How to Contain an Endpoint with CrowdStrike

When malware is detected on a device, you can contain that endpoint with CrowdStrike to reduce your risk. In this guide, we'll show you how to take these containment steps.

Patrick Londa
Author
Mar 22, 2023
5 min read

If you are managing a security incident, containing an endpoint using CrowdStrike can be a critical way to reduce your risk. 

By quickly containing the affected device, you’ll isolate the compromised system and prevent it from spreading malware or other malicious activity across the network.

In this guide, we’ll show you how to contain a device using both the CrowdStrike console and API.

Containing a Compromised Device with CrowdStrike

Using the CrowdStrike Console:

  1. First, log in to the CrowdStrike Falcon Console.
  2. Open the left-hand pane menu, and select Host setup and management, then Host Management.
  3. Select the device that you want to contain and select Network Contain in the right-hand pane that opens to change the device’s containment status.
Host Actions Menu in CrowdStrike
  4. Confirm that you want to contain the device and add a reason for the audit log.
Containing a host in CrowdStrike
  5. If you want to reverse this action, select the device again and click Lift Containment. Add a reason for the audit log and confirm.
Lift containment for a CrowdStrike host

Using the CrowdStrike Falcon API:

CrowdStrike also offers an API that lets administrators manage their sensors programmatically. Use the API base URL that matches the cloud region of your CrowdStrike account:

  • US-1 “api.crowdstrike.com”
  • US-2 “api.us-2.crowdstrike.com”
  • US-GOV-1 “api.laggar.gcw.crowdstrike.com”
  • EU-1 “api.eu-1.crowdstrike.com”

In the examples we show later, we’ll use “api.us-2.crowdstrike.com”.

CrowdStrike’s API documentation is available after you log in here, and you’ll see information about how to use OAuth2 for authenticating your requests.

Before you start, you will need to request an access token using your client ID and client secret. The access token you receive is valid for 30 minutes; every API call you make after that initial request must include it.

  1. Make a POST request to this endpoint:
https://api.us-2.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain

In the request body, specify the host agent ID (AID) in JSON format:

{
    "ids":[
        "Fec16arca8c1419fabf7fd1addfved63"
    ]
}

  2. If you want to reverse this action, make a POST request to this endpoint:
https://api.us-2.crowdstrike.com/devices/entities/devices-actions/v2?action_name=lift_containment

Just like in Step 1, include the host agent id in the body of the request.
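The two API calls described above, as an added Python example that is not from the original post or from CrowdStrike. It builds the OAuth2 token request (the /oauth2/token path is assumed here, not stated on the page) and the contain / lift_containment request, and rejects agent IDs that are not 32 hex characters (a format check assumed here; the AID shown in the post is a placeholder).

```python
import json
import re
import urllib.parse
import urllib.request

# Regional API base URLs listed in the post.
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
}
# Assumption: a Falcon agent ID (AID) is 32 lowercase hex characters.
AID_RE = re.compile(r"[0-9a-f]{32}")


def build_token_request(region, client_id, client_secret):
    """OAuth2 client-credentials request; /oauth2/token path is assumed."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return urllib.request.Request(BASE_URLS[region] + "/oauth2/token",
                                  data=body, headers=headers, method="POST")


def build_containment_request(region, token, aids, lift=False):
    """POST to devices-actions/v2 with action_name=contain or lift_containment."""
    bad = [a for a in aids if not AID_RE.fullmatch(a)]
    if bad:  # refuse to send a request that the API would reject anyway
        raise ValueError(f"malformed agent IDs: {bad}")
    action = "lift_containment" if lift else "contain"
    url = f"{BASE_URLS[region]}/devices/entities/devices-actions/v2?action_name={action}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json", "Accept": "application/json"}
    return urllib.request.Request(url, data=json.dumps({"ids": list(aids)}).encode(),
                                  headers=headers, method="POST")


def send(req):
    """Perform the request and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def contain_host(region, client_id, client_secret, aid, lift=False):
    """Fetch a token (valid for 30 minutes) and contain or release one host."""
    token = send(build_token_request(region, client_id, client_secret))["access_token"]
    return send(build_containment_request(region, token, [aid], lift))
```

Call contain_host("US-2", CLIENT_ID, CLIENT_SECRET, aid) to contain a host and pass lift=True to release it; the builder functions can be inspected before anything is sent.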

Automating CrowdStrike Containment Workflows with Blink

When you want to contain a device, the steps aren’t hard but they do take time away from investigating and scoping the issue.

With Blink, you can just choose whether to contain or lift containment on a certain device. This automation in the Blink library will then take the action in CrowdStrike, update the related incident ticket, and notify the device owner of the action via Slack.

Blink Automation: Isolate and Unisolate Device on CrowdStrike

You can run this automation by specifying a Device ID and Device owner’s email. With these inputs, it will do the following steps:

  1. Creates ticket descriptions for ServiceNow.
  2. If the selected action is Isolate Device, then it isolates the device and creates a ticket in ServiceNow.
  3. If the selected action is Lift Isolation, then it lifts the device isolation and closes the existing ticket in ServiceNow.
  4. Notifies the device owner via Slack.

This simple automation allows you to ensure a strong audit trail without needing to dedicate time to building it manually. 

You can also trigger automations and use conditional logic. For example, you could customize this automation to run whenever severe malware is detected and contain the device automatically, or only after an approval via Slack.

We have over 5K automations available in the Blink library, or you can customize workflows to fit your unique use case.

Get started with Blink today and see how easy automation can be.
