07-10-2019 11:11 AM - edited 07-10-2019 11:13 AM
Is there a way to apply an automated EPS or ANC policy when an AMP4E event is sent to ISE? Also, when I look in the threat category in my policy set condition attributes, I see attributes for vulnerability scanners, but I don't see any AMP attributes. The use case I'm working on is to have ISE take an automated response to an AMP4E event.
Thanks,
Matt
07-10-2019 11:28 AM
I don't believe there is a way to do an automated response for AMP events in ISE. The only attributes that are supported are:
Threat:Qualys-CVSS_Base_Score
Threat:Qualys-CVSS_Temporal_Score
Rapid7 Nexpose-CVSS_Base_Score
Tenable Security Center-CVSS_Base_Score
Tenable Security Center-CVSS_Temporal_Score
I know at Live they demonstrated this working but I believe it was with FMC in the mix. FMC/FTD would learn about the vulnerable endpoint and issue a quarantine to ISE. I think Aaron presented on that two years ago, but I may not be remembering that correctly.