Quarantine an Asset

In InsightIDR, you can quarantine an asset to isolate it from all other network connections, except for connections to the Insight Platform and trusted services, such as DHCP. This allows you to keep the asset quarantined until you can resolve the investigation. You can quarantine an asset using the Insight Agent or with an out-of-the-box workflow with Cb Response.

Quarantine an asset with the Insight Agent

Before You Begin

Ensure that you configure the appropriate connections for automating workflows and configure your operating systems for Insight Agent quarantine actions.

Quarantine an asset within an Investigation

On Windows machines, the Insight Agent temporarily provisions firewall rules that block all incoming and outgoing traffic, removing the asset's network access and taking it offline.

Then, the Insight Agent creates new firewall rules that allow access to Rapid7 Collectors and the Insight Platform, as well as DNS and DHCP connections, so that communication with the asset is maintained and the quarantine can later be reversed.

When these firewall rules are in place, any attempt to modify them forces the asset back into quarantine within seconds, so an intruder cannot edit or add rules to circumvent the quarantine.

For quarantined Linux or Mac assets, the Insight Agent creates the Rapid7 Firewall Chain so that any modification to a firewall rule forces the asset back onto the chain.
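As an added example that is not part of this page or the Insight Agent's own code, the following Python models the mechanism described above: an allow-list firewall chain (collectors, platform, DNS, DHCP, everything else dropped) and a check that flags any change to the live rule set as the trigger for re-applying the quarantine. The chain name, addresses and the sample rule dumps are assumptions constructed for the example.

```python
# Added example, not Rapid7's Insight Agent code: a model of the quarantine
# chain described above, in iptables-save syntax, plus a tamper check that
# compares a live rule dump against the expected rules. Chain name, addresses
# and the sample dumps are assumptions constructed for this example.
CHAIN = "RAPID7_QUARANTINE"   # assumed chain name, not necessarily the real one

def build_rules(collectors, platform_hosts):
    """Expected contents of the quarantine chain, one iptables-save line each."""
    rules = [
        f"-A INPUT -j {CHAIN}",
        f"-A OUTPUT -j {CHAIN}",
        f"-A {CHAIN} -i lo -j ACCEPT",
        # DHCP: client port 68 <-> server port 67, both directions
        f"-A {CHAIN} -p udp --sport 68 --dport 67 -j ACCEPT",
        f"-A {CHAIN} -p udp --sport 67 --dport 68 -j ACCEPT",
        # DNS, so the agent can still resolve the platform and collectors
        f"-A {CHAIN} -p udp --dport 53 -j ACCEPT",
        f"-A {CHAIN} -p tcp --dport 53 -j ACCEPT",
        # Reply packets for the connections allowed below
        f"-A {CHAIN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for host in sorted(set(collectors) | set(platform_hosts)):
        rules.append(f"-A {CHAIN} -d {host} -j ACCEPT")
    rules.append(f"-A {CHAIN} -j DROP")   # everything else is blocked
    return rules

def chain_rules(save_output):
    """Rules referencing the quarantine chain, in order, from iptables-save output."""
    return [ln.strip() for ln in save_output.splitlines()
            if ln.startswith("-A") and CHAIN in ln]

def tamper_check(save_output, expected):
    """Return (missing, extra): rules deleted from, or added to, the chain."""
    live = chain_rules(save_output)
    return ([r for r in expected if r not in live],
            [r for r in live if r not in expected])

def needs_requarantine(save_output, expected):
    """True when the live chain differs in content or order: the trigger for re-quarantine."""
    return chain_rules(save_output) != expected

EXPECTED = build_rules(collectors=["10.0.5.20"], platform_hosts=["203.0.113.10"])
HEADER = f"*filter\n:INPUT ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:{CHAIN} - [0:0]\n"
# Constructed dumps: one untouched, one where an ACCEPT for an arbitrary host
# was inserted ahead of the final DROP, which must force the asset back into quarantine.
CLEAN_DUMP = HEADER + "\n".join(EXPECTED) + "\nCOMMIT\n"
TAMPERED_DUMP = HEADER + "\n".join(
    EXPECTED[:-1] + [f"-A {CHAIN} -d 198.51.100.7 -j ACCEPT", EXPECTED[-1]]) + "\nCOMMIT\n"
```

In a real agent the dump would come from `iptables-save` (or the platform equivalent) on a short timer and a mismatch would re-apply the rules; here the comparison is the whole point.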

To quarantine an asset:

  1. From your InsightIDR homepage, select Investigations from the left menu.
  2. Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
  3. Click the Take Action button. The “Take Action” panel appears.
  4. From the “Select an Action Category” dropdown, select Insight Agent Actions.
  5. From the “Select an Automation Action to Take” dropdown, select Quarantine Asset.
  6. Select the asset you want to quarantine.
  7. Click the Take Action button.

The event will appear on the Investigation timeline when the process completes.

To remove an asset from quarantine:

  1. From your InsightIDR homepage, select Investigations from the left menu.
  2. Open the investigation with the restricted asset. You will see a timeline of events involving the asset.
  3. From the Investigation timeline, click Undo Quarantine.

You will see a confirmation message about the reversal process and a new event on the Investigation timeline.

When the reverse quarantine is complete, a final event item will appear on the timeline. The user and asset can continue as usual.

Quarantine and unquarantine an asset from the Asset Info page

With the Insight Agent, you can also quarantine and unquarantine an asset directly from the Asset Info page.

  1. Search for the asset in the top search bar of InsightIDR.
  2. On the Asset Info page, use the Quarantined toggle to activate or remove a quarantine.

Quarantine an asset with Cb Response

Before You Begin

Ensure that you configure the appropriate connections for automating workflows.

Isolate an Asset

You can use Cb Response to quarantine an asset and move it into an isolated state. To learn more about how it works, see your Carbon Black documentation: https://www.carbonblack.com/products/cb-response/

To isolate an asset:

  1. From your InsightIDR homepage, select Investigations from the left menu.
  2. Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
  3. Click the Take Action button. The “Take Action” panel appears.
  4. From the “Select an Action Category” dropdown, select Containment Workflows.
  5. From the “Select an Automation Action to Take” dropdown, select Isolate Sensor in Cb Response.
  6. Select the Cb Response connection you want to use and click Continue.
  7. Choose the asset you want to isolate.
  8. Click Take Action.
  9. A Human Decision notification will appear on your timeline. Click Yes to confirm the automated action.

The event will appear on the Investigation timeline when the process completes.

To use the reverse workflow to unisolate an asset:

  1. From your InsightIDR homepage, select Investigations from the left menu.
  2. Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
  3. Click the Take Action button. The “Take Action” panel appears.
  4. From the “Select an Action Category” dropdown, select Containment Workflows.
  5. From the “Select an Automation Action to Take” dropdown, select Unisolate Sensor in Cb Response.
  6. Select the Cb Response connection you want to use and click Continue.
  7. Choose the sensor you want to unisolate.
  8. Click Take Action.
  9. A Human Decision notification will appear on your timeline. Click Yes to confirm the automated action.

You will see a confirmation message about the reversal process and a new event on the Investigation timeline.

When the reverse quarantine is complete, a final event item will appear on the timeline. The user and asset can continue as usual.