This workflow template streamlines the management of device containment within CrowdStrike, enhancing endpoint security operations. Users can choose to contain or lift containment on a device, with the option to provide a comment and specify a wait time for action completion. The workflow automatically extracts the device ID from the associated case or accepts it as input, ensuring seamless integration with Socrates Off-Case. Successful actions are documented with a note in the case, facilitating efficient incident response and tracking.
Use Cases
Endpoint Detection and Response (EDR)
Workflow Breakdown
Queries the user for an action ('Contain' or 'Lift containment'), a comment for the action, and the time to wait for completion in minutes
The device ID is extracted from the corresponding case, or it can be provided in the user query (for use with Socrates Off-Case)
Depending on the user selection, the device is contained or has containment lifted
If the action is successful, a note is added to the associated case
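The four steps above, written out as a single runnable script. This is an added example and not Torq's or CrowdStrike's own code: it resolves the device ID from the case or from an explicit input, issues the contain or lift_containment action, polls the host status until it settles or the wait budget is used up, and appends a case note only on success. The Falcon endpoint paths and the status values ('normal', 'containment_pending', 'contained', 'lift_containment_pending') are assumptions about the Falcon API; the FakeFalcon client is a constructed stand-in so the script runs offline, and a real client would only need to implement the same two methods.

```python
"""Contain / lift containment on a CrowdStrike host, wait for the status
to settle, then record a case note.  Added example, not Torq's or
CrowdStrike's own code.  Endpoint paths and status values are assumptions.
"""
import time

# User-facing choice -> (Falcon action_name, status expected once complete)
ACTIONS = {
    "Contain": ("contain", "contained"),
    "Lift containment": ("lift_containment", "normal"),
}


class FakeFalcon:
    """Constructed stand-in for a Falcon API client (offline).

    Records every call it receives and reports the target status once the
    host has been polled `settle_after` times, mimicking the pending state a
    real host goes through.
    """

    def __init__(self, settle_after=2):
        self.settle_after = settle_after
        self.calls = []            # (method, path, device_id) in call order
        self._status = "normal"
        self._target = "normal"
        self._polls = 0

    def device_action(self, action_name, device_id):
        # Assumed endpoint: POST /devices/entities/devices-actions/v2?action_name=...
        path = f"/devices/entities/devices-actions/v2?action_name={action_name}"
        self.calls.append(("POST", path, device_id))
        if action_name == "contain":
            self._status, self._target = "containment_pending", "contained"
        else:
            self._status, self._target = "lift_containment_pending", "normal"
        self._polls = 0
        return {"resources": [{"id": device_id}], "errors": []}

    def device_status(self, device_id):
        # Assumed endpoint: GET /devices/entities/devices/v2?ids=... -> 'status'
        self.calls.append(("GET", f"/devices/entities/devices/v2?ids={device_id}", device_id))
        self._polls += 1
        if self._polls >= self.settle_after:
            self._status = self._target
        return self._status


def resolve_device_id(case, override=None):
    """Step 2: take the device ID from the user input if given, else from the case.

    The case is assumed to be a dict carrying a 'device_id' field (hypothetical
    shape; a real case object would be read the same way).
    """
    device_id = override or case.get("device_id")
    if not device_id:
        raise ValueError("no device ID in input or case")
    return device_id


def run_containment(client, device_id, action, comment, wait_minutes,
                    case_notes, sleep=time.sleep, poll_seconds=5):
    """Steps 1, 3 and 4: validate the action, apply it, wait, then note the case.

    Returns a dict with 'ok', the last observed 'status' and a 'reason' on failure.
    The note is only written when the host actually reached the expected status.
    """
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    action_name, expected = ACTIONS[action]

    resp = client.device_action(action_name, device_id)
    if resp.get("errors"):
        return {"ok": False, "status": None, "reason": f"action rejected: {resp['errors']}"}

    # Convert the user's wait budget into a bounded number of polls; always poll once.
    attempts = max(1, int(wait_minutes * 60 / poll_seconds))
    status = None
    for i in range(attempts):
        status = client.device_status(device_id)
        if status == expected:
            case_notes.append(
                f"CrowdStrike: '{action}' on device {device_id} completed "
                f"(status={status}). Comment: {comment}")
            return {"ok": True, "status": status, "reason": None}
        if i < attempts - 1:
            sleep(poll_seconds)      # injectable so tests and dry runs need not wait

    return {"ok": False, "status": status,
            "reason": f"timed out after {wait_minutes} min waiting for '{expected}'"}


if __name__ == "__main__":
    case = {"id": "CASE-0001", "device_id": "aid-0123abcd"}   # constructed sample case
    notes = []
    client = FakeFalcon(settle_after=2)
    result = run_containment(client, resolve_device_id(case), "Contain",
                             "isolating for triage", wait_minutes=5,
                             case_notes=notes, sleep=lambda s: None)
    print(result)
    print(notes)
```

The wait budget is enforced as a bounded poll count rather than a wall-clock deadline so the loop cannot spin indefinitely if the host never reports the expected status; in that case the run is reported as failed and no note is written, which matches the template's rule that only successful actions are recorded in the case.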
Vendors
Utils, CrowdStrike, Torq Cases
