Isolate an Endpoint

In the event that an endpoint is compromised, you can immediately isolate it to reduce an attacker’s mobility.
When you isolate an endpoint, you halt all network access on the endpoint except for traffic to Cortex XDR. This can prevent a compromised endpoint from communicating with other endpoints thereby reducing an attacker’s mobility on your network. After the Cortex XDR agent receives the instruction to isolate the endpoint and carries out the action, the Cortex XDR console shows an Isolated check-in status. To ensure an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Network isolation is supported for endpoints that meet the following requirements:
Operating System
Prerequisites
Windows
  • A Cortex XDR agent 6.0 or a later release
  • (
    VDI
    ) Configure your network isolation allow list in the Agent Settings Profile to ensure VDI sessions remain uniterrupted.
Mac
  • A Cortex XDR agent 7.3 or a later release
  • macOS 10.15.4 or a later release
  • Ensure the Cortex XDR Network extension is enabled on the endpoint.
Network isolation on Mac endpoints does not terminate active connections that were initiated before the Cortex XDR agent was installed on the endpoint.
  1. From Cortex XDR, initiate an action to isolate an endpoint.
    Go to
    Response
    Action Center
    + New Action
    and select
    Isolate
    .
    You can also initiate the action (for one or more endpoints) from the
    Isolation
    page of the Action Center or from
    Endpoints
    Endpoint Management
    Endpoint Administration
    .
  2. Select
    Isolate
    .
  3. Enter a
    Comment
    to provide additional background or other information that explains why you isolated the endpoint.
    After you isolate an endpoint, Cortex XDR will display the
    Isolation Comment
    on the
    Action Center
    Isolation
    . If needed, you can edit the comment from the right-click pivot menu.
  4. Click
    Next
    .
  5. Select the target endpoint that you want to isolate from your network.
    If needed,
    Filter
    the list of endpoints. To learn how to use the Cortex XDR filters, refer to Filter Page Results.
  6. Click
    Next
    .
  7. Review the action summary and click
    Done
    when finished.
    In the next heart beat, the agent will receive the isolation request from Cortex XDR.
  8. To track the status of an isolation action, select
    Response
    Action Center
    Isolation
    .
    If after initiating an isolation action, you want to cancel, right-click the action and select
    Cancel for pending endpoint
    . You can cancel the isolation action only if the endpoint is still in
    Pending
    status and has not been isolated yet.
  9. After you remediate the endpoint, cancel endpoint isolation to resume normal communication.
    You can cancel isolation from the Actions Center (
    Isolation
    page) or from
    Endpoints
    Endpoint Management
    Endpoint Administration
    . From either place right-click the endpoint and select
    Endpoint Control
    Cancel Endpoint Isolation
    .

Recommended For You