Moving files to quarantine

To prevent a threat distribution, you can move an infected file to quarantine in one of the following ways:

• From the alert or incident details
• From the device details
• From a telemetry event
• From an investigation graph

You can also configure the response action to run automatically when creating or editing a playbook.

To move the file to quarantine, you must have one of the following XDR roles: Main administrator, Tenant administrator, Tier 1 analyst, Tier 2 analyst.

It might take up to 15 minutes to launch a response action due to the synchronization interval between the managed device and Administration Server.

Responding from the alert or incident details

To move a file to quarantine from the alert or incident details:

1. Do one of the following:
   • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device on which the file to be moved to quarantine is located.
   • In the main menu, go to Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the device on which the file to be moved to quarantine is located.
2. In the window that opens, go to the Assets tab.
3. Select check box next to the device on which the file to be moved to quarantine is located.

   You can select several devices, if necessary.

4. In the Select response actions drop-down list, select Move to quarantine.
5. In the window that opens on the right side of the screen, specify the following information in the corresponding fields:
   • File hash.

     You can select either SHA256 or MD5.

   • Path to the file.
6. Click the Move button.

If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Responding from the device details

To move a file to quarantine from the device details:

1. Do one of the following:
   • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device on which the file to be moved to quarantine is located.
   • In the main menu, go to Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the device on which the file to be moved to quarantine is located.
2. In the window that opens, go to the Assets tab.
3. Click the name of the required device, and then in the drop-down list, select View properties.
4. In the Select response actions drop-down list, select Move to quarantine.
5. In the window that opens on the right side of the screen, specify the following information on the corresponding fields:
   • File hash.

     You can select either SHA256 or MD5.

   • Path to the file.
6. Click the Move button.

If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Responding from a telemetry event

To move a file to quarantine from a telemetry event:

1. In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device on which the file to be moved to quarantine is located.
2. In the window that opens, go to the Details tab, and do one of the following:
   • Click the name of the required event and select the device.
   • Click the Find in Threat hunting button to go to the Threat hunting section and select the required device.

   You can also go to the Observables tab, select check box next to the file that you want to move to quarantine, and then click the Move to quarantine button.

3. In the Select response actions drop-down list, select Move to quarantine.
4. In the window that opens on the right side of the screen, specify the following information on the corresponding fields:
   • File hash.

     You can select either SHA256 or MD5.

   • Path to the file.
5. Click the Move button.

If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Responding from an investigation graph

This option is available if the investigation graph is built.

To move a file to quarantine from an investigation graph:

1. In the main menu, go to Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the device on which the file to be moved to quarantine is located.
2. In the window that opens, click the View on graph button.

   The investigation graph opens.

3. Click the device name to open the device details.
4. In the Select response actions drop-down list, select Move to quarantine.
5. In the window that opens on the right side of the screen, specify the following information on the corresponding fields:
   • File hash.

     You can select either SHA256 or MD5.

   • Path to the file.
6. Click the Move button.

If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Page top