Configure and trigger additional actions in CrowdStrike Falcon Insight

  • Release version: Zurich
  • Updated July 31, 2025

The CrowdStrike Falcon Insight integration supports running additional actions such as regular expression (regex), and provides 40 additional actions with the base system.

    Before you begin

    Role required: sn_si.analyst

    Procedure

    1. Navigate to All > CrowdStrike Falcon Insight Integration > CrowdStrike Additional Actions.
    2. Click New to create your own additional action or select an existing action that comes with the base system.
      For example, let's create a new additional action.
    3. On the form, fill in the fields.
      Field: Description
      • Command Name: Command name for the additional action. For example, reg set.
      • Base name: Base name for the additional action. This field is set by default. For example, reg.
      • Capability: Capability name for the additional action. This field is set by default. For example, Run Additional Actions on Endpoint.
      • Integration source: The source for the additional action. For example, CrowdStrike Falcon Insight Integration.
      • Active: Option to indicate whether the additional action is active.
      • Command Type: Command type for the additional action. This field is set by default. For example, RTR Custom Script.
      • Script:
        • OS Type: Option to select the OS type for your script. Select one of the following:
          • Windows
          • MAC OS X
          • Linux
          • None
        • Script: Option to enter your script if you selected any OS type other than None.
      • Configuration:
        • Display Tag: Option to display the tag for the configuration. You can select the tag for the following fields:
          • Capability - Initiated. For example, reg set - Initiated.
          • Capability - Completed. For example, reg set - Completed.
          • Capability - Failed. For example, reg set - Failed.
        • Require Approval: Option to select an approver or group that needs to approve the configuration.
      Figure 1. CrowdStrike Falcon Insight Additional Actions
    4. Click Submit.
    5. You can also choose from the following existing additional actions.
      There are 40 additional actions that come with the base system, which you can use to perform additional configurations.
      Note:
      Ensure that you open the CrowdStrike Additional Actions list and set the required additional action to true; otherwise, the additional action will not be available in the workspace.
      Figure 2. List of additional actions that come with the base system
    6. Navigate to Security Incidents > Show All Incidents.
    7. Select the security incident for which you want to run additional actions on the endpoint.
      1. In the related links section, click Run Additional Actions on Endpoint.
      2. Browse and select the required capability.
        For example, click the reg set capability.
      3. Select Include Related CI to run the additional actions on all the related CIs of the Endpoint.
      4. Define the Subkey for the additional action to run on the endpoint.
        This Subkey can be an HKLM/Software/new key.
    8. To run the additional action on the endpoint, click Run Additional Action.
    9. View the automation activities of the execution, and validate them.
    10. Validate the status of the action on the Additional Actions on Endpoint related lists.