topic Re: Automatic Isolation didn't happen with retrospective detection in Endpoint Security

Automatic Isolation didn't happen with retrospective detection

Chris05 — Fri, 14 Jun 2024 15:34:03 GMT

We had an endpoint automatically isolate with a high severity retrospective detection, as per our settings.

A couple days later, the same endpoint had another high severity retrospective detection but there was no attempt by the console to automatically isolate.

In the first instance, the file quarantine failed, in the second, the quarantine was successful; does this distinction account for the change in behaviour? ie, automatic isolation won't be triggered with a retrospective detection that is successfully quarantined?

Thank you,

Re: Automatic Isolation didn't happen with retrospective detection

Ken Stieers — Fri, 14 Jun 2024 16:29:16 GMT

I feel like that's actually intentional.
But strangely enough the help has nothing about the Isolate automated action.

Re: Automatic Isolation didn't happen with retrospective detection

Roman Valenta — Fri, 14 Jun 2024 17:59:44 GMT

I think its based on the same logic as Forensic Snapshot which is also part of Automated Actions. The automated actions will fire up based on the fact if the machine is compromised or not there is few other things in to that but the main part is being compromised.

So if there is event on your endpoint lets say malicious file and that file was successfully quarantined then we did the job right and removed the potential threat, hence the machine is not compromised. But in case quarantine failed where we don't know where the file is or why we failed that machine is consider as compromised and then automated actions should trigger.

Posted this couple years ago that explain the whole process. Hope that helps.

https://www.cisco.com/c/en/us/support/docs/security/secure-endpoint/217463-automated-actions-forensic-snapshot.html

or Video : https://youtu.be/dONLRCnDTGA