Put a Device in Quarantine Using Forescout

Use IoT Security integration with Forescout to quarantine devices of concern.
If you want to quarantine a device because you saw an alert that concerns you, use the quarantine option on the
Security Alerts
page. You can also do this in the Action menu in the Alerts section on a Device Details page.
Putting a device in quarantine requires IoT Security owner or administrator privileges.
  1. Select an alert on
    Security Alerts
    in the IoT Security portal.
  2. Click
    Send to
    Quarantine via Forescout
    IoT Security sets the PanwIoTQuarantine host property to
    and the XSOAR engine sends it to all configured Forescout instances using the Forescout API:
    The instance or instances that have an endpoint with a matching MAC address then take action based on how Forescout administrators choose to use the host property. For example, they might configure Forescout to send a
    message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, Forescout assigns the device to a quarantine VLAN where it remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the
    Release via Forescout

Recommended For You