Following a recommendation to isolate a host

To follow a recommendation to isolate a host from the network:

  1. In the recommendation box, select Isolate <host name>.

    This opens the host isolation settings window for the host from the event you are working on.

  2. In the Disable isolation in field, enter the time in hours (1 to 9999) during which network isolation of the host will be active.
  3. In the Exclusions to the host isolation rule settings group, in the Traffic direction list, select the direction of network traffic that must not be blocked:
    • Incoming/Outgoing.
    • Incoming.
    • Outgoing.
  4. In the IP field, enter the IP address whose network traffic must not be blocked.
  5. If you selected Incoming or Outgoing, in the Ports field enter the connection ports.
  6. If you want to add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields.
  7. Click Save.

Information about host isolation is displayed in the Endpoint Agents section of the web interface.

You can also create a network isolation rule by clicking the Isolate <host name> link in the alert information and in the Endpoint Agents section of the web interface.

Users with the Security auditor and Security officer roles cannot isolate a host from the network.

See also

Following a recommendation to prevent a file from running

Following a recommendation to create a task
