Steps to Quarantine an Infected Host

From Notes_Wiki


CrowdStrike – Steps to Quarantine an Infected Host

Purpose

To quarantine (network contain) an infected host using the CrowdStrike Admin Console and to lift the containment after remediation.

Prerequisites

  • Access to CrowdStrike Admin Console
  • Hostname of the infected system

Steps to Quarantine an Infected Host

Step 1: Login

  • Log in to the CrowdStrike Admin Console.

Step 2: Identify the Host

  • Navigate to: Host Setup and Management → Host Management

  • Identify the infected host using its hostname.

(Note: For this document, an R&D host is used.)

Step 3: Filter Host by Hostname

  • Click on "Add filters"
  • Search and select "Hostname"
  • Select "Equals"
  • Enter the <hostname> of the machine to be quarantined
  • Select the <host>
  • Click "Apply"

Step 4: Network Contain the Host

  • Click on the identified host
  • A details panel will open on the right side
  • Click on "Actions"
  • Select "Network Contain Host"

Step 5: Pre-Containment Check

  • Verify network connectivity before containment
  • Ping the host's IP address
  • The ping should succeed; this confirms the host is reachable so that the loss of connectivity after containment can be observed

Step 6: Confirm Containment

  • A confirmation pop-up will appear
  • Enter the reason for containment
  • Confirm the containment action

Step 7: Containment Status

  • Initial status: Containment Pending
  • Final status: Contained
  • Result: the system is successfully contained and all network communication is blocked.

Steps to Lift Network Containment

Step 1: Select Host

  • Click on the <contained host>
  • Click on "Actions"

Step 2: Lift Containment

  • Select "Lift Network Containment"
  • Enter the reason for lifting containment
  • Click "Lift Containment"
  • Confirm the action

Step 3: Status After Lift

  • Network Containment status changes to Normal
  • Host regains normal network communication
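The two console procedures above (contain, then lift containment after remediation) can also be driven through the CrowdStrike Falcon API, which is useful when the same containment has to be applied repeatably or recorded in a ticket. The script below is an added example and is not part of the wiki page or CrowdStrike's own tooling. Everything about the API in it is an assumption to verify against your Falcon API documentation: the OAuth2 token route, the hostname query with an FQL filter, the device-details route, the device-actions route with the action names contain and lift_containment, and the status strings, which are chosen to mirror the console states on the page (Containment Pending, Contained, Normal). The "reason" the console asks for is kept in a local audit record here, since the example does not assume the API accepts one. The hostname, host ID and the FakeFalcon stand-in are constructed so the flow runs offline; one caveat worth knowing when reading Step 7 is that network containment leaves the sensor's own channel to the CrowdStrike cloud open, so the ping check is the practical confirmation that everything else is blocked.

```python
import json
import time
import urllib.parse
import urllib.request

# Device "status" values this example assumes the API reports; they correspond
# to the console states on the page (Containment Pending, Contained, Normal).
PENDING = "containment_pending"
CONTAINED = "contained"
LIFT_PENDING = "lift_containment_pending"
NORMAL = "normal"


class FalconClient:
    """Small Falcon API wrapper. transport(method, path, body, headers, form)
    is injectable so the contain / lift flow can be exercised offline."""

    def __init__(self, base_url, client_id, client_secret, transport=None):
        self.base_url = base_url.rstrip("/")
        self.creds = (client_id, client_secret)
        self.transport = transport or self._http
        self.token = None

    def _http(self, method, path, body=None, headers=None, form=False):
        # Real HTTP transport (assumed routes; not exercised by the offline demo).
        if body is None:
            data = None
        elif form:
            data = urllib.parse.urlencode(body).encode()
        else:
            data = json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=headers or {})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())

    def _call(self, method, path, body=None, form=False):
        if self.token is None:  # OAuth2 client-credentials grant (assumed route)
            tok = self.transport("POST", "/oauth2/token",
                                 {"client_id": self.creds[0], "client_secret": self.creds[1]},
                                 {"Content-Type": "application/x-www-form-urlencoded"}, True)
            self.token = tok["access_token"]
        headers = {"Authorization": "Bearer " + self.token,
                   "Content-Type": "application/json"}
        return self.transport(method, path, body, headers, form)

    def find_host_id(self, hostname):
        """Step 3 of the page: exact-match hostname filter. Refuse to act unless
        exactly one host matches, so the wrong machine is never contained."""
        fql = urllib.parse.quote(f"hostname:'{hostname}'", safe="")
        ids = self._call("GET", f"/devices/queries/devices/v1?filter={fql}").get("resources", [])
        if len(ids) != 1:
            raise LookupError(f"expected exactly one host named {hostname!r}, got {len(ids)}")
        return ids[0]

    def containment_status(self, host_id):
        r = self._call("GET", f"/devices/entities/devices/v2?ids={urllib.parse.quote(host_id)}")
        return r["resources"][0]["status"]

    def device_action(self, host_id, action_name):
        """action_name is 'contain' or 'lift_containment' (assumed names)."""
        return self._call("POST", f"/devices/entities/devices-actions/v2?action_name={action_name}",
                          {"ids": [host_id]})

    def wait_for(self, host_id, target, attempts=60, interval=5, sleep=time.sleep):
        """Poll until the device reaches target (Step 7 / Lift Step 3); return the
        sequence of statuses observed so the transition can be recorded."""
        seen = []
        for _ in range(attempts):
            status = self.containment_status(host_id)
            seen.append(status)
            if status == target:
                return seen
            sleep(interval)
        raise TimeoutError(f"{host_id} did not reach {target!r}; observed {seen}")


def contain_host(client, hostname, reason, sleep=time.sleep):
    """Steps 2-7 of the page: locate, contain, wait for Contained."""
    host_id = client.find_host_id(hostname)
    client.device_action(host_id, "contain")
    seen = client.wait_for(host_id, CONTAINED, sleep=sleep)
    return {"host_id": host_id, "reason": reason, "transitions": seen}


def lift_containment(client, hostname, reason, sleep=time.sleep):
    """Lift steps 1-3 of the page: locate, lift, wait for Normal."""
    host_id = client.find_host_id(hostname)
    client.device_action(host_id, "lift_containment")
    seen = client.wait_for(host_id, NORMAL, sleep=sleep)
    return {"host_id": host_id, "reason": reason, "transitions": seen}


class FakeFalcon:
    """Constructed stand-in for the API: one host whose status advances one step
    per poll after an action, the way the console shows Pending then Contained."""

    def __init__(self, hostname, host_id):
        self.hostname, self.host_id, self.status = hostname, host_id, NORMAL
        self.pending_target = None

    def __call__(self, method, path, body=None, headers=None, form=False):
        if path == "/oauth2/token":
            return {"access_token": "constructed-token"}
        assert headers.get("Authorization") == "Bearer constructed-token"
        if path.startswith("/devices/queries/devices/v1"):
            wanted = urllib.parse.unquote(path.split("filter=", 1)[1])
            return {"resources": [self.host_id] if wanted == f"hostname:'{self.hostname}'" else []}
        if path.startswith("/devices/entities/devices/v2"):
            current = self.status
            if self.pending_target is not None:  # advance one step per poll
                self.status, self.pending_target = self.pending_target, None
            return {"resources": [{"device_id": self.host_id, "status": current}]}
        if path.startswith("/devices/entities/devices-actions/v2"):
            action = path.split("action_name=", 1)[1]
            assert body == {"ids": [self.host_id]}
            if action == "contain":
                self.status, self.pending_target = PENDING, CONTAINED
            elif action == "lift_containment":
                self.status, self.pending_target = LIFT_PENDING, NORMAL
            return {"resources": [{"id": self.host_id}]}
        raise ValueError("unexpected path " + path)


if __name__ == "__main__":
    fake = FakeFalcon("rnd-host-01", "constructed-aid-0001")  # constructed values
    c = FalconClient("https://api.crowdstrike.com", "client-id", "client-secret", transport=fake)
    print(contain_host(c, "rnd-host-01", "suspected malware", sleep=lambda s: None))
    print(lift_containment(c, "rnd-host-01", "remediated", sleep=lambda s: None))
```

Run with the fake transport as in the main block to see the recorded transitions; to run against the real API, drop the transport argument and supply an API client ID and secret with the device-actions scope. The exact-match lookup refusing to act on zero or several matches is deliberate: the console's "Equals" filter plus a manual click prevents containing the wrong host, and a script needs the same guard.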