Host Containment

arxsec-site / library/workflows/host-containment/README.md

Monitors CrowdStrike for high-severity detections, triggers HITL-gated network containment of the affected host, and creates a PagerDuty incident for the security on-call team.

Maturity: L4+ (Governed and up)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

Reduces response time from ~15 minutes to ~30 seconds for containment actions.

Connectors

| Connector | Operations | Risk Level |
|-----------|-----------|------------|
| CrowdStrike | detections:read | Low — read-only |
| CrowdStrike | hosts:write | High — network containment |
| Slack | chat:write, reactions:read | Low — HITL approval channel |
| PagerDuty | incidents:create | Low — creates alerts only |

How It Works

  1. Poll CrowdStrike for new high-severity detections (severity >= threshold).
  2. Enrich the detection with host details and user context.
  3. Post a Slack approval request with detection details and recommended action.
  4. On approval, issue a network containment command via CrowdStrike.
  5. Create a PagerDuty incident with full detection context.
  6. Post containment confirmation to Slack.

ARX Governance

Risk Classification

  • detections:read — Low. Read-only detection query.
  • hosts:write — High. Network containment isolates a host from the network.
  • chat:write / reactions:read — Low. HITL channel communication.
  • incidents:create (PagerDuty) — Low. Creates notification alerts.

HITL Gate Configuration

  • Operation: hosts:write (network containment) — requires approval before execution.
  • Channel: SLACK_CONTAINMENT_CHANNEL (configurable in arx.yaml).
  • Timeout: 15 minutes. If no approval is received, the action is skipped and an escalation is sent via PagerDuty.
  • Approvers: Members of the security-oncall Slack user group.

Policy Rules

  • detections:read — permit — automated, no approval needed.
  • hosts:write — escalate — requires HITL approval via Slack.
  • incidents:create — permit — notification only.
  • Containment of a domain controller or critical asset — deny — must be handled manually.

Audit Trail

  • CrowdStrike detection ID, severity, tactic, and technique.
  • Host ID, hostname, OS, and assigned user.
  • Approver identity, approval timestamp, and Slack message link.
  • Containment command status and CrowdStrike confirmation.
  • PagerDuty incident ID and assigned responder.
  • Full event log written to arx.audit_log.

> See arx.yaml for the full governance configuration.
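The following is an added example, not the Arx project's code or its arx.yaml schema. It puts the How It Works steps, the Policy Rules, the HITL Gate timeout and the Audit Trail fields together in one evaluator: a detection below severity_threshold is skipped, hosts:write on a domain controller or critical asset is denied, and an escalated containment only proceeds when an approval arrives within 15 minutes, otherwise the action is skipped and marked for PagerDuty escalation. The detection records, hostnames, user names, host-role tags and Slack link are constructed samples; treating an unknown operation as deny is an assumption the README does not state.

```python
"""Policy evaluation, HITL gate and audit record for host containment.

Added example, not the Arx project's code. Detection records, hostnames,
user names, host_role tag values and the Slack link are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SEVERITY_THRESHOLD = 4                    # severity_threshold default from the README
HITL_TIMEOUT = timedelta(minutes=15)      # HITL gate timeout from the README
CRITICAL_ROLES = {"domain_controller", "critical_asset"}   # assumed tag values

# Policy rules as listed in the README; unknown operations fall through to
# deny (an assumption here, the README does not say).
POLICY = {
    "detections:read": "permit",
    "hosts:write": "escalate",
    "incidents:create": "permit",
}


@dataclass
class Detection:
    detection_id: str
    severity: int
    tactic: str
    technique: str
    host_id: str
    hostname: str
    os: str
    user: str
    host_role: str = "workstation"


@dataclass
class Approval:
    approver: str
    approved_at: datetime
    slack_link: str


@dataclass
class AuditRecord:
    detection_id: str
    host_id: str
    operation: str
    decision: str
    outcome: str
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None
    slack_link: Optional[str] = None


def decide(operation: str, det: Detection) -> str:
    """Apply the policy rules; the critical-asset deny rule wins over escalate."""
    if operation == "hosts:write" and det.host_role in CRITICAL_ROLES:
        return "deny"
    return POLICY.get(operation, "deny")


def gate_containment(det: Detection, requested_at: datetime,
                     approval: Optional[Approval]) -> AuditRecord:
    """Threshold filter, policy decision and HITL gate for one detection.

    Returns the record that would be written to the audit log. The CrowdStrike
    containment call and the PagerDuty escalation are represented by the
    outcome string rather than performed.
    """
    if det.severity < SEVERITY_THRESHOLD:
        return AuditRecord(det.detection_id, det.host_id, "hosts:write",
                           "skipped", "below severity threshold")
    decision = decide("hosts:write", det)
    if decision == "deny":
        return AuditRecord(det.detection_id, det.host_id, "hosts:write",
                           decision, "critical asset, manual handling required")
    # decision == "escalate": approval must arrive within the HITL timeout
    if approval is None or approval.approved_at - requested_at > HITL_TIMEOUT:
        return AuditRecord(det.detection_id, det.host_id, "hosts:write", decision,
                           "no approval within timeout, escalated via PagerDuty")
    return AuditRecord(det.detection_id, det.host_id, "hosts:write", decision,
                       "network containment issued", approval.approver,
                       approval.approved_at, approval.slack_link)


# Constructed sample input
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WORKSTATION = Detection("ldt:sample-0001", 5, "Execution", "PowerShell",
                        "host-aaa", "ws-0123", "Windows 11", "jdoe")
DC = Detection("ldt:sample-0002", 5, "Credential Access", "Credential Dumping",
               "host-bbb", "dc-01", "Windows Server 2022", "svc-ad",
               host_role="domain_controller")
LOW = Detection("ldt:sample-0003", 2, "Discovery", "System Information Discovery",
                "host-ccc", "ws-0456", "macOS 14", "asmith")
OK_APPROVAL = Approval("oncall-analyst", T0 + timedelta(minutes=3),
                       "https://example.slack.com/archives/C000/p000")
LATE_APPROVAL = Approval("oncall-analyst", T0 + timedelta(minutes=20),
                         "https://example.slack.com/archives/C000/p001")

if __name__ == "__main__":
    for det, appr in [(WORKSTATION, OK_APPROVAL), (DC, OK_APPROVAL),
                      (LOW, None), (WORKSTATION, LATE_APPROVAL)]:
        rec = gate_containment(det, T0, appr)
        print(f"{det.hostname:8} {rec.decision:9} {rec.outcome}")
```

The deny check runs before the escalate branch on purpose: a critical-asset containment must never reach the Slack approval step, since an approver could otherwise authorise an action the policy forbids. The timeout is measured from the approval request, so a late approval is treated the same as no approval.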

Setup Instructions

  1. Configure CrowdStrike, Slack, and PagerDuty connectors.
  2. Set environment variables:
  • CS_CLIENT_ID, CS_CLIENT_SECRET
  • SLACK_BOT_TOKEN, SLACK_CONTAINMENT_CHANNEL
  • PAGERDUTY_API_KEY, PAGERDUTY_SERVICE_ID
  3. Adjust severity_threshold (default 4) in arx.yaml.
  4. Deploy with arx deploy host-containment.
  5. Test with arx run host-containment --dry-run.

Schedule

Event-driven — triggered by CrowdStrike detection webhook or polled every 60 seconds.