Quarantine an Asset

In InsightIDR, you can quarantine an asset using the Insight Agent, or with an out-of-the-box workflow with Cb Response. When you quarantine an asset, it is isolated from all other network connections, except for connections to the Insight platform and trusted services, such as DHCP. This allows you to keep the asset quarantined until you can resolve the investigation.

Before You Begin

After you install the Insight Orchestrator, make sure that you configure the appropriate connections for automating workflows.

Quarantine with the Insight Agent

On Windows machines, the Insight Agent will temporarily provision firewall rules that block all incoming and outgoing traffic, removing the asset's network access and taking it offline.

Then, the Insight Agent will create new firewall rules that will allow access to Rapid7 Collectors and the Insight platform, as well as DNS and DHCP connections in order to maintain communication with the asset in the event of quarantine reversal.

When these firewall rules are in place, any attempt to modify them will force the asset back into quarantine in a matter of seconds; therefore, an intruder would not be able to edit or add rules to circumvent the quarantine.

For Linux and Mac assets, the Insight Agent will create the Rapid7 Firewall Chain, so that any modification to a firewall rule will force the asset back onto the chain.
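As an added illustration, not the Insight Agent's own code or anything from Rapid7, the following PowerShell approximates the Windows mechanism described above: block everything by default, allow only the platform and Collector addresses plus DNS and DHCP, and re-apply the policy whenever the host's firewall rule set changes. The addresses, the rule group name, the polling interval and an elevated (Administrator) session are assumptions.

```powershell
# Illustrative approximation of the quarantine behaviour described on this page.
# NOT the Insight Agent's implementation. Addresses below are PLACEHOLDERS (RFC 5737 ranges).
$Group    = 'Quarantine Example'            # rule group we own; used for cleanup and the tamper check
$Trusted  = @('192.0.2.10', '192.0.2.11')   # PLACEHOLDER: Insight platform / Collector addresses
$Resolver = @('192.0.2.53')                 # PLACEHOLDER: DNS resolvers the host may still reach

function Get-RuleFingerprint {
    # Stable text image of every rule on the host; any edit, addition or removal changes it.
    (Get-NetFirewallRule | Sort-Object Name |
        ForEach-Object { "$($_.Name)|$($_.Enabled)|$($_.Action)|$($_.Direction)" }) -join "`n"
}

function Enable-Quarantine {
    # 1. Deny all traffic in both directions on every profile.
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
    # 2. Re-open only what the page lists: platform/Collector, DNS and DHCP.
    $rules = @(
        @{ DisplayName = 'Q: platform out'; Direction = 'Outbound'; RemoteAddress = $Trusted },
        @{ DisplayName = 'Q: platform in';  Direction = 'Inbound';  RemoteAddress = $Trusted },
        @{ DisplayName = 'Q: DNS udp'; Direction = 'Outbound'; Protocol = 'UDP'; RemotePort = 53; RemoteAddress = $Resolver },
        @{ DisplayName = 'Q: DNS tcp'; Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 53; RemoteAddress = $Resolver },
        @{ DisplayName = 'Q: DHCP out'; Direction = 'Outbound'; Protocol = 'UDP'; LocalPort = 68; RemotePort = 67 },
        @{ DisplayName = 'Q: DHCP in';  Direction = 'Inbound';  Protocol = 'UDP'; LocalPort = 68; RemotePort = 67 }
    )
    foreach ($r in $rules) { New-NetFirewallRule @r -Group $Group -Action Allow -Enabled True | Out-Null }
    # 3. Record the resulting rule set so later tampering is detectable.
    $script:Baseline = Get-RuleFingerprint
}

function Test-QuarantineIntact {
    # True only if the whole rule set is exactly as it was when quarantine was applied.
    return ((Get-RuleFingerprint) -eq $script:Baseline)
}

function Disable-Quarantine {
    # Reversal: drop our rules and restore the Windows default profile actions
    # (assumption: the host used the defaults before; a real tool would record and restore them).
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Allow
}

function Invoke-QuarantineWatch([int]$IntervalSeconds = 5) {
    # Enforcement loop: any change to the rules forces the asset straight back into quarantine.
    Enable-Quarantine
    while ($true) {
        if (-not (Test-QuarantineIntact)) { Disable-Quarantine; Enable-Quarantine }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Invoke-QuarantineWatch
```

Run it only on a test host: it cuts the machine off from everything except the placeholder addresses, and a lost console session leaves no way to call Disable-Quarantine remotely.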

To quarantine an asset with the Insight Agent:

  1. From your InsightIDR homepage, select Investigations from the left menu.
  2. Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
  3. Click the Take Action button. The “Take Action” panel appears.
  4. From the “Select an Action Category” dropdown, select Insight Agent Actions.
  5. From the “Select an Automation Action to Take” dropdown, select Quarantine Asset.
  6. Select the asset you want to quarantine.
  7. Click the Take Action button.

The event will appear on the Investigation timeline when the process completes.

Reverse a Quarantine

To remove an asset from quarantine with the Insight Agent:

  1. From your InsightIDR homepage, select Investigations from the left menu.
  2. Open the investigation with the restricted asset. You will see a timeline of events involving the asset.
  3. From the Investigation timeline, click Undo Quarantine.

You will see a confirmation message about the reversal process and a new event on the Investigation timeline.

When the reverse quarantine is complete, a final event item will appear on the timeline. The user and asset can continue as usual.

Isolate an Asset with Cb Response

You can use Cb Response to quarantine an asset and move it into an isolated state. To learn more about how it works, see your Carbon Black documentation: https://www.carbonblack.com/products/cb-response/

To isolate an asset with Cb Response:

  1. From your InsightIDR homepage, select Investigations from the left menu.
  2. Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
  3. Click the Take Action button. The “Take Action” panel appears.
  4. From the “Select an Action Category” dropdown, select Containment Workflows.
  5. From the “Select an Automation Action to Take” dropdown, select Isolate Sensor in Cb Response.
  6. Select the Cb Response connection you want to use and click Continue.
  7. Choose the asset you want to isolate.
  8. Click Take Action.
  9. A Human Decision notification will appear on your timeline. Click Yes to confirm the automated action.

The event will appear on the Investigation timeline when the process completes.

Unisolate an Asset with Cb Response

To use the reverse workflow to unisolate an asset with Cb Response:

  1. From your InsightIDR homepage, select Investigations from the left menu.
  2. Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
  3. Click the Take Action button. The “Take Action” panel appears.
  4. From the “Select an Action Category” dropdown, select Containment Workflows.
  5. From the “Select an Automation Action to Take” dropdown, select Unisolate Sensor in Cb Response.
  6. Select the Cb Response connection you want to use and click Continue.
  7. Choose the sensor you want to unisolate.
  8. Click Take Action.
  9. A Human Decision notification will appear on your timeline. Click Yes to confirm the automated action.

You will see a confirmation message about the reversal process and a new event on the Investigation timeline.

When the reverse quarantine is complete, a final event item will appear on the timeline. The user and asset can continue as usual.