
Anomalous Behaviour Reporting

rcullum
Level 1

Is there a way to run a report on Anomalous Behaviour? I can't see where the UI tells me when anomalous behaviour was detected and what the reason for the anomalous behaviour was. Before you say run a report based on an Anomalous Behaviour authz rule, I can't use enforcement to block devices as false positives also trigger this detection. For example, a Windows client will change its DHCP class identifier from MSFT 5.0 to MS-UC-Client when launching Skype. But I do need to investigate all instances when this behaviour is triggered.

I'm running ISE v2.3 Patch 4.

1 Accepted Solution

Accepted Solutions

anthonylofreso
Level 4

I've asked almost this exact question and provided feedback to various groups at Cisco. One being the ISE Care team. Sorry I'm not able to answer your question... but I'll put here what I sent to them and maybe some of the other smart people in the community could help!

• Improve Anomalous Behavior: We’ve had detection enabled for quite some time, but would never enforce based on the data it currently provides. Right now there’s just a long list of MACs, and an attribute within that says AnomalousBehaviour: true, but there are no details (that I can see) to tell me what is anomalous. What’s the criteria to trigger this? Can I write rules? Example: If the OS changes from Windows to Mac OS: block. If the OS changes from Windows 7 to Windows 10, do not block.

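The two posts above describe what a usable anomalous-behaviour report would need: a per-MAC record of when an attribute changed and why it was judged anomalous, with rules that distinguish an OS family change (block) from an OS version change (do not block), and that keep benign DHCP class identifier changes such as MSFT 5.0 to MS-UC-Client visible for investigation without enforcing on them. The following Python script is an added illustration of that rule logic, not code from the thread or from Cisco ISE; the event record layout, the field names, the OS family table and the sample MAC addresses are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical record of an endpoint attribute change. The field names are
# assumptions for this example and are not ISE's own attribute names.
@dataclass(frozen=True)
class AttributeChange:
    timestamp: str
    mac: str
    attribute: str  # "os" or "dhcp-class-identifier"
    old: str
    new: str

# Fingerprinted OS string -> OS family (assumed values for the example).
OS_FAMILY = {
    "Windows 7": "Windows",
    "Windows 10": "Windows",
    "Mac OS X": "Mac OS",
    "macOS": "Mac OS",
}

# DHCP class identifier transitions known to be benign, e.g. a Windows host
# switching to MS-UC-Client when Skype starts (the case from the thread).
BENIGN_DHCP_TRANSITIONS = {
    ("MSFT 5.0", "MS-UC-Client"),
    ("MS-UC-Client", "MSFT 5.0"),
}

def classify(change: AttributeChange) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'investigate' or 'log'."""
    if change.attribute == "os":
        old_fam = OS_FAMILY.get(change.old, change.old)
        new_fam = OS_FAMILY.get(change.new, change.new)
        if old_fam != new_fam:
            # Family change is the case the poster would enforce on.
            return "block", f"OS family changed {old_fam} -> {new_fam}"
        # Version change within a family is recorded but not enforced.
        return "log", f"OS version changed within {old_fam}: {change.old} -> {change.new}"
    if change.attribute == "dhcp-class-identifier":
        if (change.old, change.new) in BENIGN_DHCP_TRANSITIONS:
            # Known false-positive source: keep it in the report, never block.
            return "log", f"known benign DHCP class id change {change.old} -> {change.new}"
        return "investigate", f"unexpected DHCP class id change {change.old} -> {change.new}"
    return "investigate", f"unhandled attribute {change.attribute!r} changed"

def build_report(changes) -> dict:
    """Group verdicts per MAC so each endpoint shows when and why it was flagged."""
    report = defaultdict(list)
    for c in changes:
        verdict, reason = classify(c)
        report[c.mac].append({"time": c.timestamp, "verdict": verdict, "reason": reason})
    return dict(report)

def count_verdicts(report: dict) -> dict:
    """Summarise how many entries fell under each verdict."""
    counts = defaultdict(int)
    for entries in report.values():
        for e in entries:
            counts[e["verdict"]] += 1
    return dict(counts)

# Constructed sample events (MACs and timestamps are made up).
SAMPLE_CHANGES = [
    AttributeChange("2018-06-01T08:00:00", "00:11:22:33:44:55", "dhcp-class-identifier", "MSFT 5.0", "MS-UC-Client"),
    AttributeChange("2018-06-01T08:05:00", "00:11:22:33:44:55", "os", "Windows 7", "Windows 10"),
    AttributeChange("2018-06-01T09:10:00", "aa:bb:cc:dd:ee:ff", "os", "Windows 10", "Mac OS X"),
    AttributeChange("2018-06-01T09:30:00", "11:22:33:44:55:66", "dhcp-class-identifier", "MSFT 5.0", "android-dhcp-9"),
]

if __name__ == "__main__":
    for mac, entries in build_report(SAMPLE_CHANGES).items():
        print(mac)
        for e in entries:
            print(f"  {e['time']}  {e['verdict']:<11} {e['reason']}")
    print(count_verdicts(build_report(SAMPLE_CHANGES)))
```

Run as a script it prints one section per MAC with the time, verdict and reason for each change, which is the information the original question says the UI does not expose. Feeding it real data would require exporting endpoint attribute history from ISE yourself; the script only shows how the rule logic and per-MAC report could be structured.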

3 Replies


Any answer on this? I'm working with a customer where, even when anomalous behavior is turned off, I am seeing:

 

AnomalousBehaviour true

ISE 2.3

 

Why would it be true when the detection is turned off?

 

Thanks!

I checked with the SME and he said it's a bug. Please work through it with TAC.