Returning an isolated host to service
Un-isolation is the easiest action in the portal to click and the hardest one to do correctly. A five-item recovery checklist walked before the click is what separates fast triage from fast triage that holds up.
A click un-isolates; the discipline is checking everything that needs checking before the click. An endpoint released back to the network with the threat unresolved is worse than not isolating at all. You have trained the customer that isolation is a brief interruption rather than a containment, and you have handed the attacker their access back.
The recovery checklist
Five items, in order. Each one matters, and each one has caused a tech to un-isolate prematurely when skipped.
Remediations applied AND verified
The Recommendation usually pairs one or more remediations with isolation. Un-isolating before all of them are applied and verified releases the host with persistence still in place. “Applied” alone isn’t enough; verify is per-remediation, on the endpoint.
No re-detection within the last hour or so
A re-detection on the same host within the last hour is the containment-and-escalate signal from the remediation lessons. Un-isolating in the middle of that pattern is the wrong move. The threat isn’t contained; the senior or SOC needs to weigh the next step before release.
SOC closure or sign-off on release
For routine Low- and High-severity incidents, the Recommendation includes the conditions for release implicitly: once the remediations are applied, release is appropriate. For incidents the SOC has held open with specific notes, those notes drive when release is right. Read them.
User / customer informed
The user whose endpoint was isolated wants to know when it’s coming back. The customer’s IT manager wants the status. The brief callback closes the loop: “Your machine is being released now; you should have network access in the next minute or two. Let me know if anything’s off.”
PSA ticket up-to-date
Document the un-isolation timestamp, the verifications done, who was informed. The incident note and the PSA close are the next two lessons.
Monitor after the click
The endpoint should re-establish network connectivity, the user should be able to reach normal services, no new detection should fire immediately. A new detection within five minutes of un-isolation is a strong signal that the release was premature; re-isolate and bump.
The hour-long post-release watch is the check that catches the threat that was 95 percent addressed but not 100 percent. Walking away after un-isolation means a re-detection lands on the next shift’s queue with no context.
When to escalate
- A re-detection fires within minutes of un-isolation. Re-isolate; bump; the threat isn’t fully resolved.
- The customer pushes hard to release the host before remediations are complete. Customer-relationship piece; senior territory if the push is intense.
- The SOC has held the Incident Report open with specific release conditions you can’t yet satisfy. Wait or bump; don’t release on the runbook’s default timing.