
CrowdStrike Quarantine Endpoint: Contain Host & Network Isolation Guide

Quarantine and contain compromised endpoints in CrowdStrike Falcon to isolate infected hosts from your network. Step-by-step guide to contain, verify, and lift containment, with troubleshooting tips.

Difficulty: intermediate | Last updated: January 2025

Frequently Asked Questions

  • What steps should I take if containment fails in CrowdStrike Falcon?
    If containment fails, first verify whether the endpoint is offline, as this will prevent the command from executing. Check network configurations to ensure there are no restrictions blocking the containment command. Additionally, review any firewall policies that might be affecting the endpoint's connection to the CrowdStrike Falcon Cloud. If the issue persists, attempt to manually restart the endpoint or use alternative management tools to isolate the device temporarily until you can reattempt containment.
  • How can I ensure the integrity of remote administration tools during host containment?
    To maintain access to critical remote administration tools, configure whitelisting in your CrowdStrike policy settings prior to containment. List the specific IP addresses or tools that should remain accessible. This allows administrators to manage contained hosts without compromising security. Always review and update this list regularly to ensure it reflects current operational needs and security policies, thereby minimizing risk while maintaining necessary functionality.
  • What communication capabilities does a contained host retain in CrowdStrike Falcon?
    When a host is contained, it retains communication solely with the CrowdStrike Falcon Cloud for management purposes. Additionally, if configured, the host can access whitelisted addresses and pre-approved remote administration tools. This limited connectivity ensures that security teams can still monitor and manage the endpoint while preventing any communication that could facilitate lateral movement of threats. Be sure to define and regularly review these whitelisted resources to maintain security and operational efficiency.

When a device is suspected of being compromised, CrowdStrike Falcon allows administrators to quarantine (contain) the host, isolating it from the network while maintaining a connection to the Falcon Console. This prevents further spread of threats while allowing security teams to investigate the issue.

This guide explains how to contain a host and later lift containment in the Falcon Console.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (the console URL varies by tenant and cloud region).
  2. Sign in using your admin credentials.

Step 2: Find the Host to Contain

  1. In the left-hand menu, go to Hosts > Host Management.
  2. Use the search bar to find the endpoint by:
    • Hostname
    • IP Address
    • Username
  3. Click on the Host Name to open its details.

Step 3: Contain (Quarantine) the Host

  1. On the Host Details page, click Actions in the top-right corner.
  2. Select Contain Host from the dropdown menu.
  3. Click Confirm to proceed.

📌 What Happens When a Host is Contained?

  • The endpoint loses all network access, except for:
    • Communication with the CrowdStrike Falcon Cloud (so the host remains manageable).
    • Whitelisted addresses (if configured in policy settings).
    • Pre-approved remote administration tools (if allowed).
  • Apart from those exceptions, the host is isolated from both the internal network and the internet.

Step 4: Verify Containment

  1. Return to Hosts > Host Management.
  2. Locate the contained endpoint and check the Containment Status:
    • Contained – The host is successfully isolated.
    • Failed – The containment request did not complete.
  3. Click on the host and look for the Containment Status under Device Details.

📌 Tip: If containment fails, check whether the endpoint is offline (the command can only execute once the sensor checks in) or whether network restrictions are preventing execution.


Step 5: Lift Containment (Unquarantine the Host)

After the security team has resolved the issue, the host can be restored to full network access.

  1. In Host Management, search for the contained endpoint.
  2. Click Actions > Lift Containment.
  3. Click Confirm to remove isolation.

📌 Note: It may take a few minutes for the host to regain network access.
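The console steps above have an API equivalent. As an added example that is not part of this guide or of CrowdStrike's own tooling, the Python below models Steps 3 to 5: it builds the contain / lift-containment request and translates device records into the console's Containment Status, applying the offline check from the Step 4 tip. The endpoint path, action names and status strings are assumed from the public Falcon Hosts API, and the device records are constructed sample data.

```python
"""Added model of the contain -> verify -> lift workflow; runs offline."""
from datetime import datetime, timedelta, timezone

# Endpoint, action names and status strings below are assumed from the
# public Falcon Hosts API; confirm them against your tenant's API reference.
ACTIONS_PATH = "/devices/entities/devices-actions/v2"

def contain_request(aids, lift=False):
    """Build the API call behind Actions > Contain Host / Lift Containment."""
    action = "lift_containment" if lift else "contain"
    return {"method": "POST", "path": f"{ACTIONS_PATH}?action_name={action}",
            "body": {"ids": list(aids)}}

def verify_containment(response, now, offline_after=timedelta(minutes=15)):
    """Map each device record to the console's Containment Status (Step 4).
    A pending request on a host not seen for `offline_after` is flagged as
    offline, the first thing the Step 4 tip says to check when it fails.
    """
    verdicts = {}
    for dev in response.get("resources", []):
        status = dev.get("status", "normal")  # normal | containment_pending | contained | lift_containment_pending
        last_seen = datetime.fromisoformat(dev["last_seen"].replace("Z", "+00:00"))
        offline = now - last_seen > offline_after
        if status == "contained":
            verdict = "Contained"
        elif status.endswith("_pending"):
            verdict = "Pending (host offline, applies on next check-in)" if offline else "Pending"
        else:
            verdict = "Failed"  # request was issued but the host still reports normal
        verdicts[dev["hostname"]] = verdict
    return verdicts

# Constructed sample shaped like GET /devices/entities/devices/v2 output.
SAMPLE_RESPONSE = {"resources": [
    {"device_id": "aid-0001", "hostname": "WS-FIN-07",
     "status": "contained", "last_seen": "2025-01-15T10:00:00Z"},
    {"device_id": "aid-0002", "hostname": "LT-SALES-12",
     "status": "containment_pending", "last_seen": "2025-01-14T08:00:00Z"},
    {"device_id": "aid-0003", "hostname": "SRV-APP-02",
     "status": "normal", "last_seen": "2025-01-15T10:01:00Z"},
]}
DEMO_NOW = datetime(2025, 1, 15, 10, 5, tzinfo=timezone.utc)

def demo():
    """Step 4 check over the constructed sample, as of DEMO_NOW."""
    return verify_containment(SAMPLE_RESPONSE, DEMO_NOW)

if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:12} {verdict}")
```

Swap `SAMPLE_RESPONSE` for the JSON returned by your tenant's device lookup to turn the check into a post-containment verification script.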


Best Practices for Host Containment

  • Contain First, Investigate Second – Prevent lateral movement before deeper analysis.
  • Verify That Containment Succeeded – Check the Falcon Console after issuing the command.
  • Use Whitelisting for Critical Remote Tools – Ensure administrators can still access contained hosts if needed.

Need Professional Help?

Our team of experts can help you implement and configure these solutions for your organization.