
Automatic Isolation didn't happen with retrospective detection

Chris05
Level 1

We had an endpoint automatically isolate with a high severity retrospective detection, as per our settings. 

A couple days later, the same endpoint had another high severity retrospective detection but there was no attempt by the console to automatically isolate. 

In the first instance, the file quarantine failed; in the second, the quarantine was successful. Does this distinction account for the change in behaviour? I.e., automatic isolation won't be triggered by a retrospective detection that is successfully quarantined?

Thank you, 

Accepted Solution

Roman Valenta
Cisco Employee

I think it's based on the same logic as Forensic Snapshot, which is also part of Automated Actions. The automated actions will fire based on whether the machine is compromised or not; there are a few other things in to that, but the main part is being compromised.

So if there is an event on your endpoint, let's say a malicious file, and that file was successfully quarantined, then we did the job right and removed the potential threat, hence the machine is not compromised. But in case quarantine failed, where we don't know where the file is or why we failed, that machine is considered compromised and then automated actions should trigger.

Posted this a couple of years ago; it explains the whole process. Hope that helps.

https://www.cisco.com/c/en/us/support/docs/security/secure-endpoint/217463-automated-actions-forensic-snapshot.html


or video: https://youtu.be/dONLRCnDTGA



2 Replies

I feel like that's actually intentional.
But strangely enough the help has nothing about the Isolate automated action.
