I am not sure, but C looks fine.
Quarantining endpoints is the job of ISE.
https://www.cisco.com/c/ja_jp/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23-1_chapter_01101.html#ID173.
"This integration allows you to create content policies on FMC based on the information that is shared by ISE and their published topics (related to the endpoint activity)."
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-32/220856-configure-and-troubleshoot-ise-3-2-with.html
Should be A. Cisco ISE instructs Cisco AMP to contain the infected endpoint.
When Cisco ISE detects an infected endpoint, it can instruct Cisco AMP to take actions directly on that specific endpoint to contain the threat.
Given the specific keyword "endpoint," the scenario where Cisco ISE instructs Cisco AMP to contain the infected endpoint is the more directly relevant and specific choice.
RTC w/ FMC & ISE is the ability for the FMC to quarantine end points through ISE. So, when the FMC sees some indicators of compromise, certain Snort IPS signatures are fired, or malware is discovered through AMP, the FMC can trigger actions to occur through ISE. ISE, in turn, can determine what to do when that trigger occurs.
When an infected endpoint is identified in the network, the RTC (Rapid Threat Containment) workflow involves isolating the endpoint to prevent further spread of the threat. In this workflow, Cisco ISE (Identity Services Engine) identifies the infected endpoint and instructs Cisco FMC (Firepower Management Center) to contain the endpoint. Cisco FMC then applies the appropriate policy to contain the endpoint, such as isolating it on a separate VLAN or blocking its traffic altogether.
Note that Cisco AMP (Advanced Malware Protection) can also play a role in threat containment, but in this specific RTC workflow, the instruction to contain the endpoint comes from Cisco ISE and is executed by Cisco FMC.
RTC w/ FMC & ISE is the ability for the FMC to quarantine end points through ISE. So, when the FMC sees some indicators of compromise, certain Snort IPS signatures are fired, or malware is discovered through AMP, the FMC can trigger actions to occur through ISE. ISE, in turn, can determine what to do when that trigger occurs. ISE could kick the user off the network or change the context of the user and endpoint so that different actions are taken within the network infrastructure.
Ok, I wrote at 206 that this has to be right for it to be FMC and Stealthwatch. Upon further research I think AMP and Stealthwatch (aka AMP for Networks) are the only ones able to contain an Endpoint in case of Files and Malware. (Not any other case!!)
Community vote distribution
A (35%)
C (25%)
B (20%)
Other