Isolate an Endpoint

In the event that an endpoint is compromised, you can immediately isolate it to reduce an attacker's mobility. When you isolate an endpoint, you halt all network access on the endpoint except for traffic to Cortex XDR. This can prevent a compromised endpoint from communicating with other endpoints, thereby reducing an attacker's mobility on your network. After the Cortex XDR agent receives the instruction to isolate the endpoint and carries out the action, the Cortex XDR console shows an Isolated check-in status. To ensure an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Network isolation is supported for endpoints that meet the following requirements, listed by operating system:

Windows
  • Cortex XDR agent 6.0 or a later release
  • (VDI) Network isolation allow list in the Agent Settings Profile is configured to ensure VDI sessions remain uninterrupted.

Mac
  • Cortex XDR agent 7.3 or a later release
  • macOS 10.15.4 or a later release
  • Cortex XDR Network extension is enabled on the endpoint.
  Network isolation on Mac endpoints does not terminate active connections that were initiated before the Cortex XDR agent was installed on the endpoint.

Linux
  • iptables and ip6tables
  • Cortex XDR agent 7.7 or a later release
  • Linux kernel with the following enabled:
    • CONFIG_NETFILTER
    • CONFIG_IP_NF_IPTABLES
    • CONFIG_IP_NF_MATCH_OWNER
  • Network isolation allow list configured in the Agent Settings Profile
  Network isolation on Linux endpoints is based on the defined IP addresses and ports.
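The following script is an added example, not Cortex XDR's own code: it checks the Linux prerequisites listed above (the three kernel options and the iptables binaries) and prints, without applying, an iptables ruleset of the kind the text describes, permitting only allow-listed IP:port pairs plus traffic owned by one local user (the owner match is what CONFIG_IP_NF_MATCH_OWNER provides). The IP addresses, ports and the user name are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not Cortex XDR's own code). Placeholder hosts, ports and
# user name are used for illustration only.

# Return 0 when every kernel option the page lists is built in (=y) or a module (=m).
check_kernel_config() {
    cfg="$1"   # normally /boot/config-$(uname -r)
    missing=0
    for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_OWNER; do
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            echo "missing kernel option: $opt" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Return 0 when both iptables binaries the page requires are on PATH.
check_iptables_tools() {
    command -v iptables >/dev/null 2>&1 && command -v ip6tables >/dev/null 2>&1
}

# Print (do not apply) an isolation ruleset. $1 is a comma-separated allow
# list of IP:PORT entries; $2 is the local user whose processes may always
# send traffic (owner match). Default policy DROP, loopback kept open.
build_isolation_rules() {
    allow="$1"; owner="$2"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $owner -j ACCEPT"
    for entry in $(echo "$allow" | tr ',' ' '); do
        host="${entry%%:*}"; port="${entry##*:}"
        # outbound to the allow-listed service and its stateless reply path
        echo "iptables -A OUTPUT -p tcp -d $host --dport $port -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $host --sport $port -j ACCEPT"
    done
}

# Usage (review the printed rules before running them as root):
#   check_kernel_config "/boot/config-$(uname -r)" && check_iptables_tools \
#     && build_isolation_rules "203.0.113.10:443" "xdr-agent-user"
```

An equivalent ip6tables set is needed for IPv6 hosts in the allow list; the page lists ip6tables as a requirement for that reason.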
  1. From Cortex XDR, initiate an action to isolate an endpoint.
     Go to Incident Response > Response > Action Center > + New Action and select Isolate.
     You can also initiate the action (for one or more endpoints) from the Isolation page of the Action Center or from Endpoints > Endpoint Management > Endpoint Administration.
  2. Select Isolate.
  3. Enter a Comment to provide additional background or other information that explains why you isolated the endpoint.
     After you isolate an endpoint, Cortex XDR displays the Isolation Comment on the Action Center Isolation page. If needed, you can edit the comment from the right-click pivot menu.
  4. Click Next.
  5. Select the target endpoint that you want to isolate from your network.
     If needed, Filter the list of endpoints. To learn how to use the Cortex XDR filters, refer to Filter Page Results.
  6. Click Next.
  7. Review the action summary and click Done when finished.
     In the next heartbeat, the agent will receive the isolation request from Cortex XDR.
  8. To track the status of an isolation action, select Incident Response > Response > Action Center > Currently Applied Actions > Endpoint Isolation.
     If, after initiating an isolation action, you want to cancel it, right-click the action and select Cancel for pending endpoint. You can cancel the isolation action only if the endpoint is still in Pending status and has not been isolated yet.
  9. After you remediate the endpoint, cancel endpoint isolation to resume normal communication.
     You can cancel isolation from the Action Center (Isolation page) or from Endpoints > Endpoint Management > Endpoint Administration. From either place, right-click the endpoint and select Endpoint Control > Cancel Endpoint Isolation.