Starting with Carbon Black EDR version 7.7.0, you can monitor all network isolation and isolation removal activities.
The audit support feature lets you track isolation and isolation removal activities so that you can coordinate with others in your organization on any additional or critical work needed on the endpoint.
Audit information contains the following details:
- Timestamp: Date and time of the activity
- Action: Isolate or remove isolation
- User Details: Username, first and last name of the user who performed the activity
- User IP address: IP address of the user’s client machine
- Notes: An optional note describing the reason for the activity
The isolation audit table can be viewed on the Sensor Details page under the Status History panel. See Sensor Status History.
Note: To isolate an endpoint, you must be a Carbon Black EDR Global Administrator, a Carbon Black Hosted EDR Administrator, or a user on a team that has Analyst privileges for the endpoint to isolate.