You can configure host isolation exceptions for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. Isolated hosts can still send data to Elasticsearch and Kibana, so you don’t need to set up host isolation exceptions for them.
Host isolation exceptions support IPv4 addresses, with optional classless inter-domain routing (CIDR) notation.
You must have the built-in
superuser role to access this feature. For more information, refer to Built-in users.
Each host isolation exception IP address should be a highly trusted and secure location since you’re allowing it to communicate with hosts that have been isolated to prevent a potential threat from spreading.
Host isolation is a Platinum or Enterprise subscription feature. By default, a host isolation exception is recognized globally across all hosts running Endpoint Security. You can also assign a host isolation exception to a specific Endpoint Security integration policy, affecting only the hosts assigned to that policy.
- Go to Manage → Host isolation exceptions.
- Click Add Host isolation exception.
Fill in these fields in the Add Host isolation exception flyout:
Name your host isolation exceptions: Enter a name to identify the host isolation exception.
Description: Enter a description to provide more information on the host isolation exception (optional).
Enter IP Address: Enter the IP address for which you want to allow communication with an isolated host. This must be an IPv4 address, with optional CIDR notation (for example,
Select an option in the Assignment section to assign the host isolation exception to a specific integration policy:
Global: Assign the host isolation exception to all integration policies for Endpoint Security.
Per Policy: Assign the host isolation exception to one or more specific Endpoint Security integration policies. Select each policy where you want the host isolation exception to apply.
You can also select the
Per Policyoption without immediately assigning a policy to the host isolation exception. For example, you could do this to create and review your host isolation exception configurations before putting them into action with a policy.
- Click Add Host isolation exception. The new exception is added to the Host isolation exceptions list.
View and manage host isolation exceptionsedit
The Host isolation exceptions list displays all the host isolation exceptions that have been configured for Elastic Security. To refine the Host isolation exceptions list, use the search bar to search by name, description, or IP address.
Edit a host isolation exceptionedit
You can individually configure each host isolation exception and change the policies applied to each host isolation exception.
To edit a host isolation exception:
- Click the actions button (…) for the exception you want to edit, then select Edit Exception.
- Modify details as needed.
- Click Edit Host isolation exception. The newly modified exception appears at the top of the list.
Delete a host isolation exceptionedit
You can delete a host isolation exception, which removes it entirely from all Endpoint Security policies.
To delete a host isolation exception:
- Click the actions button (…) for the exception you want to delete, then select Delete Exception.
- On the dialog that opens, verify that you are removing the correct host isolation exception, then click Remove exception. A confirmation message is displayed.