# Endpoint Isolation and Containment Procedures

One-sentence definition: Standard steps to rapidly isolate compromised hosts while preserving evidence.

## Key Facts

- Use EDR network isolation; avoid power-off unless required; capture memory first.
- Terminate suspicious processes, revoke tokens, rotate credentials, block IOCs.
- Coordinate with the business to avoid impact on critical systems; use staged containment.
- Document the timeline, commands run, and artifacts collected; link everything to the incident ticket.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose isolation as the first-line containment action to stop spread.

**Mnemonic:** “**Quarantine fast, prove later**.”

## Mini Scenario

Q: Crypto activity spikes on a server—first move?

A: EDR isolate, snapshot, collect memory, then eradicate.

## Revision Checklist

- Isolation vs. shutdown.
- Two immediate actions.
- Evidence notes.

## Related

[[Incident Response Lifecycle (NIST-Style)]] · [[Malware Analysis Triage and Containment]] · [[Endpoint EDR Detection Validation]] · [[Playbooks and SOAR Automation]] · [[Domain 7 - Index]]