
CrowdStrike Falcon Fusion SOAR

CrowdStrike Falcon Fusion SOAR, the native security orchestration, automation and response (SOAR) capability of the CrowdStrike Falcon platform, frees up valuable time for security analysts and makes investigation and response processes more efficient and effective. With Falcon Fusion SOAR, your security team can automate repeatable tasks and seamlessly orchestrate investigation and response actions across the Falcon platform and third-party tools, keeping its focus on the threats that matter the most.


Arcanna - Falcon Fusion SOAR integration

The Arcanna integration is available in the Falcon Fusion App catalog and can be installed and configured directly from Falcon Fusion. It lets users request a decision from Arcanna at any point in a given playbook, and automatically closes the feedback loop by sending feedback to Arcanna when an incident is reviewed.

Steps to configure Arcanna integration:

Prerequisites

How to connect

Go to your Arcanna instance:

  1. Generate an Arcanna API Key

  2. Create an Arcanna Falcon Fusion integration:

    • Go to the Integrations tab
    • Search for Crowdstrike Falcon Fusion integration and click on it:
    • Fill in all the fields as shown below using your own API Key and Title, and then click Confirm:
  3. Create an Arcanna job using the Falcon Fusion integration:

    • Go to AI Jobs tab and click Create job
    • Complete the Title and select the Falcon Fusion integration just created as the input, as shown below:
    • Click Save and run to save and start the job.

Setup in Falcon Fusion

  1. Install Arcanna AI App in Falcon Fusion

    • Open the App Catalog in Falcon
    • Search for Arcanna AI
    • Click Install
    • After installation, click Modify Settings
  2. Configure the integration in the Arcanna AI app settings:

  3. Set up the Arcanna workflow

    • Go to the Workflow section in Falcon
    • Locate the Arcanna AI Triage workflow
    • Click Enable. This will trigger the Arcanna flow on all detections.

How it works

  1. A new incident is created in Falcon Fusion
  2. The Arcanna AI Triage workflow is triggered
  3. The incident is sent to Arcanna via API
  4. Arcanna:
    • Applies your trained Decision Model
    • Returns a decision
  5. In the workflow, based on the decision returned, the following new information is added to the underlying detection:
    • A tag (e.g., Drop, Investigate, Escalate)
    • A comment containing the decision label, the confidence score for the decision, and the outlier flag.

Analyst feedback loop

Each detection includes an Arcanna Feedback panel at the bottom, allowing analysts to:

  • View Arcanna’s decision
  • Mark decisions as correct/incorrect
  • Submit feedback to improve model performance

This creates a continuous learning loop, helping Arcanna adapt to your detection environment and increase accuracy over time.

🧭 Decision Flexibility

  • Default decisions are:
    • ✅ Escalate
    • ❓ Investigate
    • ❌ Drop
  • You can add custom decisions to reflect internal workflows
  • Each model must be trained specifically for your environment to become trustworthy — no generic AI models are used.

Workflow diagram