Host isolation

Host isolation allows you to isolate hosts from your network, blocking communication with other hosts on your network until the host is released. Isolating a host is useful for responding to malicious activity or preventing potential attacks, as it prevents lateral movement across other hosts.

Isolated hosts, however, can still send data to Elasticsearch and Kibana. You can also create host isolation exceptions for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network.

For Elastic Stack version >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions:

  • CentOS/RHEL 8
  • Ubuntu 18.04
  • Ubuntu 20.04
  • AWS Linux 2

To isolate and release hosts in any operating system, you must have the built-in superuser role. For more information, see Built-in users.

[Image: shows a host that’s been isolated]

You can isolate a host from an alert attached to a case or from the Endpoints list. Once a host is successfully isolated, an Isolated status displays next to the Agent status field, which you can view on the alert details flyout or Endpoints list table.

If the request fails, verify that the agent and your endpoint are both online before trying again.

All actions executed on a host are tracked in the host’s activity log, which you can access from the Endpoints page. See View host isolation details for more information.

Isolate a host

To isolate a host from a case alert:

  1. Go to Investigate → Cases, then select the appropriate case to view the case activity. Ensure you are viewing a case with at least one alert attached to it.
  2. Find the appropriate alert, then click the Show alert details button (>). The alert details flyout opens.
  3. Click Take action → Isolate host.
  4. Enter a comment describing why you’re isolating the host (optional).
  5. Click Confirm.

To isolate a host from an endpoint:

  1. Go to Manage → Endpoints, then select the appropriate endpoint in the Endpoint column. The endpoint details flyout opens.
  2. Click Take action → Isolate host.
  3. Enter a comment describing why you’re isolating the host (optional).
  4. Click Confirm.

After the host is successfully isolated, an Isolated status is added next to Agent Status.

You can also isolate a host from the Endpoints list by clicking the Actions icon (…) for the appropriate endpoint, then selecting Isolate host.

Release a host

To release a host from a case alert:

  1. Go to Investigate → Cases, then click the appropriate case to view its activity and details.
  2. Find the appropriate alert, then click the Show alert details button (>). The alert details flyout opens.
  3. From the alert details flyout, click Take action → Release host.

To release a host from an endpoint:

  1. Go to Manage → Endpoints, then select the appropriate host name in the Endpoint column. The endpoint details flyout opens.
  2. Click Take action → Release host.

After the host is successfully released, the Isolated status is removed from the Agent Status.

You can also release a host from the Endpoints list by clicking the Actions icon (…) for the appropriate endpoint and selecting Release host.

View host isolation details

The host activity log tracks all actions performed on the host, including comments added, who made the host isolation request and when, and when the host received the request to isolate.

To view the host’s isolation details:

  1. Go to Manage → Endpoints, then select the appropriate host name in the Endpoint column. The endpoint details flyout opens.
  2. Click Activity Log to view the endpoint’s activity history.
  3. Use the date and time picker to view endpoint activity within a specific date and time range.

[Image: shows the activity log of an isolated host]