ITDR

Viewing the Blocked Identities

You can view the following details of contained attackers or endpoints depending on the containment integration:

  • The details of blocked attackers or endpoints.
  • The timestamp when the attacker's identity was added to the containment list.
  • The expiration date of the containment.

With CrowdStrike integration, you can also view IOC hashes that are shared by Zscaler ITDR. To learn more about CrowdStrike integration, see Containment Configuration Guide for CrowdStrike.

To view and delete the details of the containment:

  1. Go to Orchestrate > Containment.

  2. Locate the containment integration and follow these steps based on the third-party application:
    • For third-party integrations other than CrowdStrike:
      • To view containment details, click the number under the Blocked Identities column. A window appears listing the contained attacker's IP details.

      • To remove an entry from the list, click the Delete icon in the Actions column, and confirm your action.

    • For CrowdStrike integration:
      • To view containment or shared intelligence details, click IOC Hash. The list shows the file hashes that are shared with CrowdStrike as indicators of compromise.

      • To lift containment and remove the entry from one of the lists, click the Delete icon in the Actions column, and confirm your action.

        When the containment is lifted directly from the CrowdStrike Falcon console, the corresponding entry in the Zscaler ITDR Admin Portal is also removed automatically via a scheduled job that typically runs every hour.

Related Articles
  • About Containment Integration
  • Containment Configuration Guide for CrowdStrike
  • Containment Configuration Guide for Identity Threat Protection with Okta AI
  • Containment Configuration Guide for Zscaler Internet Access (ZIA)
  • Containment Configuration Guide for Zscaler Private Access (ZPA)
  • Viewing the Blocked Identities