Quarantine an Asset
In InsightIDR, you can quarantine an asset to isolate it from all other network connections, except for connections to the Insight Platform and trusted services, such as DNS and DHCP. This allows you to quarantine the asset until you can resolve the investigation. You can quarantine an asset using the Insight Agent or with an out of the box workflow with Cb Response. Quarantining an asset allows the Rapid7 Managed Services team and Insight Platform Administrators to investigate a device from InsightIDR. Rapid7 Support will still be able to pull Insight Agent logs from devices that are in a quarantined state.
- What happens when an asset is quarantined?
- Quarantine an asset with the Insight Agent
- Quarantine an asset with Cb Response
What happens when an asset is quarantined?
When an asset is quarantined all incoming and outgoing traffic is blocked, and a secure connection is established between Rapid7 and the asset so our teams can conduct remote investigations and pull Insight Agent logs from the device while in quarantine. You may see the asset become unreachable from the Asset Details page in InsightIDR for some time before it regains connection to the Platform. This change to an offline status is expected and is part of the quarantine process.
Step 1: Incoming and outgoing traffic is blocked
When an asset is quarantined on a Windows machine, the Insight Agent creates a backup of your firewall configuration, and temporarily provisions firewall rules to block all incoming and outgoing traffic, which removes network access from the asset itself and takes it offline.
The following connections are blocked:
- ICMP (ping)
- All UDP connections except for DNS requests, UDP/53, and DHCP, UDP/67
Step 2: A secure connection between the asset and Rapid7 is established
The Insight Agent creates new firewall rules that allow access to Rapid7 Collectors and the Insight Platform, as well as DNS and DHCP connections in order to maintain communication with the asset in the event of quarantine reversal. It can take up to 30 minutes to gain access to the Insight Platform.
For Linux or Mac assets that are quarantined, the Insight Agent will create the Rapid7 Firewall Chain so that any modification to a firewall rule will force the asset back onto the chain.
Agent firewall rules are not customizable during quarantine
When these firewall rules are in place, any attempt to modify these rules will force the asset back into quarantine in a matter of seconds; therefore, an intruder would not be able to edit or add rules to circumvent the quarantine. Only Rapid7 teams can establish connections and utilise remote remediation tools, and all non approved remediation tools are blocked.
Step 3: The asset is removed from quarantine
Once the asset is unquarantined, the Insight Agent returns the asset’s network configuration to its original state.
Quarantine an asset with the Insight Agent
Before You Begin
Ensure that you configure the appropriate connections for automating workflows and configure your operating systems for Insight Agent quarantine actions.
Quarantine an asset within an investigation
- From your InsightIDR homepage, select Investigations from the left menu.
- Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
- Click the Take Action button. The “Take Action” panel appears.
- From the “Select an Action Category” dropdown, select Insight Agent Actions.
- From the “Select an Automation Action to Take” dropdown, select Quarantine Asset.
- Select the asset you want to quarantine.
- Click the Take Action button.
The event will appear on the Investigation timeline when the process completes.
Remove an asset from quarantine:
- From your InsightIDR homepage, select Investigations from the left menu.
- Open the investigation with the restricted asset. You will see a timeline of events involving the asset.
- From the Investigation timeline, click Undo Quarantine.
You will see a confirmation message about the reversal process and a new event on the Investigation timeline.
When the reverse quarantine is complete, a final event item will appear on the timeline. The user and asset can continue as usual.
Quarantine and unquarantine an asset from the Asset Info page
With the Insight Agent, you can also quarantine and unquarantine an asset directly from the Asset Info page. You must have the required firewall settings configured to quarantine using this method.
- Search for the asset in the top search bar of InsightIDR.
- On the Asset Info page, use the Quarantined toggle to activate or remove a quarantine.
Is the quarantine toggle deactivated?
Once the required firewall settings have been applied, it may take up to 6 hours for the Quarantine toggle on the asset page to become active. During this time, you will be able to quarantine the asset through an investigation instead.
Quarantine an asset with Cb Response
Before you begin
Ensure that you configure the appropriate connections for automating workflows.
Isolate an Asset
You can use Cb Response to quarantine an asset and move it into an isolated state. To learn more about how it works, see your Carbon Black documentation: https://www.carbonblack.com/products/cb-response/
To isolate an asset:
- From your InsightIDR homepage, select Investigations from the left menu.
- Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
- Click the Take Action button. The “Take Action” panel appears.
- From the “Select an Action Category” dropdown, select Containment Workflows.
- From the “Select an Automation Action to Take” dropdown, select Isolate Sensor in Cb Response.
- Select the Cb Response connection you want to use and click Continue.
- Choose the asset you want to isolate.
- Click Take Action.
- A Human Decision notification will appear on your timeline. Click Yes to confirm the automated action.
The event will appear on the Investigation timeline when the process completes.
To use the reverse workflow to unisolate an asset:
- From your InsightIDR homepage, select Investigations from the left menu.
- Open the desired investigation involving a restricted asset. You will see a timeline of events involving the asset.
- Click the Take Action button. The “Take Action” panel appears.
- From the “Select an Action Category” dropdown, select Containment Workflows.
- From the “Select an Automation Action to Take” dropdown, select Unisolate Sensor in Cb Response.
- Select the Cb Response connection you want to use and click Continue.
- Choose the sensor you want to unisolate.
- Click Take Action.
- A Human Decision notification will appear on your timeline. Click Yes to confirm the automated action.
You will see a confirmation message about the reversal process and a new event on the Investigation timeline.
When the reverse quarantine is complete, a final event item will appear on the timeline. The user and asset can continue as usual.