

How to Network Contain an Endpoint with Falcon Endpoint Protection


This document and the accompanying video demonstrate how to network contain (quarantine) an endpoint with Falcon Endpoint Protection. When a system is contained, it loses the ability to make network connections to anything other than the CrowdStrike cloud infrastructure and any internal IP addresses that have been specified in the Respond app.




Prerequisite: a Windows 7 SP1 or higher system with the Falcon sensor installed.


In the Falcon UI, navigate to the Detections app. Network containment is often necessary when a system appears infected and you want to prevent lateral movement, persistence and exfiltration, among other risks.

In the Activity app, we see a system with multiple detections in a short amount of time, and it can quickly be ascertained that action should be taken. To get more detail, select any line where an alert is indicated. Doing so provides more detail and lets you take immediate action.


After drilling into the alert, we can see multiple detection patterns, including known malware, credential theft and web exploit. Drilling into the process tree, we can see that reconnaissance was performed and credential theft occurred, possibly in preparation for lateral movement.


To prevent this movement and isolate the system from the network, select the "Network contain this machine" option near the top of the page.

Selecting "Network contain" opens a dialog box with a summary of the changes you are about to make and an area to add comments.


After the information is entered, select Confirm. The dialog box closes and returns you to the previous Detections window. To verify that the host has been contained, select the Hosts icon next to the Network contain button.


The Hosts app opens so you can verify that containment is either in progress or complete. Containment should complete within a few seconds; if it is still pending, the system may currently be offline, since the sensor has to receive the containment order from the cloud before it can enforce it.

[Screenshot: contained host in the Hosts app]



After investigation and remediation of the potential threat, it is easy to bring the device back online. Because the connection between the Falcon sensor and the cloud is still permitted while a host is contained, un-containing is accomplished through the Falcon UI.

In the UI, navigate to the Hosts app. Locate the contained host, or filter hosts on "Contained" at the top of the screen. Once the host is selected you'll see that the status is Contained (see the previous screenshot); click the "Status: Contained" button.


Add any comments and select "Confirm". The status changes from "Lift containment pending" to "Normal" (a refresh may be required). Again, if the change doesn't happen within a few seconds, the host may be offline.
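The same contain / verify / lift-containment procedure can be driven through the Falcon Hosts API instead of the UI, which is what you want once containment becomes part of an automated response playbook. The script below is an added example and is not code from the original article or from CrowdStrike. It assumes the US-1 cloud base URL (api.crowdstrike.com; other clouds use a different host), an API client with the Hosts: Write scope, and the documented Falcon endpoints for OAuth2 tokens, host queries by FQL filter, device actions (contain / lift_containment) and device details. The FakeFalcon transport is a constructed stand-in so the example runs offline: it models an online host that acknowledges the action after one sensor check-in and an offline host that stays pending, the same two outcomes the Hosts app shows you.

```python
"""Contain / un-contain a Falcon host via the CrowdStrike API (added example).

Assumptions: US-1 cloud, an API client with Hosts: Write scope, and the
status values the Hosts app displays (normal, containment_pending,
contained, lift_containment_pending). FakeFalcon is a constructed stand-in
for the real API so the script runs offline.
"""
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1; adjust for your cloud

# Final state each action should reach, and the transient state while the
# sensor has not yet picked up the order (typically because the host is offline).
FINAL_STATE = {"contain": "contained", "lift_containment": "normal"}
PENDING_STATE = {"contain": "containment_pending", "lift_containment": "lift_containment_pending"}


def http_transport(method, url, headers, body=None):
    """Real transport: send the request and return the parsed JSON body."""
    data = body.encode() if isinstance(body, str) else body
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class FalconHosts:
    def __init__(self, client_id, client_secret, transport=http_transport, base_url=BASE_URL):
        self._send, self._base = transport, base_url
        form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
        tok = self._send("POST", f"{base_url}/oauth2/token",
                         {"Content-Type": "application/x-www-form-urlencoded"}, form)
        self._headers = {"Authorization": f"Bearer {tok['access_token']}",
                         "Content-Type": "application/json", "Accept": "application/json"}

    def query(self, fql):
        """Host IDs (AIDs) matching an FQL filter, e.g. status:'contained'."""
        url = f"{self._base}/devices/queries/devices/v1?filter={urllib.parse.quote(fql, safe='')}"
        return self._send("GET", url, self._headers)["resources"]

    def status(self, aid):
        url = f"{self._base}/devices/entities/devices/v2?ids={aid}"
        return self._send("GET", url, self._headers)["resources"][0]["status"]

    def _run(self, action, aid, timeout, poll):
        """Issue the action, then poll until the sensor acknowledges it or we time out.
        A host still in the pending state at timeout is most likely offline."""
        url = f"{self._base}/devices/entities/devices-actions/v2?action_name={action}"
        self._send("POST", url, self._headers, json.dumps({"ids": [aid]}))
        deadline = time.monotonic() + timeout
        while True:
            state = self.status(aid)
            if state == FINAL_STATE[action] or time.monotonic() >= deadline:
                return state
            time.sleep(poll)

    def contain(self, aid, timeout=30, poll=2):
        return self._run("contain", aid, timeout, poll)

    def lift_containment(self, aid, timeout=30, poll=2):
        return self._run("lift_containment", aid, timeout, poll)


class FakeFalcon:
    """Constructed offline stand-in: 'aid-online' acknowledges an action on its
    second status poll (one sensor check-in); 'aid-offline' never does."""
    def __init__(self):
        self.state = {"aid-online": "normal", "aid-offline": "normal"}
        self.pending = {}  # aid -> (action, polls seen)

    def __call__(self, method, url, headers, body=None):
        u = urllib.parse.urlparse(url)
        q = urllib.parse.parse_qs(u.query)
        if u.path == "/oauth2/token":
            return {"access_token": "fake-token", "expires_in": 1799}
        assert headers["Authorization"] == "Bearer fake-token"
        if u.path == "/devices/queries/devices/v1":  # supports status:'x' filters only
            return {"resources": [a for a, s in self.state.items() if q["filter"][0] == f"status:'{s}'"]}
        if u.path == "/devices/entities/devices-actions/v2":
            ids = json.loads(body)["ids"]
            for aid in ids:
                self.state[aid] = PENDING_STATE[q["action_name"][0]]
                self.pending[aid] = (q["action_name"][0], 0)
            return {"resources": [{"id": a} for a in ids]}
        if u.path == "/devices/entities/devices/v2":
            aid = q["ids"][0]
            if aid == "aid-online" and aid in self.pending:
                action, n = self.pending[aid]
                if n >= 1:
                    self.state[aid] = FINAL_STATE[action]
                    del self.pending[aid]
                else:
                    self.pending[aid] = (action, n + 1)
            return {"resources": [{"device_id": aid, "status": self.state[aid]}]}
        raise ValueError(f"unexpected path {u.path}")


if __name__ == "__main__":
    api = FalconHosts("client-id", "client-secret", transport=FakeFalcon())
    print("contain online host:", api.contain("aid-online", poll=0))
    print("contain offline host:", api.contain("aid-offline", timeout=0, poll=0))
    print("lift containment:", api.lift_containment("aid-online", poll=0))
```

Against a real tenant, drop the transport argument so http_transport is used, and resolve the AID first with query("hostname:'<name>'") rather than typing it by hand; the status-poll loop is the scripted equivalent of watching the Hosts app flip from pending to Contained, and a result that stays in a pending state after the timeout should be treated the way the article treats it: the host is offline and the order will apply when the sensor next reaches the cloud.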




Network containment is a fast and powerful tool designed to give the security admin the power needed to identify threats and stop them. For more information on Falcon, see the additional resources and links.


