Endpoint Isolation

Isolating endpoints during an investigation
Endpoint Isolation works by terminating all of an endpoint's existing network connections and blocking any new ones.
While an endpoint is isolated, you can still perform tasks on it such as Acquisition, Triage, and Timelining.

How it works

This feature uses a kernel-mode driver to perform the isolation and does not depend on Windows Firewall.
The isolation task is persistent: even if you reboot an isolated machine from the AIR Console, the endpoint remains isolated after the reboot until you un-isolate it from the Endpoint Details page.