Re: AMP and Rapid Threat Containment

Chess Norris · ‎01-28-2019

Hi,

I am currently evaluating Rapid Threat Containment with Firepower Threat Defense and ISE. Does anyone if it's possible to add AMP for endpoints to this solution and have AMP to automatically scan a client that has been quarantined by Firepowe/ISE? For example, can ISE send a scan request to AMP via pxGrid?

Thanks

/Jorgen

David Janulik · ‎01-28-2019

I believe there are couple of mixtures in terms of integration. AMP performs a real time cloud query for file SHA. Than we have client based IOC scan, and only AMP administrators can trigger this, once they know what artifact they're looking for. The last is scheduled scans, which are fairy redundant, because of an immediate cloud query request.

Beside this AMP offers system protection and Exploit protection.

Maybe you can fire up an enhancement request to our PM, if you think such feature will be beneficial.

Cyber security escalation engineer

David Janulik · ‎01-28-2019

And firepower is streaming API request to AMP to get access to Cloud intelligence for such file SHA. Once AMP retrieves that file disposition (clean, malicious, unknown), the status is visible in Firepower.

Cyber security escalation engineer

Chess Norris · ‎01-29-2019

Thanks, I might submit an enhancement request. What we are after is a solution where the scan automatically starts when an endpoint is quarantined and then move the endpoint out of quarantine after the threat has been removed.