: Put a Device in Quarantine Using Forescout
Focus
Focus

Put a Device in Quarantine Using Forescout

Table of Contents

Put a Device in Quarantine Using Forescout

Use
IoT Security
integration with Forescout to quarantine devices of concern.
If you want to quarantine a device because you saw an alert that concerns you, use the quarantine option on the
Alerts
Security Alerts
page. You can also do this in the Action menu in the Alerts section on a Device Details page.
Putting a device in quarantine requires
IoT Security
owner or administrator privileges.
  1. Select an alert on
    Alerts
    Security Alerts
    in the IoT Security portal.
  2. Click
    More
    Send to
    Quarantine via Forescout
    .
  3. Add a comment.
    After you enter a comment, the
    Send
    button changes from gray to blue, indicating that you can proceed.
  4. Click
    Send
    .
    IoT Security
    sets the
    PanwIoTQuarantine
    host property to
    on
    and the XSOAR engine sends it to all configured Forescout instances using the Forescout API:
    https://<Forescout_IP_address>/fsapi/niCore/Hosts
    The instance or instances that have an endpoint with a matching MAC address then take action based on how Forescout administrators choose to use the host property. For example, they might configure Forescout to send a
    Disconnect-Request
    message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, Forescout assigns the device to a quarantine VLAN where it remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the Release via Forescoutoption.
    After you click
    Send
    , a link appears. When you click it, a new browser window opens to the XSOAR playbook for this action.
    To confirm that the command was sent, click the link to the XSOAR playbook for this action.
    For the link in
    IoT Security
    to open the corresponding playbook in
    Cortex XSOAR
    , you must already be logged in to your XSOAR instance before clicking it.
    The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.

Recommended For You