Using Quarantine in Carbon Black Cloud

Article ID: 292357

Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

To Quarantine a Device in Carbon Black Cloud

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Windows Sensor: All Supported Versions
  • Carbon Black Cloud MacOS Sensor: All Supported Versions
  • Carbon Black Cloud Linux Sensor: Version 2.13 and Later

Resolution

Devices can be quarantined from the Endpoints page or the Investigate page.

Endpoints Page

  1. Search for the device to be quarantined/unquarantined
  2. Select the checkbox to the left of the device to be quarantined
  3. Select "Take Action"
  4. From the drop-down, choose "Quarantine devices" to quarantine a device or "Unquarantine devices" to take a device out of quarantine
  5. A popup box will appear with the following message:
    Quarantine device
    Are you sure you want to:
      o Quarantine/Unquarantine the x selected devices
      o Quarantine/Unquarantine all x devices matching the search
    Yes or Cancel

  6. Select "Quarantine the x selected devices" to quarantine only the device selected. If "Quarantine all x devices matching the search" is selected, then all devices currently displayed in the Endpoints page will be quarantined.
  7. Select "Yes" to complete the quarantine/unquarantine request
  8. When the device has received the request to quarantine/unquarantine, the device status will update accordingly

Investigate Page

  1. Search for the device to be quarantined/unquarantined
  2. Select the Device tab
  3. Select "Take Action"
  4. From the drop-down, choose "Quarantine devices" to quarantine a device or "Unquarantine devices" to take a device out of quarantine
  5. A popup box will appear with the following message:
    Quarantine Device
    Are you sure you want to quarantine device [device name]
    Request Quarantine or Cancel

  6. Select "Request Quarantine" or "Request Unquarantine" to complete the quarantine/unquarantine request
  7. When the device has received the request to quarantine/unquarantine, the device status will update accordingly


 

Additional Information

For those wishing to automatically quarantine devices, the devices API can be utilized for custom workflows.
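
The automation mentioned above, as an added example that is not part of the original article or vendor code: it builds a quarantine or unquarantine request for the Devices API and refuses oversized device lists, the scripted counterpart of choosing "selected devices" over "all devices matching the search". The endpoint path, body fields and `X-Auth-Token` header are assumed from the public Carbon Black Cloud Devices API reference and should be checked against it; the hostname, org key, token and the five-device cap are constructed placeholders.

```python
import json
import urllib.request

MAX_DEVICES = 5  # assumed safety cap; the console asks for confirmation instead


def build_quarantine_request(hostname, org_key, token, device_ids,
                             quarantine=True, max_devices=MAX_DEVICES):
    """Build (but do not send) a Devices API quarantine/unquarantine request."""
    # De-duplicate and normalise IDs; sent as strings (assumption from the API docs).
    ids = sorted({str(d).strip() for d in device_ids})
    if not ids or not all(i.isdigit() for i in ids):
        raise ValueError("device_ids must be a non-empty list of numeric IDs")
    if len(ids) > max_devices:
        # Refuse to isolate a large set of endpoints without an explicit override.
        raise ValueError(f"{len(ids)} devices exceeds cap of {max_devices}")
    body = {
        "action_type": "QUARANTINE",
        "device_id": ids,
        "options": {"toggle": "ON" if quarantine else "OFF"},
    }
    url = f"https://{hostname}/appservices/v6/orgs/{org_key}/device_actions"
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"X-Auth-Token": token, "Content-Type": "application/json"},
    )


def send(request, timeout=30):
    """Submit the request and return the HTTP status code."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed placeholder values; this dry run sends nothing.
    req = build_quarantine_request(
        "defense.example.invalid", "ORGKEY123", "SECRET/APIID", [1234567])
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Call `send()` only after reviewing the printed request, and confirm the result in the console, since the device status updates once the sensor has received the request.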