How to Automatically Contain High-Severity Threats in CrowdStrike Falcon Using Fusion Workflows
A practical guide to building severity-based auto-containment playbooks in CrowdStrike Falcon Fusion to stop threats and reduce SOC alert fatigue.
If you’ve spent any meaningful amount of time in a Security Operations Center (SOC), you know the feeling. It’s 3:00 AM, the queue is flooded with a mix of adware alerts and anomalous script executions, and somewhere in that haystack is a legitimate threat actor trying to establish persistence.
Alert fatigue is the quiet killer of SOC efficiency. When analysts are forced to manually triage every single low-level blip, their reaction time to critical threats plummets. In modern environments where ransomware can encrypt a subnet in minutes, relying solely on human speed for initial containment is a losing strategy.
This is where automated, severity-based playbooks become non-negotiable. By leveraging Security Orchestration, Automation, and Response (SOAR) capabilities—specifically within CrowdStrike Falcon Fusion—we can build workflows that handle the heavy lifting.
In this post, we’ll walk through the practical design and implementation of a severity-driven playbook in CrowdStrike Falcon. Our objective: build a workflow that automatically isolates hosts experiencing High or Critical detections, while simply notifying the SOC for Medium and Low severities.
1. Playbook Logic Overview
Before touching the console, we need to map out our decision flow. Good automation is predictable automation. Our playbook will trigger the moment CrowdStrike generates a new detection. From there, it will evaluate the severity of the detection and split into two distinct branches.
The Logic Block
TRIGGER: New Endpoint Detection Generated
IF Detection.Severity IS ("High" or "Critical"):
ACTION 1: Initiate Network Containment on Affected Host
ACTION 2: Send High-Priority Email to SOC Triage Inbox
TERMINATE WORKFLOW
ELSE IF Detection.Severity IS ("Medium" or "Low"):
ACTION 1: Send Standard Email to SOC Triage Inbox
TERMINATE WORKFLOW
ELSE:
TERMINATE WORKFLOW
This logic ensures that actionable, fast-moving threats are instantly quarantined, preventing lateral movement or data exfiltration. Meanwhile, lower-confidence or lower-impact alerts are queued for human review without disrupting the end-user's work.
2. Step-by-Step Implementation in CrowdStrike Falcon
CrowdStrike’s SOAR capability (Falcon Fusion) makes this implementation straightforward, provided you know exactly which variables and actions to link together.
Step 2.1: Creating the Workflow and Setting the Trigger
- Navigate to Fusion > Workflows in the Falcon console.
- Click Create Workflow and select Start from scratch.
- Name the workflow: IR-PB-01: Severity-Based Containment and Notification.
- Under the Trigger block, select Endpoint Detection and choose New Detection. This ensures the workflow fires the moment a new alert is written to the database.
Step 2.2: Building the Conditional Logic
We need to branch our workflow based on severity.
- Add a Condition node immediately after the trigger.
- Set the condition to evaluate the severity:
  - Field: Severity
  - Operator: is greater than or equal to
  - Value: High
- Rename this branch to "High or Critical Branch".
- Add a Default/Else branch and rename it to "Medium or Lower Branch".
Step 2.3: Configuring the High/Critical Actions
For our High/Critical branch, we need two actions: Containment and Notification.
Action 1: Network Containment
- Click the + icon under the High/Critical branch.
- Search for the Contain action and select Network Containment (or Contain device).
- Set the Device ID dynamically using the data picker (e.g., {{trigger.device.deviceId}}).
- Optional: Add an expression in the comment section like "Automated containment initiated for Detection ID: {{trigger.detectionId}}" to maintain a clear audit trail.
Action 2: Email Notification
- Add another action beneath the containment block.
- Select Notifications > Send Email.
Step 2.4: Configuring the Medium or Lower Actions
- Click the + icon under the Medium or lower branch.
- Select Notifications > Send Email.
- Configure the standard email template for routine triage.
3. Email Notification Design
Your email notification should provide enough context for the analyst to immediately grasp the situation. Within the Fusion UI, use the Data to include section and the Message content field.
Email Template
Subject: [URGENT] CRITICAL Detection & Host Contained: {{trigger.device.hostname}}
Message:
SOC Team,
A High/Critical severity detection has been triggered. The affected host has been AUTOMATICALLY CONTAINED to prevent lateral movement.
Please review the attached "Data to include" for specific incident details.
Next Steps:
1. Review the detection in the Falcon Console.
2. Utilize Real Time Response (RTR) to investigate the isolated host.
3. Validate if this is a true positive before lifting containment.
View Detection: {{trigger.falconLink}}
Data to Include
Select the following variables in the Fusion data picker to ensure they are attached to the alert:
- Hostname: {{trigger.device.hostname}}
- OS: {{trigger.device.osVersion}}
- Detection Name: {{trigger.detectName}}
- Tactic/Technique: {{trigger.tactic}} / {{trigger.technique}}
- Severity: {{trigger.severityName}}
4. Key Considerations and Pitfalls
The Risk of Over-Containment
What happens if a false positive High-severity detection triggers on your Primary Domain Controller or a critical production database? If your playbook contains that server, you’ve just taken down the company faster than the threat actor could have.
Solution: Implement exclusion logic. During initial rollout, exclude all servers from automated containment.
- Add a condition checking the host's grouping or tags before the containment action.
- Example checks: If trigger.device.productType NOT IN ["Server"], or If trigger.device.groups NOT IN ["Tier 0 Servers", "Production DBs"].
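To check the decision table from section 1 together with the exclusion guard above before enabling the workflow, here is a local model of the branching as an added example (not CrowdStrike's or Fusion's own code). It assumes Fusion compares severity ordinally, that both example checks are applied (a host matching either one is skipped), and that the trigger fields are shaped like the page's data-picker paths; all sample values are constructed.

```python
# Added example, not CrowdStrike's or Falcon Fusion's own code: a dry-run model of
# the playbook's branching (section 1) plus the server-exclusion guard (section 4).
# Field names follow the page's data-picker paths; every value below is constructed.

# Fusion compares severity ordinally, so "is greater than or equal to High"
# matches both High and Critical.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Hosts that must never be auto-contained during the initial rollout (section 4).
EXCLUDED_PRODUCT_TYPES = {"Server"}
EXCLUDED_GROUPS = {"Tier 0 Servers", "Production DBs"}


def is_excluded(device):
    """Exclusion guard evaluated before the containment action; either check suffices."""
    if device.get("productType") in EXCLUDED_PRODUCT_TYPES:
        return True
    return bool(EXCLUDED_GROUPS & set(device.get("groups", [])))


def evaluate(trigger):
    """Return the ordered actions the workflow would take for one detection."""
    rank = SEVERITY_RANK.get(trigger.get("severityName"))
    if rank is None:  # unknown severity falls into the terminating ELSE branch
        return []
    dev = trigger["device"]
    if rank < SEVERITY_RANK["High"]:  # Medium or Lower branch: notify only
        return [("email", f"Detection on {dev['hostname']}: {trigger['severityName']}")]
    actions = []
    if is_excluded(dev):  # guard from section 4: leave an audit comment, do not contain
        actions.append(("comment", f"Containment skipped (excluded host) for Detection ID: {trigger['detectionId']}"))
        actions.append(("email", f"[URGENT] CRITICAL Detection (NOT contained): {dev['hostname']}"))
    else:
        actions.append(("contain", dev["deviceId"]))
        actions.append(("comment", f"Automated containment initiated for Detection ID: {trigger['detectionId']}"))
        actions.append(("email", f"[URGENT] CRITICAL Detection & Host Contained: {dev['hostname']}"))
    return actions


def make_trigger(det_id, severity, hostname, product_type, groups, device_id):
    """Build a constructed trigger payload shaped like the page's data-picker fields."""
    return {"detectionId": det_id, "severityName": severity,
            "device": {"deviceId": device_id, "hostname": hostname,
                       "productType": product_type, "groups": groups}}


if __name__ == "__main__":
    dc = make_trigger("ldt:constructed:002", "High", "DC-01", "Server", ["Tier 0 Servers"], "aid-constructed-02")
    print(evaluate(dc))  # the domain controller is commented on and emailed about, never contained
```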
Handling False Positives
If your helpdesk receives complaints of random network drops, they need to know how to quickly verify if a workflow caused it. Always ensure your workflow includes a "Comment" action on the detection itself so the audit trail is visible directly in the incident view.
CrowdStrike Cloud Communication
Keep in mind that Network Containment in Falcon is a logical isolation. The host cannot talk to the LAN or the internet, but it maintains its TLS connection to the CrowdStrike Cloud. This allows you to still use Real Time Response (RTR) to run commands, kill processes, and remediate the host even while it is entirely isolated from your corporate network.
5. Testing and Validation
Step 5.1: Scope for Testing
Before enabling the workflow globally, edit the Trigger Conditions to only apply to a specific test host group (e.g., SOC_Test_Machines).
Step 5.2: Simulating Detections
- Medium or lower Testing: Run a simple reconnaissance command like whoami or net user from an unapproved shell, which may trigger a low-level behavioral alert depending on your prevention policies.
- High or Critical Testing: Use a controlled simulation framework like Atomic Red Team. Safely executing a technique like T1003 (OS Credential Dumping) is a reliable way to trigger a High/Critical behavioral detection without causing actual harm.
6. Real-World Example Scenario
The Setup: An employee receives a targeted phishing email containing a malicious ZIP. They extract it and run a payload that attempts to download a Cobalt Strike beacon via a PowerShell download cradle.
The Execution:
- Falcon recognizes the obfuscated PowerShell command and assigns it a Critical severity.
- The New Detection trigger fires. The logic evaluates the severity and routes down the High or Critical branch.
- Within 5 seconds, the Falcon platform issues a Network Containment command.
- An urgent email with full context is routed to the SOC.
The Result: By the time the attacker's server attempts to establish an interactive session, the laptop’s network adapter has been logically disconnected. Lateral movement is entirely stopped. The analyst clicks the link in the email, uses RTR to pull the malicious script for analysis, and initiates the cleanup process—all without breaking a sweat.
Conclusion
Building a severity-based playbook in CrowdStrike Falcon fundamentally shifts the SOC from a reactive posture to a controlled, investigative one. By automating the containment of high-confidence threats, you reduce alert fatigue and protect the network from rapid-moving attacks like ransomware.
Start small, test rigorously with exclusions, and scale the automation as your confidence in the platform grows.