How to tell what triggered Anomalous Behaviour / Anomaly Detection ?

Arne Bier
VIP

Hello 

 

ISE 3.0 patch 3 - I enabled Anomaly Detection and I am seeing a growing list of Windows 10 workstations in the Anomalous Endpoints. These endpoints have never authenticated via ISE and have been learned via DHCP profiling. This is from Cisco switches.

 

I deleted a whole bunch of endpoints today and the list is growing again - is there a way to easily see WHY ISE considers an endpoint anomalous? I think there is a log somewhere, but that seems like a brutal approach.

 

I have not enabled enforcement.

 

anomaly.png

 

1 Reply

Arne Bier
VIP

Update

 

DHCP Class Identifier is the cause. But I don't know why a Windows 10 machine would send out two different DHCP Discover messages.

 

anomaly2.png

 

I found this via "show logging application profiler.log".

 

Anyone else find Anomaly Detection useful?
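The reply above traces the anomaly to a change in the DHCP Class Identifier (option 60) seen for the same MAC address. The script below is an added example, not code from the original post and not Cisco's profiler logic: it reads a simplified, constructed line format (timestamp, MAC, class identifier), which is an assumption and not the real profiler.log format, and reports every MAC whose class identifier changes between DHCP messages. Running it against an export of your own DHCP profiling attributes, after adapting the regex to that format, gives the "why" for each flagged endpoint without reading the whole log by hand.

```python
"""Flag endpoints whose DHCP Class Identifier (option 60) changes between
DHCP messages seen for the same MAC address.

Added example; the line format below is a constructed simplification,
not the format of Cisco ISE profiler.log.
"""
import re
from collections import defaultdict

# Constructed sample data: one endpoint keeps the same class identifier,
# the other reports two different values (the condition that gets flagged).
SAMPLE_DHCP_EVENTS = """\
2021-06-01T09:00:01 mac=00:11:22:33:44:55 dhcp-class-identifier=MSFT 5.0
2021-06-01T09:00:03 mac=00:11:22:33:44:55 dhcp-class-identifier=MSFT 5.0
2021-06-01T09:05:10 mac=00:11:22:33:44:55 dhcp-class-identifier=PXEClient:Arch:00007:UNDI:003016
2021-06-01T09:07:00 mac=aa:bb:cc:dd:ee:ff dhcp-class-identifier=MSFT 5.0
2021-06-01T09:08:00 mac=aa:bb:cc:dd:ee:ff dhcp-class-identifier=MSFT 5.0
"""

# Assumed line layout (hypothetical): "<timestamp> mac=<mac> dhcp-class-identifier=<value>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"\s+dhcp-class-identifier=(?P<cid>.*)$"
)


def parse_events(text):
    """Return a list of (timestamp, mac, class_identifier) tuples, in file order.

    Lines that do not match the assumed layout are skipped rather than raised,
    since a real log mixes many record types.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["mac"].lower(), m["cid"].strip()))
    return events


def find_class_id_changes(events):
    """Return {mac: [(timestamp, previous_cid, new_cid), ...]}.

    Only MACs whose class identifier differs from the previously observed
    value are included; a stable identifier never produces an entry.
    """
    last_seen = {}
    changes = defaultdict(list)
    for ts, mac, cid in events:
        prev = last_seen.get(mac)
        if prev is not None and prev != cid:
            changes[mac].append((ts, prev, cid))
        last_seen[mac] = cid
    return dict(changes)


if __name__ == "__main__":
    for mac, hits in find_class_id_changes(parse_events(SAMPLE_DHCP_EVENTS)).items():
        for ts, old, new in hits:
            print(f"{mac}: class identifier changed at {ts}: {old!r} -> {new!r}")
```

The check is deliberately per-MAC and order-sensitive: an endpoint is reported only at the moment its identifier differs from the last value seen, so the output lists the exact message that would make the endpoint look anomalous rather than every message it ever sent.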
