Rapid Threat Containment with ISE 2.1 and Firepower 6.1

In this post, I'm going to go through Rapid Threat Containment utilizing both ISE and Firepower. The pre-requirements in order to do this is to have configured pxGrid between ISE and the Firepower Management Center (FMC) prior. If you would like to know how to do so, I went over how to do it with self-signed certificates in this post here or CA-signed certificates in this post here

In Firepower 5.4, it could be integrated with ISE via pxGrid but it was not native to Firepower and required installing plugins and python scripts. It was only the Firepower 6.1 release that allowed for native pxGrid integration and rapid threat containment. In order to configure this in the Firepower Management Console, we're going to have to start out by creating an instance of the mitigation and then define what that action does. 

Navigate to Policies>Actions>Instances and choose pxGrid Mitigation (v1.0) from the drop-down box and click Add

Name the instance something that makes sense to you and click Create. You will be taken to the pxGrid instance were you can create remediations.

Choose Mitigate Source from the drop-down and click Add

Usually I like to name this QuarantineBySourceIP but you can name it whatever you would like. The mitigation action should be quarantine.

After creating this and saving it, add another remediation and this time have it unquarantine by source. 

After you have created both remediations, click Done and you will be taken back to the following screen. Click Save. 

Now we will create some correlation rules to automate the quarantining and unquarantining of endpoints. Navigate to Policies>Correlation>Rule Management and click Create Rule

Now this is where you can create a rule that should trigger the quarantining or unquarantining of endpoints. Firepower gives you a LOT of flexibility where you can have it match on a certain connection condition or even a certain Snort rule but here are some of the different ideas and things I think would be effective:

  • Intrusion event occurs and it's impact flag is 1 (vulnerable)
  • Impact flag is 1 (vulnerable) and the IOC (Indicator of Compromise) tag is set.


  • Create a rule based off of a retrospective network-based malware detection - basically, if a file comes through initially and is marked as clean or unknown but AMP later finds that it is malware, it will let the Firepower Management Console know. With ISE, you can take action and block the host from the network in the meantime while you mitigate the risk. 
  • Malware was detected by AMP for Endpoints but for some reason quarantine failed. This would be a legitimate reason you would want this endpoint to have it's access to your network limited. 

Whatever the quarantine rule is that you choose, it has to make sense for your business so I leave it up to you to choose. As far as an unquarantine rule, you can create it the same way. An example of a good unquarantine rule is maybe allowing the endpoint to only have access to an internal page that will do a scan of the computer and mitigate the damage. That rule would look something like this. 

After you are done creating these rules, save it and navigate to Policies>Correlation>Policy Management and click Create Policy. 

Create a name for the policy and under Policy Rules, click Add Rules. Add the Quarantine rule you previously created.

Click the red button next to the rule to add a mitigation from the instances you previously created.

After creating the rule, click Save and on the Policy Management screen, click the slider to enable the policy.

Do the same for your unQuarantine rule and enable it as well. 

Now you should be able to test your correlation rules and view them by navigating to Analysis>Correlation>Correlation Events.