In the event that an endpoint is compromised, you can
immediately isolate it to reduce an attacker’s mobility.
When you isolate an endpoint, you halt all network access on the endpoint
except for traffic to Cortex XDR. This can prevent a compromised
endpoint from communicating with other endpoints, thereby reducing
an attacker’s mobility on your network. After the Cortex XDR agent
receives the instruction to isolate the endpoint and carries out
the action, the Cortex XDR console shows an Isolated check-in status.
To ensure an endpoint remains in isolation, agent upgrades are not
available for isolated endpoints.
Network isolation is supported
for endpoints that meet the following requirements:
A Cortex XDR agent 6.0 or a later release
Configure your network isolation allow list
in the Agent Settings Profile to ensure
VDI sessions remain uninterrupted.
A Cortex XDR agent 7.3 or a later release
macOS 10.15.4 or a later release
Ensure the Cortex XDR Network extension is enabled on the
Network isolation on Mac endpoints does
not terminate active connections that were initiated before the
Cortex XDR agent was installed on the endpoint.
From Cortex XDR, initiate an action to isolate
+ New Action
You can also initiate
the action (for one or more endpoints) from the
of the Action Center or from
provide additional background or other information that explains
why you isolated the endpoint.
After you isolate an endpoint, Cortex XDR will display
If needed, you can edit the comment from the right-click pivot menu.
Select the target endpoint that you want to isolate from
list of endpoints. To learn how to use the Cortex XDR filters, refer
to Filter Page Results.
Review the action summary and click
In the next heartbeat, the agent will receive the isolation
request from Cortex XDR.
To track the status of an isolation action, select
If, after initiating an isolation action, you want to cancel it,
right-click the action and select
for pending endpoint
. You can cancel the
isolation action only if the endpoint is still in
and has not been isolated yet.
After you remediate the endpoint, cancel endpoint isolation
to resume normal communication.
You can cancel isolation from the Action Center (
From either place right-click the endpoint and select