2920 Views, 5 Helpful, 3 Replies

AMP endpoint isolation heartbeat issue

Hi Folks,


I have been trying to automate endpoint isolation through the API, but I face the following issues:

1. I have endpoint isolation enabled in a policy different from the default policy for Windows.

2. So I move the laptop to the endpoint isolation group (attached to the endpoint isolation policy) and then trigger isolation.

3. But moving the laptop from group to group sometimes takes around 15 min, and sometimes it is quick, like 2 min.

4. I'm unable to set a timer before I trigger isolation; it ends up failing.

5. According to TAC, it is because of the client heartbeat, which is set to 15 min. No lesser value can be configured.

6. A heartbeat of 15 min is fine for regular policy sync and so on.

7. Endpoint isolation is mainly used when there is a compromise of the endpoint or an incident. How good can 15 min be?

How can I go about resolving this? I would like to see the isolation happen quickly. 

May I get some of the brain juice of the experts here?

Thanks,

Hari

Accepted Solution

Oliver Kaiser
Level 7

There have been some recent enhancements to quicken up the isolation process. I am not sure which connector version specifically added the functionality (somewhere in a mid-2020 release, I think), but the gist is that in the past isolation information was only passed to the client at each heartbeat. Policy lookup, file hash lookup and event upload communication now also trigger the isolation request to be delivered to the client. I would recommend updating your connector to the latest release, but apart from that there won't be an out-of-the-box way to improve the speed of isolation.

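An added example of what the automation Hari describes can look like once Oliver's point is taken into account: the group move and the isolation request are each only picked up at the connector's next contact with the cloud (policy lookup, hash lookup, event upload, or the 15 min heartbeat), so the script polls the isolation status instead of sleeping for a fixed timer. This is example code written for this thread, not code from the original post or from Cisco. It targets the AMP for Endpoints v1 API (PATCH /v1/computers/{guid} with group_guid, GET and PUT /v1/computers/{guid}/isolation, HTTP Basic auth with client_id:api_key); the group GUID, the connector GUID placeholder, the `comment` field on the PUT, and the assumption that `available` in the isolation status turns true as soon as the connector has applied the new policy are all assumptions. The FakeAmp and FakeClock classes are constructed stand-ins so the loop can run offline; swap in `http_transport(...)` for a real run.

```python
"""Added example (not from the original thread): automate AMP/Secure Endpoint
isolation against the AMP for Endpoints v1 API while tolerating the
heartbeat-bound delay discussed above.  Paths follow the v1 API as known to the
author of this example; that `available` flips as soon as the connector has
applied the new policy is an assumption."""
import base64
import json
import time
import urllib.error
import urllib.request

ISOLATION_GROUP = "00000000-0000-0000-0000-0000000000aa"  # assumed group GUID


def http_transport(base_url, client_id, api_key):
    """Real transport: HTTP Basic auth against the AMP API (not used offline)."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    headers = {"Authorization": "Basic " + token,
               "Content-Type": "application/json", "Accept": "application/json"}

    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data,
                                     method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON body
            return err.code, json.loads(err.read() or b"{}")
    return send


def isolate(send, guid, deadline_s, poll_s=30, sleep=time.sleep, clock=time.monotonic):
    """Move the computer into the isolation group, wait until the connector has
    checked in and applied that policy, request isolation, then wait until the
    connector reports `isolated`.  Returns (status, elapsed_seconds); raises
    TimeoutError once `deadline_s` (choose >= one heartbeat interval) passes."""
    start = clock()
    code, _ = send("PATCH", f"/v1/computers/{guid}", {"group_guid": ISOLATION_GROUP})
    if code not in (200, 202):
        raise RuntimeError(f"group move rejected with HTTP {code}")

    def wait_until(done):
        while True:
            code, body = send("GET", f"/v1/computers/{guid}/isolation")
            data = body.get("data", {})
            if code == 200 and done(data):
                return data
            if clock() - start > deadline_s:
                raise TimeoutError(f"still {data.get('status')!r} after {deadline_s}s")
            sleep(poll_s)

    # The PUT is only accepted once the policy that enables isolation is in force.
    wait_until(lambda d: d.get("available") is True)
    code, _ = send("PUT", f"/v1/computers/{guid}/isolation",
                   {"comment": "automated isolation"})  # `comment` field is assumed
    if code not in (200, 202):
        raise RuntimeError(f"isolation request rejected with HTTP {code}")
    # Delivery still waits for the connector's next contact with the cloud.
    data = wait_until(lambda d: d.get("status") == "isolated")
    return data["status"], clock() - start


class FakeAmp:
    """Constructed stand-in for the API: the connector applies its new group and
    any pending isolation request only on every `checkin_every`-th request."""

    def __init__(self, checkin_every=3):
        self.calls, self.checkin_every = 0, checkin_every
        self.group = self.applied_group = "default"
        self.status, self.requested = "not_isolated", False

    def __call__(self, method, path, body=None):
        self.calls += 1
        if self.calls % self.checkin_every == 0:  # simulated connector check-in
            self.applied_group = self.group
            if self.requested:
                self.status = "isolated"
        if method == "PATCH":
            self.group = body["group_guid"]
            return 202, {}
        available = self.applied_group == ISOLATION_GROUP
        if method == "PUT":
            if not available:
                return 409, {}
            self.requested, self.status = True, "pending_start"
            return 200, {"data": {"status": self.status}}
        return 200, {"data": {"available": available, "status": self.status}}


class FakeClock:
    """Virtual time so the polling loop runs instantly offline."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def monotonic(self):
        return self.now


def demo(deadline_s=900):
    """Run the procedure against the fake API; returns (status, elapsed_seconds)."""
    fake, clk = FakeAmp(), FakeClock()
    return isolate(fake, "connector-guid-placeholder", deadline_s,
                   sleep=clk.sleep, clock=clk.monotonic)


if __name__ == "__main__":
    print(demo())
```

The deadline is the practical knob here: with the heartbeat fixed at 15 min, a deadline below one interval turns an ordinary slow check-in into a reported failure, which is the symptom described in the question. Keeping the connector current, as the accepted answer recommends, shortens the wait only because other traffic (policy, hash lookups, event uploads) also carries the isolation request; the loop above does not assume any of that traffic will happen.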

3 Replies


Thank you, Oliver! These had been my findings as well. We have the latest, or at least N-2. But this was the response from TAC as well.

Cheers

shenmsef35259
Level 1

Yes, you may install SD-Access manually, but it is a lot of manual tasks, as I'm doing by learning here; it's now not worth it (because coping with it is very tough). I tried a few without DNAC, but it is no longer really worth wasting time on.
