The "QuickAction - Manage Containment on a Device in CrowdStrike" workflow template streamlines the process of managing device containment within CrowdStrike. It allows users to quickly choose between containing a device or lifting its containment, add a comment, and specify a wait time for action completion. This workflow is ideal for Endpoint Detection and Response (EDR) scenarios, enhancing incident response efficiency by automating containment actions and updating case notes accordingly.
Use Cases
Endpoint Detection and Response (EDR)
Workflow Breakdown
Queries the user for an action ('Contain' or 'Lift containment'), a comment for the action, and the time to wait for completion, in minutes
The device ID is extracted from the corresponding case
Depending on the user selection, the device is contained or has its containment lifted
If the action is successful, a note is added to the associated case
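The breakdown above as an added example, not code from this template, Torq or CrowdStrike: a Python function that runs the same steps against a Falcon API client and only writes the case note once the device reports the expected status. The client interface, the API action names (contain, lift_containment) and the device status values are assumptions; the client below is a constructed offline stand-in.

```python
import time

# Maps the workflow's user-facing choice to the Falcon API action_name and the device
# status that signals completion (assumption: these are the API's action/status values).
ACTIONS = {
    "Contain": ("contain", "contained"),
    "Lift containment": ("lift_containment", "normal"),
}

class FakeFalconClient:
    """Constructed offline stand-in for a Falcon API client; method names are assumptions.
    device_action() models POST /devices/entities/devices-actions/v2?action_name=...,
    device_status() models the 'status' field of GET /devices/entities/devices/v2."""
    def __init__(self, initial_status="normal", transitions_after=2):
        self.status, self.transitions_after = initial_status, transitions_after
        self.polls, self.action = 0, None

    def device_action(self, action_name, device_id):
        self.action, self.polls, self.status = action_name, 0, f"{action_name}_pending"
        return True  # the real call returns per-ID resources/errors; modelled as a boolean here

    def device_status(self, device_id):
        self.polls += 1
        if self.polls >= self.transitions_after:
            self.status = {"contain": "contained", "lift_containment": "normal"}[self.action]
        return self.status

def manage_containment(client, device_id, action, comment, wait_minutes, poll_seconds=0.0):
    """Runs the template's steps: validate the choice, request the action, wait for the device
    to report the expected status, and only then build the case note.
    Returns (success, note); note is None when the action did not complete within wait_minutes."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(ACTIONS)}")
    action_name, expected_status = ACTIONS[action]
    if not client.device_action(action_name, device_id):
        return False, None
    deadline = time.monotonic() + wait_minutes * 60
    while True:
        status = client.device_status(device_id)
        if status == expected_status:
            return True, f"{action} completed on device {device_id} ({status}): {comment}"
        if time.monotonic() >= deadline:
            return False, None  # leave the case untouched; an analyst should verify the device by hand
        time.sleep(poll_seconds)

if __name__ == "__main__":
    ok, note = manage_containment(FakeFalconClient(), "constructed-device-id-0001",
                                  "Contain", "Isolating pending triage", wait_minutes=1)
    print(ok, note)
```

Keeping the note conditional on the polled status, rather than on the action request alone, is what stops a case from recording a containment that never actually took effect.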
Vendors
Utils, CrowdStrike, Torq Cases
