3062 Views, 20 Helpful, 6 Replies

Attributes for anomalous behaviour

Mannyteck
Level 1

One of my clients requested implementing anomalous behavior on endpoints. However, I have gone through the Cisco documentation on this but still find the explanation unclear.

The default condition on ISE for anomalous behavior states:

Endpoints:AnomalousBehaviour EQUALS true AND Device:Location EQUALS All Locations

Are there any other attributes that can be added to enforce anomalous behavior based on the three major attributes provided, so as not to deny legitimate endpoints or user access on the network?

NAS-Port-Type 

DHCP Class ID 

Endpoint Policy

Also, I have more than 500 endpoints on the network with anomalous behaviour = true. How do I narrow these down to the endpoints that are malicious or illegitimate?

 

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee