Isolate a system for suspicious activity — Carbon Black Defense
This article describes how to isolate a machine from the organization’s network.
This was my personal experience at the company. I was contacted by a person who had identified suspicious activity.
The suspected person sent a broadcast email to his clients with no body and no content. For some reason, the email failed, and the whistle-blower of my company was notified.
As per the protocol, the whistle-blower contacted me. With some SIEM tools, I disabled the AD account and quarantined his system from the network.
The AD account is disabled so that the user cannot access any internal resources of the company.
I. The steps to disable the Active Directory account
- Log in to Active Directory
- Click on the domain to which the user has been added
- Search for the user in the domain and click Find
- Right-click the user and select Disable Account
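The same disable step done from the command line, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the session has rights to modify the account; the account name and ticket reference are placeholders. It also writes the reason and date into the account description and re-reads the account to confirm the change, which the console steps above do not show.

```powershell
# Added example (not from the original article).
# Assumes: RSAT ActiveDirectory module available; rights to disable the account.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'      # placeholder: account under investigation
$TicketRef      = 'IR-0000'   # placeholder: incident / ticket reference

# Read the current state first so the "before" is on record
$user = Get-ADUser -Identity $SamAccountName -Properties Enabled, Description, DistinguishedName
Write-Host "Before: $($user.DistinguishedName) Enabled=$($user.Enabled)"

if ($user.Enabled) {
    # Equivalent of right-click -> Disable Account in the ADUC console
    Disable-ADAccount -Identity $user

    # Leave a note in the description so the next admin knows why the account is off
    $note = "Disabled {0} pending investigation {1}" -f (Get-Date -Format 'yyyy-MM-dd'), $TicketRef
    Set-ADUser -Identity $user -Description $note
}

# Verify the change took effect before moving on to isolating the endpoint
$after = Get-ADUser -Identity $SamAccountName -Properties Enabled
if ($after.Enabled) { throw "Account $SamAccountName is still enabled" }
Write-Host "After: Enabled=$($after.Enabled)"
```

Disabling the account only blocks new domain logons and access to domain resources; it does not log the user off the machine he is already sitting at, which is why the next section quarantines the endpoint itself.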
Now the user will not have any access to domain resources, but he can still log in to the system, which remains a potential threat (worms, viruses, trojan horses) to other systems in the network. For this reason, I quarantined the machine from the network.
II. The steps to quarantine the system
- Log in to Carbon Black Cloud
- Navigate to Inventory -> Endpoints in the dashboard
- Search for the system
- Select -> Take Actions -> Assign Policy -> Disabled OU
Disabled OU is the policy I created to move and keep track of all the systems that need to be quarantined.
- After the status changes from green to grey, select the system again: Select -> Take Actions -> Quarantine assets
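The same policy change and quarantine driven through the Carbon Black Cloud REST API, as an added example that is not part of the original article. It assumes a Carbon Black Cloud API key with device policy-assignment and quarantine permissions, and it assumes the Devices API v6 paths (`/appservices/v6/orgs/{org_key}/devices/_search` and `/appservices/v6/orgs/{org_key}/device_actions`) and the `name`, `id` and `quarantined` fields of the device record; check these against your instance's API documentation. The environment URL, org key, API credentials, policy id and host name are placeholders.

```powershell
# Added example (not from the original article).
# Assumes: CBC Devices API v6 endpoints as documented; API key with device
# policy-assignment and quarantine permissions. All values below are placeholders.
$CbcHost            = 'https://defense.conferdeploy.net'   # placeholder: your CBC URL
$OrgKey             = 'ABCD1234'                           # placeholder
$ApiId              = 'YOURAPIID'                          # placeholder
$ApiSecret          = 'YOURAPISECRET'                      # placeholder
$DisabledOuPolicyId = 12345                                # placeholder: id of the "Disabled OU" policy
$TargetHostname     = 'WKS-SUSPECT01'                      # placeholder: endpoint under investigation

$headers = @{
    'X-Auth-Token' = "$ApiSecret/$ApiId"   # CBC API keys are sent as "secret/id"
    'Content-Type' = 'application/json'
}
$searchUri  = "$CbcHost/appservices/v6/orgs/$OrgKey/devices/_search"
$actionUri  = "$CbcHost/appservices/v6/orgs/$OrgKey/device_actions"

# Step 1: find the device (Inventory -> Endpoints -> Search in the console)
$searchBody = @{ query = $TargetHostname; rows = 10 } | ConvertTo-Json
$search = Invoke-RestMethod -Method Post -Uri $searchUri -Headers $headers -Body $searchBody
$device = $search.results | Where-Object { $_.name -eq $TargetHostname } | Select-Object -First 1
if (-not $device) { throw "No endpoint named $TargetHostname found" }
Write-Host "Found device id $($device.id), policy $($device.policy_name)"

# Step 2: assign the Disabled OU policy (Take Actions -> Assign Policy)
$policyBody = @{
    action_type = 'UPDATE_POLICY'
    device_id   = @($device.id)
    options     = @{ policy_id = $DisabledOuPolicyId }
} | ConvertTo-Json -Depth 3
Invoke-RestMethod -Method Post -Uri $actionUri -Headers $headers -Body $policyBody | Out-Null

# The console step waits for the endpoint status to update before quarantining;
# give the sensor a moment to pick up the new policy before the next action.
Start-Sleep -Seconds 15

# Step 3: quarantine (Take Actions -> Quarantine assets)
$quarantineBody = @{
    action_type = 'QUARANTINE'
    device_id   = @($device.id)
    options     = @{ toggle = 'ON' }
} | ConvertTo-Json -Depth 3
Invoke-RestMethod -Method Post -Uri $actionUri -Headers $headers -Body $quarantineBody | Out-Null

# Step 4: confirm by re-reading the device record
$check = Invoke-RestMethod -Method Post -Uri $searchUri -Headers $headers -Body $searchBody
$state = $check.results | Where-Object { $_.id -eq $device.id }
Write-Host "Policy now: $($state.policy_name); quarantined: $($state.quarantined)"
if (-not $state.quarantined) { throw "Quarantine did not take effect on device $($device.id)" }
```

Quarantine is applied by the sensor on the endpoint, so the `quarantined` flag only flips once the sensor has checked in; if the final check fails on a host that is offline, re-run the confirmation step after it reconnects rather than assuming the action was lost.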
Now the system is officially isolated and it won’t be able to infect other systems in the network.
Until the Cyber Investigation is finished, we will not release the system from isolation.
Thanks for reading my article. Hope it was helpful to you.
Please let me know your thoughts in the comment section.