Skip to main content

Isolate Endpoint - Generic V2

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook isolates a given endpoint using various endpoint product integrations. Make sure to provide valid playbook inputs for the integration you are using.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block Endpoint - Carbon Black Response V2
  • FireEye HX - Isolate Endpoint
  • Cortex XDR - Isolate Endpoint
  • Crowdstrike Falcon - Isolate Endpoint
  • Isolate Endpoint - Cybereason
  • Microsoft Defender For Endpoint - Isolate Endpoint


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
Endpoint_hostnameThe host name of the endpoint to isolate.Optional
Endpoint_ipThe IP of the endpoint to isolate.Optional
Endpoint_idThe ID of the endpoint to isolate.Optional

Playbook Outputs#

CbResponse.Sensors.CbSensorIDCarbon Black Response Sensor IDs that were isolated.string
EndpointThe isolated endpoint.string
Traps.Isolate.EndpointIDThe ID of the endpoint.string
Traps.IsolateResult.StatusThe status of the isolation operation.string
Cybereason.MachineThe Cybereason machine name.unknown
Cybereason.IsIsolatedWhether the machine is isolated.unknown
Endpoint.HostnameThe host name of the endpoint.unknown
PaloAltoNetworksXDR.Endpoint.endpoint_idThe endpoint ID.unknown
PaloAltoNetworksXDR.Endpoint.endpoint_nameThe endpoint name.unknown
PaloAltoNetworksXDR.Endpoint.endpoint_statusThe status of the endpoint.unknown
PaloAltoNetworksXDR.Endpoint.ipThe endpoint's IP address.unknown
PaloAltoNetworksXDR.Endpoint.is_isolatedWhether the endpoint is isolated.unknown
CbResponse.Sensors.StatusThe sensor status.unknown
CbResponse.Sensors.IsolatedWhether the sensor is isolated.unknown
MicrosoftATP.MachineAction.IDThe machine action ID.string
MicrosoftATP.IsolateListThe IDs of the machines that were isolated.string
MicrosoftATP.NonIsolateListThe IDs of the machines that will not be isolated.string
MicrosoftATP.IncorrectIDsIncorrect device IDs entered.string
MicrosoftATP.IncorrectHostnamesIncorrect device host names entered.string
MicrosoftATP.IncorrectIPsIncorrect device IPs entered.string

Playbook Image#

Isolate Endpoint - Generic V2