Cisco ISE - ANC leveraging integrated AMP - Isolation

Script Kiddie
Level 1

Dear community,

I have integrated Cisco ISE and AMP with the intention of leveraging threat-centric data in authorization rules.

I can see threat-centric data and the compromised endpoint within ISE after executing a false exploit, with a status like "Painful", etc., but I don't see any attributes to leverage this in an authorization policy.
I'm able to trigger manual ANC based on this event, which is okay, but I need an automated response and I thought this would work.

My idea is (for example): an endpoint is being exploited and has Cisco AMP installed, Cisco AMP sends this threat-centric data to ISE, and ISE has an authorization policy that says "if threat level = painful & endpoint in Admin LAN", so the endpoint will be assigned to a quarantine VLAN or ANC will be triggered.

My problem is that I don't see attributes like the above, such as threat level = painful, or anything related to this AMP threat-centric data that I can utilize in authorization policies to isolate automatically.

2 Replies

Arne Bier
VIP

This might also be a question for the Cisco TAC. I don't have AMP integration and I think one needs that integration to populate the ISE RADIUS Dictionary. If ISE Policy Set Authorization conditions are based on what is contained in the Dictionary, have a look around in

Policy > Policy Elements > Dictionaries > System

and explore any folders regarding ANC/AMP etc.

Greg Gibbs
Cisco Employee

The following list of Dictionaries/Attributes was shared as a reference for the ISE Webinar on the ISE Threat Centric NAC Service. These are the only attributes that can be used within ISE policies. If you have not done so already, I would suggest reviewing that Webinar for more information on the capabilities.

[Attached image: Screenshot 2024-05-14 at 12.08.52 PM.png]