09-28-2018 03:44 AM
Is there a way to run a report on Anomalous Behaviour? I can't see where the UI tells me when anomalous behaviour was detected and what the reason for the anomalous behaviour was. Before you say run a report based on an Anomalous Behaviour authz rule, I can't use enforcement to block devices as false positives also trigger this detection. For example, a Windows client will change its DHCP class identifier from MSFT 5.0 to MS-UC-Client when launching Skype. But I do need to investigate all instances when this behaviour is triggered.
I'm running ISE v2.3 Patch 4.
09-28-2018 04:13 AM
I've asked almost this exact question and provided feedback to various groups at Cisco. One being the ISE Care team. Sorry I'm not able to answer your question... but I'll put here what I sent to them and maybe some of the other smart people in the community could help!
05-29-2019 03:46 PM
Any answer on this? I'm working with a customer that even when anomalous behavior is turned off I am seeing:
AnomalousBehaviour true
ISE 2.3
Why would it be true when the detection is turned off?
Thanks!
06-03-2019 09:47 AM - edited 06-18-2019 12:28 PM
I checked with the SME and he said it's a bug. Please work through with TAC.