Security teams know all too well the grind of manual investigations and remediation. With the mass adoption of AI and increasingly automated attacks, defenders cannot afford to rely on overly manual, low priority, and complex workflows.
Heavily burdensome manual response introduces delays as analysts bounce between consoles and high alert volumes, contributing to alert fatigue. Even worse, it prevents security teams from dedicating time to high-priority threats and strategic, innovative work. To keep pace, SOCs need automated responses that contain and remediate common threats at machine speed before they become business-impacting incidents.
That’s why today, we’re excited to announce a new integration between the Cloudflare One platform and CrowdStrike’s Falcon® Fusion SOAR.
As part of our ongoing partnership with CrowdStrike, this integration introduces two out-of-the-box integrations for Zero Trust and Email Security designed for organizations already leveraging CrowdStrike Falcon® Insight XDR or CrowdStrike Falcon® Next-Gen SIEM.
This allows SOC teams to gain powerful new capabilities to stop phishing, malware, and suspicious behavior faster, with less manual effort.
Although teams can always create custom automations, we’ve made it simple to get started with two pre-built integrations focused on Zero Trust Access and Email Security. Both follow the same general structure and are available directly in the CrowdStrike Content Library.
Cloudflare within CrowdStrike Content Library
The actions you can take within CrowdStrike from these integrations are the following:
|
Email Security – Update Allow Policy – Search Email Messages – List Trusted Domains – List Protected Domains – List Blocked Senders – List Allow Policies – Get Trusted Domain – Get Message Details – Get Detection Details – Get Allow Policy – Delete Trusted Domain – Delete Allow Policy Delete Blocked Sender Create Trusted Domain Create Blocked Sender Create Allow Policy Get Blocked Sender |
Zero Trust Access – Update Reusable Policy – Update Access Group – Revoke Application Tokens – Read Metadata For A Key – List Reusable Policies – List Access Groups – List Access Applications – List Access App Policies – Get Access Reusable Policy – Get Access Group – Get Access Application – Get Access App Policy – Delete Reusable Policy – Delete Access Group – Delete Access Application – Delete Access App Policy – Create Reusable Policy – Create Access Group – Create Access App Policy |
Using these signals, customers can create automated workflows that run with minimal to no human intervention. Falcon Fusion SOAR’s drag-and-drop editor makes it easy to chain together Cloudflare actions with other signals (from CrowdStrike or even third-party vendors) to automate large portions of the SOC workflow.
An example flow that you could create is:
-
A phishing email is detected by Cloudflare Email Security.
-
Falcon Fusion SOAR automatically retrieves detection details, blocks the sender, and updates allow/deny lists.
-
Cloudflare Zero Trust revokes active session tokens for the impacted account.
-
If Falcon confirms the endpoint is compromised, the device is automatically isolated.
Another example of how a workflow like above would show in the UI is the following:
An example automated flow using Cloudflare
From the Cloudflare UI, customers can navigate to the Logpush section where they can set up a job with CrowdStrike. To do this customers need to create a job with “HTTP destination”:
From here, customers can input the HTTP endpoint provided by CrowdStrike in the data connector setup to start sending logs over to Falcon Fusion SOAR. This URL will show up in the following way: ingest.us-2.crowdstrike.com/api/ingest/hec/<CRWDconnectionID>/v1/services/collector/raw
CrowdStrike URL Location
Working Logpush to CrowdStrike
This end-to-end automation allows teams to reduce mean time-to-response from minutes to seconds.
At a technical level, the integration relies on webhook and API integrations between Cloudflare’s SASE platform and CrowdStrike Falcon Fusion SOAR. For example:
-
From endpoint to network: When the CrowdStrike Falcon® platform detects an endpoint compromise, it triggers a workflow to Cloudflare’s API, which enforces step-up authentication or session revocation across SaaS, private apps, or email access. This is done via Cloudflare’s Access product.
-
From network to endpoint: When Cloudflare flags suspicious behavior (e.g., abnormal login patterns, anomalous traffic, or unsafe email activity), it notifies CrowdStrike Falcon Fusion SOAR, which then isolates the device and launches remediation playbooks.
This bidirectional exchange makes sure threats are contained from both sides, endpoint and network, without requiring manual intervention from analysts.
If your organization already uses CrowdStrike Falcon Fusion SOAR with Cloudflare’s SASE platform, you can enable these workflows today directly from the Cloudflare Dashboard and CrowdStrike Falcon console (Zero Trust, Email Security). You can also search for Cloudflare within the content library in CrowdStrike to find the integrations.
For organizations looking to customize further, both platforms allow extensibility through APIs and custom playbooks so SOC teams can tailor response actions to their unique risk posture.
To learn more about our integrations, feel free to reach out to us to get started with a consultation.
