Asset Isolation
Asset Isolation enables you to completely isolate an asset from all network communication except its connection to the XDR Forensics Console. This allows your investigation to proceed with full XDR Forensics capabilities while preventing threat actors from accessing the asset or external parties from interfering with the investigation.
Why Use Asset Isolation?
When you suspect an asset has been compromised, you face a dilemma:
- Leave it connected → Risk the threat actor maintaining access, exfiltrating data, or destroying evidence
- Disconnect it completely → Lose the ability to perform remote forensic collection
Asset Isolation solves this by cutting off the threat actor while preserving your investigative access. The asset remains fully manageable through XDR Forensics, enabling you to collect evidence, run queries, and interact with the system—all while the asset is protected from external interference.
How It Works
When you isolate an asset:
- All existing network connections are terminated — Any active connections to other systems are immediately dropped
- New network connections are blocked — The asset cannot establish connections to any external system
- XDR Forensics Console communication is preserved — The Responder maintains its connection to the Console
- Full XDR Forensics capabilities remain available — Acquisition, Hunt/Triage, interACT, and Time-lining all continue to function
Technical Implementation
This feature uses a kernel-mode driver to perform the isolation. The driver operates independently of Windows Firewall, so isolation holds regardless of the firewall's configuration or state.
What Remains Available
During isolation, all XDR Forensics capabilities continue to function:
| Action | Status | Purpose |
|---|---|---|
| Acquisition | ✅ Available | Collect forensic evidence |
| Hunt/Triage | ✅ Available | Search for indicators of compromise |
| interACT | ✅ Available | Live interaction with the asset |
| Time-lining | ✅ Available | Build activity timelines |
| Scheduled Tasks | ✅ Available | Automated task execution continues |
| External Network Access | ❌ Blocked | Threat actor access denied |
Isolation Policy Controls
Isolation behavior can be further tuned in Policies:
- Isolation IP/Port and Process Allow Lists can be used for explicitly allowed communication during isolation.
- Exception handling is applied bidirectionally (inbound and outbound) for supported platforms.
- DNS and DHCP behavior during isolation can be configured in policy when your operational model requires these services to remain available.
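The following is an added illustration of the decision model described under "How It Works" and "Isolation Policy Controls"; it is constructed for this page and is not the product's driver or policy code. It assumes the Process Allow List matches on image name and that allow-list exceptions apply to both directions; all addresses are placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the isolation rules described on this page (not the product's
# driver or policy code). Endpoint values below are placeholders, not real Console addresses.

@dataclass
class IsolationPolicy:
    console_endpoints: set                              # {(ip, port)} used by the Responder
    allow_ip_port: list = field(default_factory=list)   # [(cidr, port_or_None)] IP/Port Allow List
    allow_processes: set = field(default_factory=set)   # Process Allow List (image names, assumed)
    allow_dns: bool = False                             # policy option: keep DNS (port 53) reachable
    allow_dhcp: bool = False                            # policy option: keep DHCP (udp 67/68) reachable

@dataclass
class Flow:
    direction: str      # "outbound" or "inbound"
    process: str        # local process that owns the socket
    peer_ip: str        # remote address
    service_port: int   # remote port for outbound, local listening port for inbound
    protocol: str = "tcp"

def evaluate(policy: IsolationPolicy, flow: Flow) -> tuple[str, str]:
    """Decide one connection while the asset is isolated; returns (verdict, reason)."""
    if (flow.peer_ip, flow.service_port) in policy.console_endpoints:
        return "allow", "console communication is preserved"
    if flow.process.lower() in policy.allow_processes:
        return "allow", "process allow list"
    for cidr, port in policy.allow_ip_port:        # exceptions apply inbound and outbound
        if ip_address(flow.peer_ip) in ip_network(cidr) and port in (None, flow.service_port):
            return "allow", f"ip/port allow list ({cidr}:{port or 'any'})"
    if policy.allow_dns and flow.service_port == 53:
        return "allow", "dns permitted by policy"
    if policy.allow_dhcp and flow.protocol == "udp" and flow.service_port in (67, 68):
        return "allow", "dhcp permitted by policy"
    return "block", f"isolated: {flow.direction} {flow.peer_ip}:{flow.service_port} denied"

def isolate(policy: IsolationPolicy, active: list[Flow]) -> tuple[list[Flow], list[Flow]]:
    """Model the moment of isolation: existing flows not covered by an exception are dropped."""
    kept = [f for f in active if evaluate(policy, f)[0] == "allow"]
    dropped = [f for f in active if f not in kept]
    return kept, dropped

# Constructed policy and connection table for a walkthrough.
POLICY = IsolationPolicy(
    console_endpoints={("203.0.113.10", 443)},   # placeholder Console address (TEST-NET-3)
    allow_ip_port=[("10.0.5.0/24", 445)],        # e.g. an evidence share, SMB only
    allow_processes={"backupagent.exe"},
)
ACTIVE = [
    Flow("outbound", "responder.exe", "203.0.113.10", 443),
    Flow("outbound", "powershell.exe", "198.51.100.7", 8443),   # suspicious external session
    Flow("inbound", "svchost.exe", "10.0.5.20", 445),
    Flow("outbound", "svchost.exe", "10.0.0.53", 53, "udp"),    # DNS, blocked unless allow_dns
]
if __name__ == "__main__":
    kept, dropped = isolate(POLICY, ACTIVE)
    print("kept:", [(f.process, f.peer_ip) for f in kept])
    print("dropped:", [(f.process, f.peer_ip) for f in dropped])
```

Running it shows the Console session and the allow-listed SMB flow surviving while the external session and the DNS query are dropped; flipping `allow_dns=True` keeps the DNS flow.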
Use Cases
Incident Response Containment
When you identify a potentially compromised asset, immediately isolate it to prevent:
- Threat actors from maintaining command and control access
- Data exfiltration to external servers
- Lateral movement to other assets on the network
- Remote destruction of evidence
Active Investigation
Isolation allows you to investigate a live system without interference. The threat actor cannot detect your investigation activities or take countermeasures while the asset is isolated.
Evidence Preservation
By isolating the asset, you ensure that evidence remains intact during collection. No external process can modify, encrypt, or delete files while you’re acquiring them.
Isolating and Un-isolating Assets
To Isolate an Asset
- Navigate to the asset in the XDR Forensics Console
- Open the More Actions menu
- Select Isolate Asset
The asset will immediately be isolated from all network communication except the XDR Forensics Console.
To Un-isolate an Asset
- Navigate to the isolated asset’s Asset Details page
- Select Un-isolate Asset
Network connectivity will be restored and the asset can resume normal operations.
Comparison with Maintenance Mode
Both features control asset behaviour, but serve different purposes:
| Feature | Asset Isolation | Maintenance Mode |
|---|---|---|
| Primary Purpose | Network containment | Prevent task creation |
| Network Access | ❌ Blocked (except Console) | ✅ Normal |
| Task Creation | ✅ Allowed | ❌ Blocked |
| Acquisition | ✅ Available | ❌ Blocked |
| Hunt/Triage | ✅ Available | ❌ Blocked |
| interACT | ✅ Available | ✅ Available |