12-22-2020 08:03 PM
Hi Folks,
I have been trying to automate endpoint isolation through the API, but I face the following issue:
1. I have endpoint isolation enabled in a policy different from default policy for windows.
2. So I move the laptop to endpoint isolation group (Attached to endpoint isolation policy) and then trigger isolation.
3. But moving the laptop from group to group sometimes takes around 15 min and sometimes it is quick like 2 min.
4. I'm unable to set a timer before I trigger isolation; it ends up failing.
5. According to TAC, it is because of the client heartbeat which is set to 15min. No lesser value can be configured.
6. Heartbeat of 15min is fine for regular policy sync and so on.
7. Endpoint isolation is mainly used when there is a compromise of the endpoint or an incident. How good can 15 min be?
How can I go about resolving this? I would like to see the isolation happen quickly.
May I get some of the brain juice of the experts here?
Thanks,
Hari
01-24-2021 07:05 AM - edited 01-24-2021 07:06 AM
There have been some recent enhancements to quicken up the isolation process. I am not sure which connector version specifically added the functionality (somewhere mid 2020 release I think) but the gist is that in the past isolation information was only passed to the client at each heartbeat. Policy lookup, file hash lookup and event upload communication now also trigger the isolation request to be delivered to the client. I would recommend updating your connector to the latest release, but apart from that there won't be an out-of-the-box way to improve the speed of isolation.
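Added example, not part of any post in this thread and not vendor code: a sketch of the workflow from the question (move the endpoint to the isolation group, then trigger isolation) that retries until the request is accepted instead of firing once and failing, with a deadline just past the 15-minute heartbeat. The `client` methods, the status strings and the placeholder GUIDs are assumptions, and `FakeConsole` is a constructed stand-in so the logic runs offline.

```python
import time

HEARTBEAT_SECONDS = 15 * 60  # heartbeat interval TAC quoted in the thread

class IsolationTimeout(Exception):
    """Isolation was not confirmed before the deadline."""

def move_then_isolate(client, guid, group_guid, poll=30,
                      deadline=HEARTBEAT_SECONDS + 120,
                      clock=time.monotonic, sleep=time.sleep):
    # `client` is a hypothetical console-API wrapper with move_to_group(),
    # start_isolation() -> bool and isolation_status() -> str.
    start = clock()
    client.move_to_group(guid, group_guid)
    attempts, accepted = 0, False
    while clock() - start <= deadline:
        if not accepted:
            attempts += 1
            # Rejected until the isolation-enabled policy reaches the endpoint.
            accepted = client.start_isolation(guid)
        if accepted and client.isolation_status(guid) == "isolated":
            return {"attempts": attempts, "seconds": clock() - start}
        sleep(poll)
    raise IsolationTimeout(f"{guid}: not isolated after {deadline}s, escalate")

class FakeConsole:
    """Constructed stand-in: the policy reaches the endpoint at sync_at seconds."""
    def __init__(self, sync_at):
        self.sync_at, self.now, self.requested = sync_at, 0, False
    def move_to_group(self, guid, group_guid):
        self.moved = (guid, group_guid)
    def start_isolation(self, guid):
        self.requested = self.now >= self.sync_at
        return self.requested
    def isolation_status(self, guid):
        return "isolated" if self.requested else "not_isolated"
    def sleep(self, seconds):  # fake clock: advance time instead of waiting
        self.now += seconds

def simulate(sync_at, deadline=HEARTBEAT_SECONDS + 120):
    """Run the workflow against the fake console without real waiting."""
    fake = FakeConsole(sync_at)
    return move_then_isolate(fake, "GUID-PLACEHOLDER", "GROUP-PLACEHOLDER",
                             deadline=deadline, clock=lambda: fake.now,
                             sleep=fake.sleep)
```

Raising `IsolationTimeout` rather than returning quietly lets the calling playbook fall back to another containment step when the endpoint never checks in.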
01-24-2021 11:50 PM
Thank you Oliver! This had been my findings as well. We have the latest or at least N-2. But this was the response from TAC as well.
Cheers
05-11-2021 08:52 PM - edited 05-14-2021 11:40 PM
Yes, you may install SD-Access manually, but it is a lot of manual tasks, as I'm learning by doing here. It's now not worth it (because it is very tough to cope with). I tried a few without DNAC, but it's no longer really worth wasting time on.