Asset Isolation

Isolating assets from all network access except the AIR Console

Asset Isolation enables you to completely isolate an asset from all network communication except its connection to the AIR Console. This allows your investigation to proceed with full AIR capabilities while preventing threat actors from accessing the asset or external parties from interfering with the investigation.

Why Use Asset Isolation?

When you suspect an asset has been compromised, you face a dilemma:

  • Leave it connected → Risk the threat actor maintaining access, exfiltrating data, or destroying evidence

  • Disconnect it completely → Lose the ability to perform remote forensic collection

Asset Isolation solves this by cutting off the threat actor while preserving your investigative access. The asset remains fully manageable through AIR, enabling you to collect evidence, run queries, and interact with the system—all while the asset is protected from external interference.

How It Works

When you isolate an asset:

  1. All existing network connections are terminated — Any active connections to other systems are immediately dropped

  2. New network connections are blocked — The asset cannot establish connections to any external system

  3. AIR Console communication is preserved — The Responder maintains its connection to the Console

  4. Full AIR capabilities remain available — Acquisition, Hunt/Triage, interACT, and Time-lining all continue to function

Technical Implementation

This feature uses a kernel-mode driver to perform the isolation. The driver operates independently of Windows Firewall, so isolation is enforced regardless of the firewall's configuration or state.

What Remains Available

During isolation, all AIR capabilities continue to function:

| Action | Status | Purpose |
|---|---|---|
| Acquisition | ✅ Available | Collect forensic evidence |
| Hunt/Triage | ✅ Available | Search for indicators of compromise |
| interACT | ✅ Available | Live interaction with the asset |
| Time-lining | ✅ Available | Build activity timelines |
| Scheduled Tasks | ✅ Available | Automated task execution continues |
| External Network Access | ❌ Blocked | Threat actor access denied |

Use Cases

Incident Response Containment

When you identify a potentially compromised asset, immediately isolate it to prevent:

  • Threat actors from maintaining command and control access

  • Data exfiltration to external servers

  • Lateral movement to other assets on the network

  • Remote destruction of evidence

Active Investigation

Isolation allows you to investigate a live system without interference. The threat actor cannot detect your investigation activities or take countermeasures while the asset is isolated.

Evidence Preservation

By isolating the asset, you ensure that evidence remains intact during collection. No external process can modify, encrypt, or delete files while you're acquiring them.

Isolating and Un-isolating Assets

To Isolate an Asset

  1. Navigate to the asset in the AIR Console

  2. Open the More Actions menu

  3. Select Isolate Asset

The asset will immediately be isolated from all network communication except the AIR Console.
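A way to confirm on the asset itself that isolation took effect, run through an interACT session after the steps above. This is an added example, not part of the AIR product or its documentation; the Console address and the probe host are placeholders you supply, and the check relies only on standard Windows cmdlets (Get-NetTCPConnection, Test-NetConnection).

```powershell
# Added verification script (not AIR's own code). Confirms two effects of isolation:
#   1. no established TCP connection remains except to the AIR Console (plus loopback);
#   2. a new outbound connection to an arbitrary host is refused.
param(
    # IP address(es) of your AIR Console. PLACEHOLDER: replace with the real value(s).
    [string[]]$ConsoleAddress = @('192.0.2.10'),
    # A host the asset could normally reach; used only to prove new connections fail.
    # PLACEHOLDER: pick an internal server you control.
    [string]$ProbeHost = '192.0.2.20',
    [int]$ProbePort = 445
)

$loopback = @('127.0.0.1', '::1')

# Check 1: established connections whose remote end is neither the Console nor loopback.
$leftover = Get-NetTCPConnection -State Established |
    Where-Object { ($_.RemoteAddress -notin $ConsoleAddress) -and ($_.RemoteAddress -notin $loopback) } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ Name = 'Process'; Expression = {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

if ($leftover) {
    Write-Warning "Existing-connection check FAILED: $(@($leftover).Count) non-Console connection(s) still established."
    $leftover | Format-Table -AutoSize
} else {
    Write-Output "Existing-connection check passed: only Console and loopback connections remain."
}

# Check 2: a fresh outbound TCP connect must not succeed while isolated.
# -InformationLevel Quiet makes the cmdlet return $true/$false instead of a report object.
$reachable = Test-NetConnection -ComputerName $ProbeHost -Port $ProbePort `
    -InformationLevel Quiet -WarningAction SilentlyContinue

if ($reachable) {
    Write-Warning "New-connection check FAILED: ${ProbeHost}:${ProbePort} is still reachable."
} else {
    Write-Output "New-connection check passed: ${ProbeHost}:${ProbePort} is unreachable."
}
```

Both checks are point-in-time; rerun them if the asset is rebooted or the Responder is restarted, since this script only observes the current state rather than the driver's policy.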

To Un-isolate an Asset

  1. Navigate to the isolated asset's Asset Details page

  2. Select Un-isolate Asset

Network connectivity will be restored and the asset can resume normal operations.

Comparison with Maintenance Mode

Both features control asset behaviour, but serve different purposes:

| Feature | Asset Isolation | Maintenance Mode |
|---|---|---|
| Primary Purpose | Network containment | Prevent task creation |
| Network Access | ❌ Blocked (except Console) | ✅ Normal |
| Task Creation | ✅ Allowed | ❌ Blocked |
| Acquisition | ✅ Available | ❌ Blocked |
| Hunt/Triage | ✅ Available | ❌ Blocked |
| interACT | ✅ Available | ✅ Available |

When to use which?

  • Use Asset Isolation when you need to contain a potentially compromised asset—cut off threat actor access while continuing your investigation

  • Use Maintenance Mode when you need to prevent task creation for an asset during planned maintenance or diagnostics
