
CrowdStrike - Contain Hosts
Description
This incident response workflow contains hosts involved in an incident through CrowdStrike, either from a playbook or through an incident automation rule. When run from a playbook, the user selects which hosts to contain. When triggered by an incident automation rule, all target hosts involved in the incident are contained.
Target: CrowdStrike
Steps:
- Detect the start type and extract the supported observables
- Check if any supported observables were found (if not, end the workflow)
- For each observable:
  - Check this observable's type:
    - If a CrowdStrike ID, set the local ID variable
    - If a hostname or MAC address, search for it in CrowdStrike and set the local ID variable
  - Fetch the endpoint and extract its hostname
  - Contain the endpoint
  - Check if the endpoint was contained and update the workflow result
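The per-observable steps above, as an added Python example that is not the workflow's own code: the observable-type check, the lookup filter for hostnames and MAC addresses, and the per-observable result record. The three CrowdStrike calls (search, fetch, contain) are injected so the code runs offline; the 32-hex-character agent ID format, the FQL field names hostname and mac_address, and dash-separated MAC storage are assumptions about the Falcon API.

```python
import re

# Added example (not the workflow's own code). Formats below are assumptions
# about the Falcon API: a 32-hex-char agent ID (AID) and FQL fields
# hostname / mac_address with MACs stored dash-separated.
AID_RE = re.compile(r"^[0-9a-f]{32}$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def classify(observable: str) -> str:
    """Step 'check this observable's type'."""
    if AID_RE.match(observable):
        return "crowdstrike_id"
    if MAC_RE.match(observable):
        return "mac_address"
    return "hostname"

def fql_filter(observable: str) -> str:
    """Filter used to search CrowdStrike for a hostname or MAC address."""
    if classify(observable) == "mac_address":
        return f"mac_address:'{observable.replace(':', '-').lower()}'"
    return f"hostname:'{observable}'"

def contain_hosts(observables, search, fetch, contain):
    """Run the per-observable steps. The CrowdStrike calls are injected:
    search(fql) -> list of AIDs, fetch(aid) -> device dict,
    contain(aid) -> True if the host reports contained afterwards."""
    results = {}
    for obs in observables:
        if classify(obs) == "crowdstrike_id":
            aid = obs
        else:
            ids = search(fql_filter(obs))
            if len(ids) != 1:  # zero or ambiguous matches: never guess a host
                results[obs] = f"skipped ({len(ids)} matches)"
                continue
            aid = ids[0]
        hostname = fetch(aid).get("hostname", aid)
        ok = contain(aid)
        results[obs] = f"{'contained' if ok else 'failed to contain'} {hostname}"
    return results

if __name__ == "__main__":
    # Constructed inventory standing in for the Falcon tenant.
    inv = {"a1b2c3d4e5f60718293a4b5c6d7e8f90": {"hostname": "WS-01"}}
    find = lambda fql: [a for a, d in inv.items()
                        if fql == f"hostname:'{d['hostname']}'"]
    print(contain_hosts(["WS-01", "00:50:56:ab:cd:ef"], find,
                        lambda a: inv.get(a, {}), lambda a: a in inv))
```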
This workflow requires the following targets to be available before it can be run.
Integration targets
- CrowdStrike