Put a Device in Quarantine Using Forescout

Use IoT Security integration with Forescout to quarantine devices of concern.
If you want to quarantine a device because you saw an alert that concerns you, use the quarantine option on the
Alerts
Security Alerts
page. You can also do this in the Action menu in the Alerts section on a Device Details page.
Putting a device in quarantine requires IoT Security owner or administrator privileges.
  1. Select an alert on
    Alerts
    Security Alerts
    in the IoT Security portal.
  2. Click
    More
    Send to
    Quarantine via Forescout
    .
    IoT Security sets the PanwIoTQuarantine host property to
    on
    and the XSOAR engine sends it to all configured Forescout instances using the Forescout API:
    https://<Forescout_IP_address>/fsapi/niCore/Hosts
    The instance or instances that have an endpoint with a matching MAC address then take action based on how Forescout administrators choose to use the host property. For example, they might configure Forescout to send a
    Disconnect-Request
    message to the switch through which the impacted device accesses the network and disconnects it. When the device reconnects, Forescout assigns the device to a quarantine VLAN where it remains in quarantine while you investigate the cause of the alert. Once it’s resolved, you can then use the
    Release via Forescout
    option.

Recommended For You