How to Quarantine and Contain a Compromised Endpoint in CrowdStrike Falcon

When a device is suspected of being compromised, CrowdStrike Falcon allows administrators to quarantine (contain) the host, isolating it from the network while maintaining a connection to the Falcon Console. This prevents further spread of threats while allowing security teams to investigate the issue.

This guide explains how to contain and uncontain a host in the Falcon Console.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com.
  2. Sign in using your admin credentials.

Step 2: Find the Host to Contain

  1. In the left-hand menu, go to Hosts > Host Management.
  2. Use the search bar to find the endpoint by:
    • Hostname
    • IP Address
    • Username
  3. Click on the Host Name to open its details.

Step 3: Contain (Quarantine) the Host

  1. On the Host Details page, click Actions in the top-right corner.
  2. Select Contain Host from the dropdown menu.
  3. Click Confirm to proceed.

📌 What Happens When a Host is Contained?

  • The endpoint loses all network access, except for:
    • Communication with the CrowdStrike Falcon Cloud (so the sensor stays manageable and the host can still be investigated).
    • Allowlisted addresses (if configured in the policy settings).
    • Pre-approved remote administration tools (if allowed).
  • Apart from those exceptions, the host is cut off from both the internal network and the internet.

Step 4: Verify Containment

  1. Return to Hosts > Host Management.
  2. Locate the contained endpoint and check the Containment Status:
    • Contained – The host is successfully isolated.
    • Failed – The containment request did not complete.
  3. Click on the host and look for the Containment Status under Device Details.

📌 Tip: If containment fails, check whether the endpoint is offline or whether network restrictions are preventing the sensor from receiving the command.


Step 5: Lift Containment (Unquarantine the Host)

After the security team has resolved the issue, the host can be restored to full network access.

  1. In Host Management, search for the contained endpoint.
  2. Click Actions > Lift Containment.
  3. Click Confirm to remove isolation.

📌 Note: It may take a few minutes for the host to regain network access.
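The same workflow (find the host, contain it, verify the status, lift containment) can be scripted against the Falcon Hosts API, which matters when many hosts must be contained at once or containment is triggered from a playbook. The script below is an added example, not code from this page or from CrowdStrike. It assumes the US-1 API base URL (https://api.crowdstrike.com), an API client with the Hosts read and write scopes, and the Hosts API endpoint paths as CrowdStrike documents them (/oauth2/token, /devices/queries/devices/v1, /devices/entities/devices/v2, /devices/entities/devices-actions/v2); the FakeFalconCloud class, its hostname and its agent ID are constructed stand-ins so the script runs offline without credentials.

```python
# Added example (not from the page or CrowdStrike): steps 2-5 of the guide driven
# through the Falcon Hosts API. BASE_URL assumes the US-1 cloud; FakeFalconCloud,
# its hostname and its agent ID (AID) are constructed so the script runs offline.
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"


class FalconHosts:
    """transport(method, url, headers, body) -> (http_status, parsed_json); default is HTTPS."""

    def __init__(self, client_id, client_secret, base_url=BASE_URL, transport=None):
        self.base_url, self.transport = base_url.rstrip("/"), transport or self._https
        form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
        status, data = self.transport("POST", f"{self.base_url}/oauth2/token",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status not in (200, 201):
            raise RuntimeError(f"authentication failed: HTTP {status}")
        self.token = data["access_token"]  # short-lived OAuth2 bearer token

    @staticmethod
    def _https(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")

    def _call(self, method, path, params=None, payload=None):
        url = f"{self.base_url}{path}" + ("?" + urllib.parse.urlencode(params) if params else "")
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, data = self.transport(method, url, headers, body)
        if status >= 400 or data.get("errors"):  # per-resource errors can arrive on a 2xx
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data.get('errors')}")
        return data

    def find_host_ids(self, hostname):
        # FQL filter with a single-quoted value; several agent IDs may share one hostname.
        return self._call("GET", "/devices/queries/devices/v1",
                          {"filter": f"hostname:'{hostname}'"})["resources"]

    def host_status(self, aid):
        # Containment state is the device record's "status" field (normal, containment_pending, ...).
        return self._call("GET", "/devices/entities/devices/v2", [("ids", aid)])["resources"][0]["status"]

    def perform_action(self, action, aids):
        # action is "contain" or "lift_containment"; the request is accepted, not yet applied.
        return self._call("POST", "/devices/entities/devices-actions/v2",
                          {"action_name": action}, {"ids": aids})

    def wait_for_status(self, aid, wanted, attempts=12, delay=5.0, sleep=time.sleep):
        # Step 4 of the guide: poll until the host itself reports the state, do not trust the request.
        for _ in range(attempts):
            status = self.host_status(aid)
            if status == wanted:
                return status
            sleep(delay)
        raise TimeoutError(f"{aid} never reached '{wanted}', last seen '{status}'")


class FakeFalconCloud:
    """Constructed offline stand-in: one host whose pending action settles after one poll."""

    def __init__(self, aid="0123456789abcdef0123456789abcdef", hostname="WKS-FIN-042"):
        self.aid, self.hostname, self.status, self.pending = aid, hostname, "normal", None

    def __call__(self, method, url, headers, body):
        u = urllib.parse.urlparse(url)
        path, q = u.path, urllib.parse.parse_qs(u.query)
        if path == "/oauth2/token":
            return 201, {"access_token": "constructed-token"}
        if path == "/devices/queries/devices/v1":
            return 200, {"resources": [self.aid] if q["filter"][0] == f"hostname:'{self.hostname}'" else []}
        if path == "/devices/entities/devices/v2":
            # report the current state, then let any pending transition settle for the next poll
            reported, self.status, self.pending = self.status, self.pending or self.status, None
            return 200, {"resources": [{"device_id": self.aid, "status": reported}]}
        if path == "/devices/entities/devices-actions/v2" and json.loads(body)["ids"] == [self.aid]:
            contain = q["action_name"][0] == "contain"
            self.status = "containment_pending" if contain else "lift_containment_pending"
            self.pending = "contained" if contain else "normal"
            return 202, {"resources": [{"id": self.aid}]}
        return 404, {"errors": [{"code": 404, "message": "not found"}]}


def contain_and_verify(hostname, client, sleep=time.sleep):
    """Steps 2-4: resolve the hostname, contain every matching AID, confirm each reports 'contained'."""
    aids = client.find_host_ids(hostname)
    if not aids:
        raise LookupError(f"no host named {hostname}")
    client.perform_action("contain", aids)
    return {aid: client.wait_for_status(aid, "contained", sleep=sleep) for aid in aids}


def release(aids, client, sleep=time.sleep):
    """Step 5: lift containment and confirm each host is back to 'normal'."""
    client.perform_action("lift_containment", aids)
    return {aid: client.wait_for_status(aid, "normal", sleep=sleep) for aid in aids}
```

To run it offline, pass `transport=FakeFalconCloud()` to `FalconHosts`; to go live, pass real API credentials and leave `transport` unset. The action endpoint only accepts the request, so `wait_for_status` reproduces Step 4 by polling the device record until the host reports `contained` (or `normal` after lifting), which is the check the guide asks for; a host that never leaves `containment_pending` is the scripted equivalent of the Failed status in the console and should be handled the same way.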


Best Practices for Host Containment

  • Contain First, Investigate Second – Prevent lateral movement before deeper analysis.
  • Verify That Containment Succeeded – Check the Falcon Console after issuing the command.
  • Use Allowlisting for Critical Remote Tools – Ensure administrators can still access contained hosts if needed.