
How To: Splunk and ISE pxGrid Adaptive Network Control (ANC) Mitigation Workflow Actions


May 2016

Splunk is a powerful tool for analyzing information in your organization by collecting, storing, alerting on, reporting on, and analyzing machine data. With Cisco Platform Exchange Grid (pxGrid), Splunk can proactively act on received network security syslog events and quarantine or unquarantine an endpoint by issuing pxGrid Adaptive Network Control (ANC) workflow actions.

The Splunk-for-ISE Add-on 2.1 or higher features an automated setup GUI for ISE EPS (Endpoint Protection Service) RESTful APIs and pxGrid ANC (Adaptive Network Control) mitigation actions via Splunk workflow actions.

The ISE EPS workflow actions work with ISE 1.2 and with ISE 1.3. The pxGrid ANC mitigation actions work with ISE 1.3.

The initial release of the Splunk for ISE Add-on 2.1 requires additional Cisco files for pxGrid operation; please see your Cisco account team.

In this document, ISE is configured for pxGrid operation in a stand-alone environment using the self-signed ISE identity certificates, and self-signed certificates are generated for the pxGrid client, Splunk.

All EPS and ANC workflow actions can be customized as illustrated in this document. ISE logging categories have been enabled to trigger the syslog events sent to Splunk. These events carry the endpoint's real IP or MAC address in the Framed_IP_Address, IpAddress, and MacAddress fields received by Splunk, and those fields are referenced in the workflow actions.

This document includes the self-signed pxGrid client certificate generation process for Splunk. A use case is also covered in which Splunk registers to the ISE pxGrid node as a pxGrid client and subscribes to the EndpointProtection capability topic to perform a quarantine mitigation action on the endpoint, with the results visible in ISE. Please note that ISE is deployed in a stand-alone environment.

This document also covers workflow customizations based on the enabled ISE logging categories, followed by a troubleshooting and reference section.

Comments

The guide works well for 2.1 and below, but in 2.2, if using the self-signed certificates generated by the ISE CA for pxGrid, you will need to include the Root, Node, Endpoint, and ISE identity certs in the mac.jks and caroot1.jks files. Otherwise the client will not trust the cert chain sent by ISE (verified in a PCAP and the pxgrid-cm.log). Currently the guide only says to import the identity certificate.

Cisco Employee

Hey Sebastian, this depends on what version of ISE is used and how the certificates are deployed, and also whether it is a production environment. For ISE 2.1+, please see: ISE Design & Integration Guides

Thanks,

John

jeppich@cisco.com