Crowdstrike Capabilities

Naftiko 0.5 capability definitions for Crowdstrike - 100 capabilities showing integration workflows and service orchestrations.


Retrieves a CrowdStrike Falcon Intelligence adversary profile by actor name and publishes a structured threat briefing to Confluence for the security team's knowledge base.

# Adversary Intel Report to Confluence.
# Two calls in sequence: look up an adversary profile in Falcon Intelligence
# by actor name, then create a Confluence page built from that profile.
naftiko: "0.5"
info:
  label: "Adversary Intel Report to Confluence"
  description: "Retrieves a CrowdStrike Falcon Intelligence adversary profile by actor name and publishes a structured threat briefing to Confluence for the security team's knowledge base."
  tags:
    - security
    - threat-intelligence
    - crowdstrike-falcon
    - confluence
    - reporting
capability:
  exposes:
    - type: mcp
      namespace: threat-briefing
      port: 8080
      tools:
        - name: publish-adversary-briefing
          description: "Given a threat actor name (e.g., 'FANCY BEAR'), retrieve the full adversary profile from Falcon Intelligence and publish a formatted briefing page to Confluence. Use for team threat awareness and security awareness training materials."
          # Both inputs come from the MCP caller and are interpolated verbatim
          # into the calls below; treat them as untrusted text.
          inputParameters:
            - name: actor_name
              in: body
              type: string
              description: "CrowdStrike adversary actor name (e.g., 'FANCY BEAR', 'CARBON SPIDER')."
            - name: confluence_space_key
              in: body
              type: string
              description: "Confluence space key where the briefing page should be created."
          steps:
            # Step 1: Falcon Intelligence lookup. actor_name is passed as the
            # `name` query parameter declared on the falcon-actors resource.
            - name: get-actor-profile
              type: call
              call: falcon-actors.get-actor
              with:
                name: "{{actor_name}}"
            # Step 2: publish. Title and body reference fields of the step-1
            # result. NOTE(review): the field names used here and the rendering
            # of "\n" inside the page body cannot be verified from this file —
            # confirm against the actors API response and the Confluence body
            # format naftiko emits. Profile text is third-party content; confirm
            # it is escaped for the Confluence body rather than inserted raw.
            - name: create-briefing-page
              type: call
              call: confluence-briefing.create-page
              with:
                space_key: "{{confluence_space_key}}"
                title: "Threat Briefing: {{actor_name}} ({{get-actor-profile.short_description}})"
                body: "Actor: {{actor_name}}\nOrigin: {{get-actor-profile.origins}}\nTargeted Industries: {{get-actor-profile.target_industries}}\nCapabilities: {{get-actor-profile.capabilities}}\nLast Active: {{get-actor-profile.last_activity_date}}"
  consumes:
    # Falcon Intelligence actors endpoint. The bearer token is resolved from
    # the secrets store at runtime; keep literal token values out of this file.
    - type: http
      namespace: falcon-actors
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: actors
          path: "/intel/combined/actors/v1"
          inputParameters:
            - name: name
              in: query
          operations:
            - name: get-actor
              method: GET
    # Confluence Cloud REST API. Basic auth with an Atlassian API token; the
    # secret names are shared with the Jira consumers elsewhere in this file.
    - type: http
      namespace: confluence-briefing
      baseUri: "https://crowdstrike.atlassian.net/wiki/rest/api"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: pages
          path: "/content"
          operations:
            - name: create-page
              method: POST

Aggregates CrowdStrike Falcon endpoint coverage, detection resolution rates, and vulnerability remediation SLA data from Snowflake to generate an annual compliance report in Confluence.

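# Annual Security Compliance Report Generation.
# Runs one Snowflake query for the requested year, then publishes the
# returned metrics as a Confluence page.
naftiko: "0.5"
info:
  label: "Annual Security Compliance Report Generation"
  description: "Aggregates CrowdStrike Falcon endpoint coverage, detection resolution rates, and vulnerability remediation SLA data from Snowflake to generate an annual compliance report in Confluence."
  tags:
    - compliance
    - security
    - snowflake
    - confluence
    - reporting
capability:
  exposes:
    - type: mcp
      namespace: compliance-reporting
      port: 8080
      tools:
        - name: generate-annual-compliance-report
          description: "Query Snowflake for full-year Falcon metrics including endpoint coverage percentage, mean time to detect, mean time to remediate, and vulnerability SLA compliance, then publish the report to Confluence. Use for SOC 2, FedRAMP, and board-level security reporting."
          # Both inputs come from the MCP caller; report_year reaches the SQL
          # layer and confluence_space_key is forwarded to Confluence verbatim.
          inputParameters:
            - name: report_year
              in: body
              type: integer
              description: "The calendar year for the compliance report (e.g., 2024)."
            - name: confluence_space_key
              in: body
              type: string
              description: "Confluence space key for the compliance report page."
          steps:
            # Step 1: Snowflake SQL API statement. The year is passed as a bind
            # variable rather than spliced into the SQL text: report_year is
            # caller-supplied, and string-building the statement would let a
            # crafted value change the query. The Snowflake SQL API uses
            # positional `?` placeholders with 1-based keys in `bindings`.
            # NOTE(review): assumes naftiko serialises the nested `bindings`
            # map into the JSON request body unchanged — confirm.
            - name: query-annual-metrics
              type: call
              call: snowflake-compliance.run-query
              with:
                statement: "SELECT year, avg_endpoint_coverage, mean_ttd_hours, mean_ttr_hours, vuln_sla_compliance_pct FROM security_metrics.annual_summary WHERE year = ?"
                bindings:
                  "1":
                    type: "FIXED"
                    value: "{{report_year}}"
            # Step 2: publish. NOTE(review): the column-named fields referenced
            # below (avg_endpoint_coverage, …) assume naftiko maps the Snowflake
            # result rows onto column names — confirm against the step output.
            - name: publish-report
              type: call
              call: confluence-compliance.create-page
              with:
                space_key: "{{confluence_space_key}}"
                title: "{{report_year}} Annual Security Compliance Report"
                body: "Year: {{report_year}}\nEndpoint Coverage: {{query-annual-metrics.avg_endpoint_coverage}}%\nMean TTD: {{query-annual-metrics.mean_ttd_hours}}h\nMean TTR: {{query-annual-metrics.mean_ttr_hours}}h\nVuln SLA Compliance: {{query-annual-metrics.vuln_sla_compliance_pct}}%"
  consumes:
    # Snowflake SQL API v2; the token is resolved from the secrets store.
    - type: http
      namespace: snowflake-compliance
      baseUri: "https://crowdstrike.snowflakecomputing.com/api/v2"
      authentication:
        type: bearer
        token: "$secrets.snowflake_token"
      resources:
        - name: statements
          path: "/statements"
          operations:
            - name: run-query
              method: POST
    # Confluence Cloud REST API; credential names are shared with the Jira
    # consumers elsewhere in this file.
    - type: http
      namespace: confluence-compliance
      baseUri: "https://crowdstrike.atlassian.net/wiki/rest/api"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: pages
          path: "/content"
          operations:
            - name: create-page
              method: POST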

When an AWS CloudTrail anomaly is detected, enriches the finding with CrowdStrike Falcon device context for the source IP and creates a Jira cloud security investigation task.

# AWS CloudTrail Anomaly to Falcon Investigation.
# Looks up the anomaly's source IP in Falcon Intelligence, then opens a Jira
# issue that carries the anomaly details and the indicator verdict.
naftiko: "0.5"
info:
  label: "AWS CloudTrail Anomaly to Falcon Investigation"
  description: "When an AWS CloudTrail anomaly is detected, enriches the finding with CrowdStrike Falcon device context for the source IP and creates a Jira cloud security investigation task."
  tags:
    - cloud
    - security
    - aws
    - crowdstrike-falcon
    - jira
capability:
  exposes:
    - type: mcp
      namespace: cloud-threat-ops
      port: 8080
      tools:
        - name: investigate-cloudtrail-anomaly
          description: "Given an AWS CloudTrail anomaly finding with a source IP, look up the IP in Falcon Intelligence, retrieve any associated device context, and open a Jira cloud security investigation task. Use when AWS GuardDuty or CloudTrail raises suspicious API activity."
          # All three inputs originate from the anomaly (i.e. from activity an
          # adversary may have generated) and are forwarded verbatim; nothing
          # here validates that source_ip is actually an IP address.
          inputParameters:
            - name: source_ip
              in: body
              type: string
              description: "Source IP address associated with the CloudTrail anomaly."
            - name: aws_account_id
              in: body
              type: string
              description: "AWS account ID where the anomaly was detected."
            - name: event_name
              in: body
              type: string
              description: "The AWS CloudTrail event name (API call) that triggered the anomaly."
          steps:
            # Step 1: indicator lookup; `value` and `type` map onto the query
            # parameters declared on the falcon-intel-aws resource.
            - name: lookup-ip
              type: call
              call: falcon-intel-aws.get-indicator
              with:
                value: "{{source_ip}}"
                type: "ip"
            # Step 2: Jira issue. Project key and issue type are fixed here, so
            # the CLOUDSEC project must define an "Investigation" issue type.
            # NOTE(review): verdict / threat_actors / malware_families are
            # assumed names for the indicator response — confirm.
            - name: create-investigation
              type: call
              call: jira-aws.create-issue
              with:
                project_key: "CLOUDSEC"
                issuetype: "Investigation"
                summary: "CloudTrail Anomaly: {{event_name}} from {{source_ip}} in {{aws_account_id}}"
                description: "Source IP: {{source_ip}}\nEvent: {{event_name}}\nAWS Account: {{aws_account_id}}\nFalcon Verdict: {{lookup-ip.verdict}}\nThreat Actor: {{lookup-ip.threat_actors}}\nMalware Family: {{lookup-ip.malware_families}}"
  consumes:
    # Falcon Intelligence indicators endpoint; token resolved from secrets.
    - type: http
      namespace: falcon-intel-aws
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: indicators
          path: "/intel/combined/indicators/v1"
          inputParameters:
            - name: value
              in: query
            - name: type
              in: query
          operations:
            - name: get-indicator
              method: GET
    # Jira Cloud REST API v3 with basic auth (user + API token from secrets).
    - type: http
      namespace: jira-aws
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST

When Falcon Horizon (CSPM) detects a cloud misconfiguration, retrieves the finding details and creates a Jira security task assigned to the cloud infrastructure team.

# Cloud Security Misconfiguration Alert.
# Fetches one Falcon Horizon (CSPM) finding by ID and opens a Jira task
# carrying its resource, policy, severity and remediation summary.
naftiko: "0.5"
info:
  label: "Cloud Security Misconfiguration Alert"
  description: "When Falcon Horizon (CSPM) detects a cloud misconfiguration, retrieves the finding details and creates a Jira security task assigned to the cloud infrastructure team."
  tags:
    - security
    - cloud
    - cspm
    - crowdstrike-falcon
    - jira
capability:
  exposes:
    - type: mcp
      namespace: cloud-security
      port: 8080
      tools:
        - name: handle-cspm-finding
          description: "Given a Falcon Horizon CSPM finding ID, retrieve the misconfiguration details and open a Jira task for the cloud team to remediate. Use when cloud compliance violations need tracked remediation."
          inputParameters:
            - name: finding_id
              in: body
              type: string
              description: "The Falcon Horizon CSPM finding ID."
            # Free-form string: the description lists three accepted values but
            # nothing here restricts the input to them; it is only echoed into
            # the Jira text.
            - name: cloud_provider
              in: body
              type: string
              description: "Cloud provider: aws, azure, or gcp."
          steps:
            # Step 1: finding lookup; `id` maps onto the query parameter
            # declared on the cspm resource.
            - name: get-finding
              type: call
              call: cspm.get-finding
              with:
                id: "{{finding_id}}"
            # Step 2: Jira task. NOTE(review): no assignee is set, although the
            # capability description says the task is assigned to the cloud
            # infrastructure team — either add the assignment or rely on a
            # project-level default. The get-finding field names are assumed
            # — confirm against the findings API response.
            - name: create-remediation
              type: call
              call: jira-cloud.create-issue
              with:
                project_key: "CLOUDSEC"
                issuetype: "Task"
                summary: "CSPM: {{get-finding.policy_id}} on {{cloud_provider}} — {{get-finding.resource_id}}"
                description: "Finding ID: {{finding_id}}\nProvider: {{cloud_provider}}\nResource: {{get-finding.resource_id}}\nPolicy: {{get-finding.policy_id}}\nSeverity: {{get-finding.severity}}\nRemediation: {{get-finding.remediation_summary}}"
  consumes:
    # Falcon CSPM findings endpoint; token resolved from secrets.
    - type: http
      namespace: cspm
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: findings
          path: "/cspm-registration/entities/findings/v2"
          inputParameters:
            - name: id
              in: query
          operations:
            - name: get-finding
              method: GET
    # Jira Cloud REST API v3 with basic auth (user + API token from secrets).
    - type: http
      namespace: jira-cloud
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST

When Datadog raises a critical infrastructure alert on a host, correlates it with CrowdStrike Falcon sensor data for the same host to determine if the anomaly is security-related.

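# Datadog Infrastructure Alert to Falcon Investigation.
# Three calls: read the Datadog monitor, list new Falcon detections for the
# same host, then open a ServiceNow incident that records both.
naftiko: "0.5"
info:
  label: "Datadog Infrastructure Alert to Falcon Investigation"
  description: "When Datadog raises a critical infrastructure alert on a host, correlates it with CrowdStrike Falcon sensor data for the same host to determine if the anomaly is security-related."
  tags:
    - observability
    - security
    - datadog
    - crowdstrike-falcon
    - incident-response
capability:
  exposes:
    - type: mcp
      namespace: infra-security-ops
      port: 8080
      tools:
        - name: correlate-infra-alert-with-falcon
          # The description now states the ServiceNow side effect: the last
          # step always creates an incident, which callers must know before
          # invoking the tool.
          description: "Given a Datadog monitor alert ID and host name, fetch the alert details from Datadog, query Falcon for new detections on the same host, and open a ServiceNow incident that records both so responders can judge whether the infrastructure anomaly has a security component. Use during critical infrastructure incidents."
          inputParameters:
            # Interpolated into a Datadog URL path and a Falcon FQL filter
            # respectively; neither value is validated here.
            - name: datadog_alert_id
              in: body
              type: string
              description: "Datadog monitor alert ID."
            - name: host_name
              in: body
              type: string
              description: "Hostname of the affected infrastructure host."
          steps:
            # Step 1: Datadog monitor read; monitor_id fills the `{{monitor_id}}`
            # path segment of the datadog resource, so a value containing "/"
            # would change the requested path.
            - name: get-dd-alert
              type: call
              call: datadog.get-monitor
              with:
                monitor_id: "{{datadog_alert_id}}"
            # Step 2: Falcon detections for the host. host_name is spliced
            # inside single quotes of an FQL filter; a value containing a
            # quote would alter the filter. Confirm naftiko escapes it, or
            # validate host_name as a hostname before this call.
            - name: get-falcon-detections
              type: call
              call: falcon-correlate.list-detections-for-host
              with:
                filter: "device.hostname:'{{host_name}}'+status:'new'"
            # Step 3: ServiceNow incident. NOTE(review): `count` and
            # `top_scenario` are assumed names for the step-2 result — confirm.
            - name: open-snow-incident
              type: call
              call: servicenow-infra.create-incident
              with:
                short_description: "Infra+Security Correlation: {{host_name}} — Datadog {{get-dd-alert.name}}"
                category: "Infrastructure"
                description: "Datadog Alert: {{datadog_alert_id}} — {{get-dd-alert.name}}\nHost: {{host_name}}\nFalcon Detections: {{get-falcon-detections.count}}\nTop Detection: {{get-falcon-detections.top_scenario}}"
  consumes:
    # Datadog API v1. NOTE(review): only the API key header is configured;
    # Datadog's monitor read endpoints also expect an application key
    # (DD-APPLICATION-KEY) — confirm the request is authorised as written.
    - type: http
      namespace: datadog
      baseUri: "https://api.datadoghq.com/api/v1"
      authentication:
        type: apikey
        key: "DD-API-KEY"
        value: "$secrets.datadog_api_key"
        placement: header
      resources:
        - name: monitors
          path: "/monitor/{{monitor_id}}"
          inputParameters:
            - name: monitor_id
              in: path
          operations:
            - name: get-monitor
              method: GET
    # Falcon detections (combined) endpoint; token resolved from secrets.
    - type: http
      namespace: falcon-correlate
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/combined/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: list-detections-for-host
              method: GET
    # ServiceNow Table API; basic auth with a dedicated service account.
    - type: http
      namespace: servicenow-infra
      baseUri: "https://crowdstrike.service-now.com/api/now"
      authentication:
        type: basic
        username: "$secrets.servicenow_user"
        password: "$secrets.servicenow_password"
      resources:
        - name: incidents
          path: "/table/incident"
          operations:
            - name: create-incident
              method: POST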

When an employee termination is processed in Workday, revokes Okta access, disables the user in Microsoft Graph, and isolates the employee's endpoint in CrowdStrike Falcon.

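# Employee Offboarding Security Deprovision.
# Sequence: Workday worker lookup → Okta deactivation → Microsoft 365 disable
# → Falcon network containment of the employee's endpoint.
# NOTE(review): no error handling is declared, so a failure in an early step
# presumably leaves the later deprovisioning undone — confirm naftiko's
# step-failure behaviour and decide whether the steps need to be re-runnable.
naftiko: "0.5"
info:
  label: "Employee Offboarding Security Deprovision"
  description: "When an employee termination is processed in Workday, revokes Okta access, disables the user in Microsoft Graph, and isolates the employee's endpoint in CrowdStrike Falcon."
  tags:
    - hr
    - offboarding
    - security
    - workday
    - okta
    - crowdstrike-falcon
capability:
  exposes:
    - type: mcp
      namespace: hr-offboarding
      port: 8080
      tools:
        - name: deprovision-terminated-employee
          description: "Given a Workday worker ID for a terminated employee, deactivate the Okta account, disable the Microsoft 365 user, and network-isolate the Falcon-protected endpoint. Use immediately upon confirmed termination to prevent unauthorized access."
          # Both inputs are caller-supplied and drive destructive actions on
          # three systems; this tool should only be reachable by callers that
          # are allowed to terminate access.
          inputParameters:
            - name: worker_id
              in: body
              type: string
              description: "Workday worker ID of the terminated employee."
            - name: device_id
              in: body
              type: string
              description: "CrowdStrike Falcon device ID of the employee's primary endpoint."
          steps:
            # Step 1: worker profile; worker_id fills the path segment of the
            # workday-offboard resource. Later steps key off work_email.
            - name: get-worker
              type: call
              call: workday-offboard.get-worker
              with:
                worker_id: "{{worker_id}}"
            # Step 2: Okta deactivation. The okta-offboard resource path is
            # parameterised on `user_id`, so the value must be supplied under
            # that key (it was previously passed as `login`, which left the
            # path placeholder unfilled). Okta accepts the login (email) as the
            # user identifier in that path.
            - name: deactivate-okta-user
              type: call
              call: okta-offboard.deactivate-user
              with:
                user_id: "{{get-worker.work_email}}"
            # Step 3: Microsoft Graph PATCH on the user. NOTE(review):
            # account_enabled is sent as the string "false" while Graph's
            # accountEnabled property is a boolean (and camelCase) — confirm how
            # naftiko serialises this before relying on the disable.
            - name: disable-m365-user
              type: call
              call: msgraph.disable-user
              with:
                user_principal_name: "{{get-worker.work_email}}"
                account_enabled: "false"
            # Step 4: Falcon network containment. NOTE(review): the
            # devices-actions endpoint selects the action through an
            # `action_name` query parameter; none is declared on the
            # falcon-isolate resource, so confirm the request actually
            # contains the host rather than failing validation.
            - name: isolate-endpoint
              type: call
              call: falcon-isolate.isolate-host
              with:
                device_id: "{{device_id}}"
                comment: "Employee terminated: {{get-worker.full_name}} ({{worker_id}})"
  consumes:
    # Workday REST API; the tenant segment is part of the resource path.
    - type: http
      namespace: workday-offboard
      baseUri: "https://wd2-impl-services1.workday.com/ccx/api/v1"
      authentication:
        type: bearer
        token: "$secrets.workday_token"
      resources:
        - name: workers
          path: "/crowdstrike/workers/{{worker_id}}"
          inputParameters:
            - name: worker_id
              in: path
          operations:
            - name: get-worker
              method: GET
    # Okta Users API. The secret is placed verbatim in the Authorization
    # header, so the stored value must carry the "SSWS " scheme prefix Okta
    # expects. NOTE(review): confirm the secret is stored that way.
    - type: http
      namespace: okta-offboard
      baseUri: "https://crowdstrike.okta.com/api/v1"
      authentication:
        type: apikey
        key: "Authorization"
        value: "$secrets.okta_ssws_token"
        placement: header
      resources:
        - name: users
          path: "/users/{{user_id}}/lifecycle/deactivate"
          inputParameters:
            - name: user_id
              in: path
          operations:
            - name: deactivate-user
              method: POST
    # Microsoft Graph v1.0 users resource, addressed by UPN in the path.
    - type: http
      namespace: msgraph
      baseUri: "https://graph.microsoft.com/v1.0"
      authentication:
        type: bearer
        token: "$secrets.msgraph_token"
      resources:
        - name: users
          path: "/users/{{user_principal_name}}"
          inputParameters:
            - name: user_principal_name
              in: path
          operations:
            - name: disable-user
              method: PATCH
    # Falcon host actions endpoint; token resolved from secrets.
    - type: http
      namespace: falcon-isolate
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: network-containment
          path: "/devices/entities/devices-actions/v2"
          operations:
            - name: isolate-host
              method: POST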

When a new employee is created in Workday, provisions Okta user account with appropriate group memberships and enrolls the device in CrowdStrike Falcon via the host management API.

# Employee Onboarding Security Provisioning.
# Sequence: Workday worker lookup → Okta user creation → Falcon device
# registration token creation.
naftiko: "0.5"
info:
  label: "Employee Onboarding Security Provisioning"
  description: "When a new employee is created in Workday, provisions Okta user account with appropriate group memberships and enrolls the device in CrowdStrike Falcon via the host management API."
  tags:
    - hr
    - onboarding
    - security
    - workday
    - okta
    - crowdstrike-falcon
capability:
  exposes:
    - type: mcp
      namespace: hr-security-onboarding
      port: 8080
      tools:
        - name: provision-new-employee
          # NOTE(review): the description promises group memberships, but no
          # group is referenced in any step below — confirm whether Okta group
          # rules handle this or whether a step is missing.
          description: "Given a Workday employee ID and role, retrieve worker profile, create an Okta user in the correct groups, and register the device with CrowdStrike Falcon for endpoint protection. Use when onboarding new hires to ensure day-one security coverage."
          inputParameters:
            - name: worker_id
              in: body
              type: string
              description: "Workday worker ID for the new hire."
            # Only echoed into the Falcon token comment; the format stated in
            # the description is not enforced here.
            - name: start_date
              in: body
              type: string
              description: "Employee start date in ISO 8601 format (YYYY-MM-DD)."
          steps:
            # Step 1: worker profile; worker_id fills the path segment of the
            # workday resource.
            - name: get-worker
              type: call
              call: workday.get-worker
              with:
                worker_id: "{{worker_id}}"
            # Step 2: Okta user. NOTE(review): Okta's create-user body nests
            # these attributes under `profile`; confirm naftiko maps the flat
            # keys accordingly. Values come straight from the Workday record.
            - name: create-okta-user
              type: call
              call: okta-provision.create-user
              with:
                login: "{{get-worker.work_email}}"
                first_name: "{{get-worker.first_name}}"
                last_name: "{{get-worker.last_name}}"
                department: "{{get-worker.department}}"
            # Step 3: device registration token. Only a comment is sent; the
            # returned token is presumably an enrollment credential and should
            # be handled as a secret by whatever consumes this step's output.
            - name: enroll-device
              type: call
              call: falcon-enroll.create-device-enrollment-token
              with:
                comment: "New hire: {{get-worker.full_name}} ({{worker_id}}) — Start: {{start_date}}"
  consumes:
    # Workday REST API; bearer token resolved from secrets.
    - type: http
      namespace: workday
      baseUri: "https://wd2-impl-services1.workday.com/ccx/api/v1"
      authentication:
        type: bearer
        token: "$secrets.workday_token"
      resources:
        - name: workers
          path: "/crowdstrike/workers/{{worker_id}}"
          inputParameters:
            - name: worker_id
              in: path
          operations:
            - name: get-worker
              method: GET
    # Okta Users API. The secret is placed verbatim in the Authorization
    # header, so the stored value must carry the "SSWS " scheme prefix Okta
    # expects. NOTE(review): confirm the secret is stored that way.
    - type: http
      namespace: okta-provision
      baseUri: "https://crowdstrike.okta.com/api/v1"
      authentication:
        type: apikey
        key: "Authorization"
        value: "$secrets.okta_ssws_token"
        placement: header
      resources:
        - name: users
          path: "/users"
          operations:
            - name: create-user
              method: POST
    # Falcon device registration tokens endpoint; token resolved from secrets.
    - type: http
      namespace: falcon-enroll
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: enrollment-tokens
          path: "/devices/entities/deviceregistration-tokens/v1"
          operations:
            - name: create-device-enrollment-token
              method: POST

Queries CrowdStrike Spotlight for critical CVEs affecting a specified host and creates a Jira remediation ticket with affected software details.

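# Endpoint Vulnerability Assessment.
# Queries Spotlight for open critical CVEs on one host, then opens a Jira
# remediation ticket summarising them.
naftiko: "0.5"
info:
  label: "Endpoint Vulnerability Assessment"
  description: "Queries CrowdStrike Spotlight for critical CVEs affecting a specified host and creates a Jira remediation ticket with affected software details."
  tags:
    - security
    - vulnerability-management
    - crowdstrike-falcon
    - jira
capability:
  exposes:
    - type: mcp
      namespace: vuln-management
      port: 8080
      tools:
        - name: assess-host-vulnerabilities
          # The description matches the filter below, which selects CRITICAL
          # only (it previously also promised HIGH findings). Widen the filter
          # and the description together if HIGH is wanted.
          description: "Given a hostname or device ID, query CrowdStrike Spotlight for critical CVEs on that endpoint and open a Jira remediation ticket with all findings. Use during vulnerability triage or patch cycle planning."
          inputParameters:
            - name: device_id
              in: body
              type: string
              description: "The CrowdStrike device/host ID for the endpoint to assess."
            - name: jira_project_key
              in: body
              type: string
              description: "Jira project key where the remediation ticket should be created (e.g., 'SEC')."
          steps:
            # Step 1: Spotlight query. The severity filter is fixed and contains
            # no caller input. NOTE(review): Spotlight's combined vulnerabilities
            # endpoint scopes results to a host through the filter (an aid
            # clause); confirm a standalone `device_id` query parameter is
            # honoured rather than ignored, which would return fleet-wide
            # results under this host's name.
            - name: get-vulns
              type: call
              call: spotlight.list-vulnerabilities
              with:
                device_id: "{{device_id}}"
                filter: "status:'open'+cve.severity:'CRITICAL'"
            # Step 2: Jira ticket. NOTE(review): cve_count, cve_ids, top_cve_id,
            # top_cvss_score and affected_software are assumed names for the
            # step-1 result — confirm against the Spotlight response mapping.
            - name: create-ticket
              type: call
              call: jira.create-issue
              with:
                project_key: "{{jira_project_key}}"
                issuetype: "Task"
                summary: "Vulnerability Remediation: {{device_id}} — {{get-vulns.cve_count}} critical CVEs"
                description: "Device: {{device_id}}\nCritical CVEs: {{get-vulns.cve_ids}}\nTop CVE: {{get-vulns.top_cve_id}} (CVSS: {{get-vulns.top_cvss_score}})\nAffected Software: {{get-vulns.affected_software}}"
  consumes:
    # Falcon Spotlight combined vulnerabilities endpoint; token from secrets.
    - type: http
      namespace: spotlight
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: vulnerabilities
          path: "/spotlight/combined/vulnerabilities/v1"
          inputParameters:
            - name: device_id
              in: query
            - name: filter
              in: query
          operations:
            - name: list-vulnerabilities
              method: GET
    # Jira Cloud REST API v3 with basic auth (user + API token from secrets).
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST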

Uses AI to analyze a Falcon detection, determine likelihood of true positive, recommend response actions, and post findings to SOC channel.

# Falcon AI-Assisted Detection Triage.
# Fetches a detection summary, asks an LLM for an assessment, and posts the
# reply to Slack. The model output is advisory text only: no step here acts
# on the recommended response actions.
naftiko: "0.5"
info:
  label: "Falcon AI-Assisted Detection Triage"
  description: "Uses AI to analyze a Falcon detection, determine likelihood of true positive, recommend response actions, and post findings to SOC channel."
  tags:
    - security
    - ai
    - crowdstrike-falcon
    - anthropic
    - slack
capability:
  exposes:
    - type: mcp
      namespace: ai-triage
      port: 8080
      tools:
        - name: ai-triage-detection
          description: "Given a detection ID, fetch details, use AI to assess severity and recommend actions, and post to SOC."
          inputParameters:
            - name: detection_id
              in: body
              type: string
              description: "Falcon detection ID."
          steps:
            # Step 1: detection summary. NOTE(review): the summaries endpoint
            # takes a list of IDs in the POST body; a single string is passed
            # here — confirm naftiko wraps it.
            - name: get-detection
              type: call
              call: "falcon.get-detection"
              with:
                ids: "{{detection_id}}"
            # Step 2: LLM assessment. Prompt-injection surface: filename and
            # hostname are values observed on the endpoint (attacker-influenced
            # data) and are placed inside the prompt, and the reply is posted
            # to the SOC channel unmodified. Treat the reply as untrusted
            # analyst input, not a verdict. NOTE(review): the Messages API takes
            # the user turn under `messages`; confirm naftiko maps this flat
            # `content` key into that shape.
            - name: ai-analyze
              type: call
              call: "anthropic.create-message"
              with:
                model: "claude-sonnet-4-20250514"
                max_tokens: 512
                system: "You are a SOC analyst. Assess the detection and recommend response actions."
                content: "Detection: {{get-detection.tactic}} / {{get-detection.technique}} on {{get-detection.hostname}} | Severity: {{get-detection.severity}} | File: {{get-detection.filename}}"
            # Step 3: Slack post of the model reply. NOTE(review): `content` is
            # an assumed name for the step-2 text — confirm.
            - name: post-triage
              type: call
              call: "slack.post-message"
              with:
                channel: "soc-triage"
                text: "AI Triage for {{detection_id}}:\n{{ai-analyze.content}}"
  consumes:
    # Falcon detection summaries; POST to a GET-named path by design of that
    # API. Token resolved from secrets.
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/entities/summaries/GET/v1"
          operations:
            - name: get-detection
              method: POST
    # Anthropic Messages API; key sent in the x-api-key header from secrets.
    - type: http
      namespace: anthropic
      baseUri: "https://api.anthropic.com/v1"
      authentication:
        type: apikey
        key: "x-api-key"
        value: "$secrets.anthropic_api_key"
        placement: header
      resources:
        - name: messages
          path: "/messages"
          operations:
            - name: create-message
              method: POST
    # Slack Web API; bot token resolved from secrets.
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Retrieves Falcon API client details by client ID, returning scopes, creation date, and last used time.

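# Falcon API Client Lookup.
# Single-call tool (no `steps`): reads one OAuth2 API client and maps three
# fields of the response onto output parameters.
naftiko: "0.5"
info:
  label: "Falcon API Client Lookup"
  # The descriptions list only the fields that outputParameters actually map
  # (they previously also promised a last-used time that nothing returns).
  # If a last-used timestamp is wanted, add an outputParameters entry for it.
  description: "Retrieves Falcon API client details by client ID, returning its name, scopes, and creation date."
  tags:
    - security
    - api-management
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-api-client
      port: 8080
      tools:
        - name: get-api-client
          description: "Given a Falcon API client ID, return its name, scopes, and creation date."
          inputParameters:
            - name: client_id
              in: body
              type: string
              description: "Falcon API client ID."
          # client_id is forwarded as the `ids` query parameter of the
          # api-clients resource.
          call: "falcon.get-api-client"
          with:
            ids: "{{client_id}}"
          # JSONPath mappings over the first element of the response array.
          # The scope list reveals what the client is permitted to do; this
          # output is sensitive inventory data.
          outputParameters:
            - name: name
              type: string
              mapping: "$.resources[0].name"
            - name: scopes
              type: string
              mapping: "$.resources[0].scope"
            - name: created
              type: string
              mapping: "$.resources[0].created_at"
  consumes:
    # Falcon OAuth2 clients endpoint; token resolved from secrets.
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: api-clients
          path: "/oauth2/entities/clients/v1"
          inputParameters:
            - name: ids
              in: query
          operations:
            - name: get-api-client
              method: GET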

Correlates AWS GuardDuty findings with CrowdStrike Falcon detections on the same hosts, creating a unified security incident.

# Falcon AWS GuardDuty Correlation.
# Queries Falcon detections filtered by EC2 instance ID, then posts a
# one-line correlation summary to Slack.
naftiko: "0.5"
info:
  label: "Falcon AWS GuardDuty Correlation"
  description: "Correlates AWS GuardDuty findings with CrowdStrike Falcon detections on the same hosts, creating a unified security incident."
  tags:
    - security
    - cloud-security
    - crowdstrike-falcon
    - aws
    - slack
capability:
  exposes:
    - type: mcp
      namespace: guardduty-falcon
      port: 8080
      tools:
        - name: correlate-guardduty-falcon
          # NOTE(review): despite the capability description, no incident is
          # created — the only output is a Slack message.
          description: "Given an AWS instance ID from a GuardDuty finding, check for related Falcon detections and post a correlated alert."
          inputParameters:
            # Spliced into an FQL filter below; nothing here checks that the
            # value has the shape of an EC2 instance ID.
            - name: instance_id
              in: body
              type: string
              description: "AWS EC2 instance ID from GuardDuty."
            - name: finding_type
              in: body
              type: string
              description: "GuardDuty finding type."
          steps:
            # Step 1: detection IDs matching the instance. instance_id is
            # embedded inside double quotes of the FQL filter, so a value
            # containing a double quote would alter the filter — confirm
            # naftiko escapes it or validate the input first.
            - name: query-falcon-detections
              type: call
              call: "falcon.query-detections"
              with:
                filter: "device.instance_id:\"{{instance_id}}\""
            # Step 2: Slack summary. NOTE(review): `total_count` is an assumed
            # name for the step-1 result; the queries endpoint returns IDs plus
            # pagination metadata — confirm the mapping.
            - name: post-correlation
              type: call
              call: "slack.post-message"
              with:
                channel: "cloud-security"
                text: "GuardDuty-Falcon Correlation: Instance {{instance_id}} | GuardDuty: {{finding_type}} | Falcon detections: {{query-falcon-detections.total_count}}"
  consumes:
    # Falcon detection queries endpoint; token resolved from secrets.
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-detections
              method: GET
    # Slack Web API; bot token resolved from secrets.
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Retrieves cloud account registration status from Falcon Cloud Security for a given cloud account ID.

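naftiko: "0.5"
info:
  label: "Falcon Cloud Account Registration Check"
  # The tool takes a cloud account ID (see inputParameters), not a provider name;
  # the description now says so.
  description: "Retrieves cloud account registration status from Falcon Cloud Security for a given cloud account ID."
  tags:
    - security
    - cloud-security
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-cloud-reg
      port: 8080
      tools:
        - name: check-cloud-registration
          description: "Given a cloud account ID, return its registration status, provider, and last scan time."
          inputParameters:
            - name: account_id
              in: body
              type: string
              # Caller-supplied and forwarded as the `ids` query parameter; restrict
              # it to the provider's account-id format before the call.
              description: "Cloud account ID."
          call: "falcon.get-cloud-account"
          with:
            ids: "{{account_id}}"
          # All outputs read resources[0]; for an unknown ID the array is empty and
          # these resolve to nothing rather than an error, so callers should treat
          # an empty status as "not registered / not found", not as success.
          outputParameters:
            - name: status
              type: string
              mapping: "$.resources[0].status"
            - name: provider
              type: string
              mapping: "$.resources[0].cloud_provider"
            - name: last_scan
              type: string
              mapping: "$.resources[0].last_scanned"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: cloud-accounts
          path: "/cloud-connect/entities/accounts/v1"
          inputParameters:
            - name: ids
              in: query
          operations:
            - name: get-cloud-account
              method: GET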

Retrieves Indicators of Attack from CrowdStrike Falcon Cloud Security for a given cloud account.

naftiko: "0.5"
info:
  label: "Falcon Cloud IOA Lookup"
  description: "Retrieves Indicators of Attack from CrowdStrike Falcon Cloud Security for a given cloud account."
  tags:
    - security
    - cloud-security
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-cloud-ioa
      port: 8080
      tools:
        - name: get-cloud-ioas
          description: "Given a cloud account ID, return active Indicators of Attack including severity and affected resources."
          inputParameters:
            - name: cloud_account_id
              in: body
              type: string
              # Untrusted caller input interpolated into the FQL filter below;
              # validate the account-id format so quotes/operators cannot alter
              # the query.
              description: "Cloud account ID to query."
          call: "falcon.get-ioas"
          with:
            filter: "cloud_account_id:\"{{cloud_account_id}}\""
          outputParameters:
            - name: ioa_count
              type: string
              mapping: "$.meta.pagination.total"
            # NOTE(review): no sort is requested, so resources[0] is simply the first
            # returned IOA, not the highest-severity one; "top_severity" overstates
            # what this value is unless the API orders by severity by default.
            - name: top_severity
              type: string
              mapping: "$.resources[0].severity"
            - name: attack_type
              type: string
              mapping: "$.resources[0].attack_type"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: cloud-ioas
          path: "/detects/combined/ioa/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-ioas
              method: GET

Detects cloud misconfigurations from Falcon Horizon, creates a GitHub issue with Terraform remediation, and notifies the cloud security team.

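naftiko: "0.5"
info:
  label: "Falcon Cloud Misconfiguration to Terraform Fix"
  description: "Detects cloud misconfigurations from Falcon Horizon, creates a GitHub issue with Terraform remediation, and notifies the cloud security team."
  tags:
    - security
    - cloud-security
    - crowdstrike-falcon
    - github
    - slack
capability:
  exposes:
    - type: mcp
      namespace: misconfig-fix
      port: 8080
      tools:
        - name: create-terraform-fix
          description: "Given a Falcon Horizon finding ID, fetch details, create a GitHub issue with remediation steps, and alert the team."
          inputParameters:
            - name: finding_id
              in: body
              type: string
              description: "Falcon Horizon misconfiguration finding ID."
          steps:
            - name: get-finding
              type: call
              call: "falcon.get-finding"
              with:
                ids: "{{finding_id}}"
            - name: create-gh-issue
              type: call
              call: "github.create-issue"
              with:
                repo: "crowdstrike/infrastructure"
                # The issue carries the cloud account, resource ID and remediation
                # text for a live misconfiguration; the target repository must be
                # private. Finding fields are rendered as issue Markdown unchanged.
                title: "Cloud misconfig: {{get-finding.policy_description}}"
                body: "Resource: {{get-finding.resource_id}}\nAccount: {{get-finding.cloud_account}}\nSeverity: {{get-finding.severity}}\nRemediation: {{get-finding.remediation}}"
            - name: notify-team
              type: call
              call: "slack.post-message"
              with:
                channel: "cloud-security"
                text: "Cloud misconfiguration: {{get-finding.policy_description}} | Severity: {{get-finding.severity}} | GitHub: {{create-gh-issue.html_url}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: findings
          # NOTE(review): confirm this is the Horizon (CSPM) findings endpoint; the
          # IOA lookup in this file uses the neighbouring /detects/combined/ioa/v1.
          path: "/detects/entities/ioa/v1"
          # Declared so the `ids` value passed by get-finding is sent as a query
          # parameter, matching how every other GET-by-ids resource in this file is
          # declared (it was missing here).
          inputParameters:
            - name: ids
              in: query
          operations:
            - name: get-finding
              method: GET
    - type: http
      namespace: github
      baseUri: "https://api.github.com"
      authentication:
        type: bearer
        # Scope this token to issues on the one target repository; it does not need
        # contents or workflow permissions.
        token: "$secrets.github_token"
      resources:
        - name: issues
          path: "/repos/{{repo}}/issues"
          inputParameters:
            - name: repo
              in: path
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST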

Retrieves cloud workload inventory from Falcon Cloud Security for a given cloud provider.

naftiko: "0.5"
info:
  label: "Falcon Cloud Workload Inventory"
  description: "Retrieves cloud workload inventory from Falcon Cloud Security for a given cloud provider."
  tags:
    - security
    - cloud-security
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-cloud-inv
      port: 8080
      tools:
        - name: get-cloud-inventory
          description: "Given a cloud provider name, return the workload inventory count and unprotected instance count."
          inputParameters:
            - name: cloud_provider
              in: body
              type: string
              # Free text from the caller that is interpolated into the FQL filter;
              # reject anything other than the three documented values before use.
              description: "Cloud provider: AWS, Azure, or GCP."
          call: "falcon.get-cloud-inventory"
          with:
            filter: "cloud_provider:\"{{cloud_provider}}\""
          outputParameters:
            - name: total_workloads
              type: string
              mapping: "$.meta.pagination.total"
            # NOTE(review): this reads a field off the first workload only; whether
            # unprotected_count is an aggregate for the provider or a per-workload
            # value cannot be told from here — confirm against the API schema.
            - name: unprotected
              type: string
              mapping: "$.resources[0].unprotected_count"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: cloud-workloads
          path: "/cloud-connect/combined/workloads/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-cloud-inventory
              method: GET

Retrieves compliance benchmark scores from Falcon Horizon for a given framework.

naftiko: "0.5"
info:
  label: "Falcon Compliance Benchmark Lookup"
  description: "Retrieves compliance benchmark scores from Falcon Horizon for a given framework."
  tags:
    - security
    - compliance
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-benchmark
      port: 8080
      tools:
        - name: get-benchmark-score
          description: "Given a compliance framework name, return the overall score, passing controls, and failing controls."
          inputParameters:
            - name: framework
              in: body
              type: string
              # Caller input interpolated between quotes in the FQL filter below;
              # an allow-list of framework names keeps quotes/operators out of
              # the query.
              description: "Compliance framework name, e.g. CIS, NIST, SOC2."
          call: "falcon.get-benchmark"
          with:
            filter: "framework:\"{{framework}}\""
          # Reads the first matching benchmark only; if several benchmark versions
          # match the name (e.g. multiple CIS revisions) the choice is whatever the
          # API returns first.
          outputParameters:
            - name: overall_score
              type: string
              mapping: "$.resources[0].score"
            - name: passing
              type: string
              mapping: "$.resources[0].passing_count"
            - name: failing
              type: string
              mapping: "$.resources[0].failing_count"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: benchmarks
          path: "/compliance/combined/benchmarks/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-benchmark
              method: GET

Triggers a container image scan in CrowdStrike Falcon, retrieves the vulnerability results, and posts the verdict to Slack; blocking the deployment on critical findings is left to the caller, as the workflow itself has no gating step.

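naftiko: "0.5"
info:
  label: "Falcon Container Image Scan"
  # The steps below submit a scan, read the results and post to Slack; nothing
  # here blocks a deployment, so the description no longer claims that.
  description: "Triggers a container image scan in CrowdStrike Falcon, retrieves the vulnerability results, and posts the verdict to Slack; blocking the deployment on critical findings is left to the caller."
  tags:
    - security
    - container-security
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: container-scan
      port: 8080
      tools:
        - name: scan-container-image
          description: "Given a container image tag, trigger a Falcon scan, check results, and post findings to Slack."
          inputParameters:
            - name: image_tag
              in: body
              type: string
              # Caller-supplied; forwarded to the scanner and echoed into Slack.
              # Restrict it to an allow-listed registry/repository pattern.
              description: "Container image tag to scan."
          steps:
            - name: submit-scan
              type: call
              call: "falcon.submit-image-scan"
              with:
                image: "{{image_tag}}"
            # NOTE(review): results are fetched immediately after submission with no
            # wait or polling; if the scan runs asynchronously the counts and verdict
            # below may be empty or stale — confirm the scanner's completion model.
            - name: get-results
              type: call
              call: "falcon.get-scan-results"
              with:
                scan_id: "{{submit-scan.scan_id}}"
            - name: post-results
              type: call
              call: "slack.post-message"
              with:
                channel: "container-security"
                text: "Container Scan: {{image_tag}} | Vulnerabilities: {{get-results.vuln_count}} | Critical: {{get-results.critical_count}} | Verdict: {{get-results.verdict}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: image-scans
          path: "/scanner/entities/scans/v1"
          operations:
            - name: submit-image-scan
              method: POST
        - name: scan-results
          path: "/scanner/entities/scan-results/v1"
          inputParameters:
            - name: scan_id
              in: query
          operations:
            - name: get-scan-results
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST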

Responds to a CrowdStrike Falcon credential-theft detection by forcing a password reset in Okta and escalating to the identity security team.

naftiko: "0.5"
info:
  label: "Falcon Credential Theft Detector"
  description: "Detects credential theft attempts via Falcon telemetry, forces password reset in Okta, and escalates to the identity security team."
  tags:
    - security
    - credential-theft
    - crowdstrike-falcon
    - okta
    - slack
capability:
  exposes:
    - type: mcp
      namespace: cred-theft
      port: 8080
      tools:
        # This tool performs a destructive identity action (an Okta password reset)
        # from a single caller-supplied detection ID. None of the steps verify that
        # the detection is actually a credential-theft detection, so any ID the
        # caller passes resets whichever account appears on it. Put a human approval
        # in front of this tool or restrict which principals may invoke it.
        - name: respond-to-credential-theft
          description: "Given a detection ID indicating credential theft, identify the user, reset their Okta password, and alert the team."
          inputParameters:
            - name: detection_id
              in: body
              type: string
              description: "Falcon detection ID for credential theft."
          steps:
            - name: get-detection
              type: call
              call: "falcon.get-detection"
              with:
                ids: "{{detection_id}}"
            - name: reset-password
              type: call
              call: "okta.reset-password"
              with:
                # NOTE(review): get-detection.username is the account name seen on
                # the endpoint (possibly a local, service or built-in account), while
                # the Okta path expects an Okta user id or login. Confirm the mapping:
                # a mismatch either fails or resets the wrong user. Note also that a
                # password reset does not end sessions already established with the
                # stolen credential.
                user_id: "{{get-detection.username}}"
            - name: alert-team
              type: call
              call: "slack.post-message"
              with:
                channel: "identity-security"
                # The message states the reset was forced regardless of whether the
                # reset-password step succeeded; there is no status check in between.
                text: "CREDENTIAL THEFT: {{get-detection.username}} on {{get-detection.hostname}} | Password reset forced | Detection: {{detection_id}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # NOTE(review): Falcon bearer tokens are short-lived OAuth2 tokens; confirm
        # this secret is refreshed rather than stored as a fixed value.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/entities/summaries/GET/v1"
          operations:
            - name: get-detection
              method: POST
    - type: http
      namespace: okta
      baseUri: "https://crowdstrike.okta.com/api/v1"
      authentication:
        type: bearer
        # NOTE(review): Okta API tokens use the SSWS authorization scheme; Bearer is
        # for OAuth2 access tokens. Confirm which kind this secret holds. In either
        # case scope it to user lifecycle operations only, not an admin token.
        token: "$secrets.okta_api_token"
      resources:
        - name: users
          path: "/users/{{user_id}}/lifecycle/reset_password"
          inputParameters:
            - name: user_id
              in: path
          operations:
            - name: reset-password
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Generates a security assessment for a customer account by pulling Falcon Spotlight scores, detection metrics, and policy compliance, then shares via Salesforce.

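naftiko: "0.5"
info:
  label: "Falcon Customer Security Assessment"
  description: "Generates a security assessment for a customer account by pulling Falcon Spotlight scores, detection metrics, and policy compliance, then shares via Salesforce."
  tags:
    - security
    - assessment
    - crowdstrike-falcon
    - salesforce
    - slack
capability:
  exposes:
    - type: mcp
      namespace: customer-assessment
      port: 8080
      tools:
        - name: generate-customer-assessment
          # The input is an account name (see account_name below), not an ID; the
          # tool description now matches. Only the score is written to Salesforce —
          # the detection metrics and policy compliance mentioned in the label are
          # not collected by these steps.
          description: "Given a customer account name, compile the Falcon Spotlight security score and update the Salesforce opportunity."
          inputParameters:
            - name: account_name
              in: body
              type: string
              # Free text from the caller, interpolated between quotes in the FQL
              # filter below; validate it before use.
              description: "Customer account name."
            - name: salesforce_opportunity_id
              in: body
              type: string
              description: "Salesforce opportunity ID to update."
          steps:
            - name: get-spotlight-scores
              type: call
              call: "falcon.get-scores"
              with:
                filter: "account:\"{{account_name}}\""
            # An internal security score leaves the security tooling boundary and is
            # written into a CRM record visible to sales users; make sure this is
            # covered by the data-classification rules for customer security data.
            - name: update-salesforce
              type: call
              call: "salesforce.update-opportunity"
              with:
                opportunity_id: "{{salesforce_opportunity_id}}"
                security_score: "{{get-spotlight-scores.overall_score}}"
            - name: notify-team
              type: call
              call: "slack.post-message"
              with:
                channel: "customer-success"
                text: "Security assessment for {{account_name}}: Score {{get-spotlight-scores.overall_score}} | Salesforce updated."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: scores
          # NOTE(review): confirm this path against the Spotlight API; it differs
          # from the other Falcon paths used in this file.
          path: "/scores/entities/scores/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-scores
              method: GET
    - type: http
      namespace: salesforce
      baseUri: "https://crowdstrike.my.salesforce.com/services/data/v58.0"
      authentication:
        type: bearer
        token: "$secrets.salesforce_token"
      resources:
        - name: opportunities
          path: "/sobjects/Opportunity/{{opportunity_id}}"
          inputParameters:
            - name: opportunity_id
              in: path
          operations:
            - name: update-opportunity
              method: PATCH
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST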

Pushes CrowdStrike detection and vulnerability metrics to Datadog for unified security dashboarding.

naftiko: "0.5"
info:
  label: "Falcon Datadog Security Metric Sync"
  description: "Pushes CrowdStrike detection and vulnerability metrics to Datadog for unified security dashboarding."
  tags:
    - security
    - observability
    - crowdstrike-falcon
    - datadog
    - slack
capability:
  exposes:
    - type: mcp
      namespace: falcon-dd-sync
      port: 8080
      tools:
        - name: sync-security-metrics
          # Only the detection count is pushed; no vulnerability metric is collected
          # by the steps below despite the label/description.
          description: "Pull detection and vulnerability counts from Falcon and push as custom metrics to Datadog."
          inputParameters:
            - name: hours
              in: body
              type: string
              # Validate as a positive integer: it is interpolated straight into the
              # FQL filter below.
              description: "Hours of data to aggregate."
          steps:
            - name: count-detections
              type: call
              call: "falcon.count-detections"
              with:
                # NOTE(review): "{{hours}}h" is not a timestamp; FQL relative times are
                # normally written as 'now-<N>h'. Confirm the accepted syntax, otherwise
                # this filter matches nothing or errors.
                filter: "created_timestamp:>\"{{hours}}h\""
            - name: push-to-datadog
              type: call
              call: "datadog.submit-metrics"
              with:
                series: "crowdstrike.detections.count"
                # NOTE(review): the lookup tools in this file read this total via
                # $.meta.pagination.total; confirm `.total` resolves here, and that a
                # bare string is accepted where the metrics API expects a series
                # payload with typed points.
                points: "{{count-detections.total}}"
                tags: "source:crowdstrike"
            - name: confirm-sync
              type: call
              call: "slack.post-message"
              with:
                channel: "security-dashboards"
                text: "Falcon metrics synced to Datadog: {{count-detections.total}} detections in last {{hours}} hours."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: count-detections
              method: GET
    - type: http
      namespace: datadog
      baseUri: "https://api.datadoghq.com/api/v2"
      authentication:
        type: apikey
        key: "DD-API-KEY"
        # Use a key restricted to metric submission; a full-access Datadog key would
        # expose dashboards and logs if this secret leaked.
        value: "$secrets.datadog_api_key"
        placement: header
      resources:
        - name: metrics
          path: "/series"
          operations:
            - name: submit-metrics
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Returns the count of active detections in CrowdStrike Falcon filtered by severity level.

naftiko: "0.5"
info:
  label: "Falcon Detection Count Lookup"
  description: "Returns the count of active detections in CrowdStrike Falcon filtered by severity level."
  tags:
    - security
    - threat-detection
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-detect-count
      port: 8080
      tools:
        - name: get-detection-count
          description: "Given a severity filter, return the number of active detections in Falcon."
          inputParameters:
            - name: min_severity
              in: body
              type: string
              # Validate as an integer before use; the value is interpolated into
              # the FQL filter below.
              description: "Minimum severity level (1-5)."
          call: "falcon.count-detections"
          with:
            # NOTE(review): max_severity_displayname is a label such as "High" (the
            # detail lookup in this file maps it as the severity name), but
            # min_severity is documented as a number, so this is a string-vs-number
            # comparison and will not filter as intended. Use the numeric severity
            # field from the detection schema here — confirm its name and range
            # against the API, since "1-5" is not obviously that field's scale.
            filter: "status:\"new\"+max_severity_displayname:>\"{{min_severity}}\""
          outputParameters:
            - name: total_count
              type: string
              mapping: "$.meta.pagination.total"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: count-detections
              method: GET

Processes false positive feedback for a Falcon detection, updates the detection status, and logs an exclusion request in Jira for analyst review (the exclusion itself is not created by this workflow).

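naftiko: "0.5"
info:
  label: "Falcon Detection False Positive Feedback"
  # No step below creates an exclusion — the Jira ticket asks a human to review
  # the request — so the description no longer claims that it does.
  description: "Processes false positive feedback for a Falcon detection, updates the detection status, and logs an exclusion request in Jira for analyst review."
  tags:
    - security
    - detection-tuning
    - crowdstrike-falcon
    - jira
    - slack
capability:
  exposes:
    - type: mcp
      namespace: fp-feedback
      port: 8080
      tools:
        # Marking a detection as a false positive silences it, which is exactly what
        # an intruder wants (defense evasion). The justification is free text from
        # the caller and is not checked, so require an authorised human reviewer or
        # an approval step before an agent can reach this tool.
        - name: process-false-positive
          description: "Given a detection ID and justification, mark the detection as a false positive and log an exclusion request in Jira for analyst review. This tool does not create the exclusion itself."
          inputParameters:
            - name: detection_id
              in: body
              type: string
              description: "Falcon detection ID."
            - name: justification
              in: body
              type: string
              # Rendered unchanged into the Jira description and the Slack message;
              # treat as untrusted text (markup and prompt-injection risk for any
              # downstream automation that reads those).
              description: "Reason for marking as false positive."
          steps:
            - name: update-detection
              type: call
              call: "falcon.update-detection-status"
              with:
                ids: "{{detection_id}}"
                status: "false_positive"
            - name: create-jira
              type: call
              call: "jira.create-issue"
              with:
                project_key: "SEC"
                issuetype: "Task"
                summary: "FP Review: Detection {{detection_id}}"
                description: "Justification: {{justification}}\nDetection marked as false positive. Review exclusion request."
            - name: notify-tuning
              type: call
              call: "slack.post-message"
              with:
                channel: "detection-tuning"
                text: "False positive reported: {{detection_id}} | Jira: {{create-jira.key}} | Reason: {{justification}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # This token must carry detection write permission; keep it separate from
        # the read-only token used by the lookup tools so a leak of those does not
        # grant the ability to silence detections.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          # NOTE(review): no inputParameters are declared for ids/status here; for a
          # PATCH they are presumably sent as the JSON body — confirm with the
          # runtime's default, since the GET resources in this file declare theirs.
          path: "/detects/entities/detects/v2"
          operations:
            - name: update-detection-status
              method: PATCH
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST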

Retrieves detection details by ID from CrowdStrike Falcon, returning severity, tactic, technique, and affected hostname.

naftiko: "0.5"
info:
  label: "Falcon Detection Severity Lookup"
  description: "Retrieves detection details by ID from CrowdStrike Falcon, returning severity, tactic, technique, and affected hostname."
  tags:
    - security
    - threat-detection
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-detect-detail
      port: 8080
      tools:
        - name: get-detection-detail
          description: "Given a detection ID, return the severity, MITRE tactic, technique, and affected hostname."
          inputParameters:
            - name: detection_id
              in: body
              type: string
              description: "Falcon detection ID."
          call: "falcon.get-detection-detail"
          with:
            ids: "{{detection_id}}"
          # Read-only lookup. tactic/technique come from the first behavior only; a
          # detection with several behaviors may span more tactics than reported
          # here.
          outputParameters:
            - name: severity
              type: string
              mapping: "$.resources[0].max_severity_displayname"
            - name: tactic
              type: string
              mapping: "$.resources[0].behaviors[0].tactic"
            - name: technique
              type: string
              mapping: "$.resources[0].behaviors[0].technique"
            - name: hostname
              type: string
              mapping: "$.resources[0].device.hostname"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          # POST with the ids in the body is how this summaries endpoint is called;
          # the "GET" in the path is part of the endpoint name, not the method.
          path: "/detects/entities/summaries/GET/v1"
          operations:
            - name: get-detection-detail
              method: POST

Converts a CrowdStrike Falcon detection into a Jira security issue and notifies the security team via Slack.

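naftiko: "0.5"
info:
  label: "Falcon Detection to Jira Security Issue"
  # No step below calls a threat-intelligence source, so the description no
  # longer claims enrichment.
  description: "Converts a CrowdStrike Falcon detection into a Jira security issue and notifies the security team via Slack."
  tags:
    - security
    - threat-detection
    - crowdstrike-falcon
    - jira
    - slack
capability:
  exposes:
    - type: mcp
      namespace: detect-to-jira
      port: 8080
      tools:
        - name: create-jira-from-detection
          description: "Given a Falcon detection ID, fetch details, create a Jira security issue, and notify the team."
          inputParameters:
            - name: detection_id
              in: body
              type: string
              description: "CrowdStrike Falcon detection ID."
          steps:
            - name: get-detection
              type: call
              call: "falcon.get-detection"
              with:
                ids: "{{detection_id}}"
            # NOTE(review): the detail lookup in this file reads tactic, technique and
            # hostname from resources[0].behaviors[0] and resources[0].device; the flat
            # references below have no such mapping — confirm they resolve, otherwise
            # the issue summary will be blank.
            - name: create-jira-issue
              type: call
              call: "jira.create-issue"
              with:
                project_key: "SEC"
                issuetype: "Security Issue"
                summary: "Falcon Detection: {{get-detection.tactic}} — {{get-detection.technique}}"
                description: "Detection ID: {{detection_id}}\nHost: {{get-detection.hostname}}\nSeverity: {{get-detection.severity}}\nTactic: {{get-detection.tactic}}\nTechnique: {{get-detection.technique}}"
            - name: notify-team
              type: call
              call: "slack.post-message"
              with:
                channel: "security-ops"
                text: "Detection {{detection_id}} tracked in Jira {{create-jira-issue.key}}: {{get-detection.tactic}} on {{get-detection.hostname}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/entities/summaries/GET/v1"
          operations:
            - name: get-detection
              method: POST
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST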

Retrieves a Falcon host group by name, returning member count, group type, and assignment rule.

naftiko: "0.5"
info:
  label: "Falcon Device Group Lookup"
  description: "Retrieves a Falcon host group by name, returning member count, group type, and assignment rule."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-groups
      port: 8080
      tools:
        - name: get-host-group
          # NOTE(review): the assignment rule promised here and in the description is
          # not among the outputParameters below; either add a mapping for it (if the
          # API returns one) or drop it from the description.
          description: "Given a host group name, return the group type, member count, and dynamic assignment rule."
          inputParameters:
            - name: group_name
              in: body
              type: string
              # Interpolated between quotes in the FQL filter; reject quotes/operators
              # so the caller cannot widen the query.
              description: "Falcon host group name."
          call: "falcon.get-group"
          with:
            filter: "name:\"{{group_name}}\""
          # Reads the first match only; group names are not guaranteed unique, so
          # prefer the returned group_id for any follow-up action.
          outputParameters:
            - name: group_id
              type: string
              mapping: "$.resources[0].id"
            - name: group_type
              type: string
              mapping: "$.resources[0].group_type"
            - name: member_count
              type: string
              mapping: "$.resources[0].member_count"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: host-groups
          path: "/devices/combined/host-groups/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-group
              method: GET

Retrieves application inventory from CrowdStrike Falcon Discover for a given host or network segment.

naftiko: "0.5"
info:
  label: "Falcon Discover Application Inventory"
  description: "Retrieves application inventory from CrowdStrike Falcon Discover for a given host or network segment."
  tags:
    - security
    - asset-discovery
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    # Read-only MCP tool: list applications Falcon Discover has seen on one host.
    - type: mcp
      namespace: falcon-discover-apps
      port: 8080
      tools:
        - name: get-application-inventory
          description: "Given a hostname, return the installed applications discovered by Falcon."
          inputParameters:
            - name: hostname
              in: body
              type: string
              description: "Hostname to query."
          call: "falcon.get-applications"
          with:
            # hostname is interpolated unescaped into the FQL filter; a double quote
            # in the input breaks out of the quoted term.
            # NOTE(review): confirm the runtime escapes template values — verify.
            filter: "host.hostname:\"{{hostname}}\""
          # Only the first application of the (possibly paginated) result is
          # mapped; app_count reflects the full total, first_* only one entry.
          outputParameters:
            - name: app_count
              type: string
              mapping: "$.meta.pagination.total"
            - name: first_app
              type: string
              mapping: "$.resources[0].name"
            - name: first_version
              type: string
              mapping: "$.resources[0].version"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: applications
          path: "/discover/combined/applications/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-applications
              method: GET

Analyzes email-borne threats by checking attachments in Falcon Sandbox, URLs in Falcon Intelligence, and posting findings to the email security team.

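naftiko: "0.5"
info:
  label: "Falcon Email Threat Analysis"
  description: "Analyzes email-borne threats by checking attachments in Falcon Sandbox, URLs in Falcon Intelligence, and posting findings to the email security team."
  tags:
    - security
    - email-security
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    # MCP tool: look up an attachment hash and a URL in Falcon Intelligence and
    # post both verdicts to the email-security Slack channel.
    - type: mcp
      namespace: email-threat
      port: 8080
      tools:
        - name: analyze-email-threat
          description: "Given a suspicious file hash and URL from an email, check both in Falcon and post the analysis to Slack."
          inputParameters:
            - name: file_hash
              in: body
              type: string
              description: "SHA256 hash of the email attachment."
            - name: url
              in: body
              type: string
              description: "Suspicious URL from the email."
          # NOTE(review): the description mentions Falcon Sandbox, but the steps only
          # query Falcon Intelligence indicators; no sandbox submission happens here.
          steps:
            - name: check-hash
              type: call
              call: "falcon-intel.get-indicator"
              with:
                value: "{{file_hash}}"
                # The input is documented as a SHA256 hash, so query the Intel
                # indicator type for SHA256 hashes rather than a generic "hash".
                type: "hash_sha256"
            - name: check-url
              type: call
              call: "falcon-intel.get-indicator"
              with:
                value: "{{url}}"
                # A full URL is a "url" indicator; querying it as "domain" only
                # matches if the caller had already reduced it to a hostname.
                type: "url"
            - name: post-analysis
              type: call
              call: "slack.post-message"
              with:
                channel: "email-security"
                # The raw URL is posted as-is and Slack renders it as a clickable link;
                # consider defanging it (e.g. hxxp://) before posting.
                # NOTE(review): "verdict" is not an Intel indicator field name — confirm
                # which response field (e.g. malicious_confidence) the runtime exposes.
                text: "Email Threat Analysis:\n- Hash {{file_hash}}: {{check-hash.verdict}}\n- URL {{url}}: {{check-url.verdict}}"
  consumes:
    - type: http
      namespace: falcon-intel
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: indicators
          path: "/intel/combined/indicators/v1"
          # NOTE(review): the public endpoint selects indicators through an FQL
          # `filter` query parameter; confirm how the runtime maps value/type onto it.
          inputParameters:
            - name: value
              in: query
            - name: type
              in: query
          operations:
            - name: get-indicator
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST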

Generates an endpoint compliance report from Falcon, checking sensor versions and policy compliance, and distributes via Slack.

naftiko: "0.5"
info:
  label: "Falcon Endpoint Compliance Report"
  description: "Generates an endpoint compliance report from Falcon, checking sensor versions and policy compliance, and distributes via Slack."
  tags:
    - security
    - compliance
    - crowdstrike-falcon
    - slack
    - reporting
capability:
  exposes:
    # MCP tool: count hosts whose sensor is below a version floor and post the
    # count to Slack. Policy compliance (named in the description) is not checked.
    - type: mcp
      namespace: endpoint-compliance
      port: 8080
      tools:
        - name: generate-compliance-report
          description: "Query Falcon for endpoints with outdated sensors or non-compliant policies and post a summary to Slack."
          inputParameters:
            - name: min_agent_version
              in: body
              type: string
              description: "Minimum acceptable Falcon agent version."
          steps:
            - name: query-outdated
              type: call
              call: "falcon.query-hosts"
              with:
                # min_agent_version is interpolated unescaped into the FQL filter.
                # NOTE(review): if the API compares agent_version as a string,
                # "7.10" sorts below "7.9" and the report under/over-counts — verify.
                filter: "agent_version:<\"{{min_agent_version}}\""
            - name: post-report
              type: call
              call: "slack.post-message"
              with:
                channel: "endpoint-security"
                # total_count is not declared as an output of query-hosts; assumes the
                # runtime exposes the response's meta.pagination.total — confirm.
                text: "Endpoint Compliance Report: {{query-outdated.total_count}} hosts running Falcon agent below {{min_agent_version}}. Update required."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        # Query endpoint: returns device IDs plus pagination metadata, not details.
        - name: hosts
          path: "/devices/queries/devices/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-hosts
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

When CrowdStrike Falcon raises a high-severity detection alert, retrieves alert details, creates a ServiceNow incident, and posts a summary to the security-alerts Slack channel.

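naftiko: "0.5"
info:
  label: "Falcon Endpoint Detection Alert Triage"
  description: "When CrowdStrike Falcon raises a high-severity detection alert, retrieves alert details, creates a ServiceNow incident, and posts a summary to the security-alerts Slack channel."
  tags:
    - security
    - incident-response
    - crowdstrike-falcon
    - servicenow
    - slack
capability:
  exposes:
    # MCP tool: fetch a detection, open a ServiceNow incident, notify Slack.
    - type: mcp
      namespace: security-ops
      port: 8080
      tools:
        - name: handle-falcon-alert
          description: "Given a CrowdStrike Falcon detection alert ID, retrieve full alert details, open a ServiceNow security incident, and notify the security team via Slack. Use when a high-severity Falcon detection needs structured triage."
          inputParameters:
            - name: alert_id
              in: body
              type: string
              description: "The CrowdStrike Falcon detection alert ID (e.g., 'ldt:abc123:456')."
            # Free text: nothing below validates it against the four documented values,
            # and it is echoed into the ServiceNow description and the Slack message.
            - name: severity
              in: body
              type: string
              description: "Alert severity level: critical, high, medium, or low."
          steps:
            # Detection details are read the same way the Incident Response Automation
            # capability does it: POST the detection ID(s) to the summaries endpoint.
            - name: get-alert
              type: call
              call: falcon.get-detection
              with:
                ids: "{{alert_id}}"
            - name: create-incident
              type: call
              call: servicenow.create-incident
              with:
                short_description: "CrowdStrike Falcon Alert: {{get-alert.scenario}} on {{get-alert.hostname}}"
                category: "Security"
                # Urgency is pinned to 1 regardless of the severity input.
                urgency: "1"
                description: "Detection ID: {{alert_id}}\nHost: {{get-alert.hostname}}\nTactic: {{get-alert.tactic}}\nTechnique: {{get-alert.technique}}\nSeverity: {{severity}}"
            - name: notify-slack
              type: call
              call: slack.post-message
              with:
                channel: "security-alerts"
                text: "FALCON ALERT [{{severity}}]: {{get-alert.scenario}} on {{get-alert.hostname}} | SNOW: {{create-incident.number}} | Alert: {{alert_id}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        # Detection summaries are fetched with a POST carrying the IDs in the body;
        # there is no per-detection GET path for this lookup.
        - name: detections
          path: "/detects/entities/summaries/GET/v1"
          operations:
            - name: get-detection
              method: POST
    - type: http
      namespace: servicenow
      baseUri: "https://crowdstrike.service-now.com/api/now"
      authentication:
        type: basic
        username: "$secrets.servicenow_user"
        password: "$secrets.servicenow_password"
      resources:
        - name: incidents
          path: "/table/incident"
          operations:
            - name: create-incident
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        # NOTE(review): sibling capabilities read $secrets.slack_token; confirm this
        # separate bot-token secret is intentional rather than a drift.
        token: "$secrets.slack_bot_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST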

Compiles a weekly threat briefing from Falcon Intelligence adversary reports, summarizes with AI, and distributes to executives via Slack and email.

naftiko: "0.5"
info:
  label: "Falcon Executive Threat Briefing"
  description: "Compiles a weekly threat briefing from Falcon Intelligence adversary reports, summarizes with AI, and distributes to executives via Slack and email."
  tags:
    - security
    - threat-intelligence
    - crowdstrike-falcon
    - anthropic
    - slack
capability:
  exposes:
    # MCP tool: pull Intel reports, summarise them with an LLM, post to Slack.
    # The description also mentions email, but no email step exists below.
    - type: mcp
      namespace: exec-briefing
      port: 8080
      tools:
        - name: generate-threat-briefing
          description: "Pull recent adversary reports from Falcon Intel, summarize with AI, and distribute the briefing."
          inputParameters:
            - name: days
              in: body
              type: string
              description: "Number of days of threat intelligence to include."
          steps:
            - name: get-adversary-reports
              type: call
              call: "falcon-intel.get-reports"
              with:
                # days is a count, but it is placed where created_date expects a
                # date/timestamp; "7" therefore does not mean "last 7 days".
                # NOTE(review): compute a cutoff date before the call — verify the
                # runtime offers no date helper for templates.
                filter: "created_date:>{{days}}"
            - name: summarize
              type: call
              call: "anthropic.create-message"
              with:
                model: "claude-sonnet-4-20250514"
                max_tokens: 1024
                system: "You are a cybersecurity analyst. Create a concise executive threat briefing."
                # Report text is third-party content placed inside the prompt; treat
                # the model output as untrusted and keep a human review before wider
                # distribution.
                # NOTE(review): "summaries" is not declared as an output of get-reports;
                # confirm which response field the runtime exposes under that name.
                content: "Summarize these threat intelligence reports for executives: {{get-adversary-reports.summaries}}"
            - name: post-briefing
              type: call
              call: "slack.post-message"
              with:
                channel: "executive-security"
                text: "Weekly Threat Briefing:\n{{summarize.content}}"
  consumes:
    - type: http
      namespace: falcon-intel
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: reports
          path: "/intel/combined/reports/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-reports
              method: GET
    - type: http
      namespace: anthropic
      baseUri: "https://api.anthropic.com/v1"
      authentication:
        # API key is sent as the x-api-key request header.
        type: apikey
        key: "x-api-key"
        value: "$secrets.anthropic_api_key"
        placement: header
      resources:
        - name: messages
          path: "/messages"
          operations:
            - name: create-message
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Generates a Falcon Exposure Management report showing internet-facing assets and their risk levels, and posts a summary to Slack.

naftiko: "0.5"
info:
  label: "Falcon Exposure Management Report"
  description: "Generates a Falcon Exposure Management report showing internet-facing assets and their risk levels, posts summary to Slack."
  tags:
    - security
    - exposure-management
    - crowdstrike-falcon
    - slack
    - reporting
capability:
  exposes:
    # MCP tool: count external assets above a risk threshold and post to Slack.
    - type: mcp
      namespace: exposure-report
      port: 8080
      tools:
        - name: generate-exposure-report
          description: "Query Falcon for internet-facing assets and their risk scores, and post an exposure summary to Slack."
          inputParameters:
            - name: min_risk_score
              in: body
              type: string
              description: "Minimum risk score threshold."
          steps:
            - name: query-exposures
              type: call
              call: "falcon.query-exposures"
              with:
                # min_risk_score is interpolated unquoted; a non-numeric value
                # produces an invalid FQL expression. Validate it as a number first.
                filter: "risk_score:>{{min_risk_score}}"
            - name: post-report
              type: call
              call: "slack.post-message"
              with:
                channel: "security-posture"
                # total_count is not declared as an output of query-exposures; assumes
                # the runtime exposes the response's pagination total — confirm.
                text: "Exposure Report: {{query-exposures.total_count}} internet-facing assets with risk score > {{min_risk_score}}. Review at Falcon console."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        # Query endpoint: returns asset IDs plus pagination metadata, not details.
        - name: exposures
          path: "/fem/queries/external-assets/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-exposures
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Retrieves firewall management rules from CrowdStrike Falcon by rule group name.

naftiko: "0.5"
info:
  label: "Falcon Firewall Rule Lookup"
  description: "Retrieves firewall management rules from CrowdStrike Falcon by rule group name."
  tags:
    - security
    - firewall-management
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    # Read-only MCP tool: look up a firewall rule group by name.
    - type: mcp
      namespace: falcon-fw
      port: 8080
      tools:
        - name: get-firewall-rules
          description: "Given a rule group name, return the firewall rules including action, direction, and protocol."
          inputParameters:
            - name: group_name
              in: body
              type: string
              description: "Falcon firewall rule group name."
          call: "falcon.get-fw-rules"
          with:
            # group_name is interpolated unescaped into the FQL filter; a double quote
            # in the input breaks out of the quoted term.
            filter: "name:\"{{group_name}}\""
          # Only group-level fields are mapped; the per-rule action, direction and
          # protocol promised in the description are not returned.
          outputParameters:
            # Counts rule GROUPS matching the name, not rules inside the group.
            - name: rule_count
              type: string
              mapping: "$.meta.pagination.total"
            - name: enabled
              type: string
              mapping: "$.resources[0].enabled"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: fw-rules
          path: "/fwmgr/combined/rule-groups/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-fw-rules
              method: GET

Generates a CIS benchmark compliance summary from Falcon Horizon (CSPM) across all cloud accounts and posts a pass/fail scorecard to the security governance Microsoft Teams channel.

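naftiko: "0.5"
info:
  label: "Falcon Horizon Compliance Benchmark Report"
  description: "Generates a CIS benchmark compliance summary from Falcon Horizon (CSPM) across all cloud accounts and posts a pass/fail scorecard to the security governance Microsoft Teams channel."
  tags:
    - cloud
    - compliance
    - cspm
    - crowdstrike-falcon
    - microsoft-teams
capability:
  exposes:
    # MCP tool: read a CSPM benchmark summary and post a scorecard to Teams.
    - type: mcp
      namespace: cloud-compliance
      port: 8080
      tools:
        - name: report-cloud-benchmark-compliance
          description: "Query Falcon Horizon for CIS benchmark assessment results across all registered cloud accounts, then post a pass rate scorecard to the security governance Teams channel. Use for monthly cloud compliance reviews."
          inputParameters:
            # Free text; nothing below validates it against the three documented values.
            - name: benchmark_framework
              in: body
              type: string
              description: "Benchmark framework to report on: CIS, NIST, or PCI."
            - name: teams_channel_id
              in: body
              type: string
              description: "Microsoft Teams channel ID to post the compliance scorecard to."
            # The Graph message path needs both the team and the channel; the team
            # was previously never bound, so the send-message call could not resolve.
            - name: teams_team_id
              in: body
              type: string
              description: "Microsoft Teams team ID that owns the target channel."
          steps:
            - name: get-benchmark-results
              type: call
              call: cspm-benchmark.get-assessment-summary
              with:
                framework: "{{benchmark_framework}}"
            - name: post-scorecard
              type: call
              call: msteams-compliance.send-message
              with:
                team_id: "{{teams_team_id}}"
                channel_id: "{{teams_channel_id}}"
                # pass_rate, passing_controls, failing_controls and account_count are
                # not declared as outputs of the assessment call; assumes the runtime
                # exposes matching response fields — confirm.
                message: "Cloud Compliance ({{benchmark_framework}}): Pass Rate {{get-benchmark-results.pass_rate}}% | Passing: {{get-benchmark-results.passing_controls}} | Failing: {{get-benchmark-results.failing_controls}} | Cloud Accounts Assessed: {{get-benchmark-results.account_count}}"
  consumes:
    - type: http
      namespace: cspm-benchmark
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: assessments
          path: "/cspm-registration/entities/benchmark/v1"
          inputParameters:
            - name: framework
              in: query
          operations:
            - name: get-assessment-summary
              method: GET
    - type: http
      namespace: msteams-compliance
      baseUri: "https://graph.microsoft.com/v1.0"
      authentication:
        type: bearer
        token: "$secrets.msgraph_token"
      resources:
        # Both path parameters must be supplied by the caller of send-message.
        - name: channel-messages
          path: "/teams/{{team_id}}/channels/{{channel_id}}/messages"
          inputParameters:
            - name: team_id
              in: path
            - name: channel_id
              in: path
          operations:
            - name: send-message
              method: POST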

Retrieves detailed host information from CrowdStrike Falcon by hostname, returning OS, agent version, and containment status.

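naftiko: "0.5"
info:
  label: "Falcon Host Detail Lookup"
  description: "Retrieves detailed host information from CrowdStrike Falcon by hostname, returning OS, agent version, and containment status."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    # Read-only MCP tool: resolve one host by hostname and return its key fields.
    - type: mcp
      namespace: falcon-hosts
      port: 8080
      tools:
        - name: get-host-details
          description: "Given a hostname, return the host's OS, Falcon agent version, last seen time, and containment status."
          inputParameters:
            - name: hostname
              in: body
              type: string
              description: "Hostname to look up in Falcon."
          call: "falcon.get-host"
          with:
            # hostname is interpolated unescaped into the FQL filter; a double quote
            # in the input breaks out of the quoted term.
            filter: "hostname:\"{{hostname}}\""
          # Only resources[0] is mapped; if several hosts share the hostname the
          # rest are dropped.
          outputParameters:
            - name: device_id
              type: string
              mapping: "$.resources[0].device_id"
            - name: os_version
              type: string
              mapping: "$.resources[0].os_version"
            - name: agent_version
              type: string
              mapping: "$.resources[0].agent_version"
            # Last check-in timestamp, promised by the description and read by the
            # Host Migration Tracker capability as check-host.last_seen.
            - name: last_seen
              type: string
              mapping: "$.resources[0].last_seen"
            # Containment state of the host (normal / contained / pending states).
            - name: status
              type: string
              mapping: "$.resources[0].status"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/combined/host-search/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-host
              method: GET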

Audits host group policy assignments in Falcon, identifies unprotected groups, and creates a Jira compliance ticket.

naftiko: "0.5"
info:
  label: "Falcon Host Group Policy Audit"
  description: "Audits host group policy assignments in Falcon, identifies unprotected groups, and creates a Jira compliance ticket."
  tags:
    - security
    - compliance
    - crowdstrike-falcon
    - jira
    - slack
capability:
  exposes:
    # MCP tool: query host groups, open a Jira task, notify Slack.
    - type: mcp
      namespace: policy-audit
      port: 8080
      tools:
        - name: audit-group-policies
          description: "Query Falcon host groups, check for groups without prevention policies, and create a compliance ticket."
          inputParameters:
            # Free text; nothing below validates it against the three documented values.
            - name: platform
              in: body
              type: string
              description: "Platform to audit: Windows, Mac, or Linux."
          steps:
            - name: query-groups
              type: call
              call: "falcon.query-groups"
              with:
                # platform is interpolated unescaped into the FQL filter.
                # NOTE(review): confirm host groups expose a platform_name field to
                # filter on; host group objects may not carry it.
                filter: "platform_name:\"{{platform}}\""
            # No step queries prevention-policy assignments, so "unprotected_count"
            # cannot be derived from the host-group lookup alone.
            # NOTE(review): confirm what the runtime binds to query-groups.unprotected_count.
            - name: create-jira
              type: call
              call: "jira.create-issue"
              with:
                project_key: "SEC"
                issuetype: "Task"
                summary: "Policy audit: {{platform}} host groups — {{query-groups.unprotected_count}} without prevention policies"
            - name: notify-team
              type: call
              call: "slack.post-message"
              with:
                channel: "endpoint-security"
                text: "Policy Audit: {{query-groups.unprotected_count}} {{platform}} host groups lack prevention policies. Jira: {{create-jira.key}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: groups
          path: "/devices/combined/host-groups/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-groups
              method: GET
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        # Basic auth with an API token; both values come from the secret store.
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Tracks hosts being migrated between Falcon CIDs, verifies sensor connectivity post-migration, and reports status to Slack.

naftiko: "0.5"
info:
  label: "Falcon Host Migration Tracker"
  description: "Tracks hosts being migrated between Falcon CIDs, verifies sensor connectivity post-migration, and reports status to Slack."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    # MCP tool: look a host up by name and post its sensor status to Slack.
    - type: mcp
      namespace: host-migration
      port: 8080
      tools:
        - name: track-host-migration
          description: "Given a hostname, verify its sensor status in the new CID and report migration success to Slack."
          inputParameters:
            - name: hostname
              in: body
              type: string
              description: "Hostname being migrated."
          steps:
            - name: check-host
              type: call
              call: "falcon.get-host"
              with:
                # hostname is interpolated unescaped into the FQL filter; a double
                # quote in the input breaks out of the quoted term.
                filter: "hostname:\"{{hostname}}\""
            - name: post-status
              type: call
              call: "slack.post-message"
              with:
                channel: "endpoint-migration"
                # agent_version, status and last_seen are not declared as outputs of
                # get-host; assumes the runtime exposes the raw response fields — confirm.
                text: "Migration status: {{hostname}} | Agent: {{check-host.agent_version}} | Status: {{check-host.status}} | Last seen: {{check-host.last_seen}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Only one credential is configured; for the lookup to reflect the NEW CID,
        # this token must belong to the destination CID.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/combined/host-search/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-host
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Retrieves identity risk score from CrowdStrike Falcon Identity Protection for a given user.

naftiko: "0.5"
info:
  label: "Falcon Identity Risk Score Lookup"
  description: "Retrieves identity risk score from CrowdStrike Falcon Identity Protection for a given user."
  tags:
    - security
    - identity-protection
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    # Read-only MCP tool: look up one identity's risk score by username.
    - type: mcp
      namespace: falcon-id-risk
      port: 8080
      tools:
        - name: get-identity-risk
          description: "Given a username, return their identity risk score, risk factors, and recommended actions."
          inputParameters:
            - name: username
              in: body
              type: string
              description: "Username to check."
          call: "falcon.get-identity-risk"
          with:
            # username is interpolated unescaped into the FQL filter; a double quote
            # in the input breaks out of the quoted term.
            filter: "username:\"{{username}}\""
          # Only the first matching identity and its first risk factor are mapped;
          # the "recommended actions" named in the description are not returned.
          outputParameters:
            - name: risk_score
              type: string
              mapping: "$.resources[0].risk_score"
            - name: risk_level
              type: string
              mapping: "$.resources[0].risk_level"
            - name: top_risk_factor
              type: string
              mapping: "$.resources[0].risk_factors[0].description"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        # NOTE(review): Identity Protection data is commonly served through a
        # GraphQL endpoint; confirm this REST path and its response shape exist.
        - name: identities
          path: "/identity-protection/combined/identities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-identity-risk
              method: GET

When a critical Falcon detection occurs, contains the host, creates a PagerDuty alert, opens a Jira incident, and posts a war room link to Slack.

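naftiko: "0.5"
info:
  label: "Falcon Incident Response Automation"
  description: "When a critical Falcon detection occurs, contains the host, creates a PagerDuty alert, opens a Jira incident, and posts a war room link to Slack."
  tags:
    - security
    - incident-response
    - crowdstrike-falcon
    - pagerduty
    - jira
    - slack
capability:
  exposes:
    # MCP tool: fetch a detection, network-contain its host, then page, ticket
    # and notify. Containment is a disruptive action; see the notes on the step.
    - type: mcp
      namespace: falcon-ir
      port: 8080
      tools:
        - name: automate-incident-response
          description: "Given a detection ID, contain the host, create PagerDuty and Jira incidents, and open a Slack war room."
          inputParameters:
            - name: detection_id
              in: body
              type: string
              description: "CrowdStrike Falcon detection ID."
          steps:
            - name: get-detection
              type: call
              call: "falcon.get-detection"
              with:
                ids: "{{detection_id}}"
            # Containment runs for ANY detection ID passed in; nothing here checks the
            # detection's severity even though the description says "critical".
            # NOTE(review): gate on get-detection's severity before this step — verify
            # which field the runtime exposes.
            - name: contain-host
              type: call
              call: "falcon.contain-host"
              with:
                # The host-actions endpoint performs nothing without an action name;
                # "contain" selects network containment. Device IDs travel in the body.
                action_name: "contain"
                ids: "{{get-detection.device_id}}"
            - name: page-oncall
              type: call
              call: "pagerduty.create-incident"
              with:
                title: "Critical detection: {{get-detection.tactic}} on {{get-detection.hostname}}"
                # Service ID is read from the secret store alongside real secrets.
                service_id: "$secrets.pagerduty_security_service_id"
                urgency: "high"
            - name: create-jira
              type: call
              call: "jira.create-issue"
              with:
                project_key: "IR"
                issuetype: "Incident"
                summary: "Security Incident: {{get-detection.tactic}} — {{get-detection.hostname}}"
                description: "Detection: {{detection_id}}\nHost contained: {{get-detection.hostname}}\nPD: {{page-oncall.incident_url}}"
            - name: post-war-room
              type: call
              call: "slack.post-message"
              with:
                channel: "security-incidents"
                # "Host contained" is asserted unconditionally; the contain-host
                # result is not checked before announcing it.
                text: "SECURITY INCIDENT: {{get-detection.tactic}} on {{get-detection.hostname}} | Host contained | Jira: {{create-jira.key}} | PD: {{page-oncall.incident_url}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # This token must carry the host-actions write scope in addition to
        # detection read; keep it separate from read-only lookup credentials.
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/entities/summaries/GET/v1"
          operations:
            - name: get-detection
              method: POST
        # Host actions are selected with the action_name query parameter.
        - name: host-actions
          path: "/devices/entities/host-actions/v2"
          inputParameters:
            - name: action_name
              in: query
          operations:
            - name: contain-host
              method: POST
    - type: http
      namespace: pagerduty
      baseUri: "https://api.pagerduty.com"
      authentication:
        # NOTE(review): PagerDuty expects the Authorization header in its own
        # "Token token=..." form; confirm the secret value already includes it.
        type: apikey
        key: "Authorization"
        value: "$secrets.pagerduty_token"
        placement: header
      resources:
        - name: incidents
          path: "/incidents"
          operations:
            - name: create-incident
              method: POST
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST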

Retrieves a Falcon incident by ID, returning severity, status, host count, and detection count.

naftiko: "0.5"
info:
  label: "Falcon Incident Severity Lookup"
  description: "Retrieves a Falcon incident by ID, returning severity, status, host count, and detection count."
  tags:
    - security
    - incident-management
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    # Read-only MCP tool: fetch one incident by ID and map a few summary fields.
    - type: mcp
      namespace: falcon-incident
      port: 8080
      tools:
        - name: get-incident-details
          description: "Given a Falcon incident ID, return its severity, status, involved hosts, and detection count."
          inputParameters:
            - name: incident_id
              in: body
              type: string
              description: "Falcon incident ID."
          call: "falcon.get-incident"
          with:
            ids: "{{incident_id}}"
          # The detection count named in the description is not mapped.
          outputParameters:
            # "severity" is backed by the incident's fine_score (a numeric score),
            # not a named severity level.
            - name: severity
              type: string
              mapping: "$.resources[0].fine_score"
            # NOTE(review): the incident status field is a numeric state code rather
            # than a label — confirm consumers expect the raw value.
            - name: status
              type: string
              mapping: "$.resources[0].status"
            # ".length" is not a standard JSONPath selector; depends on the runtime's
            # JSONPath dialect — verify it evaluates to the array size.
            - name: host_count
              type: string
              mapping: "$.resources[0].host_ids.length"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        # Resolved from the secret store at runtime.
        token: "$secrets.falcon_oauth_token"
      resources:
        # Incident details are fetched with a POST carrying the IDs in the body.
        - name: incidents
          path: "/incidents/entities/incidents/GET/v1"
          operations:
            - name: get-incident
              method: POST

Builds a chronological incident timeline from Falcon detections and process events, documents it in Confluence, and shares via Slack.

# Capability: three-step orchestration — fetch a Falcon incident, write a
# Confluence page from its fields, then post the page link to Slack.
naftiko: "0.5"
info:
  label: "Falcon Incident Timeline Builder"
  description: "Builds a chronological incident timeline from Falcon detections and process events, documents it in Confluence, and shares via Slack."
  tags:
    - security
    - incident-response
    - crowdstrike-falcon
    - confluence
    - slack
capability:
  exposes:
    - type: mcp
      namespace: timeline-builder
      port: 8080
      tools:
        - name: build-incident-timeline
          description: "Given a Falcon incident ID, compile a timeline of related events and document in Confluence."
          inputParameters:
            - name: incident_id
              in: body
              type: string
              description: "Falcon incident ID."
          steps:
            - name: get-incident
              type: call
              call: "falcon.get-incident"
              with:
                ids: "{{incident_id}}"
            - name: document-timeline
              type: call
              call: "confluence.create-page"
              with:
                # Target space is fixed; parameterize if other teams reuse this tool.
                space_key: "IR"
                title: "Incident Timeline: {{incident_id}}"
                # NOTE(review): the fields referenced here (hosts, detection_ids,
                # first_behavior, last_behavior) are assumed to exist on the
                # get-incident response — TODO confirm against the API schema.
                # NOTE(review): the "timeline" is a flat field dump; no process
                # events are fetched despite the description.
                body: "Hosts: {{get-incident.hosts}}\nDetections: {{get-incident.detection_ids}}\nFirst activity: {{get-incident.first_behavior}}\nLast activity: {{get-incident.last_behavior}}"
            - name: share-timeline
              type: call
              call: "slack.post-message"
              with:
                channel: "security-incidents"
                # `url` is presumed to be surfaced from the create-page response.
                text: "Incident timeline documented: {{incident_id}} | {{document-timeline.url}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: incidents
          path: "/incidents/entities/incidents/GET/v1"
          operations:
            - name: get-incident
              method: POST
    - type: http
      namespace: confluence
      baseUri: "https://crowdstrike.atlassian.net/wiki/rest/api"
      authentication:
        type: basic
        username: "$secrets.confluence_user"
        password: "$secrets.confluence_api_token"
      resources:
        - name: pages
          # NOTE(review): how the flat `body` string above is mapped onto the
          # content API's structured page body is not shown here — TODO confirm.
          path: "/content"
          operations:
            - name: create-page
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Publishes a new CrowdStrike Falcon custom YARA rule submission to the Custom IOA repository and notifies the threat hunting team in Slack.

# Capability: create a rule through the Falcon Custom IOA rules endpoint and
# announce it in the threat-hunting Slack channel.
# NOTE(review): the endpoint used below (/ioarules/...) is the Custom IOA rules
# API; its rules are pattern-based, not YARA. Confirm the intended API before
# treating `rule_body` as a YARA document.
naftiko: "0.5"
info:
  label: "Falcon Intelligence YARA Rule Publication"
  description: "Publishes a new CrowdStrike Falcon custom YARA rule submission to the Custom IOA repository and notifies the threat hunting team in Slack."
  tags:
    - security
    - threat-hunting
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: threat-hunting
      port: 8080
      tools:
        - name: publish-yara-rule
          description: "Given a YARA rule name, pattern, and description, create a new custom YARA rule in CrowdStrike Falcon and announce it to the threat hunting Slack channel. Use when analysts develop new detection signatures from threat research."
          inputParameters:
            # The kebab-case / 64-char constraint is documentation only; nothing
            # in this definition enforces it.
            - name: rule_name
              in: body
              type: string
              description: "Name for the new YARA rule (kebab-case, max 64 chars)."
            - name: rule_description
              in: body
              type: string
              description: "Description of what threat this rule detects."
            # Analyst-supplied rule text goes straight into a fleet-wide detection
            # rule; an over-broad pattern affects every host. Review and test rules
            # before they are enabled.
            - name: rule_body
              in: body
              type: string
              description: "Full YARA rule body text."
          steps:
            - name: create-yara-rule
              type: call
              call: falcon-ioa.create-rule
              with:
                name: "{{rule_name}}"
                description: "{{rule_description}}"
                # NOTE(review): only name/description/pattern are sent; the rule's
                # group, type, severity and disposition are not supplied here —
                # TODO confirm the runtime or API defaults them.
                pattern: "{{rule_body}}"
            - name: announce-rule
              type: call
              call: slack-hunting.post-message
              with:
                channel: "threat-hunting"
                # `rule_id` is presumed to be surfaced from the create-rule response.
                text: "New YARA rule published: {{rule_name}} | ID: {{create-yara-rule.rule_id}} | {{rule_description}}"
  consumes:
    - type: http
      namespace: falcon-ioa
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: custom-ioa-rules
          path: "/ioarules/entities/rules/v1"
          operations:
            - name: create-rule
              method: POST
    - type: http
      namespace: slack-hunting
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        # NOTE(review): other capabilities in this file use `$secrets.slack_token`;
        # confirm the separate `slack_bot_token` secret is intentional.
        token: "$secrets.slack_bot_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Reviews and manages IOA exclusions in Falcon, audits for overly broad rules, and reports findings.

# Capability: query global IOA exclusions for one platform and post the count
# to Slack.
# NOTE(review): despite the "Manager" label and "identify overly broad or
# expired rules" wording, this definition only counts exclusions and asks for a
# manual review; no classification or management step exists.
naftiko: "0.5"
info:
  label: "Falcon IOA Exclusion Manager"
  description: "Reviews and manages IOA exclusions in Falcon, audits for overly broad rules, and reports findings."
  tags:
    - security
    - policy-management
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: ioa-exclusions
      port: 8080
      tools:
        - name: audit-ioa-exclusions
          description: "Query Falcon for active IOA exclusions and identify overly broad or expired rules."
          inputParameters:
            # Interpolated into an FQL filter below without escaping; validate
            # against the allowed set before use. Another capability in this file
            # sends `platform` in lowercase ("windows") — TODO confirm expected case.
            - name: platform
              in: body
              type: string
              description: "Platform filter: Windows, Mac, or Linux."
          steps:
            - name: get-exclusions
              type: call
              call: "falcon.get-ioa-exclusions"
              with:
                # FQL: `+` joins conditions with AND.
                filter: "applied_globally:true+platform:\"{{platform}}\""
            - name: post-audit
              type: call
              call: "slack.post-message"
              with:
                channel: "security-policy"
                # `total_count` is presumed to come from the query response's
                # pagination metadata — TODO confirm the runtime exposes it.
                text: "IOA Exclusion Audit ({{platform}}): {{get-exclusions.total_count}} global exclusions found. Review for overly broad rules."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: exclusions
          # A `queries` endpoint: returns matching IDs, not exclusion details.
          path: "/policy/queries/ioa-exclusions/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-ioa-exclusions
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Imports a batch of IOCs from a threat intelligence feed into CrowdStrike custom IOCs with appropriate actions and expiration dates.

# Capability: push a batch of indicators into Falcon custom IOC management with
# one action and a fixed 30-day expiration, then confirm in Slack.
naftiko: "0.5"
info:
  label: "Falcon IOC Batch Import"
  description: "Imports a batch of IOCs from a threat intelligence feed into CrowdStrike custom IOCs with appropriate actions and expiration dates."
  tags:
    - security
    - threat-intelligence
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: ioc-import
      port: 8080
      tools:
        - name: import-ioc-batch
          description: "Given a list of indicators and action type, import them as custom IOCs in Falcon and confirm via Slack."
          inputParameters:
            # NOTE(review): passed through below as a single string; no step splits
            # it into one entry per indicator — TODO confirm the runtime expands it.
            - name: indicators
              in: body
              type: string
              description: "Comma-separated list of IOC values."
            - name: ioc_type
              in: body
              type: string
              description: "Type of IOC: sha256, ipv4, domain."
            # `allow` entries suppress detection/prevention for every listed value;
            # a bulk feed import with `allow` should be gated behind analyst review.
            - name: action
              in: body
              type: string
              description: "Action to take: detect, prevent, or allow."
          steps:
            - name: create-iocs
              type: call
              call: "falcon.create-iocs"
              with:
                indicators: "{{indicators}}"
                type: "{{ioc_type}}"
                action: "{{action}}"
                # Relative duration; whether the API/runtime accepts this form
                # rather than an absolute timestamp is not shown here — TODO confirm.
                # Keep in sync with the "30 days" wording in the Slack text below.
                expiration: "30d"
            - name: confirm-import
              type: call
              call: "slack.post-message"
              with:
                channel: "threat-intel"
                # `created_count` is presumed to be surfaced from the create response.
                text: "IOC Import: {{create-iocs.created_count}} {{ioc_type}} indicators imported with action '{{action}}'. Expires in 30 days."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: custom-iocs
          path: "/iocs/entities/indicators/v1"
          operations:
            - name: create-iocs
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Searches CrowdStrike custom IOC management for a given indicator, returning action, severity, and expiration.

# Capability: single-call lookup of one custom IOC entry by indicator value.
naftiko: "0.5"
info:
  label: "Falcon IOC Search"
  description: "Searches CrowdStrike custom IOC management for a given indicator, returning action, severity, and expiration."
  tags:
    - security
    - threat-intelligence
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-ioc
      port: 8080
      tools:
        - name: search-custom-ioc
          description: "Given an indicator value (hash, IP, domain), return its custom IOC entry including action, severity, and expiration date."
          inputParameters:
            # Interpolated into a quoted FQL string below; a value containing a
            # double quote would break or alter the filter — validate/escape first.
            - name: indicator_value
              in: body
              type: string
              description: "IOC value to search for."
          call: "falcon.get-ioc"
          with:
            filter: "value:\"{{indicator_value}}\""
          # Only the first matching entry is returned; if the same value exists
          # more than once the rest are dropped silently.
          outputParameters:
            - name: action
              type: string
              mapping: "$.resources[0].action"
            - name: severity
              type: string
              mapping: "$.resources[0].severity"
            - name: expiration
              type: string
              mapping: "$.resources[0].expiration"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: iocs
          # A `combined` endpoint: returns full indicator objects, not just IDs.
          path: "/iocs/combined/indicator/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-ioc
              method: GET

Detects lateral movement patterns across endpoints using Falcon telemetry, isolates affected hosts, and creates a security incident with full timeline.

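# Capability: lateral-movement triage. Resolves the source host, queries Falcon
# detections tagged with the Lateral Movement tactic for it, network-contains
# the host, and alerts the SOC.
# Fix: the containment call previously passed `hostname`, but the host-actions
# resource is keyed by device ID — every other containment workflow in this file
# resolves the host first and passes `device_id`. A `get-host` step now does that.
naftiko: "0.5"
info:
  label: "Falcon Lateral Movement Detector"
  description: "Detects lateral movement patterns across endpoints using Falcon telemetry, isolates affected hosts, and creates a security incident with full timeline."
  tags:
    - security
    - threat-detection
    - crowdstrike-falcon
    - slack
    - incident-response
capability:
  exposes:
    - type: mcp
      namespace: lateral-movement
      port: 8080
      tools:
        - name: detect-lateral-movement
          description: "Given a suspicious host, query Falcon for lateral movement indicators, contain involved hosts, and alert the SOC."
          inputParameters:
            # Interpolated into quoted FQL strings below; validate/escape before use.
            - name: source_hostname
              in: body
              type: string
              description: "Hostname where suspicious activity originated."
          steps:
            # Resolve hostname -> device_id; the containment step needs the ID.
            - name: get-host
              type: call
              call: "falcon.get-host"
              with:
                filter: "hostname:\"{{source_hostname}}\""
            - name: query-lateral
              type: call
              call: "falcon.search-events"
              with:
                # FQL: `+` joins conditions with AND.
                filter: "behaviors.hostname:\"{{source_hostname}}\"+behaviors.tactic:\"Lateral Movement\""
            # NOTE(review): containment is unconditional — it runs even when
            # query-lateral returns zero events. The step DSL used in this file
            # shows no conditional construct, so gate this at the caller.
            - name: contain-source
              type: call
              call: "falcon.contain-host"
              with:
                device_id: "{{get-host.device_id}}"
            - name: alert-soc
              type: call
              call: "slack.post-message"
              with:
                channel: "soc-alerts"
                # `event_count` is presumed to be surfaced from the query response.
                text: "LATERAL MOVEMENT DETECTED: Source: {{source_hostname}} | Events: {{query-lateral.event_count}} | Host contained. Investigate immediately."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        # Same host-search resource the other containment workflows in this file use.
        - name: hosts
          path: "/devices/combined/host-search/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-host
              method: GET
        - name: detections
          # A `queries` endpoint: returns matching detection IDs, not details.
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: search-events
              method: GET
        - name: host-actions
          path: "/devices/entities/host-actions/v2"
          operations:
            - name: contain-host
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST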

Executes a LogScale query against CrowdStrike log data and returns matching event results.

# Capability: single-call execution of a caller-supplied LogScale query.
# NOTE(review): the description says matching results are returned, but only
# an event count and a status are mapped out below.
naftiko: "0.5"
info:
  label: "Falcon LogScale Query Lookup"
  description: "Executes a LogScale query against CrowdStrike log data and returns matching event results."
  tags:
    - security
    - log-management
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-logscale
      port: 8080
      tools:
        - name: run-logscale-query
          description: "Given a LogScale query string, execute it and return matching results with event count."
          inputParameters:
            # Executed verbatim with the capability's credentials; restrict who
            # can call this tool and keep an audit log of submitted queries.
            - name: query
              in: body
              type: string
              description: "LogScale query string."
          call: "falcon.run-query"
          with:
            queryString: "{{query}}"
          outputParameters:
            - name: event_count
              type: string
              mapping: "$.metadata.eventCount"
            - name: status
              type: string
              mapping: "$.metadata.queryStatus"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: logscale
          # NOTE(review): the path name suggests a results-retrieval endpoint
          # rather than query submission — TODO confirm it accepts `queryString`.
          path: "/loggingapi/combined/query-job-results/v1"
          operations:
            - name: run-query
              method: POST

When Falcon detects malware, quarantines the file, contains the endpoint, creates a ServiceNow security incident, and alerts the SOC.

# Capability: for one detection ID — fetch the detection summary, network-contain
# the host, open a ServiceNow incident, and alert the SOC.
# NOTE(review): label and description say the file is quarantined, but no
# quarantine step exists; only host containment is performed.
naftiko: "0.5"
info:
  label: "Falcon Malware Quarantine and Notify"
  description: "When Falcon detects malware, quarantines the file, contains the endpoint, creates a ServiceNow security incident, and alerts the SOC."
  tags:
    - security
    - malware
    - crowdstrike-falcon
    - servicenow
    - slack
capability:
  exposes:
    - type: mcp
      namespace: malware-quarantine
      port: 8080
      tools:
        - name: quarantine-and-notify
          description: "Given a detection ID, quarantine the malware, contain the host, create a ServiceNow incident, and notify the SOC."
          inputParameters:
            - name: detection_id
              in: body
              type: string
              description: "Falcon detection ID."
          steps:
            - name: get-detection
              type: call
              call: "falcon.get-detection"
              with:
                ids: "{{detection_id}}"
            # Containment is unconditional for the detection's device; there is no
            # severity/confidence check before isolating the host.
            - name: contain-host
              type: call
              call: "falcon.contain-host"
              with:
                # device_id, filename, sha256 and hostname are presumed to be
                # surfaced from the detection summary response — TODO confirm.
                device_id: "{{get-detection.device_id}}"
            - name: create-snow-incident
              type: call
              call: "servicenow.create-incident"
              with:
                short_description: "Malware detected: {{get-detection.filename}} on {{get-detection.hostname}}"
                category: "security"
                # Highest urgency; quoted so the value stays a string.
                urgency: "1"
                description: "Detection: {{detection_id}}\nFile: {{get-detection.filename}}\nHash: {{get-detection.sha256}}\nHost: {{get-detection.hostname}}"
            - name: alert-soc
              type: call
              call: "slack.post-message"
              with:
                channel: "soc-alerts"
                # `number` is presumed to be surfaced from the ServiceNow response.
                text: "MALWARE: {{get-detection.filename}} on {{get-detection.hostname}} | Host contained | SNOW: {{create-snow-incident.number}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          # Read-by-ID endpoint: the verb is part of the path, the HTTP method is POST.
          path: "/detects/entities/summaries/GET/v1"
          operations:
            - name: get-detection
              method: POST
        - name: host-actions
          path: "/devices/entities/host-actions/v2"
          operations:
            - name: contain-host
              method: POST
    - type: http
      namespace: servicenow
      baseUri: "https://crowdstrike.service-now.com/api/now"
      authentication:
        type: basic
        username: "$secrets.snow_user"
        password: "$secrets.snow_password"
      resources:
        - name: incidents
          path: "/table/incident"
          operations:
            - name: create-incident
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Generates a MITRE ATT&CK coverage report based on Falcon detection capabilities and posts to Slack.

# Capability: fetch MITRE technique coverage for one platform and post a
# one-line summary to a caller-chosen Slack channel.
naftiko: "0.5"
info:
  label: "Falcon MITRE ATT&CK Coverage Report"
  description: "Generates a MITRE ATT&CK coverage report based on Falcon detection capabilities and posts to Slack."
  tags:
    - security
    - compliance
    - crowdstrike-falcon
    - slack
    - reporting
capability:
  exposes:
    - type: mcp
      namespace: mitre-coverage
      port: 8080
      tools:
        - name: generate-mitre-report
          description: "Pull Falcon detection coverage by MITRE technique and post a summary report."
          inputParameters:
            - name: slack_channel
              in: body
              type: string
              description: "Slack channel for the report."
          steps:
            - name: get-coverage
              type: call
              call: "falcon.get-mitre-coverage"
              with:
                # NOTE(review): platform is fixed to windows while the channel is
                # parameterized; consider exposing it as an input if other
                # platforms are in scope.
                platform: "windows"
            - name: post-report
              type: call
              call: "slack.post-message"
              with:
                channel: "{{slack_channel}}"
                # covered_techniques / total_techniques / percentage are presumed to
                # be surfaced from the coverage response — TODO confirm.
                text: "MITRE ATT&CK Coverage Report: {{get-coverage.covered_techniques}} / {{get-coverage.total_techniques}} techniques covered. Coverage: {{get-coverage.percentage}}%"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: mitre
          path: "/intel/combined/mitre/v1"
          inputParameters:
            - name: platform
              in: query
          operations:
            - name: get-mitre-coverage
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Checks health status of managed child CIDs in a Falcon MSSP environment and reports unhealthy tenants.

# Capability: list MSSP child CIDs and post their count to Slack.
# NOTE(review): the description says unhealthy tenants are reported, but no
# health check exists — the message only carries a count and a pointer to the
# console.
naftiko: "0.5"
info:
  label: "Falcon MSSP Child CID Health"
  description: "Checks health status of managed child CIDs in a Falcon MSSP environment and reports unhealthy tenants."
  tags:
    - security
    - mssp
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: mssp-health
      port: 8080
      tools:
        - name: check-child-cid-health
          description: "Query Falcon MSSP for child CID health and post a status report."
          inputParameters:
            - name: slack_channel
              in: body
              type: string
              description: "Slack channel for the report."
          steps:
            - name: get-children
              type: call
              call: "falcon.get-child-cids"
              with:
                # Most recently modified first.
                sort: "last_modified_timestamp.desc"
            - name: post-report
              type: call
              call: "slack.post-message"
              with:
                channel: "{{slack_channel}}"
                # `total_count` is presumed to come from the query response's
                # pagination metadata — TODO confirm the runtime exposes it.
                text: "MSSP CID Health: {{get-children.total_count}} child CIDs monitored. Review at Falcon console."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: children
          # A `queries` endpoint: returns child CID identifiers, not tenant details.
          path: "/mssp/queries/children/v1"
          inputParameters:
            - name: sort
              in: query
          operations:
            - name: get-child-cids
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Lifts network containment on a previously isolated host, verifies connectivity, and logs the action in ServiceNow.

# Capability: resolve a host by name, lift Falcon network containment on it,
# record the justification in a ServiceNow task, and notify the SOC.
# NOTE(review): the description says connectivity is verified, but no
# verification step exists between lift-contain and log-action.
naftiko: "0.5"
info:
  label: "Falcon Network Containment Lift"
  description: "Lifts network containment on a previously isolated host, verifies connectivity, and logs the action in ServiceNow."
  tags:
    - security
    - incident-response
    - crowdstrike-falcon
    - servicenow
    - slack
capability:
  exposes:
    - type: mcp
      namespace: containment-lift
      port: 8080
      tools:
        - name: lift-containment
          description: "Given a hostname, lift Falcon network containment, verify status, and log in ServiceNow."
          inputParameters:
            # Interpolated into a quoted FQL string below; validate/escape first.
            - name: hostname
              in: body
              type: string
              description: "Hostname to uncontain."
            # Free text, captured in both ServiceNow and Slack for audit. Un-containing
            # is a privileged action; consider an approval gate in front of this tool.
            - name: justification
              in: body
              type: string
              description: "Reason for lifting containment."
          steps:
            - name: get-host
              type: call
              call: "falcon.get-host"
              with:
                # NOTE(review): if several devices share the hostname (e.g. a
                # reimaged machine), which `device_id` is selected is not defined here.
                filter: "hostname:\"{{hostname}}\""
            - name: lift-contain
              type: call
              call: "falcon.lift-containment"
              with:
                device_id: "{{get-host.device_id}}"
            - name: log-action
              type: call
              call: "servicenow.create-task"
              with:
                short_description: "Containment lifted: {{hostname}}"
                description: "Justification: {{justification}}\nDevice ID: {{get-host.device_id}}"
                assignment_group: "security-ops"
            - name: notify-soc
              type: call
              call: "slack.post-message"
              with:
                channel: "soc-operations"
                # `number` is presumed to be surfaced from the ServiceNow response.
                text: "Containment lifted: {{hostname}} | Reason: {{justification}} | SNOW: {{log-action.number}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/combined/host-search/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-host
              method: GET
        - name: host-actions
          # Same endpoint the contain workflows use; the action differs.
          path: "/devices/entities/host-actions/v2"
          operations:
            - name: lift-containment
              method: POST
    - type: http
      namespace: servicenow
      baseUri: "https://crowdstrike.service-now.com/api/now"
      authentication:
        type: basic
        username: "$secrets.snow_user"
        password: "$secrets.snow_password"
      resources:
        - name: tasks
          path: "/table/task"
          operations:
            - name: create-task
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

When a new hire device is detected in Falcon, assigns it to the correct host group, applies prevention policies, and notifies IT.

# Capability: resolve a new device by hostname, add it to a department host
# group, and notify IT.
# NOTE(review): the description says prevention policies are applied, but no
# policy step exists; group membership is the only change made.
naftiko: "0.5"
info:
  label: "Falcon New Hire Endpoint Provisioning"
  description: "When a new hire device is detected in Falcon, assigns it to the correct host group, applies prevention policies, and notifies IT."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - slack
    - onboarding
capability:
  exposes:
    - type: mcp
      namespace: endpoint-provision
      port: 8080
      tools:
        - name: provision-new-endpoint
          description: "Given a device hostname and department, assign the device to the correct Falcon host group and notify IT."
          inputParameters:
            # Interpolated into a quoted FQL string below; validate/escape first.
            - name: hostname
              in: body
              type: string
              description: "Hostname of the new device."
            # Used verbatim to build the target group name; validate against the
            # known department list so a typo cannot place a host in the wrong
            # (or a non-existent) group.
            - name: department
              in: body
              type: string
              description: "Department of the new hire."
          steps:
            - name: get-device
              type: call
              call: "falcon.get-host"
              with:
                filter: "hostname:\"{{hostname}}\""
            - name: assign-group
              type: call
              call: "falcon.assign-host-group"
              with:
                device_id: "{{get-device.device_id}}"
                # NOTE(review): the group is addressed by name here; whether the
                # host-group-actions endpoint resolves names or needs a group ID is
                # not shown — TODO confirm.
                group_name: "{{department}}-endpoints"
            - name: notify-it
              type: call
              call: "slack.post-message"
              with:
                channel: "it-ops"
                text: "New endpoint provisioned: {{hostname}} assigned to {{department}}-endpoints group in Falcon."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/combined/host-search/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-host
              method: GET
        - name: host-group-actions
          path: "/devices/entities/host-group-actions/v1"
          operations:
            - name: assign-host-group
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

During employee offboarding, hides the endpoint from Falcon, requests device wipe via Intune, and logs the action in ServiceNow.

# Capability: resolve a departing employee's device, hide it from Falcon, and
# open a ServiceNow audit task.
# NOTE(review): the label, description and `microsoft-intune` tag promise an
# Intune wipe, but no Intune consumer or step is defined here. The ServiceNow
# task text below nevertheless records "Device wipe initiated.", which makes
# the audit trail inaccurate — add the wipe step or correct the wording.
naftiko: "0.5"
info:
  label: "Falcon Offboarding Endpoint Wipe"
  description: "During employee offboarding, hides the endpoint from Falcon, requests device wipe via Intune, and logs the action in ServiceNow."
  tags:
    - security
    - offboarding
    - crowdstrike-falcon
    - microsoft-intune
    - servicenow
capability:
  exposes:
    - type: mcp
      namespace: offboard-endpoint
      port: 8080
      tools:
        - name: offboard-and-wipe
          description: "Given a hostname, hide the Falcon sensor, initiate device wipe via Intune, and create a ServiceNow audit task."
          inputParameters:
            # Interpolated into a quoted FQL string below; validate/escape first.
            - name: hostname
              in: body
              type: string
              description: "Hostname of the departing employee's device."
            - name: employee_name
              in: body
              type: string
              description: "Name of the departing employee."
          steps:
            - name: get-host
              type: call
              call: "falcon.get-host"
              with:
                filter: "hostname:\"{{hostname}}\""
            # Hiding removes the host from Falcon visibility. If a wipe is added
            # later, consider ordering it before this step so a failed wipe is
            # still observable.
            - name: hide-host
              type: call
              call: "falcon.hide-host"
              with:
                device_id: "{{get-host.device_id}}"
            - name: create-audit-task
              type: call
              call: "servicenow.create-task"
              with:
                short_description: "Offboarding endpoint wipe: {{hostname}} for {{employee_name}}"
                assignment_group: "endpoint-management"
                # NOTE(review): "Device wipe initiated." is not true of this
                # definition as written (see header note).
                description: "Falcon sensor hidden. Device wipe initiated. Employee: {{employee_name}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/combined/host-search/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-host
              method: GET
        - name: host-actions
          # Same endpoint the contain/lift workflows use; the action differs.
          path: "/devices/entities/host-actions/v2"
          operations:
            - name: hide-host
              method: POST
    - type: http
      namespace: servicenow
      baseUri: "https://crowdstrike.service-now.com/api/now"
      authentication:
        type: basic
        username: "$secrets.snow_user"
        password: "$secrets.snow_password"
      resources:
        - name: tasks
          path: "/table/task"
          operations:
            - name: create-task
              method: POST

Correlates Falcon Identity risk data with Okta user status, flags high-risk active users, and creates access review tasks.

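# Identity correlation: pull the Falcon Identity risk record and the Okta user
# record for one username and post both to Slack for access review.
# The step list has no conditional, so the post happens on every call; the
# descriptions below are worded to match that. Gating on risk_score and opening
# a tracked access-review task would need a task system this capability does
# not consume.
naftiko: "0.5"
info:
  label: "Falcon Okta Identity Correlation"
  description: "Correlates Falcon Identity risk data with Okta user status and posts the result to Slack for access review."
  tags:
    - security
    - identity-protection
    - crowdstrike-falcon
    - okta
    - slack
capability:
  exposes:
    - type: mcp
      namespace: identity-correlation
      port: 8080
      tools:
        - name: correlate-identity-risk
          description: "Given a username, fetch the Falcon Identity risk score and Okta account status and post both to the identity-security Slack channel for access review. Posts on every call; it does not filter by risk level or create a task."
          inputParameters:
            - name: username
              in: body
              type: string
              description: "Username to correlate."
          steps:
            # username is caller-supplied and is placed inside the FQL string
            # quotes; a value containing '"' changes the filter, so constrain it
            # upstream.
            - name: get-falcon-risk
              type: call
              call: "falcon.get-identity-risk"
              with:
                filter: "username:\"{{username}}\""
            # Passing the raw username as the Okta {id} relies on Okta accepting a
            # login in place of an id for this endpoint.
            - name: get-okta-user
              type: call
              call: "okta.get-user"
              with:
                id: "{{username}}"
            # Renamed from alert-if-risky: nothing here is conditional.
            - name: post-correlation
              type: call
              call: "slack.post-message"
              with:
                channel: "identity-security"
                text: "Identity risk correlation: {{username}} | Falcon risk: {{get-falcon-risk.risk_score}} | Okta status: {{get-okta-user.status}} | Review access if risk is high."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: identities
          path: "/identity-protection/combined/identities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-identity-risk
              method: GET
    - type: http
      namespace: okta
      baseUri: "https://crowdstrike.okta.com/api/v1"
      authentication:
        type: bearer
        token: "$secrets.okta_api_token"
      resources:
        - name: users
          path: "/users/{{id}}"
          inputParameters:
            - name: id
              in: path
          operations:
            - name: get-user
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST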

When CrowdStrike Overwatch raises a managed detection requiring customer action, creates a high-priority ServiceNow incident and pages the on-call security engineer via PagerDuty.

# Overwatch escalation: open a P1 ServiceNow incident, then page on-call via
# PagerDuty carrying the incident number. Both steps run unconditionally on
# every call; nothing here verifies detection_id against Falcon.
naftiko: "0.5"
info:
  label: "Falcon Overwatch Managed Detection Escalation"
  description: "When CrowdStrike Overwatch raises a managed detection requiring customer action, creates a high-priority ServiceNow incident and pages the on-call security engineer via PagerDuty."
  tags:
    - security
    - incident-response
    - crowdstrike-falcon
    - servicenow
    - pagerduty
capability:
  exposes:
    - type: mcp
      namespace: overwatch-ops
      port: 8080
      tools:
        - name: escalate-overwatch-detection
          description: "Given a CrowdStrike Overwatch managed detection event, create a P1 ServiceNow incident and trigger a PagerDuty alert for the on-call security engineer. Use when Overwatch identifies hands-on-keyboard adversary activity requiring immediate human response."
          # All three inputs are caller-supplied free text copied verbatim into the
          # incident and the page; the caller (an MCP client) is trusted for them.
          inputParameters:
            - name: detection_id
              in: body
              type: string
              description: "The Overwatch managed detection identifier."
            - name: host_name
              in: body
              type: string
              description: "Hostname of the affected endpoint."
            - name: tactic
              in: body
              type: string
              description: "MITRE ATT&CK tactic identified by Overwatch."
          steps:
            # urgency/impact "1" is the highest level in ServiceNow's default
            # priority matrix; sent as strings, which the Table API accepts.
            - name: create-p1-incident
              type: call
              call: servicenow-ow.create-incident
              with:
                short_description: "OVERWATCH DETECTION: Hands-on-keyboard activity on {{host_name}}"
                category: "Security"
                urgency: "1"
                impact: "1"
                description: "Detection ID: {{detection_id}}\nHost: {{host_name}}\nTactic: {{tactic}}\nSource: CrowdStrike Overwatch Managed Detection"
            # Reads create-p1-incident.number from the previous response; no
            # outputParameters mapping is declared, so this presumably relies on
            # the runtime exposing the raw response field — verify.
            - name: page-on-call
              type: call
              call: pagerduty.create-incident
              with:
                title: "OVERWATCH: Adversary activity on {{host_name}} — {{tactic}}"
                severity: "critical"
                body: "Detection: {{detection_id}} | SNOW: {{create-p1-incident.number}} | Host: {{host_name}} | Tactic: {{tactic}}"
  consumes:
    - type: http
      namespace: servicenow-ow
      baseUri: "https://crowdstrike.service-now.com/api/now"
      authentication:
        type: basic
        # NOTE(review): the offboarding capability on this page names the same
        # instance's credentials $secrets.snow_user / snow_password; pick one.
        username: "$secrets.servicenow_user"
        password: "$secrets.servicenow_password"
      resources:
        - name: incidents
          path: "/table/incident"
          operations:
            - name: create-incident
              method: POST
    - type: http
      namespace: pagerduty
      baseUri: "https://api.pagerduty.com"
      authentication:
        # NOTE(review): the secret is sent as the raw Authorization header value.
        # PagerDuty's REST API expects the form "Token token=<key>" — confirm the
        # stored secret already carries that prefix. Incident creation also needs
        # a From header and a service reference, which this consumer does not
        # declare; the body keys here (title/severity/body) are the tool's own
        # names rather than PagerDuty's schema — verify against the runtime.
        type: apikey
        key: "Authorization"
        value: "$secrets.pagerduty_token"
        placement: header
      resources:
        - name: incidents
          path: "/incidents"
          operations:
            - name: create-incident
              method: POST

Investigates a reported phishing attempt by checking the sender domain in Falcon Intelligence, scanning the user's endpoint, and documenting findings.

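# Phishing triage: look the reported sender domain up in Falcon Intelligence,
# open a Jira investigation ticket with the verdict, and notify the SOC.
# The original wording promised an endpoint scan of the reporting user, but no
# step or consumer performs one; the descriptions are corrected so an MCP client
# does not report a scan that never happened.
naftiko: "0.5"
info:
  label: "Falcon Phishing Investigation Workflow"
  description: "Investigates a reported phishing attempt by checking the sender domain in Falcon Intelligence and documenting the findings in Jira and Slack."
  tags:
    - security
    - phishing
    - crowdstrike-falcon
    - slack
    - jira
capability:
  exposes:
    - type: mcp
      namespace: phishing-investigation
      port: 8080
      tools:
        - name: investigate-phishing
          description: "Given a suspicious domain and reporting user, look the domain up in Falcon Intel, open a Jira investigation ticket with the verdict, and notify the SOC. The reporter's endpoint is not scanned by this tool; request that separately."
          inputParameters:
            - name: suspicious_domain
              in: body
              type: string
              description: "Domain from the phishing email."
            - name: reporting_user
              in: body
              type: string
              description: "Username of the person who reported the phish."
          steps:
            # value/type are sent as plain query parameters (not spliced into an
            # FQL string), so no quoting concern here. If Intel has no record of
            # the domain the verdict fields below render empty — the ticket still
            # gets created, which is the desired "unknown domain" outcome.
            - name: check-domain
              type: call
              call: "falcon-intel.get-indicator"
              with:
                value: "{{suspicious_domain}}"
                type: "domain"
            - name: create-investigation
              type: call
              call: "jira.create-issue"
              with:
                project_key: "SEC"
                issuetype: "Investigation"
                summary: "Phishing: {{suspicious_domain}} reported by {{reporting_user}}"
                description: "Domain verdict: {{check-domain.verdict}}\nReported by: {{reporting_user}}\nMalware families: {{check-domain.malware_families}}\nEndpoint scan: not performed by this workflow - request separately if the verdict warrants it."
            # The raw domain is echoed into Slack; chat clients may auto-link it,
            # so a defanged form would be safer for a channel humans read.
            - name: notify-soc
              type: call
              call: "slack.post-message"
              with:
                channel: "soc-alerts"
                text: "Phishing investigation: {{suspicious_domain}} | Verdict: {{check-domain.verdict}} | Jira: {{create-investigation.key}}"
  consumes:
    - type: http
      namespace: falcon-intel
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: indicators
          path: "/intel/combined/indicators/v1"
          inputParameters:
            - name: value
              in: query
            - name: type
              in: query
          operations:
            - name: get-indicator
              method: GET
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST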

Retrieves a Falcon prevention policy by name, returning enabled features, assigned host groups, and enforcement mode.

# Single-call lookup: one FQL query against the combined prevention-policy
# endpoint, returning a few fields of the first matching policy.
naftiko: "0.5"
info:
  label: "Falcon Prevention Policy Lookup"
  description: "Retrieves a Falcon prevention policy by name, returning enabled features, assigned host groups, and enforcement mode."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - policy
capability:
  exposes:
    - type: mcp
      namespace: falcon-policy
      port: 8080
      tools:
        - name: get-prevention-policy
          # NOTE(review): the description promises enabled features, assigned
          # groups and enforcement mode, but only id / enabled / platform are
          # mapped below; either extend the mappings or narrow the wording.
          description: "Given a prevention policy name, return its enabled features, assigned groups, and enforcement mode."
          inputParameters:
            - name: policy_name
              in: body
              type: string
              description: "Falcon prevention policy name."
          # policy_name is placed inside the FQL string quotes; a value containing
          # '"' changes the filter rather than matching literally. Read-only
          # scope, but constrain the value upstream.
          call: "falcon.get-policy"
          with:
            filter: "name:\"{{policy_name}}\""
          outputParameters:
            # Only resources[0] is read; if several policies share a name (for
            # example one per platform) the others are silently dropped.
            - name: policy_id
              type: string
              mapping: "$.resources[0].id"
            - name: enabled
              type: string   # declared string; presumably a boolean in the API — confirm the runtime coerces
              mapping: "$.resources[0].enabled"
            - name: platform
              type: string
              mapping: "$.resources[0].platform_name"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: policies
          path: "/policy/combined/prevention/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-policy
              method: GET

Compares current Falcon prevention policies against a baseline, identifies drift, and creates a Jira remediation ticket.

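# Policy review: list the prevention policies Falcon returns for a platform,
# open a Jira ticket to review them, and notify Slack.
# No baseline is consumed and no comparison is performed anywhere in the step
# list, so the ticket and message no longer assert "drift detected" — that
# wording produced a false-positive finding on every run. The review is manual
# until a baseline source is wired in.
naftiko: "0.5"
info:
  label: "Falcon Prevention Policy Drift Check"
  description: "Lists current Falcon prevention policies for a platform and creates a Jira ticket to review them against the baseline."
  tags:
    - security
    - policy-management
    - crowdstrike-falcon
    - jira
    - slack
capability:
  exposes:
    - type: mcp
      namespace: policy-drift
      port: 8080
      tools:
        - name: check-policy-drift
          description: "Query Falcon prevention policies for a platform and open a Jira ticket to review them against the baseline. The comparison itself is manual; this tool does not decide whether drift exists."
          inputParameters:
            - name: platform
              in: body
              type: string
              description: "Platform to check: Windows, Mac, or Linux."
          steps:
            # platform is placed inside the FQL string quotes; a value containing
            # '"' changes the filter. Restrict it to the three documented values
            # upstream.
            - name: get-policies
              type: call
              call: "falcon.get-policies"
              with:
                filter: "platform_name:\"{{platform}}\""
            # Ticket text states what was done (a listing) and what remains (the
            # comparison) rather than asserting a finding.
            - name: create-drift-ticket
              type: call
              call: "jira.create-issue"
              with:
                project_key: "SEC"
                issuetype: "Task"
                summary: "Policy drift review: {{platform}} prevention policies"
                description: "{{get-policies.total_count}} {{platform}} prevention policies returned by Falcon. No automated baseline comparison is performed by this workflow; review each policy against the baseline and record any deviations in this ticket."
            - name: notify-team
              type: call
              call: "slack.post-message"
              with:
                channel: "security-policy"
                text: "Policy drift review: {{platform}} — {{get-policies.total_count}} policies queued for baseline comparison. Jira: {{create-drift-ticket.key}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: policies
          path: "/policy/combined/prevention/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-policies
              method: GET
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST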

Monitors privileged account activity in Falcon Identity Protection, detects anomalous admin behavior, and escalates to security leadership.

# Privileged-activity sweep: one query against Falcon identity events, then a
# Slack post with the count. The post is unconditional (it fires when the count
# is 0 too), so the "Investigate immediately" wording is always present.
naftiko: "0.5"
info:
  label: "Falcon Privileged Account Monitor"
  description: "Monitors privileged account activity in Falcon Identity Protection, detects anomalous admin behavior, and escalates to security leadership."
  tags:
    - security
    - identity-protection
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: priv-monitor
      port: 8080
      tools:
        - name: monitor-privileged-accounts
          description: "Query Falcon for anomalous privileged account activity and escalate findings."
          inputParameters:
            # Declared as string and spliced straight into the FQL below; restrict
            # it to a plain integer upstream so it cannot alter the filter.
            - name: hours
              in: body
              type: string
              description: "Hours to look back for activity."
          steps:
            - name: query-priv-activity
              type: call
              call: "falcon.query-identity-events"
              with:
                # NOTE(review): the relative-time form >"Nh" is not one I can confirm
                # for this endpoint's FQL; verify it is accepted before trusting
                # total_count, otherwise every run may report 0.
                filter: "is_admin:true+is_anomalous:true+created_timestamp:>\"{{hours}}h\""
            # Channel is identity-security although the label says "security
            # leadership"; presumably intentional — confirm.
            - name: alert-security
              type: call
              call: "slack.post-message"
              with:
                channel: "identity-security"
                text: "Privileged Account Alert: {{query-priv-activity.total_count}} anomalous admin events in last {{hours}} hours. Investigate immediately."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        # A /queries/ endpoint returns matching IDs rather than full records; the
        # step only uses total_count, which is consistent with that.
        - name: identity-events
          path: "/identity-protection/queries/events/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-identity-events
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Retrieves quarantined file details from Falcon by SHA256 hash, returning filename, host, and quarantine date.

# Single-call lookup: one FQL query against the combined quarantine endpoint,
# returning fields of the first matching quarantine record.
naftiko: "0.5"
info:
  label: "Falcon Quarantine File Lookup"
  description: "Retrieves quarantined file details from Falcon by SHA256 hash, returning filename, host, and quarantine date."
  tags:
    - security
    - malware
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-quarantine
      port: 8080
      tools:
        - name: get-quarantined-file
          description: "Given a SHA256 hash, return the quarantined file name, affected host, and quarantine timestamp."
          inputParameters:
            # Spliced inside the FQL string quotes below; validate upstream that
            # it is 64 hex characters so it cannot alter the filter.
            - name: sha256
              in: body
              type: string
              description: "SHA256 hash of the quarantined file."
          call: "falcon.get-quarantine"
          with:
            filter: "sha256:\"{{sha256}}\""
          outputParameters:
            # One hash can be quarantined on many hosts; only resources[0] is
            # returned, so the caller sees a single host even when the file was
            # caught more widely.
            - name: filename
              type: string
              mapping: "$.resources[0].filename"
            - name: hostname
              type: string
              mapping: "$.resources[0].hostname"
            - name: quarantine_date
              type: string
              mapping: "$.resources[0].date_created"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: quarantine
          path: "/quarantine/combined/quarantined-files/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-quarantine
              method: GET

Executes ransomware response by isolating affected hosts, disabling compromised accounts in Okta, creating a critical incident, and alerting leadership.

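# Ransomware containment: resolve the host in Falcon, network-contain it,
# suspend the user's Okta account, then post to leadership and the SOC.
# The containment step originally sent the raw hostname to the host-actions
# endpoint; that endpoint acts on Falcon device IDs (see the other capabilities
# on this page, which look the device up first), so the host would not have
# been contained. A get-host step now resolves the device_id first.
naftiko: "0.5"
info:
  label: "Falcon Ransomware Response Playbook"
  # NOTE(review): "creating a critical incident" is not implemented — no ticketing
  # consumer is declared; the escalation is the two Slack posts below.
  description: "Executes ransomware response by isolating affected hosts, disabling compromised accounts in Okta, creating a critical incident, and alerting leadership."
  tags:
    - security
    - ransomware
    - crowdstrike-falcon
    - okta
    - slack
    - incident-response
capability:
  exposes:
    - type: mcp
      namespace: ransomware-response
      port: 8080
      tools:
        - name: execute-ransomware-response
          description: "Given affected hostname and user, contain the host, suspend the Okta account, and escalate to leadership."
          inputParameters:
            - name: hostname
              in: body
              type: string
              description: "Hostname of the affected endpoint."
            - name: affected_user
              in: body
              type: string
              description: "Username of the compromised account."
          steps:
            # Resolve hostname -> Falcon device_id. hostname is placed inside the
            # FQL string quotes; a value containing '"' changes the filter, so
            # constrain it upstream.
            - name: get-host
              type: call
              call: "falcon.get-host"
              with:
                filter: "hostname:\"{{hostname}}\""
            # Network containment keeps the sensor connected to the cloud, so
            # telemetry continues during the investigation.
            - name: contain-host
              type: call
              call: "falcon.contain-host"
              with:
                device_id: "{{get-host.device_id}}"
            # Suspend (not deactivate) is reversible once the account is cleaned.
            # Passing the username as {user_id} relies on Okta accepting a login
            # in place of an id. Existing Okta sessions are not cleared here.
            - name: suspend-okta
              type: call
              call: "okta.suspend-user"
              with:
                user_id: "{{affected_user}}"
            - name: alert-leadership
              type: call
              call: "slack.post-message"
              with:
                channel: "security-leadership"
                text: "RANSOMWARE ALERT: Host {{hostname}} contained | User {{affected_user}} suspended | Immediate investigation required."
            - name: alert-soc
              type: call
              call: "slack.post-message"
              with:
                channel: "soc-alerts"
                text: "Ransomware response initiated: {{hostname}} / {{affected_user}} | Host isolated, account suspended. Begin forensic analysis."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/combined/host-search/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-host
              method: GET
        - name: host-actions
          path: "/devices/entities/host-actions/v2"
          # NOTE(review): only device_id is sent; the Falcon host-action API selects
          # the action (contain vs hide) with a separate selector — confirm the
          # runtime supplies it.
          operations:
            - name: contain-host
              method: POST
    - type: http
      namespace: okta
      baseUri: "https://crowdstrike.okta.com/api/v1"
      authentication:
        type: bearer
        token: "$secrets.okta_api_token"
      resources:
        - name: users
          path: "/users/{{user_id}}/lifecycle/suspend"
          inputParameters:
            - name: user_id
              in: path
          operations:
            - name: suspend-user
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST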

Initiates a Falcon Real Time Response session to execute a predefined remediation script on a target host and logs the results.

# RTR script runner: resolve the host, open a Real Time Response session,
# run a cloud-stored script by name, post the status to Slack.
# RTR executes on the endpoint with high privilege, so the two caller-supplied
# inputs below are the security boundary of this capability.
naftiko: "0.5"
info:
  label: "Falcon Real Time Response Script"
  description: "Initiates a Falcon Real Time Response session to execute a predefined remediation script on a target host and logs the results."
  tags:
    - security
    - endpoint-remediation
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: rtr-script
      port: 8080
      tools:
        - name: run-rtr-script
          description: "Given a hostname and script name, initiate an RTR session, execute the script, and post results to Slack."
          inputParameters:
            - name: hostname
              in: body
              type: string
              description: "Target hostname."
            # Spliced into the RTR command line below without validation. Nothing
            # in this file enforces "predefined": the MCP layer must restrict
            # script_name to an allow-list of known cloud-file names (no spaces or
            # option characters) before this tool is reachable.
            - name: script_name
              in: body
              type: string
              description: "Name of the predefined RTR script."
          steps:
            # hostname is placed inside the FQL string quotes; a value containing
            # '"' changes the filter, so constrain it upstream.
            - name: get-host
              type: call
              call: "falcon.get-host"
              with:
                filter: "hostname:\"{{hostname}}\""
            - name: init-session
              type: call
              call: "falcon.init-rtr-session"
              with:
                device_id: "{{get-host.device_id}}"
            - name: run-script
              type: call
              call: "falcon.run-rtr-command"
              with:
                session_id: "{{init-session.session_id}}"
                command_string: "runscript -CloudFile={{script_name}}"
            # Only run-script.status is reported; the script's output is not
            # captured anywhere. No step closes the RTR session afterwards
            # (sessions time out on their own, but an explicit close is cleaner).
            - name: post-results
              type: call
              call: "slack.post-message"
              with:
                channel: "endpoint-remediation"
                text: "RTR script {{script_name}} executed on {{hostname}} | Status: {{run-script.status}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/combined/host-search/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-host
              method: GET
        - name: rtr-sessions
          path: "/real-time-response/entities/sessions/v1"
          operations:
            - name: init-rtr-session
              method: POST
        # NOTE(review): runscript is, as far as I recall, an RTR admin-level
        # command served by the admin-command endpoint rather than the
        # active-responder one; confirm this endpoint and the token's RTR role
        # accept it, otherwise the step fails on every call.
        - name: rtr-commands
          path: "/real-time-response/entities/active-responder-command/v1"
          operations:
            - name: run-rtr-command
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Retrieves a Falcon response policy by name, returning RTR permissions, assigned groups, and enabled state.

# Single-call lookup: one FQL query against the combined response-policy
# endpoint, returning a few fields of the first matching policy.
naftiko: "0.5"
info:
  label: "Falcon Response Policy Lookup"
  description: "Retrieves a Falcon response policy by name, returning RTR permissions, assigned groups, and enabled state."
  tags:
    - security
    - policy-management
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-resp-policy
      port: 8080
      tools:
        - name: get-response-policy
          # NOTE(review): RTR permissions and assigned groups are promised but
          # not mapped below — only id / enabled / platform are returned.
          description: "Given a response policy name, return its RTR permissions, assigned groups, and enabled state."
          inputParameters:
            - name: policy_name
              in: body
              type: string
              description: "Falcon response policy name."
          # policy_name is placed inside the FQL string quotes; a value containing
          # '"' changes the filter rather than matching literally. Read-only
          # scope, but constrain the value upstream.
          call: "falcon.get-response-policy"
          with:
            filter: "name:\"{{policy_name}}\""
          outputParameters:
            # Only resources[0] is read; same-named policies on other platforms
            # are dropped.
            - name: policy_id
              type: string
              mapping: "$.resources[0].id"
            - name: enabled
              type: string   # declared string; presumably a boolean in the API — confirm the runtime coerces
              mapping: "$.resources[0].enabled"
            - name: platform
              type: string
              mapping: "$.resources[0].platform_name"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: policies
          path: "/policy/combined/response/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-response-policy
              method: GET

When Falcon Identity detects high risk for a user, triggers step-up authentication in Okta and notifies the security team.

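# Risk-based re-authentication: read the Falcon Identity risk record for a
# user, clear the user's Okta sessions so the next access requires a fresh
# sign-in (and with it the MFA challenge the sign-on policy demands), and
# notify the identity-security channel.
#
# This replaces the earlier lifecycle/reset_factors call. Resetting factors
# un-enrols every MFA method, so a user already flagged as high risk would be
# left with password-only sign-in until re-enrolment — the opposite of step-up,
# and a window in which whoever holds the password can enrol a factor.
# Clearing sessions keeps the enrolled factors and forces them to be used.
naftiko: "0.5"
info:
  label: "Falcon Risk-Based Authentication Trigger"
  description: "When Falcon Identity detects high risk for a user, triggers step-up authentication in Okta and notifies the security team."
  tags:
    - security
    - identity-protection
    - crowdstrike-falcon
    - okta
    - slack
capability:
  exposes:
    - type: mcp
      namespace: risk-auth
      port: 8080
      tools:
        - name: trigger-step-up-auth
          description: "Given a high-risk user, clear their Okta sessions to force re-authentication with MFA and alert the identity security team. The Falcon risk score is reported, not used as a gate: sessions are cleared on every call."
          inputParameters:
            - name: username
              in: body
              type: string
              description: "Username flagged as high risk."
          steps:
            # Looked up for the alert text only; the step list has no conditional,
            # so get-risk.risk_score does not gate the session clear. username is
            # placed inside the FQL string quotes — constrain it upstream.
            - name: get-risk
              type: call
              call: "falcon.get-identity-risk"
              with:
                filter: "username:\"{{username}}\""
            # Non-destructive step-up: enrolled factors stay, active sessions end.
            # Passing the username as {user_id} relies on Okta accepting a login
            # in place of an id.
            - name: force-reauth
              type: call
              call: "okta.clear-sessions"
              with:
                user_id: "{{username}}"
            - name: alert-team
              type: call
              call: "slack.post-message"
              with:
                channel: "identity-security"
                text: "Risk-based auth: {{username}} risk score {{get-risk.risk_score}} — Okta sessions cleared; next sign-in requires a fresh MFA challenge."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: identities
          path: "/identity-protection/combined/identities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-identity-risk
              method: GET
    - type: http
      namespace: okta
      baseUri: "https://crowdstrike.okta.com/api/v1"
      authentication:
        type: bearer
        token: "$secrets.okta_api_token"
      resources:
        # Okta "clear user sessions": DELETE /users/{id}/sessions ends every
        # active session for the user and returns no body.
        - name: user-sessions
          path: "/users/{{user_id}}/sessions"
          inputParameters:
            - name: user_id
              in: path
          operations:
            - name: clear-sessions
              method: DELETE
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST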

Opens a CrowdStrike Falcon Real Time Response session on a compromised host to execute an approved remediation script and records the session transcript in ServiceNow.

# RTR remediation with audit trail: open a Real Time Response session on a
# device, run a named script, and append the session output to a ServiceNow
# incident as work notes. RTR runs with high privilege on the endpoint; the
# caller-supplied device_id and script_name are the security boundary here.
naftiko: "0.5"
info:
  label: "Falcon RTR Remote Remediation Session"
  description: "Opens a CrowdStrike Falcon Real Time Response session on a compromised host to execute an approved remediation script and records the session transcript in ServiceNow."
  tags:
    - security
    - incident-response
    - crowdstrike-falcon
    - servicenow
    - endpoint
capability:
  exposes:
    - type: mcp
      namespace: rtr-ops
      port: 8080
      tools:
        - name: run-rtr-remediation
          # "Use only for pre-approved remediation playbooks" is guidance to the
          # MCP client; nothing in this file enforces it. An allow-list of
          # script_name values must be applied before this tool is reachable.
          description: "Given a Falcon device ID and approved remediation script name, initiate a Real Time Response session, execute the script, and record the session output in a ServiceNow incident. Use only for pre-approved remediation playbooks during active incident response."
          inputParameters:
            # Taken as given — there is no host lookup, so a wrong ID targets a
            # different machine with no check.
            - name: device_id
              in: body
              type: string
              description: "CrowdStrike Falcon device ID of the host to remediate."
            # Spliced into the RTR command line below unvalidated; restrict to
            # known script names with no spaces or option characters.
            - name: script_name
              in: body
              type: string
              description: "Name of the approved remediation script to execute (e.g., 'isolate-host', 'kill-malicious-process')."
            - name: incident_number
              in: body
              type: string
              description: "ServiceNow incident number to record the remediation session against."
          steps:
            - name: init-rtr-session
              type: call
              call: falcon-rtr.init-session
              with:
                device_id: "{{device_id}}"
            - name: run-script
              type: call
              call: falcon-rtr.run-command
              with:
                session_id: "{{init-rtr-session.session_id}}"
                # NOTE(review): the RTR script runner on this page's other
                # capability uses -CloudFile=; -ScriptName is not a runscript option
                # I can confirm — verify against the RTR command reference.
                command_string: "runscript -ScriptName={{script_name}}"
            # Script output lands in the incident verbatim; it can contain
            # hostnames, paths and user data, so incident visibility applies to it.
            # No step closes the RTR session afterwards.
            - name: record-session
              type: call
              call: servicenow-rtr.update-incident
              with:
                incident_number: "{{incident_number}}"
                work_notes: "RTR Remediation executed on {{device_id}}\nScript: {{script_name}}\nSession ID: {{init-rtr-session.session_id}}\nOutput: {{run-script.output}}"
  consumes:
    - type: http
      namespace: falcon-rtr
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: rtr-sessions
          path: "/real-time-response/entities/sessions/v1"
          operations:
            - name: init-session
              method: POST
        # NOTE(review): the other RTR capability on this page sends commands to
        # .../active-responder-command/v1; this path is a sessions listing, not a
        # command endpoint, as far as I know — confirm before relying on it.
        # runscript is also, to my recollection, an admin-level RTR command.
        - name: rtr-commands
          path: "/real-time-response/entities/active-sessions/v1"
          operations:
            - name: run-command
              method: POST
    - type: http
      namespace: servicenow-rtr
      baseUri: "https://crowdstrike.service-now.com/api/now"
      authentication:
        type: basic
        username: "$secrets.servicenow_user"
        password: "$secrets.servicenow_password"
      resources:
        # NOTE(review): a Table API PATCH addresses one record by sys_id in the
        # path; incident_number here is sent as a body field against the bare
        # table path — confirm the runtime resolves number -> sys_id, otherwise
        # the work notes are not written anywhere.
        - name: incidents
          path: "/table/incident"
          operations:
            - name: update-incident
              method: PATCH

Retrieves malware sandbox analysis results from CrowdStrike Falcon Sandbox by submission ID.

naftiko: "0.5"
info:
  label: "Falcon Sandbox Analysis Lookup"
  description: "Retrieves malware sandbox analysis results from CrowdStrike Falcon Sandbox by submission ID."
  tags:
    - security
    - malware-analysis
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    # Read-only lookup: the only upstream operation is a GET.
    - type: mcp
      namespace: falcon-sandbox
      port: 8080
      tools:
        - name: get-sandbox-report
          description: "Given a Falcon Sandbox submission ID, return the analysis verdict, threat score, and extracted indicators."
          inputParameters:
            - name: submission_id
              in: body
              type: string
              description: "Falcon Sandbox submission ID."
          # submission_id is forwarded verbatim as the `ids` query parameter.
          call: falcon.get-sandbox-report
          with:
            ids: "{{submission_id}}"
          # Only the first report in the response is surfaced. The tool
          # description also promises "extracted indicators", but no output
          # parameter below maps them — callers get verdict/score/type only.
          outputParameters:
            - name: verdict
              type: string
              mapping: "$.resources[0].verdict"
            - name: threat_score
              type: string
              mapping: "$.resources[0].threat_score"
            - name: file_type
              type: string
              mapping: "$.resources[0].file_type"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime;
      # never inline a literal token here.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: sandbox-reports
          path: "/falconx/entities/reports/v1"
          inputParameters:
            - name: ids
              in: query
          operations:
            - name: get-sandbox-report
              method: GET

Retrieves the status of scheduled on-demand scans from CrowdStrike Falcon by scan ID.

naftiko: "0.5"
info:
  label: "Falcon Scheduled Scan Status Lookup"
  description: "Retrieves the status of scheduled on-demand scans from CrowdStrike Falcon by scan ID."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    # Read-only lookup: the only upstream operation is a GET.
    - type: mcp
      namespace: falcon-scan-status
      port: 8080
      tools:
        - name: get-scan-status
          description: "Given a scan ID, return the scan status, scanned host count, and detection count."
          inputParameters:
            - name: scan_id
              in: body
              type: string
              description: "Falcon scan ID."
          # scan_id is forwarded verbatim as the `ids` query parameter.
          call: falcon.get-scan
          with:
            ids: "{{scan_id}}"
          # Values are taken from the first scan record only. Counts are
          # surfaced as strings (type: string), matching the other lookups
          # on this page.
          outputParameters:
            - name: status
              type: string
              mapping: "$.resources[0].status"
            - name: hosts_scanned
              type: string
              mapping: "$.resources[0].hosts_scanned"
            - name: detections_found
              type: string
              mapping: "$.resources[0].filecount.malicious_count"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: scans
          path: "/scanner/entities/scans/v1"
          inputParameters:
            - name: ids
              in: query
          operations:
            - name: get-scan
              method: GET

When a user triggers repeated security detections, enrolls them in security awareness training and notifies their manager.

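naftiko: "0.5"
info:
  label: "Falcon Security Training Trigger"
  description: "When a user triggers repeated security detections, confirms the detection count in Falcon and asks the security awareness team via Slack to enroll the user in training and inform their manager."
  tags:
    - security
    - training
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: security-training
      port: 8080
      tools:
        - name: trigger-security-training
          # There is no enrollment step and no lookup of the user's manager:
          # the capability queries Falcon and posts to a shared channel. The
          # descriptions and the message below state that explicitly so the
          # Slack post is not read as confirmation that enrollment happened.
          description: "Given a username with repeated violations, confirm the Falcon detection count and post an enrollment request to the security-awareness Slack channel."
          inputParameters:
            - name: username
              in: body
              type: string
              description: "Username with repeated security violations."
            - name: violation_count
              in: body
              type: string
              description: "Number of violations in the period, as reported by the caller (not verified against Falcon)."
          steps:
            # username is interpolated unescaped into an FQL filter. A value
            # containing a double quote or a '+' changes the query instead of
            # the search term, so the MCP layer should validate it as a plain
            # account name before this tool runs.
            - name: get-user-detections
              type: call
              call: "falcon.query-detections"
              with:
                filter: "behaviors.user_name:\"{{username}}\""
            # The Falcon count is included so the recipient can compare the
            # caller-supplied violation_count against what Falcon shows.
            - name: notify-manager
              type: call
              call: "slack.post-message"
              with:
                channel: "security-awareness"
                text: "Security training required: {{username}} reported with {{violation_count}} security violations ({{get-user-detections.total_count}} matching Falcon detections). Please enroll the user in mandatory security awareness training and inform their manager."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-detections
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST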

Queries CrowdStrike Falcon for the list of hosts missing sensor coverage and creates a remediation report in Confluence for the IT operations team.

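naftiko: "0.5"
info:
  label: "Falcon Sensor Deployment Verification"
  description: "Queries CrowdStrike Falcon for the list of hosts missing sensor coverage and creates a remediation report in Confluence for the IT operations team."
  tags:
    - security
    - endpoint
    - crowdstrike-falcon
    - reporting
    - monitoring
capability:
  exposes:
    - type: mcp
      namespace: sensor-ops
      port: 8080
      tools:
        - name: verify-sensor-coverage
          # The previous description also promised "outdated sensor versions";
          # no step filters on sensor version, so that claim is dropped.
          description: "Query Falcon device management for hosts whose sensor is in Reduced Functionality Mode, then write a coverage gap report to Confluence. Use for monthly compliance audits and endpoint health reviews."
          inputParameters:
            - name: confluence_page_id
              in: body
              type: string
              description: "Confluence page ID to update with the coverage gap report."
          steps:
            # The device API only knows hosts that have a sensor, so a
            # "Not Installed" status cannot be expressed here; hosts with no
            # sensor are surfaced by the Discover hosts query
            # (/discover/queries/hosts/v1 with entity_type "unmanaged") used by
            # the "Falcon Unmanaged Host Discovery" capability on this page.
            # Reduced Functionality Mode is its own field, spelled the same way
            # the "Falcon Sensor Health Check" capability uses it.
            - name: get-unprotected-hosts
              type: call
              call: falcon-devices.list-devices
              with:
                filter: "reduced_functionality_mode:'yes'"
            # count / device_ids / generated_at are not mapped by the consume
            # block below; they depend on the runtime exposing them for this step.
            - name: update-coverage-report
              type: call
              call: confluence.update-page
              with:
                page_id: "{{confluence_page_id}}"
                title: "Falcon Sensor Coverage Gap Report"
                body: "Hosts in Reduced Functionality Mode: {{get-unprotected-hosts.count}}\nDevice IDs: {{get-unprotected-hosts.device_ids}}\nReport generated: {{get-unprotected-hosts.generated_at}}"
  consumes:
    - type: http
      namespace: falcon-devices
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: devices
          path: "/devices/combined/devices/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: list-devices
              method: GET
    - type: http
      namespace: confluence
      baseUri: "https://crowdstrike.atlassian.net/wiki/rest/api"
      # Confluence is authenticated with the Jira secret pair here, while the
      # "Falcon Threat Hunt Orchestrator" capability uses $secrets.confluence_user
      # for the same base URI. Confirm which pair is provisioned.
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: pages
          path: "/content/{{page_id}}"
          inputParameters:
            - name: page_id
              in: path
          operations:
            - name: update-page
              method: PUT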

Queries Falcon for sensors in reduced functionality mode, creates a ServiceNow remediation task, and alerts the endpoint team.

naftiko: "0.5"
info:
  label: "Falcon Sensor Health Check"
  description: "Queries Falcon for sensors in reduced functionality mode, creates a ServiceNow remediation task, and alerts the endpoint team."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - servicenow
    - slack
capability:
  exposes:
    - type: mcp
      namespace: sensor-health
      port: 8080
      tools:
        - name: check-sensor-health
          description: "Query for sensors in degraded or RFM state, create a ServiceNow task, and notify the endpoint management team."
          inputParameters:
            # Documented as one of three values, but nothing enforces that:
            # the value is spliced unescaped into the FQL filter below, so a
            # quote or '+' in it changes the query. Restrict it to the three
            # documented names at the MCP boundary.
            - name: platform
              in: body
              type: string
              description: "Platform filter: Windows, Mac, or Linux."
          steps:
            # Query step: hosts in Reduced Functionality Mode on the given platform.
            - name: query-rfm-hosts
              type: call
              call: "falcon.query-hosts"
              with:
                filter: "reduced_functionality_mode:\"yes\"+platform_name:\"{{platform}}\""
            # Creates a generic task record (/table/task), not an incident, and
            # routes it to the endpoint-management group.
            # total_count is not mapped by the consume block; it depends on the
            # runtime exposing it for this step.
            - name: create-snow-task
              type: call
              call: "servicenow.create-task"
              with:
                short_description: "Falcon RFM: {{query-rfm-hosts.total_count}} {{platform}} hosts in reduced mode"
                assignment_group: "endpoint-management"
            # Channel post references the task number returned by the step above.
            - name: notify-team
              type: call
              call: "slack.post-message"
              with:
                channel: "endpoint-security"
                text: "Sensor Health Alert: {{query-rfm-hosts.total_count}} {{platform}} hosts in RFM. Task: {{create-snow-task.number}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/queries/devices/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-hosts
              method: GET
    - type: http
      namespace: servicenow
      baseUri: "https://crowdstrike.service-now.com/api/now"
      # The RTR capability earlier on this page reaches the same base URI with
      # $secrets.servicenow_user / servicenow_password; confirm which secret
      # pair is actually provisioned so one of the two does not fail at runtime.
      authentication:
        type: basic
        username: "$secrets.snow_user"
        password: "$secrets.snow_password"
      resources:
        - name: tasks
          path: "/table/task"
          operations:
            - name: create-task
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Compiles an end-of-shift summary from Falcon detections and open investigations, and posts a structured handoff report to the SOC Slack channel.

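naftiko: "0.5"
info:
  label: "Falcon SOC Shift Handoff"
  description: "Compiles an end-of-shift summary from Falcon detections and open investigations, and posts a structured handoff report to the SOC Slack channel."
  tags:
    - security
    - soc-operations
    - crowdstrike-falcon
    - slack
    - reporting
capability:
  exposes:
    - type: mcp
      namespace: soc-handoff
      port: 8080
      tools:
        - name: generate-shift-handoff
          # The window is whatever shift_hours says; the earlier text hard-coded
          # "8 hours", which was wrong for any other shift length.
          description: "Aggregate Falcon detections and open Jira investigations from the last shift_hours hours and post a handoff summary."
          inputParameters:
            # Spliced unescaped into both an FQL filter and a JQL query below.
            # Validate it as a positive integer at the MCP boundary; anything
            # else changes the queries rather than the window.
            - name: shift_hours
              in: body
              type: string
              description: "Number of hours in the shift to summarize (positive integer)."
          steps:
            # Whether FQL accepts a bare "<n>h" relative timestamp is not
            # established by this page — confirm against the tenant.
            - name: query-detections
              type: call
              call: "falcon.query-detections"
              with:
                filter: "created_timestamp:>\"{{shift_hours}}h\""
            # Open (status != Done) SEC issues touched within the window.
            - name: query-open-jiras
              type: call
              call: "jira.search-issues"
              with:
                jql: "project = SEC AND status != Done AND updated >= -{{shift_hours}}h"
            # total_count / total are not mapped by the consume blocks; they
            # depend on the runtime exposing them for these steps.
            - name: post-handoff
              type: call
              call: "slack.post-message"
              with:
                channel: "soc-operations"
                text: "SOC Shift Handoff ({{shift_hours}}h):\n- Detections: {{query-detections.total_count}}\n- Open investigations: {{query-open-jiras.total}}\nReview and continue monitoring."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-detections
              method: GET
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: search
          path: "/search"
          inputParameters:
            - name: jql
              in: query
          operations:
            - name: search-issues
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST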

Fetches high-severity Falcon detections and forwards them to Splunk for SIEM correlation, then posts a sync confirmation to Slack.

naftiko: "0.5"
info:
  label: "Falcon Splunk SIEM Integration"
  description: "Fetches high-severity Falcon detections and forwards them to Splunk for SIEM correlation, then posts a sync confirmation to Slack."
  tags:
    - security
    - siem
    - crowdstrike-falcon
    - splunk
    - slack
capability:
  exposes:
    - type: mcp
      namespace: falcon-splunk
      port: 8080
      tools:
        - name: sync-detections-to-splunk
          description: "Query Falcon for recent high-severity detections and forward to Splunk HEC for SIEM correlation."
          inputParameters:
            # Spliced unescaped into the FQL filter below; validate it as a
            # positive integer at the MCP boundary so a stray quote or '+'
            # cannot rewrite the query.
            - name: hours
              in: body
              type: string
              description: "Hours to look back."
          steps:
            # Whether FQL accepts a bare "<n>h" relative timestamp is not
            # established by this page — confirm against the tenant.
            - name: query-detections
              type: call
              call: "falcon.query-detections"
              with:
                filter: "max_severity:>=4+created_timestamp:>\"{{hours}}h\""
            # The consumed path is the detections *queries* endpoint, which
            # returns detection IDs rather than detection records, so the event
            # forwarded here is a list of IDs. For correlation in Splunk the IDs
            # still have to be resolved to full detection details; as written
            # the SIEM receives identifiers only.
            - name: send-to-splunk
              type: call
              call: "splunk.send-event"
              with:
                sourcetype: "crowdstrike:falcon:detection"
                event: "{{query-detections.resources}}"
            # Confirmation post; total_count is not mapped by the consume block
            # and depends on the runtime exposing it for the query step.
            - name: confirm-sync
              type: call
              call: "slack.post-message"
              with:
                channel: "siem-operations"
                text: "Falcon-Splunk sync: {{query-detections.total_count}} detections forwarded to Splunk in last {{hours}} hours."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-detections
              method: GET
    - type: http
      namespace: splunk
      baseUri: "https://splunk.crowdstrike.com:8088"
      # Splunk HEC conventionally expects "Authorization: Splunk <token>";
      # confirm that the runtime's bearer type emits a scheme this HEC
      # endpoint accepts before relying on the sync.
      authentication:
        type: bearer
        token: "$secrets.splunk_hec_token"
      resources:
        - name: events
          path: "/services/collector/event"
          operations:
            - name: send-event
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Queries Falcon Spotlight for vulnerabilities with high exploit prediction scores and prioritizes patching via Jira.

naftiko: "0.5"
info:
  label: "Falcon Spotlight Exploit Prediction"
  description: "Queries Falcon Spotlight for vulnerabilities with high exploit prediction scores and prioritizes patching via Jira."
  tags:
    - security
    - vulnerability-management
    - crowdstrike-falcon
    - jira
    - slack
capability:
  exposes:
    - type: mcp
      namespace: exploit-prediction
      port: 8080
      tools:
        - name: prioritize-exploit-vulns
          description: "Query Spotlight for vulns with high ExPRT scores, create priority Jira tickets, and alert the patching team."
          inputParameters:
            # NOTE(review): accepted but never used. The filter below is fixed
            # to cve.exprt_rating "CRITICAL", so callers passing a different
            # threshold get the same result set. Either apply the value in the
            # filter or drop the parameter so the tool contract is honest.
            - name: min_exprt_score
              in: body
              type: string
              description: "Minimum ExPRT score threshold."
          steps:
            # Open vulnerabilities whose CVE carries a CRITICAL ExPRT rating.
            - name: query-high-exprt
              type: call
              call: "falcon.query-vulnerabilities"
              with:
                filter: "cve.exprt_rating:\"CRITICAL\"+status:\"open\""
            # One aggregate ticket per run (a count, not one issue per CVE);
            # total_count is not mapped by the consume block and depends on the
            # runtime exposing it for the query step.
            - name: create-priority-ticket
              type: call
              call: "jira.create-issue"
              with:
                project_key: "PATCH"
                issuetype: "Bug"
                summary: "High exploit risk: {{query-high-exprt.total_count}} vulns with critical ExPRT rating"
                priority: "Highest"
            # Channel post references the issue key returned by the step above.
            - name: notify-patching
              type: call
              call: "slack.post-message"
              with:
                channel: "patching"
                text: "Exploit Prediction Alert: {{query-high-exprt.total_count}} vulnerabilities with critical ExPRT rating. Priority Jira: {{create-priority-ticket.key}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: vulnerabilities
          path: "/spotlight/queries/vulnerabilities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-vulnerabilities
              method: GET
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Identifies Falcon sensors that have not checked in for a given period, hides them, and notifies the endpoint management team.

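naftiko: "0.5"
info:
  label: "Falcon Stale Sensor Cleanup"
  # The previous text claimed the capability hides stale sensors; no step does
  # that, so the catalog entry now matches what actually runs. Leaving the
  # hide/delete action to a human is the safer default, since a wrong
  # days_stale value would otherwise remove sensors from view in bulk.
  description: "Identifies Falcon sensors that have not checked in for a given period and posts a cleanup report to the endpoint management team; hosts are not hidden or deleted by this capability."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - slack
    - automation
capability:
  exposes:
    - type: mcp
      namespace: stale-sensors
      port: 8080
      tools:
        - name: cleanup-stale-sensors
          description: "Query for Falcon sensors not seen in the given number of days and post a cleanup report."
          inputParameters:
            # Spliced unescaped into the FQL filter below; validate it as a
            # positive integer at the MCP boundary so a stray quote or '+'
            # cannot rewrite the query.
            - name: days_stale
              in: body
              type: string
              description: "Number of days since last check-in (positive integer)."
          steps:
            # Whether FQL accepts a bare "<n>d" relative timestamp is not
            # established by this page — confirm against the tenant.
            - name: query-stale
              type: call
              call: "falcon.query-hosts"
              with:
                filter: "last_seen:<\"{{days_stale}}d\""
            # Report only; total_count is not mapped by the consume block and
            # depends on the runtime exposing it for the query step.
            - name: notify-team
              type: call
              call: "slack.post-message"
              with:
                channel: "endpoint-management"
                text: "Stale Sensor Report: {{query-stale.total_count}} endpoints not seen in {{days_stale}} days. Review and clean up."
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: hosts
          path: "/devices/queries/devices/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-hosts
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST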

Retrieves a threat actor profile from CrowdStrike Falcon Intelligence by name, returning origin, motivation, and targeted industries.

naftiko: "0.5"
info:
  label: "Falcon Threat Actor Profile Lookup"
  description: "Retrieves a threat actor profile from CrowdStrike Falcon Intelligence by name, returning origin, motivation, and targeted industries."
  tags:
    - security
    - threat-intelligence
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    # Read-only lookup: the only upstream operation is a GET.
    - type: mcp
      namespace: falcon-actor
      port: 8080
      tools:
        - name: get-actor-profile
          description: "Given a threat actor name (e.g., COZY BEAR), return their origin, motivation, and targeted industries."
          inputParameters:
            # Spliced unescaped into a quoted FQL term; a name containing a
            # double quote or '+' changes the query rather than the term, so
            # the MCP layer should validate it as a plain actor name.
            - name: actor_name
              in: body
              type: string
              description: "CrowdStrike threat actor name."
          call: falcon-intel.get-actor
          with:
            filter: "name:\"{{actor_name}}\""
          # Each mapping takes the first element of a list, so an actor with
          # several origins, motivations or target industries is reported with
          # only one of each.
          outputParameters:
            - name: origin
              type: string
              mapping: "$.resources[0].origins[0].value"
            - name: motivation
              type: string
              mapping: "$.resources[0].motivations[0].value"
            - name: target_industries
              type: string
              mapping: "$.resources[0].target_industries[0].value"
  consumes:
    - type: http
      namespace: falcon-intel
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: actors
          path: "/intel/combined/actors/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-actor
              method: GET

Executes a threat hunt query in Falcon, correlates findings with MITRE ATT&CK, and distributes results to the threat hunt team via Slack and Confluence.

naftiko: "0.5"
info:
  label: "Falcon Threat Hunt Orchestrator"
  # NOTE(review): "correlates findings with MITRE ATT&CK" overstates the
  # steps below — mitre_technique is only echoed into the Slack post and the
  # Confluence page; no step looks it up or matches it against results.
  description: "Executes a threat hunt query in Falcon, correlates findings with MITRE ATT&CK, and distributes results to the threat hunt team via Slack and Confluence."
  tags:
    - security
    - threat-hunting
    - crowdstrike-falcon
    - slack
    - confluence
capability:
  exposes:
    - type: mcp
      namespace: threat-hunt
      port: 8080
      tools:
        - name: execute-threat-hunt
          description: "Given a Falcon query and MITRE technique ID, run the hunt, and post results to Slack and document in Confluence."
          inputParameters:
            # Passed through verbatim as the FQL filter, so whoever can invoke
            # this tool can run any detection query the token permits. That is
            # the point of a hunt tool, but it means access to this MCP tool
            # should be limited to hunt-team identities and the query logged.
            # Note the consumed path below is the detections ID query, not an
            # event search, so a query written for event search will not run
            # unchanged here.
            - name: hunt_query
              in: body
              type: string
              description: "Falcon event search query."
            - name: mitre_technique
              in: body
              type: string
              description: "MITRE ATT&CK technique ID, e.g. T1059."
          steps:
            # event_count is not mapped by the consume block; it depends on the
            # runtime exposing it for this step.
            - name: run-hunt
              type: call
              call: "falcon.search-events"
              with:
                filter: "{{hunt_query}}"
            # The raw query text is copied into the channel post and page title;
            # acceptable for a hunt-team channel, but keep that in mind if the
            # channel or space is broadly readable.
            - name: post-results
              type: call
              call: "slack.post-message"
              with:
                channel: "threat-hunt"
                text: "Hunt results for {{mitre_technique}}: {{run-hunt.event_count}} events found. Query: {{hunt_query}}"
            - name: document-hunt
              type: call
              call: "confluence.create-page"
              with:
                space_key: "SEC"
                title: "Threat Hunt: {{mitre_technique}} — {{hunt_query}}"
                body: "Hunt executed on CrowdStrike Falcon.\nQuery: {{hunt_query}}\nResults: {{run-hunt.event_count}} events\nMITRE: {{mitre_technique}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        # Named "events" but bound to the detections *queries* endpoint, which
        # returns detection IDs; the "search-events" operation name and the
        # "event search query" input description do not match this path.
        - name: events
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: search-events
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST
    - type: http
      namespace: confluence
      baseUri: "https://crowdstrike.atlassian.net/wiki/rest/api"
      # The "Falcon Sensor Deployment Verification" capability authenticates
      # to this same base URI with $secrets.jira_user / jira_api_token;
      # confirm which secret pair is provisioned.
      authentication:
        type: basic
        username: "$secrets.confluence_user"
        password: "$secrets.confluence_api_token"
      resources:
        - name: pages
          path: "/content"
          operations:
            - name: create-page
              method: POST

Discovers unmanaged hosts in the network via Falcon, creates deployment tasks in ServiceNow, and alerts the endpoint team.

naftiko: "0.5"
info:
  label: "Falcon Unmanaged Host Discovery"
  description: "Discovers unmanaged hosts in the network via Falcon, creates deployment tasks in ServiceNow, and alerts the endpoint team."
  tags:
    - security
    - asset-discovery
    - crowdstrike-falcon
    - servicenow
    - slack
capability:
  exposes:
    - type: mcp
      namespace: unmanaged-hosts
      port: 8080
      tools:
        - name: discover-unmanaged-hosts
          description: "Query Falcon for hosts seen on the network without a Falcon sensor and create deployment tasks."
          inputParameters:
            # Spliced unescaped into a quoted FQL term; a value containing a
            # double quote or '+' changes the query. Validate it as a CIDR or
            # subnet label at the MCP boundary. Nothing is scanned here — the
            # step only reads what Falcon Discover has already observed.
            - name: subnet
              in: body
              type: string
              description: "Network subnet to scan."
          steps:
            # NOTE(review): the network_segment field name is not established
            # by this page — confirm it is a valid Discover hosts filter field.
            - name: query-unmanaged
              type: call
              call: "falcon.query-unmanaged-assets"
              with:
                filter: "network_segment:\"{{subnet}}\"+entity_type:\"unmanaged\""
            # One aggregate task per run (a count, not one task per host);
            # total_count is not mapped by the consume block and depends on the
            # runtime exposing it for the query step.
            - name: create-deploy-task
              type: call
              call: "servicenow.create-task"
              with:
                short_description: "Deploy Falcon sensor: {{query-unmanaged.total_count}} unmanaged hosts in {{subnet}}"
                assignment_group: "endpoint-management"
            # Channel post references the task number returned by the step above.
            - name: notify-team
              type: call
              call: "slack.post-message"
              with:
                channel: "endpoint-security"
                text: "Unmanaged Host Discovery: {{query-unmanaged.total_count}} hosts in {{subnet}} without Falcon sensor. Task: {{create-deploy-task.number}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: discover-hosts
          path: "/discover/queries/hosts/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-unmanaged-assets
              method: GET
    - type: http
      namespace: servicenow
      baseUri: "https://crowdstrike.service-now.com/api/now"
      # The RTR capability earlier on this page reaches the same base URI with
      # $secrets.servicenow_user / servicenow_password; confirm which secret
      # pair is provisioned.
      authentication:
        type: basic
        username: "$secrets.snow_user"
        password: "$secrets.snow_password"
      resources:
        - name: tasks
          path: "/table/task"
          operations:
            - name: create-task
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

When Falcon detects unauthorized USB device usage, logs the event, creates a ServiceNow security incident, and notifies the DLP team.

naftiko: "0.5"
info:
  label: "Falcon USB Device Control Alert"
  # NOTE(review): "logs the event" has no corresponding step below; the
  # capability fetches the event, opens an incident, and posts to Slack.
  description: "When Falcon detects unauthorized USB device usage, logs the event, creates a ServiceNow security incident, and notifies the DLP team."
  tags:
    - security
    - device-control
    - crowdstrike-falcon
    - servicenow
    - slack
capability:
  exposes:
    - type: mcp
      namespace: usb-control
      port: 8080
      tools:
        - name: handle-usb-violation
          description: "Given a device control event ID, fetch details, create a ServiceNow security incident, and alert the DLP team."
          inputParameters:
            # Forwarded verbatim as the `ids` query parameter (not interpolated
            # into a filter expression).
            - name: event_id
              in: body
              type: string
              description: "Falcon device control event ID."
          steps:
            # device_class / hostname / username / action are not mapped by the
            # consume block; they depend on the runtime exposing them for this
            # step. NOTE(review): the device-control events path below is not
            # established by this page — confirm it exists in the tenant's API.
            - name: get-event
              type: call
              call: "falcon.get-device-event"
              with:
                ids: "{{event_id}}"
            # The incident description carries the user's name and host; the
            # incident table's ACLs decide who can read that, not this file.
            - name: create-incident
              type: call
              call: "servicenow.create-incident"
              with:
                short_description: "USB violation: {{get-event.device_class}} on {{get-event.hostname}}"
                category: "security"
                description: "User: {{get-event.username}}\nDevice: {{get-event.device_class}}\nHost: {{get-event.hostname}}\nAction: {{get-event.action}}"
            # Channel post references the incident number returned above.
            - name: notify-dlp
              type: call
              call: "slack.post-message"
              with:
                channel: "data-loss-prevention"
                text: "USB Violation: {{get-event.device_class}} by {{get-event.username}} on {{get-event.hostname}} | SNOW: {{create-incident.number}}"
  consumes:
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      # OAuth bearer token is resolved from the secret store at runtime.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: device-events
          path: "/device-control/entities/events/v1"
          inputParameters:
            - name: ids
              in: query
          operations:
            - name: get-device-event
              method: GET
    - type: http
      namespace: servicenow
      baseUri: "https://crowdstrike.service-now.com/api/now"
      # The RTR capability earlier on this page reaches the same base URI with
      # $secrets.servicenow_user / servicenow_password; confirm which secret
      # pair is provisioned.
      authentication:
        type: basic
        username: "$secrets.snow_user"
        password: "$secrets.snow_password"
      resources:
        - name: incidents
          path: "/table/incident"
          operations:
            - name: create-incident
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Retrieves user session activity from CrowdStrike Falcon Identity Protection by username, returning login events and risk score.

naftiko: "0.5"
info:
  label: "Falcon User Activity Lookup"
  description: "Retrieves user session activity from CrowdStrike Falcon Identity Protection by username, returning login events and risk score."
  tags:
    - security
    - identity-protection
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-identity
      port: 8080
      tools:
        - name: get-user-activity
          # NOTE(review): the description promises recent login events, but the
          # outputParameters below expose only risk_score, last_login and anomalous.
          description: "Given a username, return recent login events, risk score, and anomalous behavior flags from Falcon Identity."
          inputParameters:
            - name: username
              in: body
              type: string
              description: "Username to look up."
          # Single call (no steps list). The username is spliced into an FQL
          # filter between literal double quotes; nothing on this page escapes
          # quote characters, so validate the value at the tool boundary rather
          # than passing it through verbatim.
          call: "falcon.get-user-sessions"
          with:
            filter: "user_name:\"{{username}}\""
          # Every mapping reads resources[0]; what the engine returns when the
          # query matches no session is not defined on this page.
          outputParameters:
            - name: risk_score
              # NOTE(review): exposed as string although the name suggests a
              # numeric score — confirm how the engine coerces the JSON value.
              type: string
              mapping: "$.resources[0].risk_score"
            - name: last_login
              type: string
              mapping: "$.resources[0].last_login_time"
            - name: anomalous
              # NOTE(review): is_anomalous reads like a boolean; exposed as string.
              type: string
              mapping: "$.resources[0].is_anomalous"
  consumes:
    # Token is resolved from $secrets at runtime; no credential is stored here.
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: identity-sessions
          path: "/identity-protection/combined/sessions/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-user-sessions
              method: GET

Retrieves vulnerability details from CrowdStrike Spotlight by CVE ID, returning severity, affected hosts, and remediation status.

naftiko: "0.5"
info:
  label: "Falcon Vulnerability Lookup"
  description: "Retrieves vulnerability details from CrowdStrike Spotlight by CVE ID, returning severity, affected hosts, and remediation status."
  tags:
    - security
    - vulnerability-management
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: falcon-vuln
      port: 8080
      tools:
        - name: get-vulnerability
          description: "Given a CVE ID, return the vulnerability severity, affected host count, and remediation status from Spotlight."
          inputParameters:
            # The value is interpolated into the FQL filter below without any
            # format check; bounding it to the CVE-YYYY-NNNN… shape before the
            # call keeps arbitrary filter text out of the query.
            - name: cve_id
              in: body
              type: string
              description: "CVE identifier, e.g. CVE-2024-1234."
          # Single call (no steps list); cve_id lands between literal double
          # quotes inside the filter string.
          call: "falcon.get-vulnerability"
          with:
            filter: "cve.id:\"{{cve_id}}\""
          # All mappings read resources[0]; behaviour on an empty result set is
          # not defined on this page.
          outputParameters:
            - name: severity
              type: string
              mapping: "$.resources[0].cve.severity"
            - name: affected_hosts
              # NOTE(review): the combined endpoint appears to return one record
              # per host/CVE pair, so resources[0].host_info describes a single
              # host — confirm that host_info.count is an aggregate and not a
              # per-host field before relying on it as "affected host count".
              type: string
              mapping: "$.resources[0].host_info.count"
            - name: remediation
              type: string
              mapping: "$.resources[0].remediation.action"
  consumes:
    # Token is resolved from $secrets at runtime; no credential is stored here.
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: vulnerabilities
          path: "/spotlight/combined/vulnerabilities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-vulnerability
              method: GET

Queries critical vulnerabilities from Falcon Spotlight, creates Jira remediation tickets, and posts a summary to Slack.

naftiko: "0.5"
info:
  label: "Falcon Vulnerability Remediation Tracker"
  description: "Queries critical vulnerabilities from Falcon Spotlight, creates Jira remediation tickets, and posts a summary to Slack."
  tags:
    - security
    - vulnerability-management
    - crowdstrike-falcon
    - jira
    - slack
capability:
  exposes:
    - type: mcp
      namespace: vuln-remediation
      port: 8080
      tools:
        - name: track-vuln-remediation
          description: "Query critical Spotlight vulnerabilities, create Jira tickets for remediation, and notify the patching team."
          inputParameters:
            # Declared as string but spliced into a numeric `>` comparison in
            # the filter below; a non-numeric value reaches the Falcon API
            # unvalidated. Checking it is a number in the expected CVSS range
            # at the tool boundary would prevent that.
            - name: min_cvss
              in: body
              type: string
              description: "Minimum CVSS score to include."
          steps:
            - name: query-vulns
              type: call
              call: "falcon.query-vulnerabilities"
              with:
                # Severity CRITICAL AND base_score above the threshold.
                filter: "cve.severity:\"CRITICAL\"+cve.base_score:>{{min_cvss}}"
            - name: create-jira-ticket
              type: call
              call: "jira.create-issue"
              with:
                # Fixed project; the ticket carries only a count and a generic
                # description, so the CVE list has to be looked up in Falcon by
                # whoever works the ticket.
                project_key: "PATCH"
                issuetype: "Task"
                # NOTE(review): total_count is read from the queries endpoint's
                # response; the field path it maps to is not shown on this page.
                summary: "Critical vulns: {{query-vulns.total_count}} with CVSS > {{min_cvss}}"
                description: "Vulnerabilities from CrowdStrike Spotlight requiring remediation."
            - name: notify-patching
              type: call
              call: "slack.post-message"
              with:
                # Fixed destination channel; the Jira key from the previous step
                # is included for correlation.
                channel: "patching"
                text: "Vulnerability Remediation: {{query-vulns.total_count}} critical vulns (CVSS > {{min_cvss}}). Jira: {{create-jira-ticket.key}}"
  consumes:
    # All credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: vulnerabilities
          path: "/spotlight/queries/vulnerabilities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-vulnerabilities
              method: GET
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Compiles weekly security metrics from Falcon including detections, vulnerabilities, and cloud findings, then distributes via Slack.

naftiko: "0.5"
info:
  label: "Falcon Weekly Security Posture Digest"
  description: "Compiles weekly security metrics from Falcon including detections, vulnerabilities, and cloud findings, then distributes via Slack."
  tags:
    - security
    - reporting
    - crowdstrike-falcon
    - slack
capability:
  exposes:
    - type: mcp
      namespace: posture-digest
      port: 8080
      tools:
        - name: generate-posture-digest
          # NOTE(review): info.description mentions cloud findings, but only
          # detections and vulnerabilities are queried below.
          description: "Aggregate weekly security metrics from Falcon and post a posture digest to Slack."
          inputParameters:
            # The destination channel is caller-controlled. If this tool is
            # reachable by an agent, an allow-list of permitted channels keeps
            # security metrics from being posted anywhere the bot can write.
            - name: slack_channel
              in: body
              type: string
              description: "Slack channel for the digest."
          steps:
            - name: count-detections
              type: call
              call: "falcon.count-detections"
              with:
                # NOTE(review): the relative-time literal "7d" is passed as-is in
                # both filters; confirm this is the form Falcon's FQL expects for
                # a 7-day lookback.
                filter: "created_timestamp:>\"7d\""
            - name: count-vulns
              type: call
              call: "falcon.count-vulns"
              with:
                filter: "created_timestamp:>\"7d\"+cve.severity:\"CRITICAL\""
            - name: post-digest
              type: call
              call: "slack.post-message"
              with:
                channel: "{{slack_channel}}"
                # NOTE(review): the totals are read as `.total` here, while the
                # other capability on this page that calls the same
                # /spotlight/queries/vulnerabilities/v1 path reads `.total_count`;
                # one of the two field names is likely wrong.
                text: "Weekly Security Posture:\n- New detections: {{count-detections.total}}\n- Critical vulns: {{count-vulns.total}}\nReview in Falcon console."
  consumes:
    # Credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        # NOTE(review): this is the legacy detects query path; confirm it is
        # still the supported endpoint for the tenant before relying on it for
        # a recurring digest.
        - name: detections
          path: "/detects/queries/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: count-detections
              method: GET
        - name: vulnerabilities
          path: "/spotlight/queries/vulnerabilities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: count-vulns
              method: GET
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

When an employee's role changes in Workday, updates their Falcon host group assignment to match the new security policy requirements.

naftiko: "0.5"
info:
  label: "Falcon Workday Role-Based Policy Assignment"
  description: "When an employee's role changes in Workday, updates their Falcon host group assignment to match the new security policy requirements."
  tags:
    - security
    - endpoint-protection
    - crowdstrike-falcon
    - workday
    - slack
capability:
  exposes:
    - type: mcp
      namespace: role-policy
      port: 8080
      tools:
        - name: update-policy-for-role-change
          description: "Given a worker ID, fetch the new role from Workday, update the Falcon host group, and notify security."
          inputParameters:
            # Interpolated directly into the Workday URL path below; a format
            # check on the ID at the tool boundary keeps path segments intact.
            - name: worker_id
              in: body
              type: string
              description: "Workday worker ID."
          steps:
            - name: get-worker
              type: call
              call: "workday.get-worker"
              with:
                worker_id: "{{worker_id}}"
            - name: update-host-group
              type: call
              call: "falcon.assign-host-group"
              with:
                # NOTE(review): hostname is read from the Workday worker record;
                # whether that record carries a hostname field is not shown here.
                hostname: "{{get-worker.hostname}}"
                # The target group name is derived from an HR department string.
                # What happens when no host group by that name exists is not
                # defined on this page.
                group_name: "{{get-worker.department}}-endpoints"
            - name: notify-security
              type: call
              call: "slack.post-message"
              with:
                # Fixed channel; the message discloses HR-sourced data (full
                # name and department), so channel membership is the audience
                # control for that data.
                channel: "endpoint-security"
                text: "Role change: {{get-worker.full_name}} moved to {{get-worker.department}}. Falcon host group updated."
  consumes:
    # Credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: workday
      # NOTE(review): the host contains "impl", which in Workday URLs commonly
      # denotes an implementation (non-production) tenant — confirm the
      # intended tenant before this runs against production Falcon host groups.
      baseUri: "https://wd2-impl-services1.workday.com/ccx/api/v1"
      authentication:
        type: bearer
        token: "$secrets.workday_token"
      resources:
        - name: workers
          path: "/crowdstrike/workers/{{worker_id}}"
          inputParameters:
            - name: worker_id
              in: path
          operations:
            - name: get-worker
              method: GET
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        # NOTE(review): the update-host-group step passes hostname and
        # group_name, but this resource declares no inputParameters (compare
        # the workers resource above, which declares worker_id); how those two
        # values reach the request is not visible on this page.
        - name: host-group-actions
          path: "/devices/entities/host-group-actions/v1"
          operations:
            - name: assign-host-group
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

When a zero-day vulnerability is published, queries Falcon Spotlight for affected hosts, creates emergency patching tickets, and alerts leadership.

naftiko: "0.5"
info:
  label: "Falcon Zero-Day Alert Workflow"
  description: "When a zero-day vulnerability is published, queries Falcon Spotlight for affected hosts, creates emergency patching tickets, and alerts leadership."
  tags:
    - security
    - vulnerability-management
    - crowdstrike-falcon
    - jira
    - slack
capability:
  exposes:
    - type: mcp
      namespace: zero-day-alert
      port: 8080
      tools:
        - name: handle-zero-day-alert
          description: "Given a CVE ID for a zero-day, find affected hosts in Spotlight, create Jira tickets, and escalate to leadership."
          inputParameters:
            # Interpolated verbatim into the FQL filter and into the Jira and
            # Slack text; a CVE-YYYY-NNNN… format check at the tool boundary
            # bounds what reaches all three.
            - name: cve_id
              in: body
              type: string
              description: "CVE identifier for the zero-day."
          steps:
            - name: find-affected
              type: call
              call: "falcon.query-vulnerabilities"
              with:
                filter: "cve.id:\"{{cve_id}}\""
            - name: create-jira
              type: call
              call: "jira.create-issue"
              with:
                # Fixed project; one ticket per invocation carrying the CVE and
                # the affected-host count.
                project_key: "PATCH"
                issuetype: "Bug"
                # NOTE(review): total_count is read from the queries endpoint's
                # response; the field path it maps to is not shown on this page.
                summary: "Zero-Day: {{cve_id}} — {{find-affected.total_count}} affected hosts"
                description: "CVE: {{cve_id}}\nAffected hosts: {{find-affected.total_count}}\nImmediate patching required."
                priority: "Highest"
            - name: alert-leadership
              type: call
              call: "slack.post-message"
              with:
                # Fixed channel; the Jira key from the previous step is included
                # for correlation.
                channel: "security-leadership"
                text: "ZERO-DAY ALERT: {{cve_id}} affects {{find-affected.total_count}} hosts. Emergency Jira: {{create-jira.key}}"
  consumes:
    # Credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: falcon
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: vulnerabilities
          path: "/spotlight/queries/vulnerabilities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: query-vulnerabilities
              method: GET
    - type: http
      namespace: jira
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        - name: issues
          path: "/issue"
          operations:
            - name: create-issue
              method: POST
    - type: http
      namespace: slack
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

After a GitHub Actions workflow completes on the main branch, queries CrowdStrike Falcon for any detection events associated with the build runner and fails the deployment gate if threats are found.

naftiko: "0.5"
info:
  label: "GitHub Actions CI Pipeline Security Gate"
  description: "After a GitHub Actions workflow completes on the main branch, queries CrowdStrike Falcon for any detection events associated with the build runner and fails the deployment gate if threats are found."
  tags:
    - devops
    - security
    - github
    - crowdstrike-falcon
    - cicd
capability:
  exposes:
    - type: mcp
      namespace: cicd-security-gate
      port: 8080
      tools:
        - name: check-runner-security-posture
          # NOTE(review): this description (and info.description) says the gate
          # fails when threats are found, but no step below inspects the
          # detection count and post-status-check always sends state "success".
          # As this definition stands the status is informational only; a
          # branch-protection rule that requires it would pass regardless of
          # what Falcon returns. The "build window" bound mentioned here is also
          # absent from the filter (hostname + status only).
          description: "Given a GitHub Actions workflow run ID and the hostname of the build runner, query Falcon for detections on that runner host during the build window and post a security gate status check to the GitHub commit. Use as a post-build security verification step."
          inputParameters:
            # Declared but not referenced by any step below.
            - name: run_id
              in: body
              type: string
              description: "GitHub Actions workflow run ID."
            - name: repo_owner
              in: body
              type: string
              description: "GitHub repository owner."
            - name: repo_name
              in: body
              type: string
              description: "GitHub repository name."
            # Interpolated verbatim into the FQL filter between single quotes;
            # nothing here escapes quote characters.
            - name: runner_hostname
              in: body
              type: string
              description: "Hostname of the GitHub Actions runner used for the build."
            - name: commit_sha
              in: body
              type: string
              description: "Commit SHA the workflow ran against."
          steps:
            - name: check-runner-detections
              type: call
              call: falcon-cicd.list-detections-for-host
              with:
                # Only detections still in status "new" are counted; anything
                # already triaged on that host is excluded from the count.
                filter: "device.hostname:'{{runner_hostname}}'+status:'new'"
            - name: post-status-check
              type: call
              call: github-status.create-status
              with:
                owner: "{{repo_owner}}"
                repo: "{{repo_name}}"
                sha: "{{commit_sha}}"
                # Hard-coded: the commit status is never set to failure or error.
                state: "success"
                # NOTE(review): `.count` is read from the combined detects
                # response; the field path it maps to is not shown on this page.
                description: "Falcon: {{check-runner-detections.count}} detections on runner {{runner_hostname}}"
                context: "crowdstrike/security-gate"
  consumes:
    # Credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: falcon-cicd
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections
          path: "/detects/combined/detects/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: list-detections-for-host
              method: GET
    - type: http
      namespace: github-status
      baseUri: "https://api.github.com"
      authentication:
        type: bearer
        token: "$secrets.github_token"
      resources:
        # owner, repo and sha are all caller-supplied and substituted into the
        # URL path; no format check is shown on this page.
        - name: statuses
          path: "/repos/{{owner}}/{{repo}}/statuses/{{sha}}"
          inputParameters:
            - name: owner
              in: path
            - name: repo
              in: path
            - name: sha
              in: path
          operations:
            - name: create-status
              method: POST

On a pull request to a protected branch in GitHub, triggers a CrowdStrike Falcon code scanning check and blocks merge if critical findings are detected, posting results as a PR comment.

naftiko: "0.5"
info:
  label: "GitHub Repository Security Scan Gate"
  description: "On a pull request to a protected branch in GitHub, triggers a CrowdStrike Falcon code scanning check and blocks merge if critical findings are detected, posting results as a PR comment."
  tags:
    - devops
    - security
    - github
    - crowdstrike-falcon
    - code-scanning
capability:
  exposes:
    - type: mcp
      namespace: devops-security
      port: 8080
      tools:
        - name: scan-pull-request
          # NOTE(review): no Falcon backend is declared under consumes and no
          # step calls one; the only calls are a GitHub PR read and a PR
          # comment. The comment text announces that a scan was initiated
          # although nothing in this definition initiates one, and nothing here
          # blocks a merge. The get-pr result is not used by any later step.
          description: "Given a GitHub repository and pull request number, trigger a Falcon code scanning analysis, wait for results, then post a status comment on the PR. Use as a pre-merge security gate in CI/CD pipelines."
          inputParameters:
            - name: repo_owner
              in: body
              type: string
              description: "GitHub organization or user that owns the repository."
            - name: repo_name
              in: body
              type: string
              description: "GitHub repository name."
            # The only integer-typed input on this page; it is still rendered
            # through a template string into both URL paths below.
            - name: pull_request_number
              in: body
              type: integer
              description: "Pull request number to scan and comment on."
            # Only echoed into the comment text; not used to select anything.
            - name: commit_sha
              in: body
              type: string
              description: "The HEAD commit SHA of the pull request branch."
          steps:
            - name: get-pr
              type: call
              call: github.get-pull-request
              with:
                owner: "{{repo_owner}}"
                repo: "{{repo_name}}"
                pull_number: "{{pull_request_number}}"
            - name: post-scan-result
              type: call
              call: github-comments.create-comment
              with:
                owner: "{{repo_owner}}"
                repo: "{{repo_name}}"
                issue_number: "{{pull_request_number}}"
                body: "Security scan initiated for commit {{commit_sha}}. Results will be posted when analysis completes."
  consumes:
    # Both backends use the same $secrets.github_token; no credential is stored
    # here.
    - type: http
      namespace: github
      baseUri: "https://api.github.com"
      authentication:
        type: bearer
        token: "$secrets.github_token"
      resources:
        # Caller-supplied owner/repo/pull_number are substituted into the path;
        # no format check is shown on this page.
        - name: pull-requests
          path: "/repos/{{owner}}/{{repo}}/pulls/{{pull_number}}"
          inputParameters:
            - name: owner
              in: path
            - name: repo
              in: path
            - name: pull_number
              in: path
          operations:
            - name: get-pull-request
              method: GET
    - type: http
      namespace: github-comments
      baseUri: "https://api.github.com"
      authentication:
        type: bearer
        token: "$secrets.github_token"
      resources:
        - name: issue-comments
          path: "/repos/{{owner}}/{{repo}}/issues/{{issue_number}}/comments"
          inputParameters:
            - name: owner
              in: path
            - name: repo
              in: path
            - name: issue_number
              in: path
          operations:
            - name: create-comment
              method: POST

When Falcon Identity Protection detects a compromised credential or suspicious login, suspends the Okta user session and creates a ServiceNow identity incident for investigation.

naftiko: "0.5"
info:
  label: "Identity Threat Detection Response"
  description: "When Falcon Identity Protection detects a compromised credential or suspicious login, suspends the Okta user session and creates a ServiceNow identity incident for investigation."
  tags:
    - security
    - identity
    - crowdstrike-falcon
    - okta
    - servicenow
    - incident-response
capability:
  exposes:
    - type: mcp
      namespace: identity-ops
      port: 8080
      tools:
        - name: respond-to-identity-threat
          # NOTE(review): alert_id is only echoed into the incident text. No
          # Falcon backend is declared, so the alert is never verified before
          # Okta sessions are revoked; any caller able to invoke this tool can
          # revoke sessions for any username it names. Access to the tool is
          # therefore the control — keep it tightly scoped and logged.
          description: "Given a Falcon Identity Protection alert for a user, suspend the user's Okta sessions and open a ServiceNow identity security incident. Use immediately when account takeover or credential compromise is detected."
          inputParameters:
            # Passed as the `login` query parameter to the Okta users resource
            # with no format check shown on this page.
            - name: username
              in: body
              type: string
              description: "The username (UPN or email) of the potentially compromised account."
            - name: alert_id
              in: body
              type: string
              description: "The Falcon Identity Protection alert ID."
          steps:
            - name: get-okta-user
              type: call
              call: okta.get-user
              with:
                login: "{{username}}"
            - name: revoke-sessions
              type: call
              call: okta.revoke-sessions
              with:
                # NOTE(review): user_id is read from the get-user response; the
                # field it maps to in the Okta payload is not shown here.
                user_id: "{{get-okta-user.user_id}}"
            - name: create-identity-incident
              type: call
              call: servicenow-identity.create-incident
              with:
                short_description: "Identity Threat Detected: {{username}}"
                category: "Identity Security"
                urgency: "1"
                # NOTE(review): revoked_at is read from the revoke-sessions
                # response of a DELETE call; confirm that response carries such
                # a field.
                description: "Falcon Alert: {{alert_id}}\nUser: {{username}}\nOkta User ID: {{get-okta-user.user_id}}\nSessions revoked at: {{revoke-sessions.revoked_at}}"
  consumes:
    # Credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: okta
      baseUri: "https://crowdstrike.okta.com/api/v1"
      authentication:
        # The secret is placed directly into the Authorization header. Okta API
        # tokens are sent as "Authorization: SSWS <token>", so the SSWS prefix
        # must either be part of the stored secret value or be added by the
        # engine — neither is visible on this page; confirm.
        type: apikey
        key: "Authorization"
        value: "$secrets.okta_ssws_token"
        placement: header
      resources:
        - name: users
          path: "/users"
          inputParameters:
            - name: login
              in: query
          operations:
            - name: get-user
              method: GET
        # DELETE on this path is the session-revocation action; it uses the
        # same token as the read above.
        - name: user-sessions
          path: "/users/{{user_id}}/sessions"
          inputParameters:
            - name: user_id
              in: path
          operations:
            - name: revoke-sessions
              method: DELETE
    - type: http
      namespace: servicenow-identity
      baseUri: "https://crowdstrike.service-now.com/api/now"
      authentication:
        # NOTE(review): another capability on this page reaches the same
        # instance via $secrets.snow_user / snow_password; two secret pairs for
        # one target — confirm both are provisioned.
        type: basic
        username: "$secrets.servicenow_user"
        password: "$secrets.servicenow_password"
      resources:
        - name: incidents
          path: "/table/incident"
          operations:
            - name: create-incident
              method: POST

When a security bug is filed in Jira, automatically searches CrowdStrike Spotlight to determine whether any company endpoints are exposed to the related CVE, updating the Jira ticket with exposure count.

naftiko: "0.5"
info:
  label: "Jira Bug to Falcon Exposure Correlation"
  description: "When a security bug is filed in Jira, automatically searches CrowdStrike Spotlight to determine whether any company endpoints are exposed to the related CVE, updating the Jira ticket with exposure count."
  tags:
    - devops
    - security
    - jira
    - crowdstrike-falcon
    - vulnerability-management
capability:
  exposes:
    - type: mcp
      namespace: vuln-correlation
      port: 8080
      tools:
        - name: correlate-bug-to-exposure
          description: "Given a Jira issue key for a security bug that references a CVE, query CrowdStrike Spotlight for the number of exposed endpoints and update the Jira issue with exposure impact data. Use during security bug triage to prioritize based on real exposure."
          inputParameters:
            # Substituted into the Jira URL path below; a KEY-NNN format check
            # at the tool boundary keeps the path segment intact.
            - name: jira_issue_key
              in: body
              type: string
              description: "Jira issue key for the security bug (e.g., 'SEC-4521')."
            # Interpolated verbatim into the FQL filter between single quotes
            # and echoed into the Jira comment; a CVE-YYYY-NNNN… format check
            # bounds what reaches both.
            - name: cve_id
              in: body
              type: string
              description: "CVE identifier referenced in the bug report (e.g., 'CVE-2024-12345')."
          steps:
            - name: get-exposure-count
              type: call
              call: spotlight-vuln.list-vulnerabilities
              with:
                # Open vulnerability records for the CVE only.
                filter: "cve.id:'{{cve_id}}'+status:'open'"
            - name: update-jira-issue
              type: call
              call: jira-vuln.update-issue
              with:
                issue_key: "{{jira_issue_key}}"
                # NOTE(review): total, top_product and cvss_score are read from
                # the combined-vulnerabilities result, which appears to be a list
                # of per-host records; top_product in particular looks like an
                # aggregate the engine would have to compute. Confirm the field
                # names against the actual response.
                comment: "Falcon Spotlight exposure check for {{cve_id}}: {{get-exposure-count.total}} endpoints exposed. Top affected product: {{get-exposure-count.top_product}}. CVSS Score: {{get-exposure-count.cvss_score}}."
  consumes:
    # Credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: spotlight-vuln
      baseUri: "https://api.crowdstrike.com"
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: vulnerabilities
          path: "/spotlight/combined/vulnerabilities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: list-vulnerabilities
              method: GET
    - type: http
      namespace: jira-vuln
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        # The operation is named update-issue but the path is the issue's
        # comment collection: it adds a comment rather than editing fields.
        - name: issue-comments
          path: "/issue/{{issue_key}}/comment"
          inputParameters:
            - name: issue_key
              in: path
          operations:
            - name: update-issue
              method: POST

Retrieves all open security-labeled Jira issues in the current sprint and posts a prioritized digest to the security engineering Slack channel.

naftiko: "0.5"
info:
  label: "Jira Sprint Security Backlog Digest"
  description: "Retrieves all open security-labeled Jira issues in the current sprint and posts a prioritized digest to the security engineering Slack channel."
  tags:
    - devops
    - security
    - jira
    - slack
    - reporting
capability:
  exposes:
    - type: mcp
      namespace: sprint-reporting
      port: 8080
      tools:
        - name: digest-security-backlog
          description: "Query Jira for all open security-tagged issues in the active sprint for a given project, then post a prioritized summary to Slack. Use for weekly security engineering stand-ups or sprint reviews."
          inputParameters:
            # Spliced unquoted into the JQL string below (`project=...`), so a
            # value containing JQL operators changes the query. Validate it
            # against the project-key pattern before the call.
            - name: jira_project_key
              in: body
              type: string
              description: "Jira project key to query for security issues (e.g., 'SEC' or 'ENG')."
            # Caller-controlled destination; an allow-list keeps the digest
            # from being posted to any channel the bot can write to.
            - name: slack_channel
              in: body
              type: string
              description: "Slack channel to post the sprint digest to."
          steps:
            - name: get-security-issues
              type: call
              call: jira-sprint.search-issues
              with:
                jql: "project={{jira_project_key}} AND labels=security AND sprint in openSprints() AND status != Done ORDER BY priority ASC"
            - name: post-digest
              type: call
              call: slack-sprint.post-message
              with:
                channel: "{{slack_channel}}"
                # NOTE(review): critical_count and high_count are read from the
                # search result; a Jira search returns issues and a total, so
                # these per-priority counts look like values the engine would
                # have to derive — confirm they exist.
                text: "Security Sprint Backlog ({{jira_project_key}}): {{get-security-issues.total}} open items | Critical: {{get-security-issues.critical_count}} | High: {{get-security-issues.high_count}}"
  consumes:
    # Credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: jira-sprint
      baseUri: "https://crowdstrike.atlassian.net/rest/api/3"
      authentication:
        type: basic
        username: "$secrets.jira_user"
        password: "$secrets.jira_api_token"
      resources:
        # NOTE(review): confirm this GET search path is still current for the
        # Jira Cloud API version in use.
        - name: issues-search
          path: "/search"
          inputParameters:
            - name: jql
              in: query
          operations:
            - name: search-issues
              method: GET
    - type: http
      namespace: slack-sprint
      baseUri: "https://slack.com/api"
      authentication:
        # NOTE(review): other Slack consumers on this page use
        # $secrets.slack_token; this one expects slack_bot_token — confirm
        # both secret names are provisioned.
        type: bearer
        token: "$secrets.slack_bot_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Queries Okta for users without MFA enrolled and cross-references with Workday active employees to produce a compliance gap report, alerting the security team via Slack.

naftiko: "0.5"
info:
  label: "Okta MFA Compliance Audit"
  description: "Queries Okta for users without MFA enrolled and cross-references with Workday active employees to produce a compliance gap report, alerting the security team via Slack."
  tags:
    - security
    - identity
    - okta
    - workday
    - compliance
capability:
  exposes:
    - type: mcp
      namespace: mfa-compliance
      port: 8080
      tools:
        - name: audit-mfa-compliance
          # NOTE(review): the only backend call is an Okta user list filtered on
          # status eq "ACTIVE". No factor/MFA lookup is made and no Workday
          # consumer is declared despite the tag, so the number posted to Slack
          # appears to be the count of active users returned, not of users
          # missing MFA. A report built on it would overstate non-compliance.
          description: "Retrieve the list of Okta users without MFA factors enrolled, cross-reference with active Workday employees, and post a non-compliance summary to Slack. Use for periodic identity hygiene audits."
          inputParameters:
            # Caller-controlled destination; an allow-list keeps audit results
            # from being posted to any channel the bot can write to.
            - name: notification_channel
              in: body
              type: string
              description: "Slack channel to receive the MFA compliance audit results."
          steps:
            - name: get-users-without-mfa
              type: call
              call: okta-audit.list-users-no-mfa
              with:
                # Fixed filter; the operation name promises "no MFA" but the
                # filter selects on status only.
                filter: "status eq \"ACTIVE\""
            - name: post-compliance-report
              type: call
              call: slack-compliance.post-message
              with:
                channel: "{{notification_channel}}"
                # NOTE(review): `.count` is read from the users response; the
                # field it maps to is not shown on this page.
                text: "MFA Compliance Audit: {{get-users-without-mfa.count}} active users missing MFA enrollment. Review required before next compliance deadline."
  consumes:
    # Credentials resolve from $secrets.* at runtime; none stored here.
    - type: http
      namespace: okta-audit
      baseUri: "https://crowdstrike.okta.com/api/v1"
      authentication:
        # The secret is placed directly into the Authorization header. Okta API
        # tokens are sent as "Authorization: SSWS <token>", so the SSWS prefix
        # must either be part of the stored secret value or be added by the
        # engine — neither is visible on this page; confirm.
        type: apikey
        key: "Authorization"
        value: "$secrets.okta_ssws_token"
        placement: header
      resources:
        # Named users-factors, but the path is the plain users collection; no
        # factors endpoint is declared.
        - name: users-factors
          path: "/users"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: list-users-no-mfa
              method: GET
    - type: http
      namespace: slack-compliance
      baseUri: "https://slack.com/api"
      authentication:
        # NOTE(review): other Slack consumers on this page use
        # $secrets.slack_token; this one expects slack_bot_token — confirm
        # both secret names are provisioned.
        type: bearer
        token: "$secrets.slack_bot_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST

Triggers a Power BI dataset refresh for the CrowdStrike security KPI dashboard and notifies the security leadership team in Microsoft Teams when the refresh completes. (Note: the definition below posts the Teams message immediately after the trigger call; it does not poll for completion.)

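naftiko: "0.5"
info:
  label: "Power BI Security KPI Report Refresh"
  description: "Triggers a Power BI dataset refresh for the CrowdStrike security KPI dashboard and notifies the security leadership team in Microsoft Teams once the refresh has been triggered."
  tags:
    - reporting
    - data
    - power-bi
    - microsoft-teams
    - security
capability:
  exposes:
    - type: mcp
      namespace: bi-reporting
      port: 8080
      tools:
        - name: refresh-security-kpi-dashboard
          # The Teams message is sent right after the refresh request is accepted;
          # there is no polling step, so completion is not promised anywhere.
          description: "Trigger a Power BI dataset refresh for the security KPI report, then send a Microsoft Teams notification to the security leadership channel confirming the refresh was triggered. Use before executive security reviews."
          inputParameters:
            - name: dataset_id
              in: body
              type: string
              description: "Power BI dataset ID for the security KPI dashboard."
            - name: workspace_id
              in: body
              type: string
              description: "Power BI workspace ID containing the dataset."
            # Graph addresses channel messages as /teams/{team}/channels/{channel};
            # the team ID was previously never supplied, leaving that path parameter
            # unbound in the notify step.
            - name: teams_team_id
              in: body
              type: string
              description: "Microsoft Teams team ID that owns the channel to notify."
            - name: teams_channel_id
              in: body
              type: string
              description: "Microsoft Teams channel ID to notify once the refresh is triggered."
          steps:
            # Step 1: ask Power BI to refresh the dataset (fire-and-forget).
            - name: trigger-refresh
              type: call
              call: powerbi.trigger-refresh
              with:
                workspace_id: "{{workspace_id}}"
                dataset_id: "{{dataset_id}}"
            # Step 2: tell leadership the refresh was requested. The message no
            # longer quotes a completion time, since nothing here measures one.
            - name: notify-teams
              type: call
              call: msteams.send-message
              with:
                team_id: "{{teams_team_id}}"
                channel_id: "{{teams_channel_id}}"
                message: "Security KPI Dashboard refresh triggered for dataset {{dataset_id}}. Check the dataset's refresh history in Power BI for completion status."
  consumes:
    # Power BI REST API; only the refresh trigger is used.
    - type: http
      namespace: powerbi
      baseUri: "https://api.powerbi.com/v1.0/myorg"
      authentication:
        type: bearer
        token: "$secrets.powerbi_token"
      resources:
        - name: dataset-refreshes
          path: "/groups/{{workspace_id}}/datasets/{{dataset_id}}/refreshes"
          inputParameters:
            - name: workspace_id
              in: path
            - name: dataset_id
              in: path
          operations:
            - name: trigger-refresh
              method: POST
    # Microsoft Graph channel messages. NOTE(review): Graph access tokens are
    # short-lived, so a static `$secrets.msgraph_token` will expire; the host
    # should obtain tokens via a client-credential flow scoped to posting channel
    # messages. The `message` key is assumed to be mapped by the runtime into the
    # Graph body shape -- confirm.
    - type: http
      namespace: msteams
      baseUri: "https://graph.microsoft.com/v1.0"
      authentication:
        type: bearer
        token: "$secrets.msgraph_token"
      resources:
        - name: channel-messages
          path: "/teams/{{team_id}}/channels/{{channel_id}}/messages"
          inputParameters:
            - name: team_id
              in: path
            - name: channel_id
              in: path
          operations:
            - name: send-message
              method: POST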

When a candidate reaches the offer stage in the applicant tracking system, creates a pre-hire record in Workday and notifies the hiring manager via Microsoft Teams.

naftiko: "0.5"
info:
  label: "Recruiter Pipeline Sync to Workday"
  description: "When a candidate reaches the offer stage in the applicant tracking system, creates a pre-hire record in Workday and notifies the hiring manager via Microsoft Teams."
  tags:
    - hr
    - recruiting
    - workday
    - microsoft-teams
capability:
  exposes:
    - type: mcp
      namespace: recruiting-ops
      port: 8080
      # NOTE(review): no caller authentication is declared on this MCP endpoint,
      # yet the tool below creates HR records from caller-supplied data. Confirm
      # the Naftiko host enforces authn/authz for tool calls.
      tools:
        - name: sync-candidate-to-workday
          # NOTE(review): the description speaks of an ATS candidate ID in
          # offer-accepted stage, but no such ID is an input and no ATS consumer is
          # declared -- nothing here verifies the candidate actually reached that
          # stage; every field is taken on trust from the caller.
          description: "Given a candidate ID from the ATS in offer-accepted stage, create a Workday pre-hire record and notify the hiring manager in Microsoft Teams. Use when a candidate accepts an offer to trigger pre-boarding setup."
          inputParameters:
            - name: candidate_email
              in: body
              type: string
              description: "Candidate's email address."
            - name: candidate_name
              in: body
              type: string
              description: "Candidate's full name."
            - name: job_title
              in: body
              type: string
              description: "Job title for the accepted offer."
            - name: start_date
              in: body
              type: string
              description: "Agreed start date in ISO 8601 format (YYYY-MM-DD)."
            - name: hiring_manager_upn
              in: body
              type: string
              description: "UPN (email) of the hiring manager to notify."
          steps:
            - name: create-prehire
              type: call
              call: workday-recruit.create-prehire
              with:
                email: "{{candidate_email}}"
                full_name: "{{candidate_name}}"
                job_title: "{{job_title}}"
                start_date: "{{start_date}}"
            # NOTE(review): the consumer below posts to /users/{upn}/sendMail, which
            # is Graph *email*, not a Teams message, and that path sends mail FROM
            # the mailbox named in it. As written, hiring_manager_upn is used as the
            # sending mailbox and no recipient is expressed in `with` -- confirm
            # how the runtime maps `message`; a `toRecipients` equivalent is missing.
            - name: notify-manager
              type: call
              call: msteams-recruit.send-message
              with:
                recipient_upn: "{{hiring_manager_upn}}"
                message: "New hire confirmed: {{candidate_name}} as {{job_title}} starting {{start_date}}. Workday pre-hire ID: {{create-prehire.prehire_id}}"
  consumes:
    - type: http
      namespace: workday-recruit
      # NOTE(review): a `-impl-` services hostname looks like a Workday
      # implementation (sandbox) tenant rather than production -- confirm before
      # relying on this for real pre-hires.
      baseUri: "https://wd2-impl-services1.workday.com/ccx/api/v1"
      authentication:
        type: bearer
        token: "$secrets.workday_token"
      resources:
        - name: prehires
          path: "/crowdstrike/prehires"
          operations:
            - name: create-prehire
              method: POST
    - type: http
      namespace: msteams-recruit
      baseUri: "https://graph.microsoft.com/v1.0"
      # NOTE(review): sending as an arbitrary user requires the Mail.Send
      # application permission, which by default allows sending as ANY mailbox;
      # restrict it with an Exchange application access policy. Graph tokens are
      # also short-lived, so a static secret here will expire.
      authentication:
        type: bearer
        token: "$secrets.msgraph_token"
      resources:
        - name: messages
          path: "/users/{{recipient_upn}}/sendMail"
          inputParameters:
            - name: recipient_upn
              in: path
          operations:
            - name: send-message
              method: POST

Retrieves customer health metrics from CrowdStrike's internal platform usage API and syncs them as custom fields on the Salesforce Account record for customer success teams.

naftiko: '0.5'
info:
  label: 'Salesforce Account Health Score Sync'
  description: >-
    Retrieves customer health metrics from CrowdStrike's internal platform usage
    API and syncs them as custom fields on the Salesforce Account record for
    customer success teams.
  tags:
    - sales
    - crm
    - salesforce
    - customer-success
capability:
  exposes:
    - type: mcp
      namespace: customer-success
      port: 8080
      tools:
        # One tool: read a tenant's health assessment, then write it onto the
        # matching Salesforce Account.
        - name: sync-account-health-score
          description: >-
            Given a Salesforce account ID and corresponding CrowdStrike tenant ID,
            retrieve the customer's Falcon platform usage health score and update
            the Salesforce account record. Use for monthly customer success reviews
            and at-risk account identification.
          inputParameters:
            - name: account_id
              in: body
              type: string
              description: 'Salesforce account record ID.'
            - name: tenant_id
              in: body
              type: string
              description: 'CrowdStrike Falcon tenant/CID for the customer.'
          steps:
            # Step 1: fetch the assessment for the tenant (read only).
            - name: get-health-score
              type: call
              call: falcon-platform.get-tenant-health
              with:
                tenant_id: '{{tenant_id}}'
            # Step 2: PATCH the three health fields onto the account. The field
            # names are assumed to match the org's custom fields -- not verifiable
            # from this definition.
            - name: update-account
              type: call
              call: salesforce-account.update-account
              with:
                account_id: '{{account_id}}'
                health_score: '{{get-health-score.score}}'
                sensor_coverage_pct: '{{get-health-score.sensor_coverage}}'
                last_health_sync: '{{get-health-score.as_of}}'
  consumes:
    # Falcon customer-facing assessment API; only a GET is used.
    - type: http
      namespace: falcon-platform
      baseUri: 'https://api.crowdstrike.com'
      authentication:
        type: bearer
        token: '$secrets.falcon_oauth_token'
      resources:
        - name: tenant-health
          path: '/customer-facing-assessment/entities/assessments/v1'
          inputParameters:
            - name: tenant_id
              in: query
          operations:
            - name: get-tenant-health
              method: GET
    # Salesforce REST API; PATCH on the Account sObject, so the token needs
    # write access to Account only.
    - type: http
      namespace: salesforce-account
      baseUri: 'https://crowdstrike.my.salesforce.com/services/data/v58.0'
      authentication:
        type: bearer
        token: '$secrets.salesforce_token'
      resources:
        - name: accounts
          path: '/sobjects/Account/{{account_id}}'
          inputParameters:
            - name: account_id
              in: path
          operations:
            - name: update-account
              method: PATCH

When a new lead is created in Salesforce, queries Falcon Intelligence for any known threat associations with the lead's domain, enriching the lead record with a risk score.

naftiko: "0.5"
info:
  label: "Salesforce Lead Enrichment with Threat Context"
  description: "When a new lead is created in Salesforce, queries Falcon Intelligence for any known threat associations with the lead's domain, enriching the lead record with a risk score."
  tags:
    - sales
    - crm
    - salesforce
    - threat-intelligence
    - crowdstrike-falcon
capability:
  exposes:
    - type: mcp
      namespace: sales-crm
      port: 8080
      tools:
        - name: enrich-lead-with-threat-context
          description: "Given a Salesforce lead ID, retrieve the lead's email domain, check it against Falcon Intelligence, and update the lead record with a threat risk label. Use when processing inbound leads to flag high-risk domains."
          inputParameters:
            - name: lead_id
              in: body
              type: string
              description: "Salesforce lead record ID."
          steps:
            # NOTE(review): `email_domain` is not a standard Lead field (the
            # standard field is `Email`); this only works if the org defines a
            # formula/custom field with that name -- confirm.
            - name: get-lead
              type: call
              call: salesforce-lead.get-lead
              with:
                lead_id: "{{lead_id}}"
            # NOTE(review): the domain comes from an inbound lead form, i.e. it is
            # attacker-controlled input. It is sent as a query parameter, so it
            # should reach Falcon URL-encoded as data rather than as FQL -- confirm
            # the runtime encodes it. Also, a domain appearing in intel is not the
            # same as the prospect being malicious: impersonated brands and victims
            # of campaigns show up as indicators too. Treat the verdict as a review
            # prompt, not an automatic disposition.
            - name: check-threat-context
              type: call
              call: falcon-intel-lead.get-indicator
              with:
                value: "{{get-lead.email_domain}}"
                type: "domain"
            # NOTE(review): `verdict`/`labels` are assumed to be projected by the
            # runtime; in the combined indicators response `labels` is a list of
            # objects, so writing it raw into a text field needs a mapping.
            - name: update-lead
              type: call
              call: salesforce-lead-update.update-lead
              with:
                lead_id: "{{lead_id}}"
                threat_verdict: "{{check-threat-context.verdict}}"
                threat_label: "{{check-threat-context.labels}}"
  consumes:
    - type: http
      namespace: salesforce-lead
      baseUri: "https://crowdstrike.my.salesforce.com/services/data/v58.0"
      authentication:
        type: bearer
        token: "$secrets.salesforce_token"
      resources:
        - name: leads
          path: "/sobjects/Lead/{{lead_id}}"
          inputParameters:
            - name: lead_id
              in: path
          operations:
            - name: get-lead
              method: GET
    - type: http
      namespace: falcon-intel-lead
      baseUri: "https://api.crowdstrike.com"
      # Read-only intel lookup; the OAuth client only needs the Indicators
      # (Falcon Intelligence) read scope for this consumer.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: indicators
          # NOTE(review): the combined indicators endpoint is documented with an
          # FQL `filter` parameter; `value`/`type` as separate query parameters
          # are assumed to be translated by the runtime -- confirm.
          path: "/intel/combined/indicators/v1"
          inputParameters:
            - name: value
              in: query
            - name: type
              in: query
          operations:
            - name: get-indicator
              method: GET
    # NOTE(review): identical baseUri/auth/path to `salesforce-lead` above; this
    # could be a second operation (PATCH) on that resource instead of a second
    # consumer sharing the same token.
    - type: http
      namespace: salesforce-lead-update
      baseUri: "https://crowdstrike.my.salesforce.com/services/data/v58.0"
      authentication:
        type: bearer
        token: "$secrets.salesforce_token"
      resources:
        - name: leads
          path: "/sobjects/Lead/{{lead_id}}"
          inputParameters:
            - name: lead_id
              in: path
          operations:
            - name: update-lead
              method: PATCH

Before a sales opportunity advances to contract stage in Salesforce, checks the prospective customer against CrowdStrike's threat intelligence for known malicious infrastructure associations.

naftiko: "0.5"
info:
  label: "Salesforce Opportunity Security Clearance Check"
  description: "Before a sales opportunity advances to contract stage in Salesforce, checks the prospective customer against CrowdStrike's threat intelligence for known malicious infrastructure associations."
  tags:
    - sales
    - security
    - salesforce
    - threat-intelligence
    - crowdstrike-falcon
capability:
  exposes:
    - type: mcp
      namespace: sales-security
      port: 8080
      tools:
        - name: check-opportunity-clearance
          description: "Given a Salesforce opportunity ID, retrieve the account domain and query Falcon Intelligence to verify the domain has no known malicious associations before contract progression. Use in opportunity stage-advancement workflows."
          inputParameters:
            - name: opportunity_id
              in: body
              type: string
              description: "Salesforce opportunity ID (18-character Salesforce record ID)."
          steps:
            # NOTE(review): `account_domain` is not a standard Opportunity field;
            # the standard path would be via the related Account (e.g. its
            # Website). This relies on an org-specific formula/custom field --
            # confirm it exists.
            - name: get-opportunity
              type: call
              call: salesforce.get-opportunity
              with:
                opportunity_id: "{{opportunity_id}}"
            # NOTE(review): a domain having an intel indicator does not establish
            # that the prospect is malicious (impersonated brands and campaign
            # victims appear as indicators too). The `verdict` written below
            # should gate a human review, not auto-clear or auto-block a contract.
            - name: check-domain
              type: call
              call: falcon-intel-sales.get-indicator
              with:
                value: "{{get-opportunity.account_domain}}"
                type: "domain"
            # NOTE(review): `checked_at` is not a documented field of the Falcon
            # indicator record as far as the API docs show; the check timestamp
            # should come from the runtime's own clock rather than the response.
            - name: update-opportunity
              type: call
              call: salesforce-update.update-opportunity
              with:
                opportunity_id: "{{opportunity_id}}"
                security_clearance_status: "{{check-domain.verdict}}"
                security_check_date: "{{check-domain.checked_at}}"
  consumes:
    - type: http
      namespace: salesforce
      baseUri: "https://crowdstrike.my.salesforce.com/services/data/v58.0"
      authentication:
        type: bearer
        token: "$secrets.salesforce_token"
      resources:
        - name: opportunities
          path: "/sobjects/Opportunity/{{opportunity_id}}"
          inputParameters:
            - name: opportunity_id
              in: path
          operations:
            - name: get-opportunity
              method: GET
    - type: http
      namespace: falcon-intel-sales
      baseUri: "https://api.crowdstrike.com"
      # Read-only intel lookup; scope the OAuth client to the Indicators
      # (Falcon Intelligence) read permission only.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: indicators
          # NOTE(review): the combined indicators endpoint is documented with an
          # FQL `filter` parameter; `value`/`type` as separate query parameters
          # are assumed to be translated by the runtime -- confirm.
          path: "/intel/combined/indicators/v1"
          inputParameters:
            - name: value
              in: query
            - name: type
              in: query
          operations:
            - name: get-indicator
              method: GET
    # NOTE(review): same baseUri/auth/path as the `salesforce` consumer above;
    # a PATCH operation on that resource would avoid duplicating the token.
    - type: http
      namespace: salesforce-update
      baseUri: "https://crowdstrike.my.salesforce.com/services/data/v58.0"
      authentication:
        type: bearer
        token: "$secrets.salesforce_token"
      resources:
        - name: opportunities
          path: "/sobjects/Opportunity/{{opportunity_id}}"
          inputParameters:
            - name: opportunity_id
              in: path
          operations:
            - name: update-opportunity
              method: PATCH

Pulls current endpoint coverage, active detections count, and unresolved vulnerability counts from CrowdStrike Falcon and publishes a daily summary to a Slack channel. (Note: the definition below fetches the detection aggregate and open critical CVE count only; endpoint coverage is not retrieved.)

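naftiko: "0.5"
info:
  label: "Security Posture Dashboard Digest"
  description: "Pulls the day's detection counts and unresolved critical vulnerability counts from CrowdStrike Falcon and publishes a daily summary to a Slack channel."
  tags:
    - security
    - reporting
    - crowdstrike-falcon
    - slack
    - monitoring
capability:
  exposes:
    - type: mcp
      namespace: security-reporting
      port: 8080
      tools:
        - name: digest-security-posture
          # Only two Falcon calls exist below (a detections aggregate and a
          # Spotlight aggregate). Endpoint coverage is not retrieved anywhere, so
          # the description no longer advertises it; a digest that silently omits
          # a promised metric is worse than one that states what it reports.
          description: "Retrieve today's Falcon detection counts and open critical vulnerabilities, then post a digest summary to the designated Slack security channel. Use for daily security stand-up reporting."
          inputParameters:
            - name: slack_channel
              in: body
              type: string
              description: "Slack channel ID or name to post the digest to."
          steps:
            # Detections over the last day. NOTE(review): `total` and `high_count`
            # are assumed to be projected by the runtime from the aggregate
            # buckets -- confirm against the response mapping.
            - name: get-detections-summary
              type: call
              call: falcon-summary.get-detections-aggregate
              with:
                date_range_days: "1"
            # Open vulnerabilities whose CVE is rated CRITICAL (FQL filter).
            - name: get-vuln-summary
              type: call
              call: spotlight-summary.get-vuln-counts
              with:
                filter: "status:'open'+cve.severity:'CRITICAL'"
            # Post the three numbers; no detection or host details leave Falcon.
            - name: post-digest
              type: call
              call: slack-reporting.post-message
              with:
                channel: "{{slack_channel}}"
                text: "Daily Security Posture: Detections (24h): {{get-detections-summary.total}} | Critical CVEs Open: {{get-vuln-summary.count}} | High-Severity Detections: {{get-detections-summary.high_count}}"
  consumes:
    - type: http
      namespace: falcon-summary
      baseUri: "https://api.crowdstrike.com"
      # Read-only; the OAuth client needs only the Detections read scope here.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: detections-aggregate
          # NOTE(review): the legacy /detects API family has been superseded by
          # the /alerts endpoints; verify this path is still served for the
          # tenant. The /detects/aggregates/.../GET/v1 endpoints are documented as
          # POST with an aggregate-query body, not a `date_range_days` query
          # parameter -- confirm this consumer actually works before relying on
          # the digest numbers.
          path: "/detects/aggregates/detects/GET/v1"
          inputParameters:
            - name: date_range_days
              in: query
          operations:
            - name: get-detections-aggregate
              method: GET
    - type: http
      namespace: spotlight-summary
      baseUri: "https://api.crowdstrike.com"
      # Read-only; Spotlight Vulnerabilities read scope only.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: vuln-counts
          path: "/spotlight/aggregates/vulnerabilities/v1"
          inputParameters:
            - name: filter
              in: query
          operations:
            - name: get-vuln-counts
              method: GET
    - type: http
      namespace: slack-reporting
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_bot_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST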

When a CrowdStrike Falcon prevention policy change is needed, creates a formal ServiceNow change request for ITIL approval before applying the new policy configuration.

naftiko: "0.5"
info:
  label: "ServiceNow Change Request for Falcon Policy Update"
  description: "When a CrowdStrike Falcon prevention policy change is needed, creates a formal ServiceNow change request for ITIL approval before applying the new policy configuration."
  tags:
    - itsm
    - security
    - servicenow
    - change-management
    - crowdstrike-falcon
capability:
  exposes:
    - type: mcp
      namespace: change-management
      port: 8080
      tools:
        # This tool only FILES the change request. Nothing in this definition
        # prevents the Falcon policy from being modified before approval; that
        # gate has to live in whatever applies the policy.
        - name: request-policy-change
          description: "Given a Falcon policy ID, proposed change description, and business justification, create a ServiceNow change request for ITIL review and approval before the policy is modified. Use when Falcon prevention or detection policies require changes in production."
          inputParameters:
            - name: policy_id
              in: body
              type: string
              description: "The CrowdStrike Falcon policy ID to be changed."
            - name: change_description
              in: body
              type: string
              description: "Description of the proposed policy change and its expected impact."
            - name: business_justification
              in: body
              type: string
              description: "Business or security justification for the policy change."
            # NOTE(review): this is free text from the caller, not the identity the
            # host authenticated, so anyone who can invoke the tool can attribute
            # the request to someone else. It is only written into the description
            # below; the record's real `requested_by` will be the service account.
            - name: requested_by
              in: body
              type: string
              description: "Email or username of the requester."
          call: servicenow-change.create-change-request
          with:
            short_description: "Falcon Policy Change Request: {{policy_id}}"
            description: "Policy ID: {{policy_id}}\nChange: {{change_description}}\nJustification: {{business_justification}}\nRequested by: {{requested_by}}"
            category: "Security"
            type: "Normal"
          outputParameters:
            - name: change_number
              type: string
              mapping: "$.result.number"
            - name: change_sys_id
              type: string
              mapping: "$.result.sys_id"
  consumes:
    - type: http
      namespace: servicenow-change
      baseUri: "https://crowdstrike.service-now.com/api/now"
      # NOTE(review): basic auth with a stored password for a service account.
      # Prefer an OAuth client, and either way restrict the account's ACLs to
      # insert on change_request -- this capability performs no other operation.
      authentication:
        type: basic
        username: "$secrets.servicenow_user"
        password: "$secrets.servicenow_password"
      resources:
        - name: change-requests
          path: "/table/change_request"
          operations:
            - name: create-change-request
              method: POST

Checks the status of CrowdStrike threat intelligence data pipelines feeding into Snowflake and alerts the data engineering team in Slack if any pipeline has not refreshed within the expected SLA window.

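naftiko: "0.5"
info:
  label: "Snowflake Threat Data Pipeline Monitor"
  description: "Checks the status of CrowdStrike threat intelligence data pipelines feeding into Snowflake and alerts the data engineering team in Slack if any pipeline has not refreshed within the expected SLA window."
  tags:
    - data
    - monitoring
    - snowflake
    - slack
    - threat-intelligence
capability:
  exposes:
    - type: mcp
      namespace: data-ops
      port: 8080
      tools:
        - name: check-threat-pipeline-health
          description: "Query Snowflake for the last successful load timestamp of CrowdStrike threat data tables. If any table is stale beyond the SLA threshold, post an alert to Slack. Use in scheduled data quality monitoring."
          inputParameters:
            - name: sla_hours
              in: body
              type: integer
              description: "Maximum acceptable hours since last data load before raising an alert."
            - name: alert_channel
              in: body
              type: string
              description: "Slack channel to notify if pipeline is stale."
          steps:
            # Staleness is a property of a table's LATEST load, so the SLA test
            # belongs in HAVING on MAX(loaded_at). The previous WHERE clause
            # filtered individual rows older than the SLA, which matched every
            # table with any historical load and reported all of them as stale.
            #
            # NOTE(review): sla_hours is interpolated into the statement text; the
            # `integer` type on the input is the only thing between a
            # caller-supplied string and SQL injection. Prefer the Snowflake SQL
            # API `bindings` field with a `?` placeholder if the runtime can send
            # nested body fields; otherwise the runtime must reject non-integer
            # values before templating.
            - name: check-pipeline-status
              type: call
              call: snowflake.run-query
              with:
                statement: "SELECT table_name, MAX(loaded_at) AS last_load FROM threat_intel.pipeline_metadata GROUP BY table_name HAVING MAX(loaded_at) < DATEADD(hour, -{{sla_hours}}, CURRENT_TIMESTAMP())"
            # NOTE(review): this step has no condition, so the alert posts even
            # when the query returns no rows, and `table_name`/`last_load` are
            # read as if the result were a single row -- confirm how the runtime
            # exposes an empty or multi-row result before scheduling this.
            - name: post-alert
              type: call
              call: slack-data.post-message
              with:
                channel: "{{alert_channel}}"
                text: "DATA PIPELINE ALERT: CrowdStrike threat intelligence pipeline is stale. Table: {{check-pipeline-status.table_name}} | Last load: {{check-pipeline-status.last_load}} | SLA: {{sla_hours}}h"
  consumes:
    # Snowflake SQL API v2. The role behind this token needs SELECT on
    # threat_intel.pipeline_metadata and nothing else for this capability.
    - type: http
      namespace: snowflake
      baseUri: "https://crowdstrike.snowflakecomputing.com/api/v2"
      authentication:
        type: bearer
        token: "$secrets.snowflake_token"
      resources:
        - name: statements
          path: "/statements"
          operations:
            - name: run-query
              method: POST
    - type: http
      namespace: slack-data
      baseUri: "https://slack.com/api"
      authentication:
        type: bearer
        token: "$secrets.slack_bot_token"
      resources:
        - name: messages
          path: "/chat.postMessage"
          operations:
            - name: post-message
              method: POST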

Looks up a file hash, IP address, or domain in CrowdStrike Falcon Intelligence to return threat actor associations, malware family, and verdict.

naftiko: "0.5"
info:
  label: "Threat Intelligence Indicator Lookup"
  description: "Looks up a file hash, IP address, or domain in CrowdStrike Falcon Intelligence to return threat actor associations, malware family, and verdict."
  tags:
    - security
    - threat-intelligence
    - crowdstrike-falcon
    - lookup
capability:
  exposes:
    - type: mcp
      namespace: threat-intel
      port: 8080
      tools:
        - name: get-indicator-report
          description: "Given a file hash (MD5/SHA256), IP address, or domain, query CrowdStrike Falcon Intelligence and return the verdict, associated malware families, and threat actor attributions."
          inputParameters:
            - name: indicator
              in: body
              type: string
              description: "The IOC to look up: SHA256 hash, MD5 hash, IPv4 address, or domain name."
            # NOTE(review): Falcon Intelligence distinguishes hash types
            # (hash_md5 / hash_sha256) and uses ip_address rather than ip, as far
            # as the indicator type values are documented; a bare "hash" is
            # ambiguous unless the runtime normalises it -- confirm the accepted
            # values and document them here.
            - name: indicator_type
              in: body
              type: string
              description: "Type of indicator: hash, ip, or domain."
          # NOTE(review): the combined indicators endpoint is documented with an
          # FQL `filter` parameter; `value`/`type` are assumed to be translated
          # by the runtime -- confirm.
          call: falcon-intel.get-indicator
          with:
            value: "{{indicator}}"
            type: "{{indicator_type}}"
          # Every mapping below takes element [0], so an indicator attributed to
          # several malware families, actors or labels reports only the first;
          # analysts should not read the output as the full attribution.
          outputParameters:
            # NOTE(review): the indicator record exposes `malicious_confidence`
            # per the published schema; `verdict` may be a runtime projection --
            # confirm the field name.
            - name: verdict
              type: string
              mapping: "$.resources[0].verdict"
            - name: malware_families
              type: string
              mapping: "$.resources[0].malware_families[0]"
            - name: threat_actors
              type: string
              mapping: "$.resources[0].actors[0]"
            - name: labels
              type: string
              mapping: "$.resources[0].labels[0].name"
  consumes:
    - type: http
      namespace: falcon-intel
      baseUri: "https://api.crowdstrike.com"
      # Read-only; scope the OAuth client to the Indicators (Falcon
      # Intelligence) read permission only.
      authentication:
        type: bearer
        token: "$secrets.falcon_oauth_token"
      resources:
        - name: indicators
          path: "/intel/combined/indicators/v1"
          inputParameters:
            - name: value
              in: query
            - name: type
              in: query
          operations:
            - name: get-indicator
              method: GET

Retrieves current headcount and departmental FTE distribution from Workday for executive reporting and financial planning purposes.

naftiko: '0.5'
info:
  label: 'Workday Payroll Headcount Snapshot'
  description: >-
    Retrieves current headcount and departmental FTE distribution from Workday
    for executive reporting and financial planning purposes.
  tags:
    - hr
    - finance
    - workday
    - reporting
capability:
  exposes:
    - type: mcp
      namespace: hr-finance
      port: 8080
      # Headcount and FTE by department is sensitive HR data; no caller
      # authentication is declared in this stanza, so the host must enforce it.
      tools:
        # Single-call tool: no inputs, one GET, two mapped outputs.
        - name: get-headcount-snapshot
          description: >-
            Retrieve the current total headcount and FTE breakdown by department
            and location from Workday. Use for monthly HR reporting, headcount
            planning, and budget reviews.
          call: workday-hc.headcount-report
          outputParameters:
            - name: total_headcount
              type: string
              mapping: '$.report.total'
            # Each element of $.report.departments is projected to name + FTE.
            - name: departments
              type: array
              mapping: '$.report.departments'
              items:
                - name: department_name
                  type: string
                  mapping: '$.name'
                - name: fte_count
                  type: number
                  mapping: '$.fte_count'
  consumes:
    # Workday REST (read only for this capability).
    - type: http
      namespace: workday-hc
      baseUri: 'https://wd2-impl-services1.workday.com/ccx/api/v1'
      authentication:
        type: bearer
        token: '$secrets.workday_token'
      resources:
        - name: headcount-report
          path: '/crowdstrike/reports/headcount'
          operations:
            - name: headcount-report
              method: GET

When an employee changes roles in Workday, triggers an Okta group membership update to reflect new job function and creates a ServiceNow access review task for IT security.

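naftiko: "0.5"
info:
  label: "Workday Role Change Access Review"
  description: "When an employee changes roles in Workday, triggers an Okta group membership update to reflect new job function and creates a ServiceNow access review task for IT security."
  tags:
    - hr
    - identity
    - workday
    - okta
    - servicenow
    - access-management
capability:
  exposes:
    - type: mcp
      namespace: access-review
      port: 8080
      # NOTE(review): no caller authentication is declared on this MCP endpoint,
      # yet the tool below changes Okta group membership. Confirm the Naftiko
      # host enforces authn/authz for tool calls before exposing this.
      tools:
        - name: process-role-change
          description: "Given a Workday worker ID with an updated job profile, update Okta group memberships to match the new role's access policy and create a ServiceNow access review task for security team validation. Use when employees transfer teams or are promoted."
          inputParameters:
            - name: worker_id
              in: body
              type: string
              description: "Workday worker ID of the employee whose role has changed."
            # NOTE(review): both profiles are caller-supplied rather than read from
            # the get-worker response, so a caller can assert any transition and
            # have Okta changed accordingly. The authoritative new profile should
            # come from Workday where the response provides it.
            - name: new_job_profile
              in: body
              type: string
              description: "New Workday job profile name."
            - name: old_job_profile
              in: body
              type: string
              description: "Previous Workday job profile name."
          steps:
            # Step 1: resolve the worker (work_email and full_name are used below).
            - name: get-worker
              type: call
              call: workday-role.get-worker
              with:
                worker_id: "{{worker_id}}"
            # Step 2: adjust Okta. The consumer path is /users/{{user_id}}/groups;
            # the step previously passed `login`, which never bound that path
            # parameter. Okta accepts a login (email) wherever a user ID is
            # expected, so the work email is passed as user_id.
            - name: update-okta-groups
              type: call
              call: okta-role.update-user-groups
              with:
                user_id: "{{get-worker.work_email}}"
                new_profile: "{{new_job_profile}}"
            # Step 3: open the review task. NOTE(review): the review is recorded
            # only AFTER Okta has been changed -- if the Okta call fails nothing
            # is filed, and nothing here removes old-role groups, so access
            # accumulates across transfers. Consider filing the review first and
            # treating the Okta change as the reviewed action.
            - name: create-access-review
              type: call
              call: servicenow-access.create-task
              with:
                short_description: "Access Review: {{get-worker.full_name}} role change from {{old_job_profile}} to {{new_job_profile}}"
                category: "Access Management"
                description: "Worker: {{worker_id}}\nEmployee: {{get-worker.full_name}}\nPrevious Role: {{old_job_profile}}\nNew Role: {{new_job_profile}}\nOkta groups updated: {{update-okta-groups.groups_modified}}"
  consumes:
    - type: http
      namespace: workday-role
      # NOTE(review): a `-impl-` services hostname looks like a Workday
      # implementation (sandbox) tenant rather than production -- confirm.
      baseUri: "https://wd2-impl-services1.workday.com/ccx/api/v1"
      authentication:
        type: bearer
        token: "$secrets.workday_token"
      resources:
        - name: workers
          path: "/crowdstrike/workers/{{worker_id}}"
          inputParameters:
            - name: worker_id
              in: path
          operations:
            - name: get-worker
              method: GET
    - type: http
      namespace: okta-role
      baseUri: "https://crowdstrike.okta.com/api/v1"
      # NOTE(review): Okta expects `Authorization: SSWS <token>`; the raw secret
      # is placed in the header, so it must already carry the prefix. This token
      # writes group membership: give it a group-membership admin role limited
      # to the affected groups, not a super-admin token.
      authentication:
        type: apikey
        key: "Authorization"
        value: "$secrets.okta_ssws_token"
        placement: header
      resources:
        - name: user-groups
          # NOTE(review): the public Okta API manages membership per group
          # (PUT/DELETE /groups/{groupId}/users/{userId}); a PUT on
          # /users/{id}/groups carrying a profile name is not a documented
          # operation, so the profile-to-group mapping must be implemented
          # somewhere this definition does not show -- confirm before relying
          # on this step.
          path: "/users/{{user_id}}/groups"
          inputParameters:
            - name: user_id
              in: path
          operations:
            - name: update-user-groups
              method: PUT
    - type: http
      namespace: servicenow-access
      baseUri: "https://crowdstrike.service-now.com/api/now"
      # NOTE(review): basic auth with a stored password; prefer an OAuth client
      # and restrict the account to insert on sc_task.
      authentication:
        type: basic
        username: "$secrets.servicenow_user"
        password: "$secrets.servicenow_password"
      resources:
        - name: tasks
          path: "/table/sc_task"
          operations:
            - name: create-task
              method: POST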