Put a Device in Quarantine Using Forescout

1. Select an alert on AlertsSecurity AlertsAll Alerts in the Device Security portal.
2. Click MoreSend toQuarantine via Forescout.

3. Add a comment.

   After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.

4. Click Send.

   Device Security sets the PanwIoTQuarantine host property to on and the Cortex XSOAR engine sends it to all configured Forescout instances using the Forescout API:

   https://<Forescout_IP_address>/fsapi/niCore/Hosts

   The instance or instances that have an endpoint with a matching MAC address then take action based on how Forescout administrators choose to use the host property. For example, they might configure Forescout to send a Disconnect-Request message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, Forescout assigns the device to a quarantine VLAN where it remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the Release via Forescout option.

   After you click Send, a link appears. When you click it, a new browser window opens to the XSOAR playbook for this action.

   To confirm that the command was sent, click the link to the XSOAR playbook for this action.

   For the link in Device Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.

   The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.