CrowdStrikeintermediate

CrowdStrike Quarantine Endpoint: Contain Host & Network Isolation Guide

Quarantine and contain compromised endpoints in CrowdStrike Falcon to isolate infected hosts from your network. Step-by-step guide to contain, verify, and lift containment with troubleshooting tips.

8 min readUpdated January 2025

Want us to handle this for you?

Get expert help →

When a device is suspected of being compromised, **CrowdStrike Falcon** allows administrators to **quarantine (contain) the host**, isolating it from the network while maintaining a connection to the **Falcon Console**. This prevents further spread of threats while allowing security teams to investigate the issue.

This guide explains how to **contain and uncontain a host** in the Falcon Console.

---

Step 1: Log Into the Falcon Console

    - Open a browser and go to: [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/) or [https://falcon.us-2.crowdstrike.com/](https://falcon.us-2.crowdstrike.com/) (Varies by tenant). - Sign in using your **admin credentials**.
---

Step 2: Find the Host to Contain

    - In the **left-hand menu**, go to **Hosts** > **Host Management**. - Use the **search bar** to find the endpoint by:

    • Hostname

    • IP Address

    • Username

    • Click on the Host Name to open its details.

Step 3: Contain (Quarantine) the Host

    - On the **Host Details** page, click **Actions** in the top-right corner. - Select **Contain Host** from the dropdown menu. - Click **Confirm** to proceed.

📌 **What Happens When a Host is Contained?**

- The endpoint **loses all network access**, except for:

  • Communication with CrowdStrike Falcon Cloud (to remain manageable).

  • Whitelisted addresses (if configured in policy settings).

  • Pre-approved remote administration tools (if allowed).

  • The host is fully isolated from the internal network and internet.

Step 4: Verify Containment

    - Return to **Hosts > Host Management**. - Locate the contained endpoint and check the **Containment Status**:

    • Contained – The host is successfully isolated.

    • Failed – The containment request did not complete.

    • Click on the host and look for the Containment Status under Device Details.

📌 Tip: If containment fails, check if the endpoint is offline or if there are network restrictions preventing execution.

Step 5: Lift Containment (Unquarantine the Host)

After the security team has **resolved the issue**, the host can be **restored to full network access**.

    - In **Host Management**, search for the contained endpoint. - Click **Actions** > **Lift Containment**. - Click **Confirm** to remove isolation.

📌 **Note:** It may take a few minutes for the host to regain network access.

---

Best Practices for Host Containment

✅ **Contain First, Investigate Second** – Prevent lateral movement before deeper analysis.
✅ **Verify That Containment Succeeded** – Check the Falcon Console after issuing the command.
✅ **Use Whitelisting for Critical Remote Tools** – Ensure administrators can still access contained hosts if needed.

Frequently Asked Questions

Find answers to common questions

If containment fails, first verify if the endpoint is offline, as this will prevent the command from executing. Check network configurations to ensure there are no restrictions blocking the containment command. Additionally, review any firewall policies that might be affecting the endpoint's connection to the CrowdStrike Falcon Cloud. If the issue persists, attempt to manually restart the endpoint or use alternative management tools to isolate the device temporarily until you can reattempt containment.

Need Expert CrowdStrike Management?

Our team manages CrowdStrike deployments for businesses like yours. Get 24/7 threat detection and response with expert oversight.

Learn About 24/7 Detection & ResponseExplore Vulnerability Management

Related Articles

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

Create and manage user roles in CrowdStrike Falcon. Configure RBAC, assign permissions, and restrict console access.

Read More →

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Configure CrowdStrike exclusions for Exchange Server. Protect database files, logs, and processes to ensure mail flow.

Read More →

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

Step-by-step guide to deploy CrowdStrike Falcon sensors using Group Policy. Silent installation, startup scripts, troubleshooting tips for AD environments.

Read More →
Back to CrowdStrike