Put a Device in Quarantine Using Cisco ISE
Table of Contents
Put a Device in Quarantine Using Cisco ISE
Use the IoT Security integration with Cisco ISE to quarantine
IoT devices of concern.
If you want to quarantine a device because
you saw an alert that concerns you, use the quarantine option on
the page. You can also do this in the
Action menu in the Risks and Alerts sections on the Device Details
page.
- Select an alert on in the IoT Security portal.Click .
![]()
Add a comment.After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.![]()
Click Send.IoT Security sends PanwIoTAlertSeverity and PanwIoTAlertType attributes, together with the MAC address of the impacted device, through Cortex XSOAR to all configured Cisco ISE instances. The instance or instances that have an endpoint with a matching MAC address apply the quarantine. The next time the device disconnects from the network and then reconnects, it requests access permission from Cisco ISE. If you configured an exception rule to put devices with a security alert into the quarantine VLAN, Cisco ISE will assign the device to that VLAN instead of its usual VLAN. While it’s in the quarantine VLAN, which has no connection to the rest of the network, you can investigate the alert. When it’s resolved, you can then release a device from quarantine.After you click Send, a link appears. When you click it, a new browser window opens to the XSOAR playbook for this action.![]()
To confirm that the quarantine command was sent, click the link to the XSOAR playbook for this action.For the link in IoT Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.
