Redman1804
Beginner

Stealthwatch - How to quarantine a host when custom security event policy alarms

Hello

I've created a custom security event policy in Stealthwatch that will alarm when a single flow matches the condition I specified.

However, I don't want the event to simply be reported; I want an action whereby Stealthwatch triggers a request for ISE to quarantine the host.

My Stealthwatch installation is integrated with ISE via pxGrid, and I've added my SMC to the ANC (adaptive network control) group in ISE as well as created an ANC quarantine policy in ISE to deny access.

I can see how to manually select the host in Stealthwatch and, under ISE ANC Policy, select the policy I created in ISE to kick the host off the network.

The piece that I am struggling with is how to get Stealthwatch to automatically trigger the ISE policy once the CSE policy alarm is triggered.

I'd be most grateful for any assistance.

1 REPLY 1
g-b
Beginner

I need assistance with this also; I can only quarantine manually. Is an auto-quarantine action possible from Stealthwatch?
