Isolate a Red Cloak Endpoint Agent


Note

Host isolation is available for Windows hosts that have the Red Cloak™ Endpoint Agent installed with the Hostel module enabled. The module is enabled by default in agent version 2.0.6.0 and higher (see Red Cloak Endpoint Agent Changelog for version updates).

Isolating an endpoint blocks its network communication (except to XDR) to prevent threats from spreading laterally from an infected host to healthy hosts. Once the threat has been removed from an isolated host, the host can be reintegrated and regains full network access.

Tip

Response actions such as isolating and restoring an endpoint can also be enabled via playbooks. For information on configuring playbooks to perform these actions, see Playbooks Templates and related Automations documentation.

Follow these steps to isolate or restore a host via the XDR default Actions menu options:

  1. From the XDR left-hand side navigation, select Endpoint Agents → Summary and choose an endpoint from the Endpoint Agents Summary table.
  2. Select the three dot Actions icon from the Endpoint side drawer summary view or the Actions menu from the Endpoint detailed view.
  3. Choose either Isolate Host or Restore Host.
  4. Enter a reason for the action and select either Isolate Host or Restore Host to confirm.


Isolated hosts display a label next to the hostname in the side drawer summary view and the detailed view:

Isolation Status

Note

Disconnected Taegis Endpoint Agents display an Isolation Pending or Restore Pending label until they reconnect to XDR. For more information, see Taegis™ Endpoint Agent Technical Details.

See the Command History section from the endpoint detailed view for a history of isolate and restore actions for the endpoint.

For more information, see Red Cloak Endpoint Agent Technical Details.