
Endpoint: Isolating Hosts from Network

Document created by RSA Information Design and Development Employee on Jan 31, 2020. Last modified by RSA Information Design and Development Employee on Sep 10, 2020.
Version 18

Note: By default, the network isolation option is disabled in the policy, and the options described in this section are not visible. To enable network isolation, in the policy configuration, select Enabled for the Network Isolation option under Response Action Settings. For more information, see the NetWitness Endpoint Configuration Guide.

To isolate a host from the network:

  1. Go to Hosts and do one of the following:

    • Select a host and select Network Isolation > Isolate from Network from the right-click context menu, or from the More drop-down list in the toolbar.

    • Select the hostname to open the host details, click the More icon beside the hostname, and select Network Isolation > Isolate from Network.

  2. In the Isolate from Network dialog, a set of IP addresses is excluded from isolation by default. For more information, see Network Isolation. To add IP addresses to the list, select the Add your IPs to Exclusion List checkbox. You can enter up to 100 IP addresses, separated by commas.

  3. Enter comments.

  4. Click Isolate Host.
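
A pre-check for the comma-separated exclusion list entered in step 2, added here as an example (it is not RSA code and does not call any NetWitness API). It assumes the dialog takes individual IPv4 or IPv6 addresses; the function name and the sanity checks are hypothetical, and only the limit of 100 comes from this page.

```python
import ipaddress

MAX_EXCLUSIONS = 100  # limit stated for the Isolate from Network dialog


def prepare_exclusion_list(raw, limit=MAX_EXCLUSIONS):
    """Return (addresses, problems) for a comma-separated exclusion list.

    addresses: de-duplicated, normalized IP strings in input order.
    problems:  findings to resolve before isolating the host.
    """
    addresses, problems, seen = [], [], set()
    for entry in (e.strip() for e in raw.replace("\n", ",").split(",")):
        if not entry:
            continue  # tolerate trailing commas and blank lines
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            # Hostnames, CIDR ranges and typos land here (assumption: the
            # dialog expects individual addresses, as the page words it).
            problems.append(f"not a single IP address: {entry!r}")
            continue
        if ip in seen:
            problems.append(f"duplicate: {ip}")
            continue
        seen.add(ip)
        # Hypothetical sanity check: these never identify a remote system
        # that an isolated host would need to keep reaching.
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            problems.append(f"unlikely to be an intended exclusion: {ip}")
            continue
        addresses.append(str(ip))
    if len(addresses) > limit:
        problems.append(f"{len(addresses)} addresses exceed the limit of {limit}")
    return addresses, problems


if __name__ == "__main__":
    # Constructed sample input (documentation-range addresses, not real hosts).
    sample = "192.0.2.10, 192.0.2.10,198.51.100.7, 10.0.0.0/8, 0.0.0.0, 2001:db8::5,"
    ips, issues = prepare_exclusion_list(sample)
    print(",".join(ips))  # value to paste into the dialog
    for issue in issues:
        print("CHECK:", issue)
```

Every excluded address stays reachable from the isolated host, so resolve each reported finding and keep the list as short as the investigation allows.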

Edit Exclusion List

To edit the exclusion list:

  1. Go to Hosts and do one of the following:

    • Select a host and select Network Isolation > Edit Exclusion List from the right-click context menu, or from the More drop-down list in the toolbar.

    • Select the hostname to open the host details, click the More icon beside the hostname, and select Network Isolation > Edit Exclusion List.

  2. Add or modify the IP addresses in the list.

  3. Enter comments and click Save.

Release Isolated Hosts

Releasing the isolated host restores the network connection and removes IP addresses added to the Exclusion list. To release the host from isolation:

  1. Go to Hosts and do one of the following:

    • Select a host and select Network Isolation > Release from Isolation from the right-click context menu, or from the More drop-down list in the toolbar.

    • Select the hostname to open the host details, click the More icon beside the hostname, and select Network Isolation > Release from Isolation.

  2. Enter comments and click Release Host.
