CONTAINMENT POLICIES Flashcards
What do containment policies do?
- Can allowlist IP addresses with which your host will always be allowed to communicate, even if the host is contained.
How to configure an allowlist of appropriate IP addresses while the network is under containment?
- Go to Containment Policy Page
- Click Add Rule
- Provide a name, enter an IP, and click Apply
What user roles are required to contain a host or remove it from containment?
User must have the:
- Falcon Administrator role
- Falcon Security Lead role
** All users can see which hosts are contained, as well as host-specific containment history, using the Host App.
What can a host do when it's contained?
- The host can still send and receive information to and from the CrowdStrike Cloud.
- Using the CS Cloud, you can remediate and remove the host from active containment.
- A host under containment remains contained even if the connection to the cloud is severed or if the host is rebooted.
What does a Network Containment Request do?
- Falcon Sensor blocks all incoming/outgoing network connections to and from the host other than the sensor’s connection to the cloud.
- All existing connections will be terminated except those that you have allowed using IP Allow Listing.
How to configure