Cisco Identity Services Engine 1.2 Getting Started Guide

How the Solution Works
Cisco ISE delivers contextual data to Splunk by means of the free 
Splunk for Cisco ISE Add-On, which can be found by searching on 
“Cisco ISE” at 
. Key Cisco ISE contextual data 
collected by Splunk includes the following:
•  User: user name, IP address, authentication status, location
•  User class: authorization group, guest, quarantine status
•  Device: manufacturer, model, OS, OS version, MAC address, IP 
address, network connection method (wired or wireless), location 
•  Posture: posture compliance status, antivirus installed, antivirus 
version, OS patch level, mobile device posture compliance status 
(through mobile device management [MDM] ecosystem partners)
The use cases outlined in this document are accomplished through the 
following:
•  Cisco ISE provides its user identity and device information to Splunk 
through the Splunk for Cisco ISE Add-On.
•  This contextual data is used to create new security analysis classes 
for high-risk user populations or devices. A common application is 
to create analytic policies specific to mobile devices or users with 
access to highly sensitive information. 
•  Cisco ISE contextual data is also appended to other platform data 
in the Splunk system to provide the additional context of the user, 
device, and access level. The correlation of all this data helps analysts 
better understand the significance of an event. 
•  Cisco ISE contextual data can serve as an additional source of 
security insight. Splunk platforms can trend Cisco ISE data to discover 
abnormal, important, or suspicious activity. 
•  Cisco ISE can serve as a conduit for taking mitigation actions within 
the Cisco network infrastructure. Threat event results from Splunk 
can be distilled into mitigation action by using Cisco ISE to undertake 
quarantine or access-block actions on users and devices.
•  All functions can be logged, reported, and alerted upon within Splunk 
to provide a unified network-wide view of important events and 
historical data for reporting.
Next Steps 
For More Information 
•  Cisco ISE-specific Collateral by Splunk at Cisco Marketplace:  
•  Cisco ISE+SIEM/Threat-Defense Integration Video: 
At-A-Glance
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
C45-732928-00  10/14
Use Cases
•  Create customizable monitoring and reporting dashboards for Cisco ISE 
data: Employ Splunk analytics and display functions to monitor any Cisco 
ISE user, device, location, group, authorization or authentication data 
and correlate with data from other Splunk sources. 
•  Mine your historical data: Analyze network access, users, and device 
trends from any perspective to conduct network capacity planning, 
simplify compliance reporting, or perform security forensics.