Skip to main content

Isolate Endpoint - Generic V2

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook isolates a given endpoint via various endpoint product integrations. Make sure to provide the valid playbook input for the integration you are using.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Isolate Endpoint - Cybereason
  • FireEye HX - Isolate Endpoint
  • Block Endpoint - Carbon Black Response V2
  • Cortex XDR - Isolate Endpoint
  • Crowdstrike Falcon - Isolate Endpoint


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
Endpoint_hostnameThe hostname of the endpoint to isolate.Optional
ManualHunting.DetectedHostsHosts that where detected as infected during the manual hunting.Optional
Endpoint_ipThe IP of the endpoint to isolate.Optional
Endpoint_idThe ID of the endpoint to isolate.Optional

Playbook Outputs#

CbResponse.Sensors.CbSensorIDCarbon Black Response Sensors IDs that are isolated.string
EndpointThe isolated endpoint.string
Traps.Isolate.EndpointIDThe ID of the endpoint.string
Traps.IsolateResult.StatusThe status of the isolation operation.string
Cybereason.MachineCybereason machine name.unknown
Cybereason.IsIsolatedWhether the machine is isolated.unknown
Endpoint.HostnameHostname of the endpoint.unknown
PaloAltoNetworksXDR.Endpoint.endpoint_idThe endpoint ID.unknown
PaloAltoNetworksXDR.Endpoint.endpoint_nameThe endpoint name.unknown
PaloAltoNetworksXDR.Endpoint.endpoint_statusThe status of the endpoint.unknown
PaloAltoNetworksXDR.Endpoint.ipThe endpoint's IP addresses.unknown
PaloAltoNetworksXDR.Endpoint.is_isolatedWhether the endpoint is isolated.unknown
CbResponse.Sensors.StatusSensor status.unknown
CbResponse.Sensors.IsolatedWhether the sensor is isolated.unknown

Playbook Image#

Isolate Endpoint - Generic V2