10-03-2016 11:14 AM - edited 02-20-2020 09:02 PM
In AMP for endpoint dashboard in Detections/Quarantine, I see some items as "Quarantine: Not seen". What does "Not seen" mean over here?
10-05-2016 05:17 AM
This indicates that the quarantine action did not take place. The primary cause for this event is when the FireAMP connector is configured in Audit Mode. FireAMP is detecting a malicious file, but is not permitted to quarantine it per the policy settings. In rarer cases this can be caused by race conditions with co-existing AV or security products, but this case is more likely to produce a Quarantine: Failed event.
02-03-2017 07:32 AM
Quarantine: Not seen shows that the quarantine action did not take place. Audit mode puts the FireAMP Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked.
Please see the URL below for the creation of policies on page 15.
http://www.cisco.com/c/dam/en/us/td/docs/security/sourcefire/fireamp/fireamp-cloud/FireAMPDeploymentStrategy.pdf
Hope to help.