
How to isolate a CrowdStrike host from your phone

2026-05-27 · 3 min read · By Jason Lazerus, Founder, WeaveHub Technologies LLC

A step-by-step walkthrough of network-containing a Falcon host from PocketSOC on iOS or Android — including biometric confirmation, audit trail, and how to lift isolation when the investigation closes.

CrowdStrike Falcon supports network containment (host isolation) through the Hosts API. PocketSOC exposes that action through a mobile workflow with two safety properties: biometric authentication on the device and explicit confirmation of the host before the API call fires. Here's the full flow.

Prerequisites

  • A configured CrowdStrike vendor connection in PocketSOC (see CrowdStrike Falcon integration)
  • The Falcon OAuth2 API client must have Hosts (read, write) scope
  • Biometric authentication enabled on your device (Face ID, Touch ID, or platform equivalent)

The workflow

  1. You receive a push notification from PocketSOC for a CrowdStrike detection. Tap it.
  2. The app opens directly to the detection. Review the affected host, severity, detection type, and process tree. Make sure this is genuinely compromised — not a noisy detection from a developer running a security tool.
  3. From the detection screen, tap Isolate Host.
  4. PocketSOC prompts for biometric authentication. Authenticate.
  5. A confirmation modal appears with the full host name, the vendor (CrowdStrike Falcon), and the action (Isolate). Read it. Tap Confirm.
  6. PocketSOC calls the Falcon containment API. Falcon accepts the request and marks the host containment pending; containment takes effect as soon as the sensor picks up the instruction, so a host that is offline at that moment is contained the next time it checks in.

A contained host keeps its connection to the Falcon cloud, so you can continue to investigate live; other traffic is blocked apart from any addresses allowlisted in your containment policy. The action appears in Falcon's audit trail attributed to the OAuth2 API client and (where Delegated permissions are configured) the signed-in analyst.

Lifting isolation

When the investigation closes and you're ready to let the host back on the network, repeat the flow from the host details screen — but tap Lift Isolation instead. Same biometric, same confirmation, same audit trail.
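What the two flows above amount to at the API level, as an added example written for this post rather than PocketSOC's own code: an OAuth2 client-credentials token, a hostname lookup that refuses to act unless exactly one device matches, a confirmation hook standing in for the biometric prompt and modal, and the same Hosts endpoint with `action_name=contain` or `action_name=lift_containment`. The endpoint paths, action names and token exchange are CrowdStrike's documented Hosts API; `BASE_URL`, the credentials, and every hostname and AID are placeholders. The HTTP transport is injectable, and the `FakeFalcon` at the bottom is a constructed stand-in for the API so the logic runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
import urllib.error
import urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud; use your cloud's base URL


def urllib_transport(method, url, headers, body):
    """Real transport (standard library only): returns (status_code, parsed_json)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class FalconHosts:
    def __init__(self, client_id, client_secret, base_url=BASE_URL, transport=urllib_transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.base_url, self.transport, self._token = base_url.rstrip("/"), transport, None

    def _bearer(self):
        # Client-credentials grant; the API client needs the Hosts read+write scope.
        if self._token is None:
            body = urlencode({"client_id": self.client_id, "client_secret": self.client_secret}).encode()
            status, data = self.transport("POST", f"{self.base_url}/oauth2/token",
                {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}, body)
            if status not in (200, 201) or "access_token" not in data:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = data["access_token"]
        return self._token

    def _call(self, method, path, params=None, payload=None):
        url = f"{self.base_url}{path}" + ("?" + urlencode(params, doseq=True) if params else "")
        headers = {"Authorization": f"Bearer {self._bearer()}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, data = self.transport(method, url, headers, body)
        if data.get("errors"):
            raise RuntimeError(f"Falcon API error(s): {data['errors']}")
        return status, data

    def resolve_host(self, hostname):
        """Return exactly one device record for hostname; refuse to act on 0 or >1 matches."""
        _, q = self._call("GET", "/devices/queries/devices/v1",
                          {"filter": f"hostname:'{hostname}'", "limit": 10})
        aids = q.get("resources", [])
        if not aids:
            raise LookupError(f"no Falcon host named {hostname!r}")
        _, d = self._call("GET", "/devices/entities/devices/v2", {"ids": aids})
        exact = [r for r in d.get("resources", []) if r.get("hostname", "").lower() == hostname.lower()]
        if len(exact) != 1:  # duplicate AIDs (reimaged machines) happen; never guess which one
            raise LookupError(f"{len(exact)} hosts named {hostname!r}; refusing to act")
        return exact[0]

    def containment_action(self, aid, action):
        if action not in ("contain", "lift_containment"):
            raise ValueError(f"unsupported action {action!r}")
        status, data = self._call("POST", "/devices/entities/devices-actions/v2",
                                  {"action_name": action}, {"ids": [aid]})
        if status != 202:  # Falcon answers 202 Accepted; the sensor applies it on check-in
            raise RuntimeError(f"{action} on {aid} not accepted: HTTP {status}")
        return data

    def host_status(self, aid):
        _, d = self._call("GET", "/devices/entities/devices/v2", {"ids": [aid]})
        return d["resources"][0].get("status", "unknown")


def change_isolation(client, hostname, action, confirm):
    """The post's flow: resolve the host, show the analyst exactly what will happen
    (`confirm` stands in for the biometric prompt and modal), then fire the call."""
    dev = client.resolve_host(hostname)
    aid, applied = dev["device_id"], False
    if confirm(dev["hostname"], aid, action):
        client.containment_action(aid, action)
        applied = True
    return {"hostname": dev["hostname"], "aid": aid, "action": action,
            "applied": applied, "status": client.host_status(aid)}


class FakeFalcon:
    """Constructed stand-in for the Falcon API: a tiny inventory plus containment state."""
    def __init__(self):
        self.hosts = {  # constructed AIDs; WS-042 appears twice, as a reimaged machine would
            "aid-111": {"device_id": "aid-111", "hostname": "LAPTOP-7", "status": "normal"},
            "aid-222": {"device_id": "aid-222", "hostname": "WS-042", "status": "normal"},
            "aid-333": {"device_id": "aid-333", "hostname": "WS-042", "status": "normal"},
        }

    def __call__(self, method, url, headers, body):
        parts, q = urlsplit(url), parse_qs(urlsplit(url).query)
        if parts.path == "/oauth2/token":
            return 201, {"access_token": "fake-token", "expires_in": 1799}
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, {"errors": [{"code": 401, "message": "access denied"}]}
        if parts.path == "/devices/queries/devices/v1":
            name = q["filter"][0].split("'")[1]
            return 200, {"resources": [a for a, h in self.hosts.items() if h["hostname"] == name], "errors": []}
        if parts.path == "/devices/entities/devices/v2":
            return 200, {"resources": [self.hosts[a] for a in q["ids"]], "errors": []}
        if parts.path == "/devices/entities/devices-actions/v2":
            pending = {"contain": "containment_pending", "lift_containment": "lift_containment_pending"}
            ids = json.loads(body)["ids"]
            for aid in ids:
                self.hosts[aid]["status"] = pending[q["action_name"][0]]
            return 202, {"resources": [{"id": a} for a in ids], "errors": []}
        return 404, {"errors": [{"code": 404, "message": "not found"}]}
```

Against a real tenant you would construct `FalconHosts(client_id, client_secret)` with the default transport and pass a `confirm` callback that displays the resolved hostname and AID and returns True only after the analyst accepts; the offline run with `FakeFalcon()` as the transport shows the two safety properties that matter, namely that a hostname resolving to two AIDs is rejected before any action is queued, and that declining the confirmation leaves the host's status untouched.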

What PocketSOC doesn't do

PocketSOC does not start CrowdStrike Real Time Response (RTR) sessions or execute commands on endpoints. See the RTR FAQ entry. For deeper investigation workflows — running custom queries, dropping into a host shell — you still need the Falcon console.

For the broader workflow context, see host containment.

