Quarantined Items

Quarantined Items lists the quarantined assets whose source is EDR or VMDR. To quarantine an asset with EDR as the source, see Quarantine an Asset. This section covers the following:

Quarantine an Asset with VMDR as Source

If you have a subscription for the Vulnerability Management and Detection and Response (VMDR) application, you can quarantine a host that has vulnerabilities. Perform the following steps to quarantine an asset from the Responses tab of the VMDR application:

  1. Click Actions > New Actions.

    Actions tab under Response tab in VMDR application

  2. In the Create New Action window, provide the Action Name and Description.
  3. From the Select Action drop-down, select External Actions.
  4. From the Select Connector Type, select Asset Quarantine.
  5. Click Save.

    The following screenshot is an example of creating a new action to quarantine an asset from the VMDR application:

    Create New Action window from the VMDR application

    Once the action is created, it is listed under the Actions tab of the VMDR application. The following screenshot is an example of the Quarantine Host Type action:

    New action created and listed under Actions tab

  6. Go to Rule Manager and click New Rule.

    Rule Manager in VMDR application

  7. In the Create New Rule window, add the Rule Name, Description, and Rule Severity.
  8. Add a Rule Query that will trigger the alert. In the following screenshot, we have used the threatIntel vulnerability query for an asset ID:

    rule query in vmdr

  9. In the Trigger Criteria field, select Single Match.

    Currently, Quarantine Asset supports only the Single Match criteria option.

  10. In Action Settings, select the Action you created from the Actions tab. In the following screenshot, we have selected the Action that we created in step 5:

    action settings in vmdr

  11. Click Save.

When an alert is triggered from the VMDR application, the asset is quarantined and is listed under the Activity Log of the EDR application. From the Quarantined Items tab, you can unquarantine an asset.

UnQuarantine an Asset

This option allows you to restore the quarantined asset to its original location. Perform the following steps to unquarantine an asset:

  1. Click Responses > Quarantined Items.
  2. From the list, select a quarantined asset and, in the Status column, click UnQuarantine Asset.

    Unquarantine asset in the Quarantined Items tab.

  3. The UnQuarantine Asset window is displayed. Enter the required comment and click Unquarantine Asset.

    unquarantined asset window

  4. You can track the progress of the action in the Status column of the Activity Log tab.

Retry Failed Remediation Action

This option allows you to retry the remediation action for failed events.

  1. Select the failed remediation event from the Requested Activity column.
  2. Click Retry. The following screenshot shows a failed Quarantine File action that requires a retry:

    Retry option for Failed Quarantine

  3. You are redirected to the Events page under the Hunting tab. From the Remediation Action column, select the required remediation option. The following screenshot is an example of the redirect to the Events page:

    Redirect of the Retry