From the Custom Response page, you can create and manage a custom response configuration. A custom response configuration allows you to direct suspicious traffic to a machine in your network where activity is recorded. Information about the user device that made the request is captured to discover the internal IP addresses of infected machines on the corporate network.
Data collected by a custom response device is not recorded in SIA. Only the information and events gathered from Enterprise Security Connector are available for analysis in SIA.
In a policy, you can choose to use a custom response with the block action. This means that blocked traffic is directed to the custom response. If the proxy is not enabled and you are configuring AVC, you can associate a custom response with a block action. For more information, see Application visibility and control.
When configuring a custom response, you enter the IP address information of the machine that you plan to use.
In addition to creating a custom response, SIA allows you to download Enterprise Security Connector, software that you can deploy as a VM in your network to receive malicious traffic and identify machines that are infected with malware. Security Connector records information about the machine that made the request and, unlike a custom response, communicates this information to SIA. For more information, see Security Connector as a DNS sinkhole.
You need to be an SIA administrator to perform this task.
To configure a custom response:
1. In the Threat Protection menu of Enterprise Center, select Policies > Custom Responses.
2. Click the plus sign icon. The Add Custom Response dialog appears.
3. In the Name field, enter a name for the custom response.
4. In the Description field, enter a description.
5. In the IP V4 and IP V6 fields, enter the IP address information for the custom response device or machine.
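The machine behind those addresses needs something that records each request it receives. The following is an added example, not part of SIA or Enterprise Security Connector: a small Python listener that logs the requesting device and ranks internal clients by request count. It assumes redirected requests arrive as plain HTTP over IPv4; the names, port and response text are illustrative.

```python
import json
import threading
from collections import Counter
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

RECORDS = []                      # every recorded request, kept in memory
RECORDS_LOCK = threading.Lock()

def make_entry(client_ip, method, path, headers):
    """Build one record describing the device that made the request."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "client_ip": client_ip,           # internal address of the requesting machine
        "method": method,
        "host": headers.get("Host", ""),  # the blocked name the client asked for
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
    }

def clients_by_requests(records):
    """Return (client_ip, count) pairs, busiest first: machines to investigate."""
    return Counter(r["client_ip"] for r in records).most_common()

class RecordingHandler(BaseHTTPRequestHandler):
    """Records each request, then answers with a static block notice."""

    def _record(self):
        entry = make_entry(self.client_address[0], self.command, self.path, self.headers)
        with RECORDS_LOCK:
            RECORDS.append(entry)
            print(json.dumps(entry), flush=True)  # redirect stdout to keep a log
        body = b"Blocked by policy.\n"
        self.send_response(403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_POST = do_HEAD = _record

    def log_message(self, fmt, *args):
        pass  # drop the default stderr access log; JSON lines replace it

if __name__ == "__main__":
    # Placeholder bind address and port; use the address entered in the IP V4 field.
    ThreadingHTTPServer(("0.0.0.0", 8080), RecordingHandler).serve_forever()
```

Because data collected this way is not recorded in SIA, the JSON lines written to standard output are the only record and need to be kept locally.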