Quarantined Items

The Quarantined Items tab lists the quarantined assets whose source is EDR or VMDR. To quarantine an asset with EDR as the source, see Quarantine an Asset.

Quarantine an Asset with VMDR as Source

If you have a subscription to the Vulnerability Management, Detection and Response (VMDR) application, you can quarantine a host that has vulnerabilities. Perform the following steps to quarantine an asset from the Responses tab of the VMDR application:

  1. Click Actions > New Actions.

    Screenshot: Actions tab under the Response tab in the VMDR application

  2. In the Create New Action window, provide the Action Name and Description.
  3. From the Select Action drop-down, select External Actions.
  4. In the Select Connector Type field, select Asset Quarantine.
  5. Click Save.

    The following screenshot is an example of creating a new action to quarantine an asset from the VMDR application:

    Screenshot: Create New Action window in the VMDR application

    Once the action is created, it is listed under the Actions tab of the VMDR application. The following screenshot is an example of the Quarantine Host Type action:

    Screenshot: New action created and listed under the Actions tab

  6. Go to Rule Manager and click New Rule.

    Screenshot: Rule Manager in the VMDR application

  7. In the Create New Rule window, add the Rule Name, Description, and Rule Severity.
  8. Add a Rule Query that will trigger the alert. In the following screenshot, we have used the threatIntel vulnerability query for an asset ID:

    Screenshot: Rule query in VMDR

  9. In the Trigger Criteria field, select Single Match.

    Currently, Quarantine Asset supports only the Single Match criteria option.

  10. In Action Settings, select the action you created under the Actions tab. In the following screenshot, we have selected the action created in step 5:

    Screenshot: Action settings in VMDR

  11. Click Save.

When the rule triggers an alert in the VMDR application, the asset is quarantined and the action is listed under the Activity Log of the EDR application. From the Quarantined Items tab, you can unquarantine the asset.

About Multiple Rules Support

A quarantined asset can match multiple rules. EDR enforces the first rule that matches and labels the others as 'Audit'.

Screenshot: Activity Log

When you open an 'Audit' rule, a message indicates that the action was successful. This means that the rule matched, but the asset was already in quarantine or a quarantine request was already waiting in the queue.

Screenshot: Quarantine Host Audit

This helps clarify which rules are currently in effect and which are pending. The asset remains in quarantine until all matching rules have been resolved.

UnQuarantine an Asset

This option allows you to restore a quarantined asset to its original location. Perform the following steps to unquarantine an asset:

  1. Click Responses > Quarantined Items.
  2. From the list, select a quarantined asset and, in the Status column, click UnQuarantine Asset.

    Screenshot: Unquarantine asset in the Quarantined Items tab

  3. The UnQuarantine Asset window is displayed. Enter the required comment and click UnQuarantine Asset.

    Screenshot: UnQuarantine Asset window

  4. You can track the progress of the action in the Status column of the Activity Log tab.

Retry Failed Remediation Action

This option allows you to retry the remediation action for failed events.

  1. Select the failed remediation event from the Requested Activity column.
  2. Click Retry. The following screenshot shows a failed Quarantine File action that requires a retry:

    Screenshot: Retry option for a failed Quarantine File action

  3. You are redirected to the Events page under the Hunting tab. From the Remediation Action column, select the required remediation option. The following screenshot is an example of the redirect to the Events page:

    Screenshot: Redirect to the Events page after clicking Retry