Put a Device in Quarantine Using Aruba ClearPass

Use IoT Security integration with Aruba ClearPass to quarantine devices of concern.
If you want to quarantine a device because you saw an alert that concerns you, use the quarantine option on the
Security Alerts
page. You can also do this in the Action menu in the Alerts section on a Device Details page.
  1. Select an alert on
    Security Alerts
    in the IoT Security portal.
  2. Click
    Send to
    Quarantine via Aruba ClearPass
  3. Add a comment.
    After you enter a comment, the Send button changes from gray to blue, indicating that you can proceed.
  4. Click
    IoT Security sends a command through Cortex XSOAR to all configured Aruba ClearPass instances to assign the device to a quarantine VLAN. The instance or instances that have an endpoint with a matching MAC address apply the quarantine. The device remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the Release via Aruba ClearPass option.
    After you click
    , a link appears. When you click it, a new browser window opens to the XSOAR playbook for this action.
    To confirm that the quarantine command was sent, click the link to the XSOAR playbook for this action.
    For the link in IoT Security to open the corresponding playbook in Cortex XSOAR, you must already be logged in to your XSOAR instance before clicking it.
    The green boxes in the playbook indicate that a particular step was successfully performed. Following the path through the playbook gives you feedback about whether an action was carried out successfully or, if not, where the process changed course.

Recommended For You