
Cisco ISE - ANC leveraging integrated AMP - Isolation

Script Kiddie
Level 1

Dear community,

I have integrated Cisco ISE and AMP with the intention to leverage threat-centric data in authorization rules.

I can see threat-centric data and the compromised endpoint within ISE after executing a false exploit, such as the status "Painful", etc., but I don't see any attributes to leverage this in an authorization policy.
I'm able to trigger manual ANC based on this event, which is okay, but I need an automated response, and I thought this would work.

My idea is (for example): an endpoint is being exploited and has Cisco AMP installed, Cisco AMP sends this threat-centric data to ISE, and ISE has an authorization policy that says "if threat level = painful & endpoint in Admin LAN", so the endpoint will be assigned to a quarantine VLAN or ANC will be triggered.

My problem is that I don't see the attributes above, such as threat level = painful, or anything related to this AMP threat-centric data that I can utilize in authorization policies to isolate automatically.
