Use the Quarantine Endpoint SOAR action to quarantine the selected assets, or to quarantine the assets that are associated with selected alerts.

  • This action can be run from an alert and from a device. It can be run on only one alert or device at a time.
  • Upon successful execution, a note is posted to Carbon Black Cloud: "Device associated with this alert has been quarantined from ServiceNow."
  • If this action is run on alerts whose Device OS is LINUX or MAC and whose sensor version is less than 2.13, a note displays in Carbon Black Cloud: "This action is not supported on Linux devices with sensor version less than 2.13 installed."
  • If the action is successful, a worknote message is added to the Incident record indicating that the action occurred.
  • There might be a delay in the execution of this action. This delay reflects the timing of communication between ServiceNow, Carbon Black Cloud, and the endpoint.