cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
693
Views
0
Helpful
1
Replies

TC-NAC with AMP ANC/EPS

matthen
Cisco Employee
Cisco Employee

Is there a way to apply an automated EPS or ANC policy when an AMP4E event is sent to ISE?  Also, when I look in the threat category in my policy set condition attributes, I see attributes for vulnerability scanners, but I don't see any AMP attributes.  The use case I'm working on is to have ISE take an automated response to an AMP4E event.

 

 

Thanks,

 

Matt

1 Accepted Solution

Accepted Solutions

paul
Level 10
Level 10

I don't believe there is a way to do an automated response for AMP events in ISE.  The only attributes that are supported are:

 

  • Threat:Qualys-CVSS_Base_Score

  • Threat:Qualys-CVSS_Temporal_Score

  • Rapid7 Nexpose-CVSS_Base_Score

  • Tenable Security Center-CVSS_Base_Score

  • Tenable Security Center-CVSS_Temporal_Score

I know at Live they demonstrated this working but I believe it was with FMC in the mix.  FMC/FTD would learn about the vulnerable endpoint and issue a quarantine to ISE.  I think Aaron presented on that two years ago, but I may not be remembering that correctly.

View solution in original post

1 Reply 1

paul
Level 10
Level 10

I don't believe there is a way to do an automated response for AMP events in ISE.  The only attributes that are supported are:

 

  • Threat:Qualys-CVSS_Base_Score

  • Threat:Qualys-CVSS_Temporal_Score

  • Rapid7 Nexpose-CVSS_Base_Score

  • Tenable Security Center-CVSS_Base_Score

  • Tenable Security Center-CVSS_Temporal_Score

I know at Live they demonstrated this working but I believe it was with FMC in the mix.  FMC/FTD would learn about the vulnerable endpoint and issue a quarantine to ISE.  I think Aaron presented on that two years ago, but I may not be remembering that correctly.