Beginner

AMP and Rapid Threat Containment

Hi,

I am currently evaluating Rapid Threat Containment with Firepower Threat Defense and ISE. Does anyone know if it's possible to add AMP for Endpoints to this solution and have AMP automatically scan a client that has been quarantined by Firepower/ISE? For example, can ISE send a scan request to AMP via pxGrid?

Thanks

/Jorgen

3 REPLIES
Cisco Employee

Re: AMP and Rapid Threat Containment

I believe there are a couple of mixtures in terms of integration. AMP performs a real-time cloud query for the file SHA. Then we have the client-based IOC scan, and only AMP administrators can trigger this, once they know what artifact they're looking for. The last is scheduled scans, which are fairly redundant because of the immediate cloud query request.

Besides this, AMP offers system protection and exploit protection.

Maybe you can fire up an enhancement request to our PM, if you think such a feature will be beneficial.

Cisco Employee

Re: AMP and Rapid Threat Containment

And Firepower is streaming API requests to AMP to get access to cloud intelligence for such a file SHA. Once AMP retrieves that file disposition (clean, malicious, unknown), the status is visible in Firepower.

Beginner

Re: AMP and Rapid Threat Containment

Thanks, I might submit an enhancement request. What we are after is a solution where the scan automatically starts when an endpoint is quarantined and then moves the endpoint out of quarantine after the threat has been removed.