Isolate an Endpoint

This capability is supported on Windows endpoints with Traps agent 6.0 and later releases.
When you isolate an endpoint, you halt all network access on the endpoint except for traffic to Cortex XDR. This can prevent a compromised endpoint from communicating with other endpoints thereby reducing an attacker’s mobility on your network. After the Cortex XDR agent receives the instruction to isolate the endpoint and carries out the action, the Cortex XDR console shows an Isolated check-in status. To ensure an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
For VDI sessions, using the network isolation response action can disrupt communication with the VDI host management system thereby halting access to the VDI session. As a result, before using the response action you must add the VDI processes and corresponding IP addresses to your allow list in the Agent Settings profile (
Response Actions
Allow List of Network Isolation
).
  1. From Cortex XDR, initiate an action to isolate an endpoint.
    Go to
    Response
    Action Center
    + New Action
    and select
    Isolate
    .
    You can also initiate the action (for one or more endpoints) from the
    Isolation
    page of the Action Center or from
    Endpoints
    Endpoint Management
    Endpoint Administration
    .
  2. Select
    Isolate
    .
  3. Enter a
    Comment
    to provide additional background or other information that explains why you isolated the endpoint.
    After you isolate an endpoint, Cortex XDR will display the
    Isolation Comment
    on the
    Action Center
    Isolation
    . If needed, you can edit the comment from the right-click pivot menu.
  4. Click
    Next
    .
  5. Select the target endpoint that you want to isolate from your network.
    If needed,
    Filter
    the list of endpoints. To learn how to use the Cortex XDR filters, refer to Filter Page Results.
  6. Click
    Next
    .
  7. Review the action summary and click
    Done
    when finished.
    In the next heart beat, the agent will receive the isolation request from Cortex XDR.
  8. To track the status of an isolation action, select
    Response
    Action Center
    Isolation
    .
    If after initiating an isolation action, you want to cancel, right-click the action and select
    Cancel for pending endpoint
    . You can cancel the isolation action only if the endpoint is still in
    Pending
    status and has not been isolated yet.
  9. After you remediate the endpoint, cancel endpoint isolation to resume normal communication.
    You can cancel isolation from the Actions Center (
    Isolation
    page) or from
    Endpoints
    Endpoint Management
    Endpoint Administration
    . From either place right-click the endpoint and select
    Endpoint Control
    Cancel Endpoint Isolation
    .

Recommended For You