Quarantine potentially infected CrowdStrike device

The automation blocks outgoing traffic from devices with potential threats, such as malware or viruses detected by CrowdStrike, to prevent lateral movement and communication with Command and Control (C&C).

Supported Product

Check Point Security Management Server (Quantum)
CrowdStrike for Endpoint

Parameters

IP quarantine duration (if admin's approval is required)

Set the expiration period for the automation.

Note - This applies only if you have selected the Admin's approval is required for quarantining device IP checkbox. After the expiration, Infinity Playblocks sends the notification for the Administrator's approval.

IP quarantine duration (automatic prevention)

Set the expiration period for the automations that are executed automatically (without the administrator's approval).

The default duration is 1 day.

Admin's approval is required for quarantining device IP

Select the checkbox if you want administrator's approval to execute the automation.

Best Practice - Check Point recommends that you leave Admin's approval is required for quarantining device IP checkbox unselected.

Trigger

Triggering quarantine for devices identified as infected by CrowdStrike.

To view the example of this log, click Run.

Quarantine potentially infected CrowdStrike device

Supported Product

Parameters

Trigger

Flow