Building CrowdStrike workflows with Claude Code skills


TL;DR

$ claude
     /plugin marketplace add https://github.com/eth0izzle/security-skills.git
     /plugin install fusion-workflows@security-skills
     "generate a crowdstrike workflow to help contain endpoints after a ransomware attack"

It's 2am. You're knee deep in a ransomware incident. Endpoints are lighting up like a Christmas tree and the CISO is on the phone asking for a status update every 4 minutes. You know the playbook: contain the hosts, sweep for IOCs, lock down compromised identities, kill the malicious processes. You've done it a hundred times.

So you execute your IR workflows in CrowdStrike. You did build out those workflows, right? Using the workflow designer. With the drag-and-drop UI. Scrolling through thousands of actions to find the right node. Clicking into each one to configure its properties. Wiring up the connections. Adding a loop—wait, you need a variable node first. Testing it. It doesn't work. Back to the canvas. Rinse and repeat for each workflow in the playbook.

By the time you've finished building the containment workflow, the attacker has moved laterally to three more hosts.

What if you could just... describe what you want?

From UI to YAML to AI

Don't get me wrong, CrowdStrike's Fusion workflow editor is genuinely powerful. The building blocks are all there. But I find the workflow UI editor slow, cumbersome, and limited when writing complex queries. So I found myself writing workflows directly in YAML and importing them via the UI, which worked well.

Documentation is sparse at best though. So I started collecting hundreds of different workflows and built my own internal YAML documentation. Perfect to feed to an LLM. And of course the next logical step was to create a Claude Code skill that can one-shot my most complex workflows.

The skill teaches Claude Code how to create raw YAML workflows and interacts with the CrowdStrike Fusion API end-to-end. You describe a workflow such as the one in the video above: "Create a scheduled workflow that searches for logins of AD admins that are outside of our IP space (84.23.145.X)", and the skill will:

  • Query the live action catalogue (5,000+ actions across 100+ vendors) to find the right action IDs and input schemas based on your infrastructure setup (in this case, we use AD in Azure)
  • Ask you relevant questions such as workflow schedule, how to identify admins, and alerting preferences.
  • Choose the correct trigger type and workflow pattern (loop, conditional, loop+conditional)
  • Author the YAML with proper data references, CEL expressions, and variable management
  • Validate against the CrowdStrike API before import
  • Import directly into your CID

No dragging nodes around a canvas. Fully validated workflows in minutes.

How it works

Behind the scenes, Claude searches your CrowdStrike tenant's action catalogue to find the right containment action for your infrastructure. Use Okta instead of Entra? Claude knows this and tailors the workflow to your environment. It then generates the full workflow definition: trigger, loop, actions, data references, output fields. Everything wired up correctly.

Before anything touches your tenant, the workflow is validated: first locally for structural correctness, then against the CrowdStrike API as a dry-run. If something's off, you get specific error messages and Claude's agentic loop will automatically fix it.

Once it passes, Claude can import the workflow directly into your environment ready for use.
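To make the local structural pass concrete, here is an added Python lint (example code, not part of the security-skills plugin) run over a constructed "contain every device in a detection" loop workflow. The trigger/nodes/edges shape, the `${node_id.output_field}` reference syntax and the `ACTION_ID_PLACEHOLDER` value are a hypothetical simplified schema for illustration, not CrowdStrike's actual Fusion YAML; the checks themselves (every data reference resolves, its source node is upstream, a loop iterates an array) are the kind of thing worth catching before the API dry-run.

```python
import re

REF = re.compile(r"\$\{(\w+)\.([\w.]+)\}")  # data reference: ${node_id.output_field}

# Constructed input: the parsed form of a hypothetical "contain every device in a
# detection" loop workflow. The schema is illustrative, not CrowdStrike's Fusion format.
CONTAIN_HOSTS = {
    "trigger": {"id": "trigger", "outputs": {"device_ids": "array", "severity": "string"}},
    "nodes": [
        {"id": "each_device", "type": "loop", "source": "${trigger.device_ids}",
         "outputs": {"item": "string"}},
        {"id": "contain", "type": "action", "action_id": "ACTION_ID_PLACEHOLDER",
         "inputs": {"device_id": "${each_device.item}",
                    "note": "${trigger.severty}"}},  # deliberate typo in the reference
    ],
    "edges": [["trigger", "each_device"], ["each_device", "contain"]],
}

def upstream(workflow, node_id):
    """Ids of every node that reaches node_id by following edges backwards."""
    parents = {}
    for src, dst in workflow["edges"]:
        parents.setdefault(dst, set()).add(src)
    seen, queue = set(), [node_id]
    while queue:
        for parent in parents.get(queue.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def lint(workflow):
    """Structural problems found; an empty list means the local check passed."""
    outputs = {workflow["trigger"]["id"]: workflow["trigger"]["outputs"]}
    outputs.update({n["id"]: n.get("outputs", {}) for n in workflow["nodes"]})
    problems = []
    for node in workflow["nodes"]:
        reachable = upstream(workflow, node["id"])
        fields = dict(node.get("inputs", {}))
        if node["type"] == "loop":  # the loop's source must also resolve, to an array
            fields["source"] = node["source"]
        for name, value in fields.items():
            for src, field in REF.findall(str(value)):
                if src not in outputs or field not in outputs[src]:
                    problems.append(f"{node['id']}.{name}: unknown reference ${{{src}.{field}}}")
                elif src not in reachable:
                    problems.append(f"{node['id']}.{name}: {src} is not upstream of this node")
                elif name == "source" and outputs[src][field] != "array":
                    problems.append(f"{node['id']}: loop source {src}.{field} is not an array")
    return problems
```

Running `lint(CONTAIN_HOSTS)` reports the misspelt `${trigger.severty}` reference on the `contain` node; correct it and the list comes back empty, which is the point at which the post's flow hands the document to the API dry-run.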

But what about more complex scenarios?

The skill handles the common workflow patterns you'd build in the UI:

  • Single action -- Trigger, do one thing, done. Contain a device, revoke a session, block an IOC.
  • Loop -- Process an array of items. Contain 50 devices, block a list of IPs, sweep endpoints for indicators.
  • Conditional branching -- Route logic based on severity, action output, or data checks. Escalate critical detections, skip informational ones.
  • Loop with routing -- Handle different item types differently within the same loop. IPs get blocked, domains get checked, hashes get quarantined.

And because the skill talks directly to the API rather than the UI, it also gives you things the workflow builder can't:

  • Complex expressions -- CEL is quite powerful, but the CrowdStrike UI limits how much of that flexibility you can actually use.
  • Bulk creation -- Need 6 workflows for a ransomware playbook? Drop your IR policy in and Claude builds, validates, and imports the lot.
  • Reverse-engineering -- Already have workflows you've built in the UI? Export them as code, iterate on them outside the Falcon console.
  • Cross-tenant portability -- Export from one environment, tweak the tenant-specific config, import into another.

Third-party integrations

This isn't limited to native CrowdStrike actions. The skill can search across your installed integrations -- Okta, Entra ID, ServiceNow, Mimecast, Netskope, Zscaler, and dozens more. Need a workflow that detects a compromised identity, suspends the user in Okta, and raises a ServiceNow ticket? Describe it. Claude finds the right actions from each vendor and wires them together.

Feed it entire playbooks

Where it gets really interesting is feeding in entire incident response playbooks. Take the CISA Incident Response and Vulnerability Response playbook (44 pages) or PwC's BEC Playbook (50 pages) and Claude will create highly capable workflows based on them -- IOC management, threat hunting across O365, analysing login events and inbox rules, identity controls, notification and reporting schedules, host isolation, forensics capture, user lockout, scheduled vulnerability scans, risk assessments, patch tracking, and more.

Try it out

The Skill is part of a broader Security Skills open-source repo I'm building that hosts a collection of Claude Code skills to help security teams automate their operations.

eth0izzle/security-skills: A collection of Claude Code skills that help security teams stay secure.

/plugin marketplace add https://github.com/eth0izzle/security-skills.git
/plugin install fusion-workflows@security-skills

P.S. don't blame me if you end up automating yourself out of a job.