Product · 4 MIN READ · CLAIRE HOGAN AND JAKE GODGART · MAY 27, 2025 · TAGS: AI & automation
TL;DR
- This auto remediation series focuses on understanding the functionality of all of Expel’s auto remediations
- The “contain host” response action enables the Expel SOC to isolate hosts from your network, stopping communication while allowing analysts to investigate and respond
- You can find blogs on these auto remediations as well (post-publication): Kill process, block bad hash, delete malicious file, delete registry key, disable user account, reset credentials, terminate session, disable access key, and remove malicious email
Host containment—also known as endpoint isolation or endpoint quarantine—is a critical security incident response strategy to prevent an attacker or malware from spreading within a network.
If an endpoint (like a workstation or server) is compromised, it becomes an opening for attackers to move laterally across your network, access data, or communicate with command-and-control (C2) infrastructure. Our contain host auto remediation allows our SOC analysts—with your pre-approval—to automatically isolate a compromised or suspicious endpoint from your network.
This action immediately severs the connection, stopping movement, communication, and further damage. We primarily use this action via your endpoint detection and response (EDR) tooling, and orchestrate it through Expel Workbench™.
How it works
The contain host auto remediation blocks incoming and outgoing traffic to a potentially compromised endpoint. SOC analysts can then continue to triage the security incident while reducing the risk of lateral movement, since the compromised device is no longer connected to the network.
Expel integrates with vendor APIs to enable automatic host containment across a variety of technologies. Security devices handle host containment in a variety of different ways, including:
- Blocking all TCP traffic to any IP address or port
- Blocking all UDP connections except those responsible for DNS requests (like UDP/53)
- Allowing ARP so IP addresses can still be resolved to MAC addresses on the local segment
- Allowing ICMP
- Terminating active sockets
Security devices supporting host containment via API generally allow containment to be reverted. This ensures the host can communicate over the network again when the threat has been resolved.
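As an added example (not Expel's or any EDR vendor's code), the Python model below captures the containment behaviour listed above: TCP is dropped, UDP is dropped except DNS, ARP and ICMP pass, the EDR console address (an assumed value) stays reachable so the host can still be managed, existing connections that violate the policy are torn down, and containment can be released once the threat is resolved.

```python
"""Constructed model of a contain-host network policy; not production code."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Proto(Enum):
    TCP = "tcp"
    UDP = "udp"
    ICMP = "icmp"
    ARP = "arp"


@dataclass(frozen=True)
class Packet:
    proto: Proto
    remote_ip: str
    remote_port: Optional[int] = None  # None for ARP and ICMP


class ContainmentPolicy:
    """Decides whether a packet may enter or leave a host under containment."""

    def __init__(self, edr_console_ips: FrozenSet[str]):
        # Assumed: addresses of the EDR console that must stay reachable.
        self.edr_console_ips = edr_console_ips
        self.contained = False

    def contain(self, active: List[Packet]) -> List[Packet]:
        """Enter containment and return the existing connections to tear down."""
        self.contained = True
        return [p for p in active if not self.allows(p)]

    def release(self) -> None:
        """Revert containment so the host can talk on the network again."""
        self.contained = False

    def allows(self, pkt: Packet) -> bool:
        if not self.contained:
            return True
        if pkt.proto in (Proto.ARP, Proto.ICMP):
            return True  # address resolution and basic reachability stay up
        if pkt.remote_ip in self.edr_console_ips:
            return True  # management channel to the EDR console stays open
        if pkt.proto is Proto.UDP and pkt.remote_port == 53:
            return True  # DNS stays available
        return False  # every other TCP and UDP flow is dropped
```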
Preventing business disruption using Org Context
One of the unique aspects of Expel’s Workbench platform is the ability for customers to configure their Org Context (login required). This allows customers to decide what, when, and how actions are taken based on their technology, business context, risk tolerance, policies, internal processes, and general comfort level. To ensure we’re able to remediate in your environment without disrupting your business-critical systems, customers often tell us about their:
- High-risk entities: assets known to be high-risk because of their role in business operations, the sensitive data they hold, or known vulnerabilities.
- “Crown jewels”: your top priorities, the assets that matter most to the business.
For example, customers may define in their Org Context that a business-critical server should never be taken offline with the contain host auto remediation, but will allow the kill process action to be taken.
When does Expel use the contain host auto remediation?
The contain host auto remediation is most common for high-risk incidents. Our SOC typically uses this response action early in our detection and response workflow because we’re confident it will mitigate activity (and cut off the attacker) before the threat spreads to multiple machines.
As with all auto remediations, our team takes into account customer preferences using Org Context—what, when, and how our analysts kick off this action on your behalf for pre-approved scenarios, such as:
- Active ransomware spread: Isolating a “patient zero” machine or other rapidly infected hosts during a ransomware outbreak to prevent spread. This occurs when we detect malware propagated by remote access tools (RATs) or initial access tools (IATs) such as Qakbot and Latrodectus.
- Self-propagating malware: Containing hosts confirmed to be infected with self-propagating malware like worms and ransomware to stop their automated spread.
- Confirmed lateral movement: Confirmed detection of an attacker using the host to pivot to other systems, indicated by suspicious network scanning, remote connection attempts (RDP, SMB, RPC), or use of tools like PsExec.
- Active C2 communication: Verification of a host actively communicating with known malicious C2 servers (to exfiltrate data or get more instructions).
- Critical vulnerability exploitation: Detection of successful exploitation of a severe vulnerability on a host, which can lead to full system compromise and additional network access.
- Compromised critical asset: Isolating a high-value target like a domain controller or critical database server (only if it’s customer pre-approved) when strong evidence indicates compromise to create time to investigate further.
- Post-compromise activity: Suspicious actions observed on a host after a credential compromise is detected.
Response timeline: contain host auto remediation workflow
Contain host has five steps to completion. Let’s dive into those steps with an example of an attack our SOC responded to where an attacker was attempting to move laterally in the environment.
1. Detection
A high-confidence, high-severity alert shows up in Workbench from an EDR, SIEM, or other network monitoring tool.
Example: An EDR detects highly suspicious activity on application server A. The alert shows multiple failed login attempts targeting other servers (B and C) using the same service account, immediately followed by a successful remote connection and process execution (WMI) on server B. This indicates a pattern of lateral movement.
2. Validation & context
Our SOC analyst investigates and confirms the risk and threat level of the alert. Our analysts will thoroughly confirm the alert to avoid unnecessarily interrupting critical business functions.
Example: The analyst confirms the suspected lateral movement and rates the alert high-risk and severe, because the attacker is likely to keep using the service account to reach other servers, and it’s happening right now.
3. Customer approval check
Workbench will check your customer preferences and determine if this auto remediation is approved. For reference, the contain host auto remediation lets you designate specific hosts on which this automation is allowed or denied, so you retain control over isolation.
Example: The analyst confirms via Workbench server A is part of a group of servers the customer has pre-approved for isolation when lateral movement is confirmed.
4. Execution
The analyst triggers the contain host auto remediation via Workbench. Typically, the EDR agent on the endpoint enforces isolation, usually by modifying local firewall rules or network settings to block inbound and outbound network traffic. The exception to this rule is the essential communication between the EDR management console and Expel’s platform so we can continue to monitor and manage the isolated host.
Example: The analyst triggers the auto remediation and server A’s EDR agent immediately enforces isolation, cutting off connections to servers B and C and any additional resources, except for Workbench and your EDR console.
5. Confirmation
As a final step, we log the auto remediation action in Workbench and your EDR console. Our analysts will continue to monitor the host to ensure it remains isolated and the threat spread stops.
Example: The lateral movement stops instantly. Our SOC safely investigates server A to remove the threat and also addresses the compromised credentials. Server B is also investigated for compromise, and the risk of additional lateral movement is eliminated.
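The approval check (step 3), execution (step 4) and audit record (step 5) of the workflow above, as an added Python example that is not Expel Workbench code; the Org Context fields, the scenario names and the host names are assumptions for illustration. It also covers the earlier Org Context case where a business-critical server is never contained automatically but the kill process action is still allowed.

```python
"""Constructed model of an Org Context approval check with audit logging."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class OrgContext:
    # Assets that may never be taken offline automatically (business-critical).
    never_contain: Set[str] = field(default_factory=set)
    # Host group name -> member hosts.
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    # (group, scenario) -> response actions the customer pre-approved.
    preapproved: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)


@dataclass
class AuditEntry:
    host: str
    action: str
    scenario: str
    approved: bool
    reason: str


def check_approval(ctx: OrgContext, host: str, action: str, scenario: str) -> AuditEntry:
    """Decide whether `action` may run on `host` for the confirmed `scenario`.

    Precedence: a never-contain entry wins over any group pre-approval; otherwise
    the host must belong to a group pre-approved for this scenario and action;
    anything else falls back to asking the customer."""
    if action == "contain_host" and host in ctx.never_contain:
        return AuditEntry(host, action, scenario, False,
                          "host is marked never-contain in Org Context")
    for group, members in ctx.groups.items():
        if host in members and action in ctx.preapproved.get((group, scenario), set()):
            return AuditEntry(host, action, scenario, True,
                              f"pre-approved for group {group!r} on scenario {scenario!r}")
    return AuditEntry(host, action, scenario, False,
                      "no pre-approval on file; analyst must ask the customer")


def run_response(ctx: OrgContext, host: str, action: str, scenario: str,
                 executor: Callable[[str, str], None], audit_log: List[AuditEntry]) -> AuditEntry:
    """Execute the action only when approved; record the decision either way."""
    entry = check_approval(ctx, host, action, scenario)
    if entry.approved:
        executor(host, action)  # stand-in for the EDR API call that isolates the host
    audit_log.append(entry)
    return entry
```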
How to set it up
Expel customers can learn more about the contain host auto remediation and how to set it up for your environment within the Workbench platform.
Not an Expel customer yet, but curious about our auto remediations? Send us a note.