I am currently evaluating Rapid Threat Containment with Firepower Threat Defense and ISE. Does anyone know if it's possible to add AMP for Endpoints to this solution and have AMP automatically scan a client that has been quarantined by Firepower/ISE? For example, can ISE send a scan request to AMP via pxGrid?
I believe there are a couple of mixtures in terms of integration. AMP performs a real-time cloud query for the file SHA. Then we have the client-based IOC scan, and only AMP administrators can trigger this, once they know what artifact they're looking for. The last is scheduled scans, which are fairly redundant because of the immediate cloud query request.
Besides this, AMP offers system protection and exploit protection.
Maybe you can file an enhancement request with our PM, if you think such a feature would be beneficial.
And Firepower streams an API request to AMP to get access to cloud intelligence for that file SHA. Once AMP retrieves the file disposition (clean, malicious, unknown), the status is visible in Firepower.
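To make the query model in the reply above concrete, here is an added example of hash-based disposition lookup with the three verdicts it names. This is illustrative code written for this thread, not Cisco's code and not the real AMP for Endpoints or Firepower API: the "cloud" is a constructed dictionary keyed by SHA-256, the sample files are constructed byte strings, and the names `DispositionClient`, `cloud_lookup` and `block_unknown` are hypothetical. The point it shows that the prose does not is how a caller should treat the `unknown` verdict: it is not a final answer, so it is not cached and must be re-queried, while `clean` and `malicious` can be cached to avoid repeated cloud round trips.

```python
"""Hash-based file disposition lookup, modelled on the Firepower -> AMP
cloud query described in the thread. Added example: the cloud is simulated
with a constructed dictionary, not Cisco's real API."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"

# Constructed sample "files" (not real binaries) used as lookup input.
SAMPLE_FILES: Dict[str, bytes] = {
    "calc.exe": b"MZ\x90\x00 benign-calculator-bytes",
    "dropper.exe": b"MZ\x90\x00 payload-stub-bytes",
    "new_tool.exe": b"MZ\x90\x00 never-seen-before",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file content, the key the cloud is queried with."""
    return hashlib.sha256(data).hexdigest()


# Simulated cloud intelligence keyed by SHA-256 (constructed; hypothetical
# stand-in for the real AMP cloud, which returns clean/malicious/unknown).
AMP_CLOUD_DISPOSITIONS: Dict[str, str] = {
    sha256_hex(SAMPLE_FILES["calc.exe"]): CLEAN,
    sha256_hex(SAMPLE_FILES["dropper.exe"]): MALICIOUS,
}


def cloud_lookup(sha: str) -> str:
    """Simulated real-time cloud query: a hash the cloud has never seen is 'unknown'."""
    return AMP_CLOUD_DISPOSITIONS.get(sha, UNKNOWN)


@dataclass
class DispositionClient:
    """Hypothetical client that fronts the cloud query with a verdict cache."""
    cache: Dict[str, str] = field(default_factory=dict)
    queries: int = 0  # number of cloud round trips actually made

    def disposition(self, data: bytes) -> str:
        sha = sha256_hex(data)
        if sha in self.cache:
            return self.cache[sha]
        self.queries += 1
        verdict = cloud_lookup(sha)
        # Only final verdicts are cached. 'unknown' may change once the
        # cloud learns about the file, so it is re-queried every time.
        if verdict != UNKNOWN:
            self.cache[sha] = verdict
        return verdict

    def action(self, data: bytes, block_unknown: bool = False) -> str:
        """Map a verdict to an enforcement action for the sensor."""
        verdict = self.disposition(data)
        if verdict == MALICIOUS:
            return "block"
        if verdict == CLEAN:
            return "allow"
        # Unknown: the policy decides whether to fail open (log it) or closed.
        return "block" if block_unknown else "allow-and-log"


if __name__ == "__main__":
    client = DispositionClient()
    for name, content in SAMPLE_FILES.items():
        print(name, sha256_hex(content)[:16], client.action(content))
    print("cloud queries:", client.queries)
```

Run as-is it prints one line per sample file with its truncated hash and the resulting action; querying `new_tool.exe` a second time still costs a cloud round trip because its `unknown` verdict was never cached.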
Thanks, I might submit an enhancement request. What we are after is a solution where the scan automatically starts when an endpoint is quarantined and then moves the endpoint out of quarantine after the threat has been removed.