The configuration is applied in the Containment Policy. Network containment restricts endpoint network activity to isolate a potentially compromised host, but Falcon allows administrators to define specific IP addresses that contained hosts may still communicate with. The official guidance states that on the Containment Policy page, administrators can allow IP addresses over which hosts will always be permitted to communicate, even when contained. This is commonly used for tightly controlled resources such as patching systems, remediation infrastructure, or other trusted internal services needed during response. IP Allowlist Management is different: it controls which source IP addresses may access the Falcon console or API, not which destinations a contained host may reach. Response Policies control Real Time Response command permissions, and Maintenance Tokens relate to sensor uninstall or maintenance operations. Therefore, the correct CCFA topic alignment is Policy Application, specifically Network Containment and Containment Policy configuration.