AQUILA - Elastic Defend Host Isolation Exception

Overview

Elastic Defend Host Isolation Exception allows isolated endpoints to maintain connectivity to specific IP addresses while remaining isolated from the rest of the network. This feature is useful when you need to isolate potentially compromised hosts for security purposes while still allowing them to communicate with specific trusted resources.

Prerequisites

  • Administrator permissions
  • Access to the Control Panel section

Step-by-Step Guide

1. Navigate to Endpoint Management

  1. From the AQUILA main dashboard, locate the left sidebar menu
  2. Under the DOMAINS section, click on Cyber Monitoring
  3. Select Endpoint Detection and Response (EDR)
  4. Click on Control Panel

This will open the endpoint management interface.

2. Access the Manage Endpoints Section

  1. In the Control Panel, click on Manage Endpoints from the Policy Settings menu.

  2. You'll see a table displaying all registered endpoints with the following information:
    • Operating System
    • Status (healthy, unhealthy, offline, isolated)
    • Date Added
    • Available Actions

3. Isolate an Endpoint

If you need to isolate an endpoint first:

  1. Locate the target endpoint in the list
  2. Click the Isolate Host button in the Action column
  3. In the "Isolate Endpoint" dialog box:

  4. Click the Confirm button to proceed
  5. The endpoint status will change to Isolated

Note: Once isolated, the endpoint will be disconnected from the network and unable to access external resources except those specified in the Host Isolation Exception list.

4. Verify Isolation Status

After isolation, you can verify the endpoint's network status:

  1. Open Command Prompt on the isolated endpoint
  2. Test connectivity by pinging a public IP address:
  3. You should see General failure messages, confirming the host is isolated
  4. The ping statistics should show 100% loss

5. Configure Host Isolation Exception

To allow isolated endpoints to connect to specific IP addresses:

In the Control Panel left sidebar, under Event Filters, click on Host Isolation Exception

  1. Click the + Add Host Isolation Exception button (top right, blue button)
  2. In the "Add Host Isolation Exception" dialog box, fill in the following fields: 

    Enter IP Address:
    • Enter the IPv4 address you want to whitelist
    • You can only enter one IP address per exception
  3. Click the Add Host Isolation Exception button to save

6. Verify the Exception is Active

  1. Return to the Host Isolation Exception page
  2. Verify your newly created exception appears in the list

7. Test the Exception


To confirm the exception is working:

  1. Return to the isolated endpoint
  2. Open Command Prompt
  3. Test connectivity to the whitelisted IP address:

  4. You should now see successful replies:
    • Reply from 8.8.8.8: bytes=32 time=18ms TTL=117
  5. Ping statistics should show 0% loss with round trip times

This confirms that the isolated endpoint can now communicate with the specified IP address.
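
The manual ping checks in steps 4 and 7 can be run together from PowerShell on the isolated endpoint. The script below is an added example, not part of AQUILA or Elastic tooling; 8.8.8.8 is the excepted address from the sample reply above and 1.1.1.1 is a constructed control address with no exception, both assumptions to replace with your own values.

```powershell
# Added example: checks the two outcomes the guide verifies by hand with ping.
# Default addresses are assumptions; replace them with your own.
param(
    # IPs that have a Host Isolation Exception (should stay reachable)
    [string[]]$ExceptedIPs = @('8.8.8.8'),
    # IPs with no exception (should be blocked while the host is isolated)
    [string[]]$ControlIPs  = @('1.1.1.1')
)

function Test-IsolationTarget {
    param([string]$Address, [bool]$ExpectReachable)
    # -Quiet returns $true if an echo reply is received, $false otherwise
    $reachable = Test-Connection -ComputerName $Address -Count 4 -Quiet
    [pscustomobject]@{
        Address  = $Address
        Expected = if ($ExpectReachable) { 'reachable' } else { 'blocked' }
        Observed = if ($reachable) { 'reachable' } else { 'blocked' }
        Pass     = ($reachable -eq $ExpectReachable)
    }
}

$results = @()
foreach ($ip in $ExceptedIPs) {
    $results += Test-IsolationTarget -Address $ip -ExpectReachable $true
}
foreach ($ip in $ControlIPs) {
    $results += Test-IsolationTarget -Address $ip -ExpectReachable $false
}

$results | Format-Table -AutoSize

# Fail if an excepted IP is unreachable or a control IP still answers
if ($results.Pass -contains $false) {
    Write-Warning 'Isolation or exception state does not match what was configured.'
    exit 1
}
Write-Output 'Isolation is enforced and all exceptions are reachable.'
```

Like the ping test, this checks ICMP only. A control address that still answers means the host is not fully isolated or has an exception you did not intend.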

8. Unisolate an Endpoint

When you need to restore full network connectivity:

  1. Navigate back to Manage Endpoints
  2. Locate the isolated endpoint (Status: Isolated)

  3. Click the Unisolate Host button
  4. In the "Unisolate Endpoint" dialog box:
    • Click Confirm.
    • After that, it will load while releasing.
  5. After refreshing, the endpoint action changes back to Isolate Host, which means the unisolation is complete.
