Network isolation is a vital containment step during incident response. It blocks all network communication for a device to stop threats from spreading (lateral movement) and prevents data theft.
When an endpoint is isolated, its network access is restricted to the Endpoint Detection and Response (EDR) / Endpoint Protection Platform (EPP) and any specifically excluded network destinations. Isolation requests can be issued even to offline devices; the request is queued and automatically executed the next time the endpoint connects to the EDR / EPP server.
Automated Endpoint Isolation
Red Canary Automation allows you to create triggers and playbooks that isolate endpoints automatically. This approach delivers an immediate and consistent response: it contains known threats based on predefined conditions, such as a high-severity alert or a confirmed threat, without requiring any manual intervention.
When you’re configuring an isolation playbook in the Red Canary portal, there are two response actions available:
Isolate the Endpoint (Full): This action executes a complete network isolation and is available for all Red Canary-supported EDRs.
Isolate the Endpoint (Selective): This action is only available for Microsoft Defender for Endpoint (MDE). It respects any actively configured Isolation Exclusion Rules within your MDE tenant, but will default to a full isolation if no exclusion rules are present.
You can use both the full and selective isolation actions within pre-built playbooks, or you can run a playbook on-demand, with comprehensive tracking provided through activity timelines, audit logs, and playbook history.
Adding an Isolate Endpoint Action to a Playbook
Navigate to Automations in the Red Canary portal.
Open or create a new Playbook, then click Add Action.

Under Cross-Platform Endpoint Containment & Response, select either Isolate the Endpoint (Selective) or Isolate the Endpoint (Full).

Check the I acknowledge… box.

[OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This will apply to both manual and automatically triggered executions.

Click Save.
The action will execute automatically when a connected trigger runs the playbook or when you click Run on the Playbook settings page.
Manual Endpoint Isolation
Manual isolation uses the same underlying automation as automated isolation, but the trigger is user-initiated rather than based on predefined conditions. It is typically used to immediately contain an endpoint that does not meet the conditions of any automated trigger.
You must have the Responder role to isolate endpoints manually.
Isolating a Specific Endpoint
Locate the endpoint by viewing it (using ⌘-K or by filtering under Endpoints).
Select the endpoint(s), then click Isolation > Isolate.

Read and acknowledge the resulting prompt.
Isolating an Endpoint Referenced by a Threat
Navigate to a Threat affecting an endpoint in your Red Canary portal.
Click the Actions dropdown next to the endpoint.
Select Isolate Endpoint (Selective) (only available for Microsoft Defender for Endpoint) or Isolate Endpoint (Full) to be run on-demand.

Confirm the action and review results in the activity timeline.
Removing an Isolation
Once a threat is mitigated, isolation can be removed to restore normal network function.
Locate the endpoint by viewing it (using ⌘-K or by filtering under Endpoints).
Click Isolate > Remove Isolation.

Normal network operation will resume after the endpoint successfully checks in with the server.
Handling Offline Endpoints
You can request to isolate or remove isolation from an endpoint even if it is offline. The request is queued and will execute automatically as soon as the endpoint comes back online and connects to the EDR/EPP server. Automated network isolation is the typical use case for this queuing functionality.
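The following is an added illustrative model of the request lifecycle this page describes (selective-to-full fallback, the optional approval gate, and queuing for offline endpoints); it is not Red Canary's code or API, and the Endpoint fields, the "mde" label and the action/result strings are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
FULL, SELECTIVE = "full", "selective"   # the two playbook isolation actions

@dataclass
class Endpoint:
    edr: str                                       # "mde" = Microsoft Defender for Endpoint (label assumed)
    online: bool
    exclusion_rules: List[str] = field(default_factory=list)   # MDE Isolation Exclusion Rules in the tenant
    isolation: Optional[str] = None                # effective mode once applied; None = not isolated
    queued: List[Tuple[str, Optional[str]]] = field(default_factory=list)   # waiting for next check-in
    awaiting_approval: List[Tuple[str, Optional[str]]] = field(default_factory=list)

def resolve_mode(ep: Endpoint, mode: str) -> str:
    """Selective isolation exists only for MDE and degrades to full when no exclusion rules exist."""
    if mode == SELECTIVE:
        if ep.edr != "mde":
            raise ValueError("Selective isolation is only available for Microsoft Defender for Endpoint")
        if not ep.exclusion_rules:
            return FULL
    return mode

def request(ep: Endpoint, action: str, mode: Optional[str] = None, require_approval: bool = False) -> str:
    """Submit 'isolate' (with a mode) or 'release'; approval gating happens before anything executes."""
    effective = resolve_mode(ep, mode) if action == "isolate" else None
    if require_approval:
        ep.awaiting_approval.append((action, effective))
        return "awaiting approval"
    return _submit(ep, action, effective)

def approve(ep: Endpoint) -> str:
    action, effective = ep.awaiting_approval.pop(0)   # approver signs off on the oldest pending action
    return _submit(ep, action, effective)

def check_in(ep: Endpoint) -> List[str]:
    """The endpoint reconnects to the EDR/EPP server: queued requests execute automatically, in order."""
    ep.online = True
    results = [_apply(ep, a, m) for a, m in ep.queued]
    ep.queued.clear()
    return results

def _submit(ep: Endpoint, action: str, effective: Optional[str]) -> str:
    if not ep.online:                              # offline: queue until the next check-in
        ep.queued.append((action, effective))
        return "queued"
    return _apply(ep, action, effective)

def _apply(ep: Endpoint, action: str, mode: Optional[str]) -> str:
    ep.isolation = mode if action == "isolate" else None   # release restores normal networking
    return f"isolated ({mode})" if ep.isolation else "released"
```

Calling `request(ep, "isolate", SELECTIVE)` on an offline MDE endpoint with no exclusion rules returns "queued", and the later `check_in(ep)` applies a full isolation.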