Contain CrowdStrike devices from a detection
You can initiate containment of CrowdStrike devices that are participants in a security detection. Containment prevents devices from establishing connections to other devices on your network.
After you initiate containment from a detection, a request is made to CrowdStrike Falcon to contain the devices and a Containment Pending status appears next to the participant. The status is updated to Contained only after the ExtraHop system receives a response from CrowdStrike.
Before you begin
- Device containment must be enabled for the CrowdStrike integration.
- Users must be granted access through the Detections Access Control global policy and have limited-write privileges or higher to complete the tasks in this guide.
- Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
- At the top of the page, click Detections.
Click a detection title to view the detection detail page.
The number of CrowdStrike devices that are participants in the detection appear in the Integrations section under Track Detection.
Click Contain Devices in CrowdStrike.
The dialog box displays the CrowdStrike devices associated with the detection.
Select the devices you want to contain and click Contain in
A request is sent to CrowdStrike and the Containment Pending status appears next to each selected participant.
- Verify device containment by checking the status from the detection details. The
containment status also appears in the device properties.
- Retry containing a device. The Containment Pending status no longer appears when a containment request to CrowdStrike is denied or expires.
- Release a device from containment from the CrowdStrike Falcon console. From the Integrations section under Track Detection, click CrowdStrike Falcon to open the console in a new tab. The containment status no longer appears after the ExtraHop system receives a response from CrowdStrike.
Thank you for your feedback. Can we contact you to ask follow up questions?