
New Member

CSA - Rules/Tasks to move computers to specific group

I'm trying to set up some more advanced rules and tasks in CSA, and one of my goals was to make a rule/task to move a host to a group "Rootkit detected computers" when it detects an unauthorized rootkit. Can't really find any way to make this in a rule, and I can't find any tasks that are based off of events or event sets.

Any ideas? We're on CSA 5.0 v187, and we should be upgrading to 5.2 within the next week.

New Member

Re: CSA - Rules/Tasks to move computers to specific group

I've tried to do the same thing with admins enabling/disabling the client for 'troubleshooting'. A task has to move a system record from one existing group to another. So if the system doesn't already exist in that group, then it can't be moved. The only other thing I could come up with is to monitor for a security posture low/medium/high. Monitor for a dynamic process on boot for any rootkit and set the system to high security level. Assign the rule module for network lockdown on the system state of high security. Also to notify you, monitor for the untrusted rootkit detected rule to be triggered and an email will be sent to you for follow up.