07-10-2019 11:11 AM - edited 07-10-2019 11:13 AM
Is there a way to apply an automated EPS or ANC policy when an AMP4E event is sent to ISE? Also, when I look in the threat category in my policy set condition attributes, I see attributes for vulnerability scanners, but I don't see any AMP attributes. The use case I'm working on is to have ISE take an automated response to an AMP4E event.
Thanks,
Matt
07-10-2019 11:28 AM
I don't believe there is a way to do an automated response for AMP events in ISE. The only attributes that are supported are:
Threat:Qualys-CVSS_Base_Score
Threat:Qualys-CVSS_Temporal_Score
Rapid7 Nexpose-CVSS_Base_Score
Tenable Security Center-CVSS_Base_Score
Tenable Security Center-CVSS_Temporal_Score
I know at Live they demonstrated this working but I believe it was with FMC in the mix. FMC/FTD would learn about the vulnerable endpoint and issue a quarantine to ISE. I think Aaron presented on that two years ago, but I may not be remembering that correctly.