Unquarantining an Endpoint / Asset (SOAR Action in ServiceNow)

Use the Unquarantine Endpoint SOAR action to unquarantine the selected assets, or to unquarantine the assets that are associated with selected alerts.

This action can be run from an alert and from a device. It can be run on multiple alerts or devices .
Upon successful execution, a note is posted to Carbon Black Cloud: Device associated with this alert has been unquarantined from ServiceNow.
If this action is run on alerts whose Device OS is LINUX and sensor version is less than 2.13, a note displays in Carbon Black Cloud: This action is not supported on Linux devices with sensor version less than 2.13 installed.
If the action is successful, a worknote message is added to the Incident record indicating that the action occurred.