CrowdStrike | Intermediate

How to Quarantine and Contain a Compromised Endpoint in CrowdStrike Falcon

Isolate infected endpoints to prevent lateral movement during security incidents

8 min read | Updated January 2025

When a device is suspected of being compromised, CrowdStrike Falcon lets administrators contain the host (the console calls this network containment; this guide uses "quarantine" for the same action). Containment blocks the host's network traffic at the sensor while keeping its connection to the Falcon cloud, so the host stays manageable and investigable from the console but can no longer reach other systems. This stops lateral movement and command-and-control traffic while the security team investigates. Note that host containment is distinct from Falcon's file quarantine, which isolates individual detected files rather than the whole host.

This guide explains how to contain and uncontain a host in the Falcon Console.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to your tenant's console URL. It depends on which Falcon cloud your tenant is hosted in, for example https://falcon.crowdstrike.com (US-1) or https://falcon.us-2.crowdstrike.com/ (US-2).
  2. Sign in with an account whose role includes the host containment permission; a read-only analyst role can view hosts but cannot contain them.

Step 2: Find the Host to Contain

  1. In the left-hand menu, go to Hosts > Host Management.
  2. Use the search bar to find the endpoint by:
    • Hostname
    • IP Address
    • Username
  3. Click on the Host Name to open its details.

Step 3: Contain (Quarantine) the Host

  1. On the Host Details page, click Actions in the top-right corner.
  2. Select Contain Host from the dropdown menu.
  3. Click Confirm to proceed.

📌 What Happens When a Host is Contained?

  • The sensor blocks the endpoint's inbound and outbound network traffic, except for:
    • Communication with the CrowdStrike Falcon cloud, so the host stays visible in the console and can still be investigated (for example with Real Time Response).
    • IP addresses and ranges allowlisted in the containment policy (if configured).
    • Remote administration tools whose servers you have added to that allowlist.
  • Apart from those exceptions, the host can reach neither the internal network nor the internet.
  • Containment is a network control only: processes already running on the host are not stopped, and local activity continues until you take further action.

Step 4: Verify Containment

  1. Return to Hosts > Host Management.
  2. Locate the endpoint and check its Containment Status:
    • Contained – The sensor has applied the block and the host is isolated.
    • Containment Pending – The request is queued because the sensor has not checked in (the host is offline or cannot reach the Falcon cloud). It is applied the next time the sensor connects; until then the host is NOT isolated.
    • Failed / Normal – No containment is in effect, for example because the request was rejected.
  3. Click on the host and confirm the same status under Device Details.

📌 Tip: If the status stays at Containment Pending or shows as failed, check whether the endpoint is offline or whether a proxy, egress firewall or NAC rule is blocking the sensor's connection to the Falcon cloud, since that same connection carries the containment command. If you cannot wait for the sensor to reconnect, isolate the host at the network layer (switch port, quarantine VLAN, firewall or NAC block) in the meantime.


Step 5: Lift Containment (Unquarantine the Host)

After the security team has resolved the issue, the host can be restored to full network access.

  1. In Host Management, search for the contained endpoint.
  2. Click Actions > Lift Containment.
  3. Click Confirm to remove isolation.

📌 Note: It may take a few minutes for the host to regain network access. If the host is offline when you lift containment, the status shows Lift Containment Pending until the sensor checks in and receives the command.
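The whole procedure above (find the host, contain it, verify the status, lift containment) can also be driven through the Falcon API, which is how you would script it from an incident-response playbook or a SOAR action. The following is an added example written for this page, not code from the original article or from CrowdStrike. It assumes an API client with read and write access to Hosts, the US-1 API base URL https://api.crowdstrike.com (tenants in other clouds use a different base URL, such as https://api.us-2.crowdstrike.com), and the environment variable names FALCON_CLIENT_ID, FALCON_CLIENT_SECRET and FALCON_BASE_URL, which are this example's own choice. The interpretation of the "pending" states mirrors Step 4: a queued request is not a contained host.

```python
"""Contain a Falcon host, verify its state, and lift containment via the Falcon API.

Added example for this guide; not code from the original article or from CrowdStrike.
Assumes an API client with Hosts read/write access and the US-1 base URL (other clouds
differ). Device IDs (AIDs) are the sensor IDs returned by the devices query endpoint.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_BASE_URL = "https://api.crowdstrike.com"  # US-1; assumption for this example


def build_action_request(action_name, device_ids):
    """Return (path, JSON body) for the devices-actions endpoint."""
    if action_name not in ("contain", "lift_containment"):
        raise ValueError(f"unsupported action: {action_name}")
    if not device_ids:
        raise ValueError("no device ids supplied")
    query = urllib.parse.urlencode({"action_name": action_name})
    return f"/devices/entities/devices-actions/v2?{query}", {"ids": list(device_ids)}


def summarize_action_response(resp):
    """Split a devices-actions response into accepted device IDs and (code, message) errors.

    Falcon can accept some hosts and reject others in one call, so check both lists
    instead of treating a non-empty "resources" as success for every host.
    """
    accepted = [r["id"] for r in resp.get("resources", []) if "id" in r]
    errors = [(e.get("code"), e.get("message", "")) for e in resp.get("errors", [])]
    return accepted, errors


def containment_status(device_records):
    """Map hostname -> containment state ("status" field) from device detail records."""
    return {d.get("hostname", d.get("device_id", "?")): d.get("status", "unknown")
            for d in device_records}


def classify(status, action_name):
    """Interpret a device's containment state relative to the action just requested.

    "pending" means the sensor has not checked in: the request is queued, but the host
    is NOT isolated (or not yet released) until the sensor reconnects.
    """
    if action_name == "contain":
        done, pending = "contained", "containment_pending"
    else:
        done, pending = "normal", "lift_containment_pending"
    if status == done:
        return "done"
    if status == pending:
        return "pending"
    return "not_applied"


class FalconClient:
    """Minimal OAuth2 + JSON client over the standard library (no third-party SDK)."""

    def __init__(self, client_id, client_secret, base_url=DEFAULT_BASE_URL):
        self.base_url = base_url.rstrip("/")
        self.token = None
        form = urllib.parse.urlencode(
            {"client_id": client_id, "client_secret": client_secret}).encode()
        self.token = self._call("POST", "/oauth2/token", raw=form,
                                content_type="application/x-www-form-urlencoded")["access_token"]

    def _call(self, method, path, body=None, raw=None, content_type="application/json"):
        data = raw if raw is not None else (json.dumps(body).encode() if body is not None else None)
        headers = {"Accept": "application/json", "Content-Type": content_type}
        if self.token:
            headers["Authorization"] = f"Bearer {self.token}"
        req = urllib.request.Request(self.base_url + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as r:
                return json.load(r)
        except urllib.error.HTTPError as e:
            # Rejected or partially rejected actions come back as an HTTP error with a JSON
            # body listing the errors; surface that body so the caller can report them.
            return json.loads(e.read() or b"{}")

    def find_device_ids(self, hostname):
        query = urllib.parse.urlencode({"filter": f"hostname:'{hostname}'"})  # FQL filter
        return self._call("GET", f"/devices/queries/devices/v1?{query}").get("resources", [])

    def device_records(self, ids):
        return self._call("POST", "/devices/entities/devices/v2", {"ids": ids}).get("resources", [])

    def host_action(self, action_name, ids):
        path, body = build_action_request(action_name, ids)
        return summarize_action_response(self._call("POST", path, body))


def run(client, hostname, action_name):
    """Issue the action for one hostname and report each host's resulting state."""
    ids = client.find_device_ids(hostname)
    if not ids:
        raise SystemExit(f"no host named {hostname!r}")
    accepted, errors = client.host_action(action_name, ids)
    for code, msg in errors:
        print(f"rejected ({code}): {msg}")
    states = containment_status(client.device_records(accepted)) if accepted else {}
    for host, status in states.items():
        print(f"{host}: {status} -> {classify(status, action_name)}")
    return states


if __name__ == "__main__":
    import sys
    cli = FalconClient(os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"],
                       os.environ.get("FALCON_BASE_URL", DEFAULT_BASE_URL))
    run(cli, sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "contain")
```

Run it as `python contain.py WS01 contain` to contain the host named WS01 and `python contain.py WS01 lift_containment` to release it. A result of "pending" for the contain action should be treated as "not yet isolated" in any playbook logic, exactly as the console's Containment Pending status is in Step 4; the HTTP error body is parsed rather than swallowed so that a host the cloud rejects (for example one already contained) is reported by code and message instead of silently counting as success.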


Best Practices for Host Containment

Contain First, Investigate Second – Prevent lateral movement before deeper analysis.
Verify That Containment Succeeded – Check the Falcon Console after issuing the command.
Allowlist Critical Remote Tools Before an Incident – Add the addresses of your remote administration tools to the containment policy ahead of time so administrators can still reach contained hosts when it matters.

Frequently Asked Questions


What should I do if containment fails or stays pending?

First check whether the endpoint is offline: the sensor must be connected to the Falcon cloud to receive the command, and an offline host shows Containment Pending until it checks in. Next check that nothing on the network path (proxy, egress firewall, NAC policy) is blocking the sensor's connection to the Falcon cloud, since that same connection carries the containment command. Avoid rebooting a suspected-compromised host just to retry: a restart discards volatile evidence (memory contents, active network connections, running processes) that the investigation may need. If you cannot wait for the sensor to reconnect, isolate the device at the network layer instead (disable its switch port or wireless association, move it to a quarantine VLAN, or block it at the firewall or NAC) and reattempt containment once the sensor is back online.
