09-28-2018 03:44 AM
Is there a way to run a report on Anomalous Behaviour? I can't see where the UI tells me when anomalous behaviour was detected and what the reason for the anomalous behaviour was. Before you say run a report based on an Anomalous behaviour authz rule, I can't use enforcement to block devices as false positives trigger also this detection. For example, a Windows client will change it's dhcp class identifier from MSFT 5.0 to MS-UC-Client when launching Skype. But I do need to investigate all instances when this behaviour is triggered.
I'm runing ISE v2.3 Patch 4.
Solved! Go to Solution.
09-28-2018 04:13 AM
I've asked almost this exact question and provided feedback to various groups at Cisco. One being the ISE Care team. Sorry I'm not able to answer your question... but I'll put here what I sent to them and maybe some of the other smart people in the community could help!
09-28-2018 04:13 AM
I've asked almost this exact question and provided feedback to various groups at Cisco. One being the ISE Care team. Sorry I'm not able to answer your question... but I'll put here what I sent to them and maybe some of the other smart people in the community could help!
05-29-2019 03:46 PM
Any answer on this ? I'm working with a customer that even when anomalous behavior is turned off I am seeing.
AnomalousBehaviour true
ISE 2.3
Why would it be true when the detection is turned off?
Thanks!
06-03-2019 09:47 AM - edited 06-18-2019 12:28 PM
I checked the the SME and he said its a bug. please work through with tac
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: