Contact sales
Details

This incident response workflow allows you to lift containment for hosts in CrowdStrike from a playbook or using an automation rule. When using this workflow in a playbook, the user selects which hosts to lift containment for. When using this workflow with an incident automation rule, all assets involved in the incident are removed from containment.

Description

This incident response workflow allows you to lift containment for hosts in CrowdStrike from a playbook or using an automation rule. When using this workflow in a playbook, the user selects which hosts to lift containment for. When using this workflow with an incident automation rule, all assets involved in the incident are removed from containment. Supported observables: hostname, MAC address, CrowdStrike ID

Target: CrowdStrike

Steps:

  • Detect the start type and extract the observables
  • Check if any supported observables were found (if not, end the workflow)
  • For each observable:
    • Check the observable's type:
      • If a CrowdStrike ID, set the local ID variable
      • If a hostname or a MAC address, set the necessary local variable and search for the host
    • Fetch the host from CrowdStrike by ID and extract its hostname
    • Lift containment for the host
    • Check if the containment was lifted for the host and update the workflow result
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • CrowdStrike
About
Author
Cisco
Version
v1.0
Intent
Incident Response
Integration
Average rating
No ratings yet
Authorship
Cisco Managed
Contact and support information
https://support.cisco.com
External links

Content Licensing

Developer Community

Related workflows
Logo for CrowdStrike Falcon
CrowdStrike - Contain Host
Cisco Managed
This workflow appears in the pivot menu and allows a user to contain a host in CrowdStrike.
Pivot Menu
Learn more
Logo for CrowdStrike Falcon
CrowdStrike - Contain Hosts
Cisco Managed
This incident response workflow allows you to contain hosts involved in an incident using CrowdStrike from a playbook or using an automation rule.
Incident Response
Learn more
Logo for CrowdStrike Falcon
CrowdStrike - Create Custom IOC
Cisco Managed
This workflow appears in the pivot menu and allows you to create an IOC in CrowdStrike for an observable.
Pivot Menu
Learn more
Logo for CrowdStrike Falcon
CrowdStrike - Create Custom IOCs for Observables
Cisco Managed
This incident response workflow allows you to create custom IOCs for observables in CrowdStrike from a playbook.
Playbook Task
Learn more
Logo for CrowdStrike Falcon
CrowdStrike - Delete Custom IOCs for Observables
Cisco Managed
This incident response workflow allows you to delete custom IOCs for observables in CrowdStrike from a playbook.
Playbook Task
Learn more
Logo for CrowdStrike Falcon
CrowdStrike - Get Vulnerability Summary for Assets
Cisco Managed
This incident response workflow allows to document a summary of vulnerabilities for hosts in an incident using CrowdStrike from a playbook or using an automation rule.
Incident Response
Learn more
Logo for CrowdStrike Falcon
CrowdStrike - Lift Containment for Hosts
Cisco Managed
This incident response workflow allows you to lift containment for hosts in CrowdStrike from a playbook or using an automation rule.
Incident Response
Learn more
Logo for CrowdStrike Falcon
CrowdStrike - Lift Host Containment
Cisco Managed
This workflow appears in the pivot menu and allows a user to lift containment for a host in CrowdStrike.
Pivot Menu
Learn more