At-A-Glance
Cisco ISE and Splunk Integration
Identity and Device Awareness for Splunk Analytics

[Figure: Cisco ISE + Splunk delivers identity/device-aware security and threat response. Identity/device context flows from Cisco ISE to Splunk (Cisco ISE pxGrid context sharing); Splunk threat response flows back via ISE.]

Use Cases
• Prioritize important events: Use Cisco ISE contextual information to answer the common questions needed to expedite Splunk's classification of, and response to, a security event.
• Scrutinize mobile and device network activity: Splunk uses Cisco ISE device-type information to create security analytic policies specific to mobile devices, giving a comprehensive view of their security and performance status.
• Scrutinize important users: Cisco ISE user information enables Splunk to create security policies for specific users or groups, such as populations with access to highly sensitive data or less trusted populations (for example, guests).
• Visualize and analyze Cisco ISE telemetry and event data: Use Splunk to analyze and create alerts based on Cisco ISE event data, such as authentication attempts and network access trends.
• Turn event analysis into action: Use Splunk to determine the threat associated with event data, then use Cisco ISE to take a network mitigation action (for example, quarantining or disconnecting a user).
• Create customizable monitoring and reporting dashboards for Cisco ISE data: Employ Splunk analytics and display functions to monitor any Cisco ISE user, device, location, group, authorization, or authentication data and correlate it with data from other Splunk sources.
• Mine your historical data: Analyze network access, user, and device trends from any perspective to conduct network capacity planning, simplify compliance reporting, or perform security forensics.

Overview
Today's diverse networks require effective security event visibility and the integration of accurate contextual data such as user identity, user privilege level, endpoint device type, and endpoint security posture. The Cisco® Identity Services Engine (ISE) provides the contextual data, while Splunk provides the event visibility. Together they give administrators a meaningful, easily understandable picture of security and other events on the network.

Splunk is a machine data platform that allows you to search, report, alert, and visualize any data it ingests. Cisco ISE adds a dimension to analyzing that data: it attaches key contextual data (for example, username, location, network policy status) to the events Splunk analyzes. Splunk, in turn, adds a dimension to Cisco ISE event monitoring: it enables user-driven analysis of ISE data through customizable dashboards and reports. Splunk administrators can also use Cisco ISE as a conduit for taking mitigation actions on users or devices within the Cisco network infrastructure in response to an event in Splunk.

Integrating Cisco ISE and Splunk data and analysis gives IT operations the context they need to quickly assess the significance of network and security events. They can answer critical questions (for example, Who is this event associated with? What level of access does the user have?) without leaving Splunk. In the other direction, Splunk analysis of Cisco ISE data lets administrators answer questions such as: How many users have been accessing the network over the past six months? Are there noticeable trends?

© 2014 Cisco and/or its affiliates. All rights reserved.

How the Solution Works
Cisco ISE delivers contextual data to Splunk by means of the free Splunk for Cisco ISE Add-On, which can be found by searching for "Cisco ISE" at http://apps.splunk.com/.
Key Cisco ISE contextual data collected by Splunk includes the following:
• User: user name, IP address, authentication status, location
• User class: authorization group, guest, quarantine status
• Device: manufacturer, model, OS, OS version, MAC address, IP address, network connection method (wired or wireless), location
• Posture: posture compliance status, antivirus installed, antivirus version, OS patch level, mobile device posture compliance status (through mobile device management [MDM] ecosystem partners)

The use cases outlined in this document are accomplished through the following:
• Cisco ISE provides its user identity and device information to Splunk through the Splunk for Cisco ISE Add-On.
• This contextual data is used to create new security analysis classes for high-risk user populations or devices. A common application is to create analytic policies specific to mobile devices or to users with access to highly sensitive information.
• Cisco ISE contextual data is also appended to other platform data in the Splunk system to provide the additional context of the user, device, and access level. Correlating all this data helps analysts better understand the significance of an event.
• Cisco ISE contextual data can serve as an additional source of security insight: Splunk can trend Cisco ISE data to discover abnormal, important, or suspicious activity.
• Cisco ISE can serve as a conduit for taking mitigation actions within the Cisco network infrastructure. Threat findings from Splunk can be distilled into mitigation action by using Cisco ISE to quarantine or block access for users and devices.
• All functions can be logged, reported, and alerted upon within Splunk to provide a unified network-wide view of important events and historical data for reporting.
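The enrichment and triage flow the list above describes (join ISE session context onto another platform's events, score the result, and trend ISE authentication data), as an added example that is not part of this document, of Cisco ISE, or of the Splunk for Cisco ISE Add-On. All records below are constructed for the demo. The attribute names (UserName, Framed-IP-Address, Calling-Station-ID, IdentityGroup, PostureStatus, EndPointMatchedProfile) and the CISE_ category prefixes follow the style of ISE's key=value syslog output, but the exact names and values a given ISE deployment emits are an assumption here; the sensitive-host set and scoring weights are likewise illustrative.

```python
"""Join Cisco ISE session context onto firewall events and rank them for triage.

Added example, not Cisco or Splunk code. Sample data is constructed; ISE
attribute names are modelled on ISE's key=value syslog style and are assumptions.
"""
from collections import Counter

# Constructed ISE-style records: three passed authentications, two failures.
ISE_RECORDS = [
    "CISE_Passed_Authentications: UserName=alice, Framed-IP-Address=10.1.1.10, "
    "Calling-Station-ID=00-11-22-33-44-55, IdentityGroup=Finance, "
    "PostureStatus=Compliant, EndPointMatchedProfile=Windows10-Workstation",
    "CISE_Passed_Authentications: UserName=guest-4711, Framed-IP-Address=10.1.2.20, "
    "Calling-Station-ID=AA-BB-CC-DD-EE-FF, IdentityGroup=Guest, "
    "PostureStatus=NotApplicable, EndPointMatchedProfile=Android-Phone",
    "CISE_Passed_Authentications: UserName=bob, Framed-IP-Address=10.1.3.30, "
    "Calling-Station-ID=11-22-33-44-55-66, IdentityGroup=Engineering, "
    "PostureStatus=NonCompliant, EndPointMatchedProfile=Apple-iPad",
    "CISE_Failed_Attempts: UserName=bob, Calling-Station-ID=11-22-33-44-55-66, "
    "FailureReason=Wrong password",
    "CISE_Failed_Attempts: UserName=bob, Calling-Station-ID=11-22-33-44-55-66, "
    "FailureReason=Wrong password",
]

# Constructed firewall events: the "other platform data" that ISE context is joined to.
FW_EVENTS = [
    {"src_ip": "10.1.1.10", "dst_ip": "10.9.9.9", "dst_port": 1433, "action": "allow"},
    {"src_ip": "10.1.2.20", "dst_ip": "10.9.9.9", "dst_port": 1433, "action": "deny"},
    {"src_ip": "10.1.3.30", "dst_ip": "10.9.9.9", "dst_port": 1433, "action": "allow"},
    {"src_ip": "10.5.5.5", "dst_ip": "10.9.9.9", "dst_port": 1433, "action": "allow"},
]

SENSITIVE_HOSTS = {"10.9.9.9"}  # assumed: hosts holding highly sensitive data


def parse_ise_record(line):
    """Split 'CATEGORY: k=v, k=v, ...' into a dict that also carries the category.
    Assumes values contain no commas (true for the fields used here)."""
    category, _, body = line.partition(":")
    fields = {"category": category.strip()}
    for pair in body.split(","):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def build_context(lines):
    """Map Framed-IP-Address -> user/group/posture/device from passed authentications.
    A later record for the same IP replaces an earlier one (most recent session wins)."""
    ctx = {}
    for rec in map(parse_ise_record, lines):
        ip = rec.get("Framed-IP-Address")
        if rec["category"] == "CISE_Passed_Authentications" and ip:
            ctx[ip] = {"user": rec.get("UserName"), "group": rec.get("IdentityGroup"),
                       "posture": rec.get("PostureStatus"), "mac": rec.get("Calling-Station-ID"),
                       "device": rec.get("EndPointMatchedProfile")}
    return ctx


def enrich(event, ctx):
    """Return a copy of the event with ISE context joined on source IP.
    A source IP with no ISE session is itself worth knowing, so the keys stay present."""
    out = dict(event)
    out.update(ctx.get(event["src_ip"],
                       {"user": None, "group": None, "posture": None, "mac": None, "device": None}))
    return out


def triage(event):
    """Score an enriched event; higher means investigate first. Weights are illustrative."""
    checks = [
        (event["dst_ip"] in SENSITIVE_HOSTS, 1, "sensitive destination"),
        (event["user"] is None, 3, "no ISE session for source IP"),
        (event["posture"] == "NonCompliant", 2, "endpoint posture non-compliant"),
        (event["group"] == "Guest", 2, "guest identity"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    if event["action"] == "allow" and score >= 3:  # risky traffic that got through ranks higher
        score += 1
        reasons.append("traffic was allowed")
    return score, reasons


def failed_auth_counts(lines):
    """Trend ISE event data itself: failed attempts per user, a natural alert input."""
    return Counter(r["UserName"] for r in map(parse_ise_record, lines)
                   if r["category"] == "CISE_Failed_Attempts")


def prioritized_events(lines=ISE_RECORDS, events=FW_EVENTS):
    """Enrich, score, and sort events so the riskiest come first."""
    ctx = build_context(lines)
    enriched = [enrich(ev, ctx) for ev in events]
    for e in enriched:
        e["score"], e["reasons"] = triage(e)
    return sorted(enriched, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in prioritized_events():
        print(f'{e["score"]:>2} {e["src_ip"]:<10} user={e["user"]} group={e["group"]} '
              f'posture={e["posture"]} device={e["device"]} :: {", ".join(e["reasons"])}')
    print("failed authentications per user:", dict(failed_auth_counts(ISE_RECORDS)))
```

Run as a script, the unauthenticated source 10.5.5.5 ranks first, bob's non-compliant iPad second, the guest's denied attempt third, and alice's compliant Finance workstation last; the same ordering is what an analyst wants from a Splunk lookup-based enrichment, and a score threshold at the top of the list is the natural trigger for an ISE quarantine action.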
Next Steps
For More Information
• Cisco ISE-specific collateral by Splunk at Cisco Marketplace: https://marketplace.cisco.com/catalog/products/4178
• Cisco ISE + SIEM/Threat-Defense Integration video: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/protect.html

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C45-732928-00 10/14