Host isolation

edit

Host isolation allows you to isolate hosts from your network, blocking communication with other hosts on your network until you release the host. Isolating a host is useful for responding to malicious activity or preventing potential attacks, as it prevents lateral movement across other hosts.

Isolated hosts, however, can still send data to Elasticsearch and Kibana. You can also create host isolation exceptions for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network.

Endpoint page highlighting a host that’s been isolated

You can isolate a host from a detection alert’s details flyout, from the Endpoints page, or (with an Enterprise subscription) from the endpoint response console. Once a host is successfully isolated, an Isolated status displays next to the Agent status field, which you can view on the alert details flyout or Endpoints list table.

If the request fails, verify that the Elastic Agent and your endpoint are both online before trying again.

All actions executed on a host are tracked in the host’s response actions history, which you can access from the Endpoints page. Refer to View host isolation history for more information.

Isolate a host

edit
Isolate a host from a detection alert
  1. Open a detection alert:

    • From the Alerts table or Timeline: Click View details (View details icon).
    • From a case with an attached alert: Click Show alert details (>).
  2. Click Take action → Isolate host.
  3. Enter a comment describing why you’re isolating the host (optional).
  4. Click Confirm.
Isolate a host from an endpoint
  1. Go to Manage → Endpoints, then either:

    • Select the appropriate endpoint in the Endpoint column, and click Take action → Isolate host in the endpoint details flyout.
    • Click the Actions menu (…​) on the appropriate endpoint, then select Isolate host.
  2. Enter a comment describing why you’re isolating the host (optional).
  3. Click Confirm.
Isolate a host from the response console

The response console is an Enterprise subscription feature.

  1. Open the response console for the endpoint (ManageEndpointsActions menu (…​) → Respond).
  2. Enter the isolate command and an optional comment in the input area, for example:

    isolate --comment "Isolate this host"

  3. Press Return.

After the host is successfully isolated, an Isolated status is added to the endpoint. Active end users receive a notification that the computer has been isolated from the network:

Host isolated notification message

Release a host

edit
Release a host from a detection alert
  1. Open a detection alert:

    • From the Alerts table or Timeline: Click View details (View details icon).
    • From a case with an attached alert: Click Show alert details (>).
  2. From the alert details flyout, click Take action → Release host.
  3. Enter a comment describing why you’re releasing the host (optional).
  4. Click Confirm.
Release a host from an endpoint
  1. Go to Manage → Endpoints, then either:

    • Select the appropriate endpoint in the Endpoint column, and click Take action → Release host in the endpoint details flyout.
    • Click the Actions menu (…​) on the appropriate endpoint, then select Release host.
  2. Enter a comment describing why you’re releasing the host (optional).
  3. Click Confirm.
Release a host from the response console

The response console is an Enterprise subscription feature.

  1. Open the response console for the endpoint (ManageEndpointsActions menu (…​) → Respond).
  2. Enter the release command and an optional comment in the input area, for example:

    release --comment "Release this host"

  3. Press Return.

After the host is successfully released, the Isolated status is removed from the endpoint. Active end users receive a notification that the computer has been reconnected to the network:

Host released notification message

View host isolation history

edit

To confirm if a host has been successfully isolated or released, check the response actions history, which logs the response actions performed on a host.

Go to ManageEndpoints, click an endpoint’s name, then click the Response action history tab. You can filter the information displayed in this view. Refer to Response actions history for more details.

Response actions history page UI