Isolate a Red Cloak Endpoint Agent
Note
Host isolation is available for Windows hosts with the Red Cloak™ Endpoint Agent installed with the Hostel module enabled, which is default for agent version 2.0.6.0 and higher (see Red Cloak Endpoint Agent Changelog for version updates).
Isolating an endpoint from network communication (except to XDR) is performed to prevent lateral spreading of threats from an infected host to healthy hosts. Once isolated hosts have the threat removed, they can be reintegrated and regain full network access.
Response actions such as isolating and restoring an endpoint are enabled via playbooks. For information on configuring playbooks to perform these actions, see Playbooks Templates and related Automations documentation.
Once playbooks have been configured, follow these steps to isolate or restore a host:
- From the XDR left-hand side navigation, select Endpoint Agents → Summary and choose an endpoint from the Endpoint Agents Summary table.
- Select the three dot Actions icon from the Endpoint side drawer summary view or the Actions menu from the Endpoint detailed view.
- From the Response Actions section, choose the action you configured via a relevant playbook.
Isolated hosts display a label next to the hostname in the side drawer summary view and the detailed view:
Isolation Status
Note
Disconnected Taegis Endpoint Agents display an Isolation Pending or Restore Pending label until they reconnect to XDR. For more information, see Taegis™ Endpoint Agent Technical Details.
See the History section from the endpoint detailed view for a history of isolate and restore actions for the endpoint.
Note
Legacy default actions such as Isolate Host and Restore Host have been replaced by automations that perform these actions. Ensure you have configured response action playbooks to perform these actions. For more information, see the following release note.
For more information, see Red Cloak Endpoint Agent Technical Details.