Description
We want to be able to disconnect/isolate hosts running the Endpoint integration from the network so that adversaries cannot move laterally and infect other hosts/systems. An isolated host can only communicate with Kibana/Elasticsearch until it is released.
License
Platinum
Acceptance Test Criteria
- Users must have superuser permissions to isolate a host (it is built on Fleet actions, which currently require superuser)
- An admin user can send an action to the Endpoint to isolate the host from the alert (generated by the Endpoint)
- An admin user can send an action to the Endpoint to un-isolate the host from the alert (a host can only be released when it is already isolated)
- When an action is started through an alert, it is logged in every Case the alert is associated with
- An admin user can see the isolation status on the alert (successful/isolated)
User Flow
The user can initiate the Isolate Host action 1. from the alert details, including an alert opened from a Case; or 2. from the endpoint details. The alert details/Case flow is shown below.
The user can add a comment when submitting the action.
The user gets feedback that the action has been submitted. Note: this does not yet mean the isolation succeeded; it means the isolation action was successfully submitted to the Endpoint.
An "Isolation" status appears next to the Agent status in the endpoint list. Isolation status also shows on the alert details. Isolation status does not yet show in the Fleet/Agent list.
The Activity log (in the Endpoint details) shows the Endpoint action history.
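As an added example, not Kibana's or the Endpoint's own code, the following Python models the acceptance criteria and user flow above as a small state machine: only a superuser may submit an action, a release is rejected unless the host is already isolated, a submission is recorded in every associated Case, and "submitted" stays distinct from "isolated" until the Endpoint acknowledges the action. Every name in it (User, Endpoint, Case, IsolationStatus, submit_host_action, acknowledge) and the status values are hypothetical and chosen for illustration only.

```python
"""Hypothetical model of the host-isolation rules stated in this issue.

Added example, not Kibana/Endpoint code. All names below are made up.
"""
from dataclasses import dataclass, field
from enum import Enum


class IsolationStatus(Enum):
    NOT_ISOLATED = "not_isolated"
    ISOLATION_PENDING = "isolation_pending"   # action submitted, not yet confirmed
    ISOLATED = "isolated"
    RELEASE_PENDING = "release_pending"


@dataclass
class User:
    name: str
    superuser: bool = False


@dataclass
class Case:
    case_id: str
    comments: list = field(default_factory=list)


@dataclass
class Endpoint:
    host_id: str
    status: IsolationStatus = IsolationStatus.NOT_ISOLATED
    activity_log: list = field(default_factory=list)


def submit_host_action(user, endpoint, action, cases=(), comment=""):
    """Queue an 'isolate' or 'unisolate' action and return the submission
    record. The host is NOT isolated/released until acknowledge() runs."""
    if not user.superuser:
        raise PermissionError(f"{user.name} is not a superuser; fleet actions require superuser")
    if action == "isolate":
        endpoint.status = IsolationStatus.ISOLATION_PENDING
    elif action == "unisolate":
        # Release is only valid for a host that is already isolated.
        if endpoint.status is not IsolationStatus.ISOLATED:
            raise ValueError(f"{endpoint.host_id}: release requested but host is "
                             f"{endpoint.status.value}, not isolated")
        endpoint.status = IsolationStatus.RELEASE_PENDING
    else:
        raise ValueError(f"unknown action {action!r}")
    record = {"host": endpoint.host_id, "action": action, "by": user.name,
              "comment": comment, "state": "submitted"}
    endpoint.activity_log.append(record)          # Endpoint action history
    for case in cases:                            # logged in every associated Case
        case.comments.append(record)
    return record


def acknowledge(endpoint, action, succeeded):
    """Apply the Endpoint's response to the pending action; returns the new status."""
    pending = {"isolate": IsolationStatus.ISOLATION_PENDING,
               "unisolate": IsolationStatus.RELEASE_PENDING}[action]
    if endpoint.status is not pending:
        raise ValueError(f"no pending {action} on {endpoint.host_id}")
    if succeeded:
        endpoint.status = (IsolationStatus.ISOLATED if action == "isolate"
                           else IsolationStatus.NOT_ISOLATED)
    else:
        # Failed action: the host stays in the state it had before submission.
        endpoint.status = (IsolationStatus.NOT_ISOLATED if action == "isolate"
                           else IsolationStatus.ISOLATED)
    endpoint.activity_log.append({"host": endpoint.host_id, "action": action,
                                  "state": "completed" if succeeded else "failed"})
    return endpoint.status


def demo():
    """Constructed walk-through of the user flow; returns the observable results."""
    admin = User("admin", superuser=True)
    analyst = User("analyst")                     # no superuser role
    host = Endpoint("host-01")
    cases = [Case("case-1"), Case("case-2")]      # the alert belongs to two Cases
    try:
        submit_host_action(analyst, host, "isolate")
    except PermissionError:
        pass                                      # non-superuser is rejected
    try:
        submit_host_action(admin, host, "unisolate")
    except ValueError:
        pass                                      # cannot release a host that is not isolated
    submit_host_action(admin, host, "isolate", cases, "suspected lateral movement")
    status_after_submit = host.status             # pending, not yet isolated
    acknowledge(host, "isolate", succeeded=True)
    return (status_after_submit, host.status,
            [len(c.comments) for c in cases], len(host.activity_log))


if __name__ == "__main__":
    print(demo())
```

The distinction between the pending and isolated states is the one that matters operationally: an analyst who treats "submitted" as "isolated" may stop watching a host that is still on the network because the Endpoint was offline or the action failed.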
Notes
Additional questions are being tracked in this Google doc.