Overview
With Blumira Agent's host isolation capabilities, you can respond to threats with both manual and automated interventions. In-app settings control the level of automatic response for your organization: they tell the agent when auto-isolation is allowed and which devices are in scope. You can pause, resume, and adjust the automation settings at any time.
Required: Blumira Agent must be enabled on your account and running on a supported device to use host isolation. Detection rules that support automated host isolation (AHI) must also be enabled in the app.
Managing automated host isolation settings
Account-level settings
Automated host isolation is disabled by default. Administrators can enable it from the control bar at the top of the screen.
To enable AHI for your account:
- In the Automated Host Isolation control bar at the top of the screen, click Settings.
- Click the check boxes next to the Threat and Suspect priority levels that you want to include in automated isolation.
- Click Save Changes.
- In the AHI control bar, click Start.
- The control bar displays "Automated host isolation is running" with the option to pause.
To disable AHI for your account:
- In the AHI control bar at the top of the screen, click Pause.
- In the confirmation window, click Disable Automated Host Isolation.
- The control bar displays "Automated host isolation is disabled" with the option to start.
Device-level settings
Automated host isolation includes all endpoints that are running Blumira Agent unless you change the device-level settings to exclude specific devices.
Recommended: Disable AHI on any agent devices that are business-critical and must never be automatically forced into isolation, such as domain controllers and critical servers.
To exclude a device from automated isolation:
- Navigate to Blumira Agent > Devices.
- Click the row of the device then click View device details.
- Under Automated Host Isolation, click the check box next to Exclude this device from automated host isolation.
Manually changing isolation status
You do not need to wait for a finding to be generated whenever you need to isolate a host. Manual isolation is always available from the Device details window (Blumira Agent > Devices > View device details).
Any account user with app access (Administrator, Manager, Responder) has the permissions needed to remove a host from isolation. Removing a host from isolation is always a manual action, so that your team has investigated and mitigated the threat before network access is restored to the device.
Reference: See Managing your Blumira Agent devices for more information.
To update the isolation status of an agent device:
- Navigate to Blumira Agent > Devices.
- Click the row of the device whose isolation status you want to change, then click Device details.
- Verify that the host is online.
Note: Devices that are offline cannot be removed from isolation until they are back online.
- In the Device details window, under Host isolation, click the check box next to the appropriate status.
- Click Save changes.
Where to view host isolation statuses
| Where | What you can see |
|---|---|
| Notifications | When Blumira Agent automatically isolates a host, Blumira immediately sends isolation notifications to all account users who have opted in to receive notifications for that type of finding. A notification is sent for every host, even when several devices relate to the same Blumira finding. Important: Automated isolation notifications follow the same user settings as the finding that the isolation relates to. An isolation event can occur without a notification if notifications for that finding are disabled. |
| Universal control bar | A summary of current isolations appears at the top of every screen in the app, with direct access to your AHI settings. Click Refresh for the most accurate count. |
| Blumira Agent Devices table | On the Blumira Agent Devices table, you can view the status of each endpoint in the Host Isolation column and the date and time of the last isolation change in the Last Modified column. |
| Device details window | You can view and update the isolation status in the Blumira Agent Device details window, under Host Isolation. In the Activity log tab, you can view a history of the isolations that have occurred, with timestamps and links to the findings that triggered automated isolation. |
Which findings will trigger isolation?
Because putting a device into isolation cuts it off entirely from your network, which can be disruptive to the device owner, we have carefully chosen which detection rules can trigger AHI. Only the most relevant and serious threat detections, those with low false-positive rates, can automatically trigger isolation.
Blumira Agent can automatically isolate its host when that device is identified as the log source, that is, the threat source, in any of our real-time Windows detections. Blumira Agent does not auto-isolate a device that is identified as the target or destination device in a finding.
Example: Blumira Agent does not auto-isolate if the detection in question would typically have the domain controller (DC) generating the logs. We recommend disabling AHI on DCs and other business-critical servers.
Findings include the source and target details, when known or applicable, in the Analysis section. Review the analysis if you expected isolation to occur but are unsure whether the host was the log source.
Viewing the detection rules that support AHI
In Detection Rules, you can view the list of rules available in your account that include the ability for Blumira Agent to automatically isolate its host.
To see which rules in your account support AHI:
- In Blumira, navigate to Settings > Detection Rules.
- In the Search preset box, select Support automated host isolation.
- The table shows the filtered list of rules.
- (Optional) If an AHI-supported rule is disabled and you want to enable it, click the slider at the start of the rule's row to turn it on.
Note: If a rule is disabled, it cannot trigger a finding or an isolation response.
- (Optional) Click a rule name to open the rule details window and see "Supported" next to Automated host isolation.