The ability to isolate an endpoint is invaluable when working through the containment phase of incident response. Here we'll illustrate how you can quickly isolate an endpoint via the Red Canary portal.

This article is part of a 4-part series:

Respond to confirmed threats
Isolate an endpoint (this article)
Execute response plans
Audit response plans

Isolate an Endpoint

You will notice a red "Isolate Endpoint" button once the response sidebar is revealed. The button is situated at the top of the detection timeline.

Isolating an endpoint prevents all network communication except communication with the Endpoint Detection and Response server.

You can request isolation of an endpoint that is offline. The isolation request will be queued and executed when the endpoint comes back online.
