Moving files to quarantine

To prevent a threat distribution, you can move a device on which the file is located to quarantine in one of the following ways:

• From the alert or incident details.
• From the device details.
• From a telemetry event.
• From an investigation graph.

  This option is available if the investigation graph is built.

You can also configure the response action to run automatically when creating or editing a playbook.

To move a device on which the file is located to quarantine, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

It might take up to 15 minutes to launch a response action due to the synchronization interval between the managed device and the Administration Server.

To move a device to quarantine:

1. In the main menu, go to the Monitoring & reporting section, and then select the Alerts or Incidents section.

   If you want to respond from an investigation graph, select the Incidents section.

   If you want to respond from a telemetry event, select the Alerts section.

2. Click the ID of the required alert or incident.
3. In the window that opens, do one of the following:
   • If you want to respond through the alert or incident details, go to the Assets tab, and then select check box next to the device which is to be moved to quarantine.

     You can select several devices, if necessary.

   • If you want to respond through the device details, go to the Assets tab, click the name of the required device, and then in the drop-down list, select View properties.
   • If you want to respond through a telemetry event, go to the Details tab, and then either click the name of the required event and select the device or click the Find in Threat hunting button to go to the Threat Hunting section and select the required device.

     You can also go to the Observables tab, select check box next to the file that you want to move to quarantine, and then click the Move to quarantine button.

   • If you want to respond through an investigation graph, click the View on graph button. In the investigation graph that opens, click the device name to open the device details.
4. In the Select response actions drop-down list, select Move to quarantine.
5. In the window that opens on the right side of the screen, specify the following information on the corresponding fields:
   • File hash.

     You can select either SHA256 or MD5.

   • Path to the file.
6. Click the Move button.

If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Page top