May 2016
Splunk collects, stores, and analyzes machine data from across your organization and provides alerting and reporting on it. With Cisco Platform Exchange Grid (pxGrid), Splunk can act on the network security syslog events it receives and quarantine or unquarantine an endpoint by issuing pxGrid Adaptive Network Control (ANC) workflow actions.
The Splunk for ISE Add-on 2.1 or higher provides an automated setup GUI for the ISE EPS (Endpoint Protection Service) RESTful APIs and for pxGrid ANC (Adaptive Network Control) mitigation actions, both exposed as Splunk workflow actions.
The ISE EPS workflow actions work with ISE 1.2 and ISE 1.3; the pxGrid ANC mitigation actions require ISE 1.3.
The initial release of the Splunk for ISE Add-on 2.1 requires additional Cisco files for pxGrid operation; please contact your Cisco account team to obtain them.
In this document, ISE is configured for pxGrid operation in a stand-alone deployment using the self-signed ISE identity certificates, and self-signed certificates are generated for the pxGrid client, Splunk.
All EPS and ANC workflow actions can be customized, as illustrated in this document. ISE logging categories are enabled so that the relevant syslog events are sent to Splunk. These events carry the endpoint's real IP or MAC address in the Framed_IP_Address, IpAddress, and MacAddress fields received by Splunk, and the workflow actions are defined on those fields.
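The workflow actions depend on Splunk pulling a usable endpoint identifier out of each ISE syslog event before a quarantine or unquarantine request can be issued. The following Python is an added example, not code from this document or from the Splunk for ISE Add-on: it parses constructed ISE-style syslog lines (comma-separated Key=Value attributes after the message header), normalizes the MAC and validates the IP, and builds the parameters an ANC action would need, preferring the MAC and issuing nothing when the event carries no valid identifier. The mapping of the raw Calling-Station-ID and Framed-IP-Address attributes onto the Splunk field names MacAddress and Framed_IP_Address, the sample lines, and the build_anc_action and plan_actions helpers are assumptions of the example; the actual pxGrid ANC call, which the add-on makes through Cisco's pxGrid client, is not shown.

```python
import ipaddress
import re

# Constructed sample ISE syslog events (not captured from a real deployment).
# ISE writes its attributes as comma-separated Key=Value pairs after the
# message header, which is the layout the parser below relies on.
SAMPLE_EVENTS = [
    # Passed authentication: both a MAC (Calling-Station-ID) and a framed IP.
    "May  2 10:15:01 ise-node CISE_Passed_Authentications 0000000123 1 0 "
    "2016-05-02 10:15:01.123 +00:00 0000045678 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=42, Device IP Address=10.0.0.2, "
    "UserName=alice, Calling-Station-ID=00-11-22-33-44-55, "
    "Framed-IP-Address=10.1.1.50, NetworkDeviceName=switch01",
    # Failed attempt: MAC in colon notation, no framed IP assigned yet.
    "May  2 10:16:07 ise-node CISE_Failed_Attempts 0000000124 1 0 "
    "2016-05-02 10:16:07.456 +00:00 0000045679 5400 NOTICE Failed-Attempt: "
    "Authentication failed, ConfigVersionId=42, Device IP Address=10.0.0.2, "
    "UserName=bob, Calling-Station-ID=aa:bb:cc:dd:ee:ff, NetworkDeviceName=switch01",
    # Malformed event: no Calling-Station-ID and an unusable Framed-IP-Address.
    "May  2 10:17:00 ise-node CISE_Passed_Authentications 0000000125 1 0 "
    "2016-05-02 10:17:00.789 +00:00 0000045680 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=42, UserName=carol, "
    "Framed-IP-Address=not-an-ip, NetworkDeviceName=switch01",
]

# The two ANC mitigation actions this example knows how to build (assumption).
ANC_ACTIONS = ("quarantine", "unquarantine")


def parse_kv(event: str) -> dict:
    """Return the Key=Value attributes of one ISE syslog event.

    Tokens without '=' (the syslog header and message text) are ignored;
    keys are stripped so 'Device IP Address' survives its embedded spaces.
    """
    attrs = {}
    for token in event.split(","):
        key, sep, value = token.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def normalize_mac(raw: str):
    """Return a MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def valid_ip(raw: str):
    """Return the IP in canonical form, or None if the value is not an address."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def extract_endpoint(event: str) -> dict:
    """Map raw ISE attributes onto the Splunk field names used by the workflow
    actions (this attribute-to-field mapping is an assumption of the example)."""
    attrs = parse_kv(event)
    return {
        "MacAddress": normalize_mac(attrs.get("Calling-Station-ID", "")),
        "Framed_IP_Address": valid_ip(attrs.get("Framed-IP-Address", "")),
    }


def build_anc_action(event: str, action: str):
    """Build the parameters for one ANC action, or None if the event has no
    usable target. The MAC is preferred: it survives DHCP lease changes,
    whereas an IP from an older event may now belong to a different host."""
    if action not in ANC_ACTIONS:
        raise ValueError(f"unsupported ANC action: {action!r}")
    endpoint = extract_endpoint(event)
    if endpoint["MacAddress"]:
        return {"action": action, "macAddress": endpoint["MacAddress"]}
    if endpoint["Framed_IP_Address"]:
        return {"action": action, "ipAddress": endpoint["Framed_IP_Address"]}
    return None  # fail closed: never quarantine an unidentified endpoint


def plan_actions(events, action="quarantine"):
    """Build one ANC request per event, dropping events with no usable target."""
    return [req for req in (build_anc_action(e, action) for e in events) if req]


if __name__ == "__main__":
    for request in plan_actions(SAMPLE_EVENTS):
        print(request)
```

Validating the identifier before acting matters here because a workflow action is a write operation against the network: a quarantine keyed on a garbled address either silently does nothing or, worse, isolates the wrong host.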
This document includes the process for generating a self-signed pxGrid client certificate for Splunk. It also covers a use case in which Splunk registers with the ISE pxGrid node as a pxGrid client, subscribes to the EndpointProtection capability topic, and performs a quarantine mitigation action on an endpoint, with the results visible in ISE. Note that ISE is deployed in a stand-alone environment throughout.
This document also covers workflow customizations based on the enabled ISE logging categories, followed by a troubleshooting section and a reference section.