Isolate or Unisolate Device on CrowdStrike
Isolates or unisolates a specific device through a CrowdStrike action, giving a fast and easy response to a suspicious device. The related measures are taken at the same time: the device owner is notified and the ticket in ServiceNow is updated. It sends a Slack message to the owner of the device that the action has been performed and creates or updates an incident ticket in ServiceNow. All you need is the device's ID and the device owner's email. For unisolate, you will also need the ticket ID ("sys_id") of the previously opened ticket in ServiceNow.
  1. Create the ticket descriptions for ServiceNow.
  2. If the action type is "Isolate Device", isolate the device and create a ticket in ServiceNow.
  3. If the action type is not "Isolate Device", lift the device isolation and close the existing ticket in ServiceNow.
  4. Notify the device owner via Slack.
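The four steps above, written out as one orchestration routine. This is an added example and not the playbook's own code. The CrowdStrike endpoints (devices-actions with action_name=contain / lift_containment), the ServiceNow incident table API, the Slack users.lookupByEmail and chat.postMessage calls, the ServiceNow instance URL and the closed-state value "7" are assumptions taken from public API documentation, not from the page. HTTP is done through an injectable sender so the same logic can be exercised offline with a recording fake, which also makes the "sys_id is required for unisolate" rule easy to test.

```python
"""Isolate / unisolate a CrowdStrike device, track it in ServiceNow, notify via Slack.

Added example; not the playbook's own implementation. Endpoint paths and
field values below are assumptions based on public API docs."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Assumed base URLs; the ServiceNow instance name is a placeholder.
FALCON_API = "https://api.crowdstrike.com"
SNOW_API = "https://example.service-now.com"       # placeholder instance
SLACK_API = "https://slack.com/api"
SNOW_STATE_CLOSED = "7"                             # assumed incident "Closed" state
ISOLATE = "Isolate Device"

# A sender takes (method, url, json_body) and returns the decoded JSON response.
Sender = Callable[[str, str, dict], dict]


def ticket_description(action: str, device_id: str, owner_email: str) -> str:
    """Step 1: build the text that goes into the ServiceNow ticket."""
    verb = "isolated from the network" if action == ISOLATE else "returned to the network"
    return f"CrowdStrike device {device_id} (owner: {owner_email}) was {verb} by automated response."


def respond(action: str, device_id: str, owner_email: str,
            sys_id: Optional[str] = None, send: Sender = None) -> Dict[str, str]:
    """Steps 2-4: contain or lift containment, create/close the ticket, notify the owner."""
    if send is None:
        raise ValueError("a sender (HTTP transport) is required")
    description = ticket_description(action, device_id, owner_email)

    if action == ISOLATE:
        # Step 2: network-contain the host, then open an incident holding the sys_id.
        send("POST", f"{FALCON_API}/devices/entities/devices-actions/v2?action_name=contain",
             {"ids": [device_id]})
        created = send("POST", f"{SNOW_API}/api/now/table/incident",
                       {"short_description": f"Device {device_id} isolated",
                        "description": description})
        sys_id = created["result"]["sys_id"]
    else:
        # Step 3: lifting isolation needs the ticket opened at isolation time.
        if not sys_id:
            raise ValueError("unisolate requires the sys_id of the previously opened ticket")
        send("POST", f"{FALCON_API}/devices/entities/devices-actions/v2?action_name=lift_containment",
             {"ids": [device_id]})
        send("PATCH", f"{SNOW_API}/api/now/table/incident/{sys_id}",
             {"state": SNOW_STATE_CLOSED, "close_notes": description})

    # Step 4: resolve the owner's Slack user from their e-mail and DM them.
    user = send("GET", f"{SLACK_API}/users.lookupByEmail?email={owner_email}", {})
    message = f"{description} ServiceNow ticket: {sys_id}"
    send("POST", f"{SLACK_API}/chat.postMessage", {"channel": user["user"]["id"], "text": message})
    return {"sys_id": sys_id, "message": message}


def http_sender(tokens: Dict[str, str]) -> Sender:
    """Real transport: bearer token chosen by host prefix. Only used outside tests."""
    def send(method: str, url: str, body: dict) -> dict:
        token = next(t for host, t in tokens.items() if url.startswith(host))
        data = json.dumps(body).encode() if method != "GET" else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def make_recording_sender() -> Tuple[Sender, List[Tuple[str, str, dict]]]:
    """Offline transport: records every call and returns constructed canned responses."""
    calls: List[Tuple[str, str, dict]] = []

    def send(method: str, url: str, body: dict) -> dict:
        calls.append((method, url, body))
        if "/table/incident" in url and method == "POST":
            return {"result": {"sys_id": "fake-sys-id"}}          # constructed value
        if "users.lookupByEmail" in url:
            return {"ok": True, "user": {"id": "U000FAKE"}}        # constructed value
        return {"ok": True}
    return send, calls


if __name__ == "__main__":
    sender, calls = make_recording_sender()
    print(respond(ISOLATE, "abc123", "alice@example.com", send=sender))
    print(respond("Unisolate Device", "abc123", "alice@example.com", sys_id="fake-sys-id", send=sender))
    print(len(calls), "API calls recorded")
```

The recording sender is what the offline run uses; swapping in `http_sender({...})` with real tokens turns the same routine into the live playbook. Keeping the transport injectable is also what lets the unisolate branch be checked for the missing-sys_id failure without touching any real host.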