Contact sales
Details

This workflow appears in the pivot menu and allows a user to unquarantine a device in Darktrace /NETWORK.

Description

This workflow appears in the pivot menu and allows a user to remove a device from quarantine in Darktrace /NETWORK. Note that this will cancel all active and pending quarantine actions for the device. Supported observables: hostname, IP address, MAC address, Darktrace ID

Target: Darktrace /NETWORK

Steps:

  • Determine which observable type was provided:
    • If a Darktrace ID, set the local ID variable
    • If a hostname, IP address, or MAC address, search for the device and set the local ID variable (if a device isn't found, end the workflow)
  • Get a list of recent antigena actions and parse them to a table
  • Loop through each action to check if it's the action we want to clear (if it is, clear it)
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Darktrace DETECT & RESPOND
About
Author
Cisco
Version
v1.3
Integration
Average rating
No ratings yet
Authorship
Cisco Managed
Contact and support information
https://support.cisco.com
External links

Content Licensing

Developer Community

Related workflows
Logo for Darktrace /NETWORK
Darktrace /NETWORK - Quarantine Device
Cisco Managed
This workflow appears in the pivot menu and allows a user to quarantine a device in Darktrace /NETWORK.
Learn more
Logo for Darktrace /NETWORK
Darktrace /NETWORK - Unquarantine Device
Cisco Managed
This workflow appears in the pivot menu and allows a user to unquarantine a device in Darktrace /NETWORK.
Learn more