Incydr Flow: CrowdStrike network containment

Overview

This article explains how to configure the Incydr Flow for CrowdStrike network containment. This Flow adds a response option in the Incydr console that enables you to quarantine all of a user's endpoints and isolate them from the network via CrowdStrike.

The steps below cover how to create API clients in both CrowdStrike and Incydr, configure the Flow in the Incydr console, and manually execute the Flow from an Incydr alert.

Considerations

  • You must be licensed for the CrowdStrike network containment Flow to complete the steps below. Contact your Customer Success Manager (CSM) if you have questions about licensing.

Step 1: CrowdStrike configuration

Work with your CrowdStrike administrator to complete the following steps:

Create an API client in CrowdStrike

  1. Create an API client in CrowdStrike with the following permissions:
    • Host (Read/Write)
    • User Management (Read)
  2. Save the API client credentials (Token ID and Secret) in a secure location for future reference.
    • These credentials are required to initially enable the Flow in the Incydr console, as well as to update settings after the initial setup.
  3. Note your CrowdStrike Base URL, which will be needed during the Incydr configuration.

For detailed instructions on creating an API client in CrowdStrike, refer to the CrowdStrike OAuth2 API Guide (requires authentication).

Step 2: Incydr configuration

Create an API client in Incydr

Create a new Incydr API client:

  1. Sign in to the Incydr console.
  2. Go to Administration > Integrations > API Clients.
  3. Select Create new API Client.
  4. Enter a name specific to this Flow (for example, "CrowdStrike network disconnect").
  5. Add these permissions:
    • Device - Read
    • User - Read
  6. Click Save.
  7. Save the Client ID, Secret, and Base URL in a secure location for future reference.
    The Incydr API client credentials are required to initially enable the Flow in the Incydr console, as well as to update settings after the initial setup.

Incydr Flow setup

  1. In the Incydr console, go to Administration > Integrations > Incydr Flows.
  2. From the list of Flows, select the CrowdStrike network disconnect Flow.
  3. Complete these fields:
    • CrowdStrike API client ID: Enter the CrowdStrike API token ID obtained above in step 1.
    • CrowdStrike API secret: Enter the CrowdStrike API secret obtained above in step 1.
    • CrowdStrike Base URL: Enter the CrowdStrike Base URL obtained above in step 1.
    • Code42 API client ID: Enter the Incydr API Client ID obtained in step 2 above.
    • Code42 API client secret: Enter the Incydr API secret obtained in step 2 above.
    • Code42 base URL: Enter the Incydr Base URL obtained in step 2 above. You can also obtain the Base URL by identifying the URL for your Incydr cloud environment.
  4. Click Submit.

Execute the Flow

To disconnect a user's devices from the network via CrowdStrike from within Incydr:

  1. Sign in to the Incydr console as a user with either the Customer Cloud Admin or Insider Risk Respond role.
  2. Go to Alerts > Review Alerts.
  3. Select an alert.
    The Alert details appear.
  4. Click the Actions menu. From the Incydr Flows section, select Disconnect device from network | CrowdStrike.
    CrowdStrike Falcon quarantines all of the user's endpoints by disconnecting them from the network.
  5. To resume network access for the user's endpoints, you must lift the containment from within CrowdStrike. Access cannot be restored from within Incydr.
