quarantine_client
Isolate or restore network access for a Velociraptor client to maintain communication with the server during incident response.
Instructions
Quarantine or unquarantine a Velociraptor client.
Quarantining a client isolates it from the network while maintaining communication with the Velociraptor server.
Args:
- client_id: The client ID (e.g., 'C.1234567890abcdef')
- quarantine: True to quarantine, False to unquarantine (default: True)
- message: Optional message to include with the quarantine action
Returns: Quarantine status of the client.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| client_id | Yes | The client ID (e.g., `C.1234567890abcdef`) | |
| quarantine | No | `True` to quarantine, `False` to unquarantine | `True` |
| message | No | Optional message to include with the quarantine action | |
Implementation Reference
- The main handler for the quarantine_client tool, decorated with @mcp.tool() for registration.
```python
import json
from typing import Optional

from mcp.types import TextContent

# `mcp` (the MCP server instance), `validate_client_id` and `get_client`
# are defined elsewhere in the server module.


@mcp.tool()
async def quarantine_client(
    client_id: str,
    quarantine: bool = True,
    message: Optional[str] = None,
) -> list[TextContent]:
    """Quarantine or unquarantine a Velociraptor client.

    Quarantining a client isolates it from the network while maintaining
    communication with the Velociraptor server.

    Args:
        client_id: The client ID (e.g., 'C.1234567890abcdef')
        quarantine: True to quarantine, False to unquarantine (default: True)
        message: Optional message to include with the quarantine action

    Returns:
        Quarantine status of the client.
    """
    try:
        # Validate client_id before it is placed in the query
        client_id = validate_client_id(client_id)
        client = get_client()

        if quarantine:
            # Quarantine the client using the Windows.Remediation.Quarantine artifact
            # or appropriate artifact for the client's OS.
            # NOTE: `message` is interpolated into a VQL string literal without
            # escaping; it should be validated before use, as client_id is.
            vql = f"""
            SELECT collect_client(
                client_id='{client_id}',
                artifacts='Windows.Remediation.Quarantine',
                env=dict(MessageBox='{message or "System quarantined by administrator"}')
            )
            FROM scope()
            """
        else:
            # Unquarantine: the same artifact with RemovePolicy='Y' lifts the policy
            vql = f"""
            SELECT collect_client(
                client_id='{client_id}',
                artifacts='Windows.Remediation.Quarantine',
                env=dict(RemovePolicy='Y')
            )
            FROM scope()
            """

        results = client.query(vql)
        # Report the collection result back to the caller as text
        return [TextContent(type="text", text=json.dumps(results, indent=2, default=str))]
    except Exception as e:
        return [TextContent(type="text", text=f"Error: {e}")]
```
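The handler above places `client_id` and `message` into the VQL text by f-string, so a message containing a quote character would change the query rather than appear in the message box. As an added example that is not part of the project's code, the helper below builds the same two `collect_client()` queries but rejects input that cannot be embedded safely; the client ID pattern (taken from the page's example) and the allowed message characters are assumptions, not the project's rules.

```python
import re
from typing import Optional

# Assumption: client IDs look like the page's example, 'C.' plus 16 hex digits.
CLIENT_ID_RE = re.compile(r"^C\.[0-9a-fA-F]{16}$")

# Assumption: a quarantine notice needs only printable ASCII and never the
# quote or backslash characters that delimit or escape VQL string literals.
MESSAGE_RE = re.compile(r"^[A-Za-z0-9 .,:;!?()\-_/]{1,200}$")

ARTIFACT = "Windows.Remediation.Quarantine"
DEFAULT_MESSAGE = "System quarantined by administrator"


def check_client_id(client_id: str) -> str:
    """Return the client ID if it has the expected shape, otherwise raise."""
    if not CLIENT_ID_RE.fullmatch(client_id):
        raise ValueError(f"invalid client_id: {client_id!r}")
    return client_id


def check_message(message: Optional[str]) -> str:
    """Return the message (or the default) only if it is safe to embed in VQL."""
    text = message or DEFAULT_MESSAGE
    if not MESSAGE_RE.fullmatch(text):
        raise ValueError("message contains characters not allowed in a quarantine notice")
    return text


def build_quarantine_vql(client_id: str, quarantine: bool = True,
                         message: Optional[str] = None) -> str:
    """Build the collect_client() query for quarantine or release.

    Both inputs are checked before they reach the f-string, so a message
    containing a quote cannot terminate the MessageBox literal early.
    """
    cid = check_client_id(client_id)
    if quarantine:
        env = f"dict(MessageBox='{check_message(message)}')"
    else:
        # RemovePolicy='Y' tells the artifact to lift the quarantine policy.
        env = "dict(RemovePolicy='Y')"
    return (
        "SELECT collect_client("
        f"client_id='{cid}', artifacts='{ARTIFACT}', env={env}"
        ") FROM scope()"
    )
```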