Is there any way to remotely access that machine when it's in the isolated state?
VMware Carbon Black EDR (Response)
If you need security assistance from the Red Canary Threat Hunting team, please contact us.
There are two ways to access the machine after isolation. One is Carbon Black Live Response, which is strictly CLI (Command Line Interface). The other is adding an IP address to the Sensor Group's Isolation Exclusions setting, which allows that IP address to access the isolated machines.
To access via Live Response:
- Log in to Red Canary.
- Click the CB icon at the top right of Red Canary to connect to the Carbon Black server.
- Select Endpoints on the navigation menu, and search for the endpoint that is isolated.
- Select the endpoint in question by clicking on the endpoint's name.
- Select the Go Live button on the top right of the screen.
To add an IP address to a Sensor Group's Isolation Exclusions:
- Inside the Carbon Black server, select the Sensor Group that the isolated endpoint is located in.
- Select the gear icon on the sensor group to look at settings.
- Under Isolation Exclusions, select Add Exclusion.
- Enter a brief description and the URL or IP address of the machine that should be allowed to communicate with the isolated endpoint.