How to Contain an Endpoint with CrowdStrike
When malware is detected on a device, you can contain that endpoint with CrowdStrike to reduce your risk. In this guide, we'll show you how to take these containment steps.
If you are managing a security incident, containing an endpoint using CrowdStrike can be a critical way to reduce your risk.
By quickly containing the affected device, you’ll isolate the compromised system and prevent it from spreading malware or other malicious activity across the network.
In this guide, we’ll show you how to contain a device using both the CrowdStrike console and API.
CrowdStrike also offers an API that lets administrators manage their sensors programmatically. Use the regional API endpoint that matches your CrowdStrike account:
In the examples we show later, we’ll use “api.us-2.crowdstrike.com”.
CrowdStrike’s API documentation is available after you log in here, and you’ll see information about how to use OAuth2 for authenticating your requests.
Before you start, you will need to make an access token request that includes your client ID and client secret. You will receive an access token in the response; it is valid for 30 minutes. Every API call you make after that initial request must include that token.
In the request body, specify the host agent ID (AID) and provide it in a JSON format:
Just like in Step 1, include the host agent ID (AID) in the body of the request.
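The three-step flow above (token request, contain, lift containment) written out as an added Python example; this is not code from the guide or from CrowdStrike. It assumes the `api.us-2.crowdstrike.com` base URL named earlier and the documented Falcon routes `/oauth2/token` and `/devices/entities/devices-actions/v2` with `action_name=contain` or `lift_containment`; the client ID, secret and AID are placeholders you supply.

```python
"""Contain, or lift containment on, a Falcon host via the CrowdStrike API."""
import json
import time
import urllib.parse
import urllib.request

# Assumption: the regional base URL used in this guide; the paths below are
# the Falcon OAuth2 token route and the device-actions route.
BASE_URL = "https://api.us-2.crowdstrike.com"
TOKEN_TTL_MARGIN = 60  # re-authenticate a minute before the token expires


def build_token_request(base_url, client_id, client_secret):
    """Step 0: form-encoded client-credentials request for a bearer token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return (f"{base_url}/oauth2/token", body,
            {"Content-Type": "application/x-www-form-urlencoded"})


def build_action_request(base_url, token, aid, action):
    """Steps 1/2: contain or lift_containment on one host agent ID (AID)."""
    if action not in ("contain", "lift_containment"):
        raise ValueError(f"unsupported action: {action}")
    if not aid or not aid.isalnum():
        raise ValueError("AID must be a non-empty alphanumeric string")
    query = urllib.parse.urlencode({"action_name": action})
    url = f"{base_url}/devices/entities/devices-actions/v2?{query}"
    body = json.dumps({"ids": [aid]}).encode()   # JSON body carrying the AID
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return url, body, headers


def token_expired(issued_at, expires_in, now=None):
    """True when a token issued at issued_at (valid expires_in s) needs renewing."""
    now = time.time() if now is None else now
    return now >= issued_at + expires_in - TOKEN_TTL_MARGIN


def post(url, body, headers):
    """Send a prepared request and return the decoded JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def contain_host(client_id, client_secret, aid, action="contain"):
    """End to end: fetch a token, then apply the action to the host."""
    tok = post(*build_token_request(BASE_URL, client_id, client_secret))
    return post(*build_action_request(BASE_URL, tok["access_token"], aid, action))
```

Call `contain_host(client_id, client_secret, aid, "lift_containment")` to reverse the action once the investigation is complete.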
The steps to contain a device are not hard, but they do take time away from investigating and scoping the incident.
With Blink, you can just choose whether to contain or lift containment on a certain device. This automation in the Blink library will then take the action in CrowdStrike, update the related incident ticket, and notify the device owner of the action via Slack.
You can run this automation by specifying a Device ID and Device owner’s email. With these inputs, it will do the following steps:
This simple automation allows you to ensure a strong audit trail without needing to dedicate time to building it manually.
You can also trigger automations and use conditional logic. For example, you could customize this automation to run whenever severe malware is detected and contain the device automatically, or only after an approval via Slack.
We have over 5K automations available in the Blink library, or you can customize workflows to fit your unique use case.
Start a free trial of Blink today and see how easy automation can be.
Transform your security and platform operations today with 5000+ no-code automations.