Clear Anomalous Behaviour

BrianPersaud
Spotlight

Hi All

I'm running ISE 2.4 Patch 10. Besides deleting the MAC address, is there another way to clear Anomalous Behaviour for the device?

Thanks

Brian Persaud

1 Accepted Solution

Accepted Solutions

Colby LeMaire
VIP Alumni

There is no way that I am aware of other than deleting the endpoint.  From context visibility, you can export all endpoints to a CSV file.  Massage the CSV file back into the import format.  Delete the anomalous endpoints from ISE.  Import the CSV file to get the endpoints back.  You will lose profiling data but at least you can ensure that you don't lose any static assignments.  It would be nice if they put an option in to reset the Anomalous Behavior attribute.


4 Replies
Hi Colby, thanks for the info and for the tip as well. Just out of curiosity, how often do you use anomalous behaviour for deployments? For sure I know there are major security benefits with it, but is it worth it operationally?

Thanks

I think it can be an indicator that something may not be right and worth digging into a particular endpoint to make sure it is a real issue or not.  But I wouldn't trust it since it only fires in specific situations such as moving from phone to PC or vice versa.  And it has a bug where it marks something anomalous when the DHCP Class Identifier changes.  But it is normal for a Windows PC to present multiple DHCP Class Identifiers depending on what applications are installed.  For example, the PC will send the normal MSFT-5.0 Class Identifier for the OS but then if Skype is installed, it will send another DHCP Class Identifier for Skype that looks like "MSFT-UC-Client".  Some applications use the DHCP Class Identifier to locate resources like SIP servers, proxy configuration files, etc.

So if your environment only shows one or two anomalous endpoints here and there, then certainly dive in and investigate those machines.  But don't automatically assume it is bad behavior.  If you are seeing hundreds or thousands of anomalous machines, then it is likely because of a particular application.
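The triage Colby describes above (a handful of anomalous endpoints deserve a look, hundreds usually mean one application changing the DHCP class identifier) can be scripted against your own DHCP logs. This is an added example, not code from the thread or from ISE: the MAC addresses and class identifier strings are constructed sample data, and the benign-combination baseline is an assumption you would build from your own captures.

```python
# Added example (not from the thread): group the DHCP vendor class identifiers
# (option 60) each endpoint has presented and sort endpoints into those that
# only show a known Windows + application combination and those worth a look.
from collections import defaultdict

# Constructed sample observations: (endpoint MAC, DHCP class identifier seen).
OBSERVATIONS = [
    ("00:11:22:33:44:01", "MSFT 5.0"),
    ("00:11:22:33:44:01", "MSFT-UC-Client"),  # Skype for Business lookup
    ("00:11:22:33:44:02", "MSFT 5.0"),
    ("00:11:22:33:44:02", "MSFT-UC-Client"),
    ("00:11:22:33:44:03", "Cisco Systems, Inc. IP Phone CP-8841"),
    ("00:11:22:33:44:03", "MSFT 5.0"),  # phone "became" a PC: worth a look
    ("00:11:22:33:44:04", "MSFT 5.0"),
]

# Windows DHCP client OS identifier (written MSFT-5.0 in the thread) and the
# extra identifiers Windows hosts legitimately send alongside it. Assumed
# baseline for this example; extend it from your own DHCP logs.
WINDOWS_OS_ID = "MSFT 5.0"
BENIGN_WINDOWS_EXTRA = {"MSFT-UC-Client"}

def group_by_endpoint(observations):
    """Map each MAC to the set of class identifiers it has presented."""
    seen = defaultdict(set)
    for mac, class_id in observations:
        seen[mac.lower()].add(class_id)
    return dict(seen)

def classify(class_ids):
    """Return 'single', 'benign-multi' or 'investigate' for one endpoint."""
    if len(class_ids) == 1:
        return "single"
    if WINDOWS_OS_ID in class_ids and class_ids - {WINDOWS_OS_ID} <= BENIGN_WINDOWS_EXTRA:
        return "benign-multi"
    return "investigate"

def triage(observations):
    """Verdict per endpoint MAC."""
    return {mac: classify(ids) for mac, ids in group_by_endpoint(observations).items()}

def summarize(verdicts):
    """Count verdicts; a large benign-multi count points at an application, not an attack."""
    counts = defaultdict(int)
    for verdict in verdicts.values():
        counts[verdict] += 1
    return dict(counts)

if __name__ == "__main__":
    verdicts = triage(OBSERVATIONS)
    for mac, verdict in sorted(verdicts.items()):
        print(mac, verdict)
    print(summarize(verdicts))
```

Feed it the (MAC, class identifier) pairs from your DHCP server or ISE profiler logs; endpoints in the "investigate" bucket are the ones whose anomalous flag deserves a manual check.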

Thanks, I will definitely dig in some more to get to the bottom of it. I will start with the DHCP identifier since they are indeed doing Skype for Business.