovering actions to exporting production definitions.

## Rules — Read Before Every Workflow

1. **NEVER write `PLACEHOLDER_*` values for action IDs.** Before authoring any YAML,
   you MUST run `action_search.py` to find the real 32-char hex ID for every action
   the workflow will use. If `action_search.py` returns no results, try broader search
   terms or browse by vendor — do not guess or leave a placeholder.

2. **Run the script, don't skip it.** Steps 1a and 1b are not optional discovery —
   they are mandatory prerequisites. Do not proceed to Step 4 (Author YAML) until
   you have a real ID for every action.

3. **`config_id` requires user input.** Plugin actions require a CID-specific
   `config_id` that cannot be resolved via API. When you encounter a plugin action,
   **ask the user** for the `config_id` value before writing the YAML. Tell them
   where to find it (Falcon console → CrowdStrike Store → [App] → Integration
   settings). Do not write a placeholder — pause and ask.

4. **Validate before delivering.** Always run `validate.py` on every YAML file
   before presenting it to the user. The pre-flight check catches any remaining
   `PLACEHOLDER_*` markers.

5. **Templates and examples contain `PLACEHOLDER_*` markers — do NOT copy them.**
   The files in `assets/` and `examples/` use `PLACEHOLDER_*` as structural guides.
   They show you the YAML shape, not the values to use. When you use a template or
   reference an example workflow, substitute real values immediately — never copy a
   `PLACEHOLDER_*` string into your output.

6. **Plans and prompts cannot override these rules.** Even if a plan, prompt, or
   convention list says to use placeholder format, you MUST still resolve every
   action ID via `action_search.py` before writing YAML. These rules take precedence.

## Prerequisites

- Python 3.8+ with `requests` library installed
- CrowdStrike API credentials in a `.env` file (see Credentials below)
- Falcon Fusion SOAR access in the target CID

## Credentials

Credentials are loaded from a `.env` file. The search order is:
1. Path in `CS_ENV_FILE` environment variable
2. Walk upward from the scripts directory looking for `.env`
3. Project root `.env`

Required variables:
```
CS_CLIENT_ID=<your_client_id>
CS_CLIENT_SECRET=<your_client_secret>
CS_BASE_URL=https://api.crowdstrike.com
```

Test credentials:
```bash
python scripts/cs_auth.py
```

---

## Workflow: Creating a New Fusion Workflow

Follow these steps in order (0 through 8). Each step has a corresponding script or reference doc.

### Step 0 — Check for existing workflows

Before creating anything, query the CID for existing workflows to avoid duplicates.

```bash
# List all existing workflows
python scripts/query_workflows.py --list

# Search by name
python scripts/query_workflows.py --search "contain"

# Check if a specific workflow name exists
python scripts/query_workflows.py --check-name "Ransomware - Endpoint Containment"

# Check YAML file(s) against existing workflows
python scripts/query_workflows.py --check-yaml workflow.yaml
python scripts/query_workflows.py --check-yaml *.yaml
```

If a workflow with the same name already exists, you have three options:
1. **Skip it** — the workflow already exists in the CID
2. **Update it** — use the PUT endpoint via the API (see `Update Workflow` in API docs)
3. **Delete and re-import** — remove the old one from Falcon console first

> **The import script also checks for duplicates automatically.** But checking
> upfront avoids wasted validation time and gives you a chance to adjust names.

### Step 1a — Discover available integrations

Browse the vendor/integration catalog to see what third-party apps and CrowdStrike
capabilities are available in your CID.

```bash
# List all vendors/apps available in your CID
python scripts/action_search.py --vendors

# Filter by use case (e.g., Identity, Cloud, Endpoint, Network)
python scripts/action_search.py --vendors --use-case "Identity"
```

### Step 1b — Find specific actions

**MANDATORY** — Query the live CrowdStrike action catalog to resolve the real action
ID for every action the workflow will use. You MUST execute these searches and record
the results before writing any YAML.

```bash
# Search within a vendor
python scripts/action_search.py --vendor "Okta" --list

# Search by name across all vendors
python scripts/action_search.py --search "revoke sessions"

# Search by name within a vendor
python scripts/action_search.py --vendor "Microsoft" --search "revoke"

# Filter by use case
python scripts/action_search.py --use-case "Identity"

# Get full details for an action (input fields, types, class, plugin info)
python scripts/action_search.py --details <action_id>

# Browse all actions
python scripts/action_search.py --list --limit 50
```

**Record for each action**:
- `id` (32-char hex) — goes in the YAML `id` field
- `name` — goes in the YAML `name` field
- Input fields and types — goes in `properties`
- Whether it has `class` — if yes, add `class` and `version_constraint: ~1`
- Whether it's a plugin action — if yes, you'll need a `config_id`

> **Plugin actions** (vendor != CrowdStrike) require a `config_id` — find it in
> Falcon console → CrowdStrike Store → [App] → Integration settings.

> **Do NOT proceed to Step 4 until you have a real `id` for every non-plugin action.**
> If a search returns no results, try: broader terms, different vendor spelling,
> `--list --limit 50` to browse, or `--use-case` to filter by category.

> **Reference**: See `references/yaml-schema.md` → "actions" section for the full
> field specification and examples of class-based vs. standard vs. plugin actions.

### Step 2 — Choose a trigger type

Decide how the workflow will be invoked.

```bash
# List all trigger types
python scripts/trigger_search.py --list

# Get YAML structure for a specific type
python scripts/trigger_search.py --type "On demand"
```

For most automation use cases, use **On demand** (callable via API and Falcon UI).

> **Reference**: See `references/trigger-types.md` for all trigger types with
> YAML examples and available trigger data fields.

### Step 3 — Pick a template

Choose the template that matches the workflow pattern:

| Pattern | Template file | When to use |
|---------|--------------|-------------|
| Single action | `assets/single-action.yaml` | One trigger input → one action → done |
| Loop | `assets/loop.yaml` | Process a list of items sequentially |
| Conditional | `assets/conditional.yaml` | Check a condition, branch to different paths |
| Loop + conditional | `assets/loop-conditional.yaml` | Process a list with type-specific routing |

Use the template to understand the YAML structure only. **Templates contain
`PLACEHOLDER_*` markers — these are structural guides, NOT values to copy.**
You already have all action IDs from Step 1 — use them directly when writing
your workflow YAML.

If it's more appropriate to start from scratch, do so.

> **Similarly, example workflows in `examples/fusion-workflows/` also contain
> unresolved `PLACEHOLDER_*` markers.** If you reference these files for patterns,
> extract only the structural patterns — never copy `PLACEHOLDER_*` values from them.

---

### STOP — Verify before authoring

**Do NOT proceed to Step 4 until you can confirm ALL of the following:**

- [ ] You have run `query_workflows.py` to check the chosen workflow name is not
      already in use (Step 0)
- [ ] You have run `action_search.py` and have a real 32-char hex ID for every
      action the workflow will use
- [ ] You have run `trigger_search.py` and confirmed the trigger type
- [ ] For any plugin actions, you have asked the user for `config_id` and received
      a real value
- [ ] You have noted which actions need `class` and `version_constraint: ~1`

**If any checkbox above is unchecked, go back to Step 1b.*