Run Block Request

  • Release version: Australia
  • Updated March 12, 2026
  • Blocks communication with observables associated with a security incident.

    Before you begin

    Role required: sn_si.analyst

    About this task

    Note:
    If no implementations are available, capability actions are not displayed in product menus.

    The Security Operations Integration - Block Request flow can be triggered from an observable form, or from the Security Incident Observables related list on a security incident.

    This example shows a Block Request from a security incident.

    Procedure

    1. Navigate to a security incident.
    2. In the Related Links, select Show all Related Lists.
    3. Select the Associated Observables tab.
    4. Select observables from the list.
    5. Select Allow/Block Request in the Actions on selected rows... drop-down menu.
      A dialog box appears.
    6. Select the lookup icon next to the Implementation field.
    7. Select a capability from the list.
      The following fields appear if the capability includes additional runtime parameters. Different integrations may have different parameters.
      Table 1. Allow/Block Request

      Field | Description
      ----- | -----------
      Indicator Block Action Type | Option to control how the detection is handled after the block request is submitted. Options include: Block; Block, hide detection.
      Severity | Option to specify the severity assigned to the indicator in CrowdStrike when the block action is submitted. Options include: Informal; Low; Medium; High; Critical.

    8. Select Submit.
      The flow execution audit is displayed in the work notes section.
      Block Request work note example