04-27-2017 05:46 PM
Testing TC-NAC. Have established ISE - AMP Console communication. I have three questions.
1) My 2.2 ISE is registered to the AMP console and shows status of connected. When I look at the AMP console, the URL for my ISE is defined as the internal name ise240.metlab.local. Does the AMP console reach out to my ISE or does ISE reach out to the AMP console? In other words, is notification a push or a pull method? Does it matter that my ISE is not routable/reachable directly from the Internet? It does have outbound Internet, just not inbound from the Internet.
2) Is there any automatic action to take when this happens? I see there are Threat Centric attributes available in the AuthZ policy config but nothing that reflects a compromised host. Is there an attribute I can set to True, similar to how Anomalous Behavior works? In the documentation it talks about manually applying an ANC policy.
3) Does this work when the malware notification comes after a ThreatGrid analysis or is retrospective? Meaning that the file was executed as unknown and then marked as malware after ThreatGrid analysis.
Thanks.
Sam
04-27-2017 11:11 PM
1) My 2.2 ISE is registered to the AMP console and shows status of connected. When I look at the AMP console, the URL for my ISE is defined as the internal name ise240.metlab.local. Does the AMP console reach out to my ISE or does ISE reach out to the AMP console? In other words, is notification a push or a pull method? Does it matter that my ISE is not routable/reachable directly from the Internet? It does have outbound Internet, just not inbound from the Internet.
ISE receives IOC (Indicators of Compromise) events and “Threat Detected” events from AMP. During the AMP adapter configuration, you can specify which subset of events you want to subscribe to; that selection is used to send a POST request to AMP for those event types. Once ISE registers for the events, it creates an SSL connection to the AMP Queue and listens for any notifications thereafter from AMP.
2) Is there any automatic action to take when this happens? I see there are Threat Centric attributes available in the AuthZ policy config but nothing that reflects a compromised host. Is there an attribute I can set to True, similar to how Anomalous Behavior works? In the documentation it talks about manually applying an ANC policy.
No, the action cannot be automated today. The following are the ‘Threat’ options today (in ISE 2.2) you can author a policy on:
3) Does this work when the malware notification comes after a ThreatGrid analysis or is retrospective? Meaning that the file was executed as unknown and then marked as malware after ThreatGrid analysis.
The analysis on AMP is retrospective (more of an AMP/ThreatGrid feature). I believe there needs to be an active session on the PSN for the threat indices to be concatenated, which then get published to the Policy Admin Node to be shown under 'Context Visibility'. (Copying jeppich and imbashir to keep me honest)
Cheers!
-Hari
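An added illustration, not code from this thread or from Cisco, of the two filtering steps Hari describes: the ISE AMP adapter subscribes to only a subset of AMP event types, and a received threat event is only tied to an endpoint that has an active session on a PSN; events for endpoints with no session have nothing to attach to and would not surface under Context Visibility. Retrospective verdicts (a file first seen as unknown, later marked malware) are treated like any other event once a session exists. All event field names, the session table and the sample records are constructed assumptions, not the AMP event schema or ISE's internal data model.

```python
# Added example: models the subscribe-then-correlate flow described in the
# thread. Every field name and sample record here is a constructed assumption;
# none of it is the AMP event schema or ISE's internal data model.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Event types the adapter is assumed to have subscribed to (constructed labels).
SUBSCRIBED_EVENT_TYPES: Set[str] = {"threat_detected", "ioc_observed"}


@dataclass
class AmpEvent:
    event_type: str              # e.g. "threat_detected" (constructed label)
    hostname: str
    mac: str                     # endpoint identity used to look up a session
    detail: str
    retrospective: bool = False  # True when a later ThreatGrid verdict changed an "unknown"


@dataclass
class Session:
    mac: str
    psn: str                     # Policy Service Node that owns the session
    user: str


@dataclass
class ThreatRecord:
    mac: str
    user: str
    psn: str
    indicators: List[str] = field(default_factory=list)


def filter_subscribed(events: Iterable[AmpEvent], subscribed: Set[str]) -> List[AmpEvent]:
    """Keep only the event types the adapter registered for (the POST subscription step)."""
    return [e for e in events if e.event_type in subscribed]


def correlate(events: Iterable[AmpEvent],
              sessions: Dict[str, Session]) -> Tuple[Dict[str, ThreatRecord], List[AmpEvent]]:
    """Attach each event to the active session for its MAC.

    Events whose endpoint has no active session are returned separately so the
    caller can see they would not be shown under Context Visibility.
    """
    records: Dict[str, ThreatRecord] = {}
    unmatched: List[AmpEvent] = []
    for e in events:
        key = e.mac.lower()
        s = sessions.get(key)
        if s is None:
            unmatched.append(e)
            continue
        rec = records.setdefault(key, ThreatRecord(mac=s.mac, user=s.user, psn=s.psn))
        tag = "retrospective" if e.retrospective else "realtime"
        rec.indicators.append(f"{e.event_type}:{e.detail} ({tag})")
    return records, unmatched


# Constructed sample data: two endpoints with sessions, one without.
SAMPLE_EVENTS = [
    AmpEvent("threat_detected", "pc-01", "00:11:22:33:44:55", "Trojan.Generic"),
    AmpEvent("threat_detected", "pc-01", "00:11:22:33:44:55", "W32.Dropper", retrospective=True),
    AmpEvent("ioc_observed", "pc-02", "66:77:88:99:aa:bb", "Suspicious PowerShell"),
    AmpEvent("scan_completed", "pc-02", "66:77:88:99:aa:bb", "Nightly scan"),   # not subscribed
    AmpEvent("threat_detected", "laptop-07", "cc:dd:ee:ff:00:11", "PUA.Adware"),  # no session
]

SAMPLE_SESSIONS = {
    "00:11:22:33:44:55": Session("00:11:22:33:44:55", "psn1", "alice"),
    "66:77:88:99:aa:bb": Session("66:77:88:99:aa:bb", "psn2", "bob"),
}


def run_sample() -> Tuple[Dict[str, ThreatRecord], List[AmpEvent]]:
    """Apply the subscription filter, then correlate against the session table."""
    return correlate(filter_subscribed(SAMPLE_EVENTS, SUBSCRIBED_EVENT_TYPES), SAMPLE_SESSIONS)


if __name__ == "__main__":
    recs, missed = run_sample()
    for mac, rec in recs.items():
        print(mac, rec.user, rec.psn, rec.indicators)
    print("no active session:", [e.hostname for e in missed])
```

Running it shows pc-01 carrying both its real-time and its retrospective indicator under one record, pc-02 carrying only the subscribed IOC event, and laptop-07 left unmatched because no PSN holds a session for it.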
04-28-2017 01:53 PM
... Does the AMP console reach out to my ISE or does ISE reach out to the AMP console? In other words, is notification a push or a pull method? Does it matter that my ISE is not routable/reachable directly from the Internet? It does have outbound Internet, just not inbound from the Internet. ...
ISE will reach out to AMP. It will work, and it is quite normal for ISE not to be reachable from the Internet while being allowed outbound access to the Internet.
04-28-2017 03:01 PM
Thanks for the info. I am good to go.