Findings
Generator
Configuration
Lucidum Reverse
Architecture
Statistics
← All Findings
Vendor:
CrowdStrike Falcon
FIN-594
Weight:
5
4
3
2
1
Confidence:
High
Medium
Low
Edited:
2026-03-06 18:14
Verified
What It Detects
A network containment action has been initiated for this host in CrowdStrike Falcon, but isolation has not yet completed. The host remains connected to the network and can still communicate with other systems. This is a critical window — the host was flagged for containment (typically due to an active security incident), yet it retains full network access until the Falcon sensor receives and enforces the containment policy.
MITRE ATT&CK Techniques
Comma-separated, e.g. T1078, T1190
Checks
read-only
Field
Operator
Value
Status
equals
containment_pending
Remediation
×
×
×
×
×
+ Add item
Why It Matters
×
×
×
+ Add item
Save Changes
Export Lucidum