Structura.io
Endpoint Response · On-demand · 4 actions

CrowdStrike Host Isolation with ServiceNow & Slack

Isolate or restore a compromised host in CrowdStrike, notify the device owner, and track it in ServiceNow.

Integrates with: CrowdStrike Falcon, ServiceNow, Slack

Overview

When an endpoint is suspected of compromise, this playbook lets you isolate it from the network via CrowdStrike Falcon with a single action. It simultaneously opens a ServiceNow incident ticket, notifies the device owner in Slack, and tracks the containment action for audit. Unisolate to reverse the action and auto-close the ticket.

Who this is for: SOC teams running CrowdStrike Falcon who need fast, auditable host containment

Why automate this

Network isolation is one of the fastest, highest-impact containment actions a SOC can take, but it is also disruptive to the user. This playbook makes it safe by packaging isolation with owner notification, audit ticketing, and a clean rollback path. Analysts can act confidently knowing every action is tracked and reversible.

How it works

  1. Receive the device ID and owner email as input parameters
  2. Branch on action type: isolate vs unisolate
  3. For isolate: call the CrowdStrike Falcon API to quarantine the host
  4. Create a new ServiceNow incident with device and owner metadata
  5. Message the device owner in Slack with the action and contact details
  6. For unisolate: lift the network containment via the Falcon API
  7. Locate the existing ServiceNow ticket by sys_id and mark it resolved
  8. Notify the device owner that access is restored
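The eight steps above as one runnable orchestration, added here as an example and not Structura's own playbook code: the Falcon, ServiceNow and Slack integrations are in-memory stand-ins, and the incident field names, the ticket states and the SOC contact address are assumptions.

```python
from dataclasses import dataclass, field

# In-memory stand-ins for the three integrations (constructed for this example).
# A real deployment would call Falcon's devices-actions endpoint with the
# "contain" / "lift_containment" actions and the ServiceNow Table API instead.
@dataclass
class FakeFalcon:
    contained: set = field(default_factory=set)
    def contain(self, device_id): self.contained.add(device_id)
    def lift_containment(self, device_id): self.contained.discard(device_id)

@dataclass
class FakeServiceNow:
    incidents: dict = field(default_factory=dict)
    def create_incident(self, fields):
        sys_id = f"inc{len(self.incidents) + 1:04d}"   # constructed sys_id
        self.incidents[sys_id] = {**fields, "state": "open"}
        return sys_id
    def resolve_incident(self, sys_id):
        if sys_id not in self.incidents:          # step 7: ticket must already exist
            raise KeyError(f"no ServiceNow incident with sys_id {sys_id}")
        self.incidents[sys_id]["state"] = "resolved"

@dataclass
class FakeSlack:
    sent: list = field(default_factory=list)
    def dm(self, email, text): self.sent.append((email, text))

def run_playbook(action, device_id, owner_email, falcon, snow, slack,
                 sys_id=None, soc_contact="soc@example.com"):  # assumed address
    """Steps 1-2: take device ID + owner email, branch on the action type."""
    if action == "isolate":
        falcon.contain(device_id)                               # step 3
        sys_id = snow.create_incident({                         # step 4
            "short_description": f"Host {device_id} network-isolated by SOC",
            "u_device_id": device_id, "u_owner_email": owner_email})  # assumed fields
        slack.dm(owner_email, f"Your device {device_id} was isolated from the "
                 f"network. Ticket {sys_id}; contact {soc_contact}.")  # step 5
        return {"status": "isolated", "sys_id": sys_id}
    if action == "unisolate":
        if sys_id is None:   # rollback needs the ticket opened by the isolate run
            raise ValueError("unisolate requires the sys_id from the isolate run")
        falcon.lift_containment(device_id)                      # step 6
        snow.resolve_incident(sys_id)                           # step 7
        slack.dm(owner_email, f"Network access for {device_id} is restored; "
                 f"ticket {sys_id} resolved.")                  # step 8
        return {"status": "restored", "sys_id": sys_id}
    raise ValueError(f"unknown action {action!r}")
```

Passing the sys_id returned by the isolate run into the unisolate run is what ties the rollback to the audit ticket; a missing or unknown sys_id fails fast instead of leaving an open incident behind.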

Impact

  • One-click host containment with full audit trail

  • Reduces mean-time-to-contain from hours to seconds

  • Owner notification prevents 'why was my laptop cut off?' support tickets

  • Reversible action with automatic ticket closure

Bring this playbook into your SOC

See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.
