Isolate an Endpoint

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-07-17
Category
Administrator Guide
Abstract

In the event that an endpoint is compromised, you can immediately isolate it to reduce an attacker’s mobility.

When you isolate an endpoint, you halt all network access on the endpoint except for traffic to Cortex XSIAM. This can prevent a compromised endpoint from communicating with other endpoints, thereby reducing an attacker’s mobility on your network. After the agent receives the instruction to isolate the endpoint and carries out the action, Cortex XSIAM shows an Isolated check-in status. To ensure an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.

Note

IP-based file storage protocol traffic will also be blocked. This might affect endpoint functionality if the endpoint uses such mounts.

Network isolation is supported for endpoints that meet the following prerequisites, listed by operating system:

Windows

  • Agent 6.0 or later

  • (VDI only) A network isolation allow list is configured in the Agent Settings Profile so that VDI sessions remain uninterrupted.

Mac

  • Agent 7.3 or later

  • macOS 10.15.4 or later

  • Cortex XSIAM Network extension is enabled on the endpoint.

Network isolation on Mac endpoints does not terminate active connections that were initiated before the agent was installed on the endpoint.

Linux

  • iptables and ip6tables

  • Agent 7.7 or later

  • Linux kernel with the following enabled:

    • CONFIG_NETFILTER

    • CONFIG_IP_NF_IPTABLES

    • CONFIG_IP_NF_MATCH_OWNER

  • Network isolation allow list configured in the Agent Settings Profile

Network isolation on Linux endpoints is based on the defined IP addresses and ports.
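Because Linux isolation depends on the tools and kernel options listed above, it is worth confirming them on the host before expecting an isolation action to take effect. The following pre-flight script is an added example, not part of the Cortex XSIAM guide or the agent; it assumes the kernel config is readable from /proc/config.gz or /boot/config-$(uname -r) (a path can be passed to override that) and checks exactly the two tools and three kernel options named in the table.

```shell
#!/bin/sh
# Added example (not from the Cortex XSIAM guide or agent): pre-flight check of the
# Linux isolation prerequisites listed above. Assumed: the kernel config is readable
# from /proc/config.gz or /boot/config-$(uname -r); pass a path to override.
REQUIRED_KERNEL_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_OWNER"

# Print the running kernel's config to stdout, or return 1 if none is readable.
read_kernel_config() {
    if [ -r /proc/config.gz ]; then gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else return 1; fi
}

# check_kernel_opts FILE: succeed only if every required option is built in (=y)
# or available as a module (=m); each missing or disabled option is named on stderr.
check_kernel_opts() {
    rc=0
    for opt in $REQUIRED_KERNEL_OPTS; do
        grep -Eq "^${opt}=(y|m)$" "$1" || { echo "FAIL: $opt not enabled" >&2; rc=1; }
    done
    return $rc
}

# check_tools: the agent's Linux isolation needs both iptables and ip6tables on PATH.
check_tools() {
    rc=0
    for tool in iptables ip6tables; do
        command -v "$tool" >/dev/null 2>&1 || { echo "FAIL: $tool not found" >&2; rc=1; }
    done
    return $rc
}

# preflight [CONFIG]: run all checks; exit status 0 means the endpoint qualifies.
preflight() {
    cfg="${1:-}"; tmp=""
    if [ -z "$cfg" ]; then
        tmp=$(mktemp) && cfg="$tmp" && read_kernel_config > "$cfg" || {
            echo "FAIL: no readable kernel config found" >&2; rm -f "$tmp"; return 1; }
    fi
    rc=0
    check_tools || rc=1
    check_kernel_opts "$cfg" || rc=1
    if [ -n "$tmp" ]; then rm -f "$tmp"; fi
    return $rc
}

# Usage: sh preflight.sh --check [/path/to/kernel-config]
if [ "${1-}" = "--check" ]; then preflight "${2-}"; exit $?; fi
```

Run it as root on a candidate endpoint; a non-zero exit lists every unmet prerequisite on stderr so it can be fixed before the agent is asked to isolate the host.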

  1. Initiate an action to isolate an endpoint.

    Go to Incident Response > Response > Action Center > + New Action and select Isolate.

    You can also initiate the action (for one or more endpoints) from the Isolation page of the Action Center or from Endpoints > Endpoint Management > Endpoint Administration.

  2. Select Isolate.

  3. Enter a Comment to provide additional background or other information that explains why you isolated the endpoint.

    After you isolate an endpoint, Cortex XSIAM displays the Isolation Comment on Action Center > Isolation. If needed, you can edit the comment from the right-click pivot menu.

  4. Click Next.

  5. Select the target endpoint that you want to isolate from your network.

    Tip

    If needed, filter the list of endpoints. To learn how to use filters, see Filter Page Results.

  6. Click Next.

  7. Review the action summary and click Done when finished.

    In the next heartbeat, the agent will receive the isolation request from Cortex XSIAM.

  8. To track the status of an isolation action, select Incident Response > Response > Action Center > Currently Applied Actions > Endpoint Isolation.

    If you want to cancel an isolation action after initiating it, right-click the action and select Cancel for pending endpoint. You can cancel the isolation action only while the endpoint is still in Pending status and has not yet been isolated.

  9. After you remediate the endpoint, cancel endpoint isolation to resume normal communication.

    You can cancel isolation from the Action Center (Isolation page) or from Endpoints > Endpoint Management > Endpoint Administration. From either place, right-click the endpoint and select Endpoint Control > Cancel Endpoint Isolation.

Note

If file system operations become unresponsive during isolation, such as being unable to list folder content, unmount the mounted network shares.