capability is supported on Windows endpoints with Traps agent 6.0
and later releases.
When you isolate an endpoint, you
halt all network access on the endpoint except for traffic to Cortex
XDR. This can prevent a compromised endpoint from communicating
with other endpoints thereby reducing an attacker’s mobility on
your network. After the Cortex XDR agent receives the instruction
to isolate the endpoint and carries out the action, the Cortex XDR
console shows an Isolated check-in status. To ensure an endpoint
remains in isolation, agent upgrades are not available for isolated
For VDI sessions, using the network isolation
response action can disrupt communication with the VDI host management
system thereby halting access to the VDI session. As a result, before
using the response action you must add the VDI processes and corresponding
IP addresses to your allow list in the Agent Settings profile (
Allow List of
From Cortex XDR, initiate an action to isolate
+ New Action
You can also initiate
the action (for one or more endpoints) from the
of the Action Center or from
provide additional background or other information that explains
why you isolated the endpoint.
After you isolate an endpoint, Cortex XDR will display
If needed, you can edit the comment from the right-click pivot menu.
Select the target endpoint that you want to isolate from
list of endpoints. To learn how to use the Cortex XDR filters, refer
to Filter Page Results.
Review the action summary and click
In the next heart beat, the agent will receive the isolation
request from Cortex XDR.
To track the status of an isolation action, select
If after initiating an isolation action, you want to cancel,
right-click the action and select
for pending endpoint
. You can cancel the
isolation action only if the endpoint is still in
and has not been isolated yet.
After you remediate the endpoint, cancel endpoint isolation
to resume normal communication.
You can cancel isolation from the Actions Center (
From either place right-click the endpoint and select