Splunk is a powerful tool for analyzing information in your organization by collecting, storing, alerting on, reporting on, and analyzing machine data. With Cisco Platform Exchange Grid (pxGrid), Splunk is able to act proactively on received network security syslog events and quarantine or unquarantine an endpoint by issuing pxGrid Adaptive Network Control (ANC) workflow actions.
The Splunk for ISE Add-on 2.1 or higher features an automated setup GUI for ISE EPS (Endpoint Protection Service) RESTful APIs and pxGrid ANC (Adaptive Network Control) mitigation actions via Splunk workflow actions.
The ISE EPS workflow actions work with ISE 1.2 and with ISE 1.3. The pxGrid ANC mitigation actions work with ISE 1.3.
The initial release of Splunk for ISE Add-on 2.1 for pxGrid operation requires additional Cisco files; please see your Cisco account team.
In this document ISE will be configured for pxGrid operation in a stand-alone environment using the self-signed ISE identity certificates, and self-signed certificates will be generated for the pxGrid client, Splunk.
All EPS and ANC workflow actions can be customized as illustrated in this document. ISE logging categories have been enabled to trigger the syslog events sent to Splunk. These events contain the real IP or MAC addresses in the Framed_IP_Address, IpAddress, or MacAddress fields received by Splunk, and those fields are referenced in the workflow actions.
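The following is an added example, not code from the Splunk for ISE Add-on or from Cisco, that shows what a workflow action effectively does with one of these syslog events: parse the key=value attributes of an ISE event, pick up the Framed_IP_Address / IpAddress / MacAddress identifier, and build the EPS REST request for a quarantine or unquarantine action. The syslog line is constructed, the ISE host name is a placeholder, and the EPS URL layout (`/ise/eps/QuarantineByIP/<ip>`, `/ise/eps/QuarantineByMAC/<mac>`) is an assumption based on the ISE 1.x EPS REST API that should be checked against your ISE release. The identifier is validated before it is placed in the URL so that a malformed or unexpected field value cannot change the request path.

```python
"""Build the ISE EPS mitigation request that a Splunk workflow action
would issue for an ISE syslog event.  Added example; not part of the
Splunk for ISE Add-on.  The EPS URL layout is assumed (ISE 1.x EPS REST
API as commonly documented) and must be verified for your ISE release."""
import ipaddress
import re
from typing import Dict, Iterable, Optional

# Constructed sample: an abridged ISE Passed_Authentications syslog line.
SAMPLE_EVENT = (
    "<181>Jun 10 12:03:44 ise-pan CISE_Passed_Authentications 0000012345 1 0 "
    "2015-06-10 12:03:44.123 +00:00 0001234567 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=12, Device IP Address=10.1.1.2, "
    "UserName=jdoe, NAS-IP-Address=10.1.1.2, Framed-IP-Address=10.10.20.55, "
    "Calling-Station-ID=00:11:22:33:44:55, NAS-Port-Type=Ethernet, ..."
)

# Splunk field names used by the add-on's workflow actions; Calling_Station_ID
# is accepted as a fallback for the MAC address (assumption).
IP_KEYS = ("Framed_IP_Address", "IpAddress")
MAC_KEYS = ("MacAddress", "Calling_Station_ID")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_ise_event(line: str) -> Dict[str, str]:
    """Return the comma-separated key=value attributes of an ISE syslog line.

    Hyphens in attribute names are rewritten to underscores so the keys match
    the Splunk field names (Framed-IP-Address -> Framed_IP_Address)."""
    attrs: Dict[str, str] = {}
    for part in line.split(","):
        if "=" not in part:
            continue  # header text and the trailing "..." carry no attribute
        key, value = part.split("=", 1)
        attrs[key.strip().replace("-", "_")] = value.strip()
    return attrs


def _first(attrs: Dict[str, str], keys: Iterable[str]) -> Optional[str]:
    for key in keys:
        if attrs.get(key):
            return attrs[key]
    return None


def is_valid_ip(value: str) -> bool:
    """True only for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_eps_url(ise_host: str, attrs: Dict[str, str],
                  action: str = "Quarantine") -> Optional[str]:
    """Return the EPS REST URL for this event, preferring IP over MAC.

    Returns None when the event carries no identifier that passes validation,
    so a garbage field value is never interpolated into the request path."""
    if action not in ("Quarantine", "UnQuarantine"):
        raise ValueError("action must be Quarantine or UnQuarantine")
    ip = _first(attrs, IP_KEYS)
    if ip and is_valid_ip(ip):
        return f"https://{ise_host}/ise/eps/{action}ByIP/{ip}"
    mac = _first(attrs, MAC_KEYS)
    if mac and MAC_RE.match(mac):
        return f"https://{ise_host}/ise/eps/{action}ByMAC/{mac.upper()}"
    return None


if __name__ == "__main__":
    event = parse_ise_event(SAMPLE_EVENT)
    # "ise-pan.example.com" is a placeholder for your ISE PAN/pxGrid node.
    print(build_eps_url("ise-pan.example.com", event))
```

The script only constructs the request; the workflow action in Splunk performs the HTTPS call with the EPS admin credentials, and the result of the quarantine is then visible in ISE.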
This document includes the self-signed pxGrid client certificate generation process for Splunk. A use case is also covered whereby Splunk registers to the ISE pxGrid node as a pxGrid client and subscribes to the EndpointProtection capability topic to perform a quarantine mitigation action on the endpoint with results seen in ISE. Please note that ISE will be deployed in a Stand-alone environment.
This document also covers workflow customizations based on the enabled ISE logging categories, followed by a troubleshooting and reference section.