Cisco ISE
This integration is part of the Cisco ISE Pack.
Use the Cisco ISE integration to get endpoint data, and to manage and update endpoints and ANC policies.
Configure Cisco ISE on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Cisco ISE.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Cisco ISE server URL (e.g., https://123.123.123.65)
- Server port (e.g., 9060)
- Cisco ISE username
- Use system proxy settings
- Trust any certificate (not secure)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get an endpoint ID: cisco-ise-get-endpoint-id
- Get information for an endpoint: cisco-ise-get-endpoint-details
- Re-authenticate an endpoint: cisco-ise-reauthenticate-endpoint
- Get data for all existing endpoints: cisco-ise-get-endpoints
- Update custom attributes of an endpoint: cisco-ise-update-endpoint-custom-attribute
- Update the group of an endpoint: cisco-ise-update-endpoint-group
- Get a collection of endpoint identity groups: cisco-ise-get-groups
- Get all ANC policies: cisco-ise-get-policies
- Get a single ANC policy: cisco-ise-get-policy
- Create an ANC policy: cisco-ise-create-policy
- Assign an ANC policy to an endpoint: cisco-ise-assign-policy
- Get all endpoints on block list: cisco-ise-get-blacklist-endpoints
1. Get an endpoint ID
Returns an endpoint ID, by its MAC address.
Base Command
cisco-ise-get-endpoint-id
Input
| Argument Name | Description | Required |
|---|---|---|
| macAddress | MAC address of the endpoint (format: 11:22:33:44:55:66). | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Endpoint.ID | string | Endpoint ID. |
| Endpoint.MACAddress | string | Endpoint MAC address. |
Command Example
!cisco-ise-get-endpoint-id macAddress=00:0E:35:D4:D8:51
Human Readable Output
The endpoint ID is: 327b0120-4ba1-11e8-93bd-000c296ec148
2. Get information for an endpoint
Returns details for a specified endpoint.
Base Command
cisco-ise-get-endpoint-details
Input
| Argument Name | Description | Required |
|---|---|---|
| endpointID | The ID of the endpoint for which to return details. | Optional |
| macAddress | MAC address of the endpoint (format 11:22:33:44:55:66). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Endpoint.ID | string | Endpoint ID. |
| CiscoISE.Endpoint.Description | string | Endpoint description. |
| CiscoISE.Endpoint.MACAddress | string | Endpoint MAC address. |
| CiscoISE.Endpoint.Group | string | Endpoint group name. |
| Endpoint.ID | string | Endpoint ID. |
| Endpoint.MACAddress | string | Endpoint MAC address. |
| CiscoISE.Endpoint.CustomAttributes | string | Endpoint custom attributes. |
| CiscoISE.Endpoint.StaticGroupAssignment | boolean | True if the endpoint has a static group assignment. |
| CiscoISE.Endpoint.StaticProfileAssignment | boolean | Whether the endpoint has a static profile assignment. |
| CiscoISE.Endpoint.User | string | Profile of the user associated with the endpoint. |
Command Example
!cisco-ise-get-endpoint-details endpointID=327b0120-4ba1-11e8-93bd-000c296ec148
Context Example
{
"CiscoISE.Endpoint": {
"MACAddress": "00:0E:35:D4:D8:51",
"Group": "Internal Dev",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148",
"StaticProfileAssignment": false,
"StaticGroupAssignment": false
},
"Endpoint": {
"MACAddress": "00:0E:35:D4:D8:51",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148"
}
}
Human Readable Output
Endpoint details - 327b0120-4ba1-11e8-93bd-000c296ec148
| Group | ID | MACAddress | StaticGroupAssignment | StaticProfileAssignment |
|---|---|---|---|---|
| Internal Dev | 327b0120-4ba1-11e8-93bd-000c296ec148 | 00:0E:35:D4:D8:51 | false | false |
3. Re-authenticate an endpoint
Re-authenticates an endpoint (Change of Authorization - CoA).
Base Command
cisco-ise-reauthenticate-endpoint
Input
| Argument Name | Description | Required |
|---|---|---|
| macAddress | MAC address of the endpoint (format 11:22:33:44:55:66). | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Endpoint.MACAddress | string | MAC address of the endpoint. |
| CiscoISE.Endpoint.reauthenticateResult | boolean | Re-authentication result. |
Command Example
!cisco-ise-reauthenticate-endpoint macAddress=00:0E:35:D4:D8:51
Human Readable Output
'Activation result was : True
4. Get data for all existing endpoints
Returns data for existing endpoints.
Base Command
cisco-ise-get-endpoints
Input
There are no arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Endpoint.ID | string | Endpoint ID. |
| Endpoint.MACAddress | string | Endpoint MAC address. |
| CiscoISE.Endpoint.ID | string | Endpoint ID. |
| CiscoISE.Endpoint.MACAddress | string | Endpoint MAC address. |
Command Example
!cisco-ise-get-endpoints
Context Example
{
"CiscoISE.Endpoint": [
{
"MACAddress": "00:0A:35:11:A9:00",
"ID": "50080fc0-a07a-11e8-808e-000c295fdd32"
},
{
"MACAddress": "00:0E:35:D4:D8:51",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148"
},
{
"MACAddress": "11:22:33:AA:BB:CC",
"ID": "7d5e0530-133c-11e9-a5db-02420d3c5249"
}
],
"Endpoint": [
{
"MACAddress": "00:0A:35:11:A9:00",
"ID": "50080fc0-a07a-11e8-808e-000c295fdd32"
},
{
"MACAddress": "00:0E:35:D4:D8:51",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148"
},
{
"MACAddress": "11:22:33:AA:BB:CC",
"ID": "7d5e0530-133c-11e9-a5db-02420d3c5249"
}
]
}
Human Readable Output
Cisco ISE Endpoints
| ID | MACAddress |
|---|---|
| 50080fc0-a07a-11e8-808e-000c295fdd32 | 00:0A:35:11:A9:00 |
| 327b0120-4ba1-11e8-93bd-000c296ec148 | 00:0E:35:D4:D8:51 |
| 7d5e0530-133c-11e9-a5db-02420d3c5249 | 11:22:33:AA:BB:CC |
5. Update custom attributes of an endpoint
Updates the custom attributes of an endpoint.
Base Command
cisco-ise-update-endpoint-custom-attribute
Input
| Argument Name | Description | Required |
|---|---|---|
| id | Endpoint ID. | Optional |
| macAddress | MAC address of the endpoint (format 11:22:33:44:55:66). | Optional |
| attributeName | A CSV list of attributes, for example, "attributeName=firstAttribute,secondAttribute". | Required |
| attributeValue | A CSV list of attribute values, for example, "attributeValue=firstValue,secondValue". | Required |
Context Output
There is no context output for this command.
Command Example
!cisco-ise-update-endpoint-custom-attribute macAddress=00:0E:35:D4:D8:51 attributeName=mytest attributeValue=test1=testing
Human Readable Output
Successfully updated endpoint 327b0120-4ba1-11e8-93bd-000c296ec148, the new custom fields are: "{test1=testing}"
6. Update the group of an endpoint
Updates the group of an endpoint.
Base Command
cisco-ise-update-endpoint-group
Input
| Argument Name | Description | Required |
|---|---|---|
| groupId | The group ID to assign to this endpoint, e.g., 1. | Optional |
| macAddress | MAC address of the endpoint (format 11:22:33:44:55:66). | Optional |
| id | Endpoint ID of the endpoint to update. | Optional |
| groupName | Name of the group to update for the endpoint. | Optional |
Context Output
There is no context output for this command.
Command Example
!cisco-ise-update-endpoint-group groupName=Blacklist id=7d5e0530-133c-11e9-a5db-02420d3c5249
Human Readable Output
Endpoint 7d5e0530-133c-11e9-a5db-02420d3c5249 updated successfully
7. Get a collection of endpoint identity groups
Retrieves a collection of endpoint identity groups.
Base Command
cisco-ise-get-groups
Input
There are no arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Group.Description | String | The description of the endpoint identity groups. |
| CiscoISE.Group.ID | String | The ID of the endpoint identity groups. |
| CiscoISE.Group.Name | String | The name of the endpoint identity groups. |
Command Example
!cisco-ise-get-groups
Context Example
{
"CiscoISE.Group": [
{
"Name": "Sony-Device",
"Description": "Identity Group for Profile: Sony-Device",
"ID": "38a73670-8c00-11e6-996c-525400b48521"
},
{
"Name": "Cisco-Meraki-Device",
"Description": "Identity Group for Profile: Cisco-Meraki-Device",
"ID": "1e2700a0-8c00-11e6-996c-525400b48521"
},
{
"Name": "Apple-iDevice",
"Description": "Identity Group for Profile: Apple-iDevice",
"ID": "0a4a50f0-8c00-11e6-996c-525400b48521"
},
{
"Name": "BlackBerry",
"Description": "Identity Group for Profile: BlackBerry",
"ID": "0cc7ad00-8c00-11e6-996c-525400b48521"
},
{
"Name": "Android",
"Description": "Identity Group for Profile: Android",
"ID": "ffa36b00-8bff-11e6-996c-525400b48521"
},
{
"Name": "Axis-Device",
"Description": "Identity Group for Profile: Axis-Device",
"ID": "0c4eac70-8c00-11e6-996c-525400b48521"
},
{
"Name": "Juniper-Device",
"Description": "Identity Group for Profile: Juniper-Device",
"ID": "2b07d100-8c00-11e6-996c-525400b48521"
},
{
"Name": "Epson-Device",
"Description": "Identity Group for Profile: Epson-Device",
"ID": "22c6c780-8c00-11e6-996c-525400b48521"
},
{
"Name": "Profiled",
"Description": "Profiled Identity Group",
"ID": "aa10ae00-8bff-11e6-996c-525400b48521"
},
{
"Name": "Blacklist",
"Description": "Blacklist Identity Group",
"ID": "aa000c30-8bff-11e6-996c-525400b48521"
},
{
"Name": "GuestEndpoints",
"Description": "Guest Endpoints Identity Group",
"ID": "aa178bd0-8bff-11e6-996c-525400b48521"
},
{
"Name": "Synology-Device",
"Description": "Identity Group for Profile: Synology-Device",
"ID": "3a1b38d0-8c00-11e6-996c-525400b48521"
},
{
"Name": "Vizio-Device",
"Description": "Identity Group for Profile: Vizio-Device",
"ID": "3b113190-8c00-11e6-996c-525400b48521"
},
{
"Name": "Trendnet-Device",
"Description": "Identity Group for Profile: Trendnet-Device",
"ID": "3a88eec0-8c00-11e6-996c-525400b48521"
},
{
"Name": "RegisteredDevices",
"Description": "Asset Registered Endpoints Identity Group",
"ID": "aa13bb40-8bff-11e6-996c-525400b48521"
},
{
"Name": "Cisco-IP-Phone",
"Description": "Identity Group for Profile: Cisco-IP-Phone",
"ID": "14f5cac0-8c00-11e6-996c-525400b48521"
},
{
"Name": "Unknown",
"Description": "Unknown Identity Group",
"ID": "aa0e8b20-8bff-11e6-996c-525400b48521"
},
{
"Name": "Workstation",
"Description": "Identity Group for Profile: Workstation",
"ID": "3b76f840-8c00-11e6-996c-525400b48521"
}
]
}
Human Readable Output
Cisco pxGrid ISE Groups
| ID | Name | Description |
|---|---|---|
| 38a73670-8c00-11e6-996c-525400b48521 | Sony-Device | Identity Group for Profile: Sony-Device |
| 1e2700a0-8c00-11e6-996c-525400b48521 | Cisco-Meraki-Device | Identity Group for Profile: Cisco-Meraki-Device |
| 0a4a50f0-8c00-11e6-996c-525400b48521 | Apple-iDevice | Identity Group for Profile: Apple-iDevice |
| 0cc7ad00-8c00-11e6-996c-525400b48521 | BlackBerry | Identity Group for Profile: BlackBerry |
| ffa36b00-8bff-11e6-996c-525400b48521 | Android | Identity Group for Profile: Android |
| 0c4eac70-8c00-11e6-996c-525400b48521 | Axis-Device | Identity Group for Profile: Axis-Device |
| 2b07d100-8c00-11e6-996c-525400b48521 | Juniper-Device | Identity Group for Profile: Juniper-Device |
| 22c6c780-8c00-11e6-996c-525400b48521 | Epson-Device | Identity Group for Profile: Epson-Device |
| aa10ae00-8bff-11e6-996c-525400b48521 | Profiled | Profiled Identity Group |
| aa000c30-8bff-11e6-996c-525400b48521 | Blacklist | Blacklist Identity Group |
| aa178bd0-8bff-11e6-996c-525400b48521 | GuestEndpoints | Guest Endpoints Identity Group |
| 3a1b38d0-8c00-11e6-996c-525400b48521 | Synology-Device | Identity Group for Profile: Synology-Device |
| 3b113190-8c00-11e6-996c-525400b48521 | Vizio-Device | Identity Group for Profile: Vizio-Device |
| 3a88eec0-8c00-11e6-996c-525400b48521 | Trendnet-Device | Identity Group for Profile: Trendnet-Device |
| aa13bb40-8bff-11e6-996c-525400b48521 | RegisteredDevices | Asset Registered Endpoints Identity Group |
| 14f5cac0-8c00-11e6-996c-525400b48521 | Cisco-IP-Phone | Identity Group for Profile: Cisco-IP-Phone |
| aa0e8b20-8bff-11e6-996c-525400b48521 | Unknown | Unknown Identity Group |
| 3b76f840-8c00-11e6-996c-525400b48521 | Workstation | Identity Group for Profile: Workstation |
8. Get all ANC policies
Returns all Adaptive Network Control policies.
Base Command
cisco-ise-get-policies
Input
There are no arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Policy.Description | String | The description of the ANC policy. |
| CiscoISE.Policy.ID | String | The ID of the ANC policy. |
| CiscoISE.Policy.Name | String | The name of the ANC policy. |
Command Example
!cisco-ise-get-policies
Context Example
{
"CiscoISE.Policy": [
{
"ID": "ANCPortBounce",
"Name": "ANCPortBounce"
},
{
"ID": "ANCQuarantine",
"Name": "ANCQuarantine"
},
{
"ID": "ANCShutdown",
"Name": "ANCShutdown"
},
{
"ID": "azoce",
"Name": "azoce"
},
{
"ID": "dpkef",
"Name": "dpkef"
},
{
"ID": "dvgoy",
"Name": "dvgoy"
},
{
"ID": "gfibg",
"Name": "gfibg"
},
{
"ID": "jzbhh",
"Name": "jzbhh"
},
{
"ID": "last-test",
"Name": "last-test"
},
{
"ID": "ljnba",
"Name": "ljnba"
},
{
"ID": "mhxab",
"Name": "mhxab"
},
{
"ID": "mxiiw",
"Name": "mxiiw"
},
{
"ID": "ncxer",
"Name": "ncxer"
},
{
"ID": "phzbe",
"Name": "phzbe"
},
{
"ID": "pjrgp",
"Name": "pjrgp"
},
{
"ID": "policy0",
"Name": "policy0"
},
{
"ID": "policy09",
"Name": "policy09"
},
{
"ID": "policy1",
"Name": "policy1"
},
{
"ID": "policy2",
"Name": "policy2"
},
{
"ID": "policy3",
"Name": "policy3"
}
]
}
Human Readable Output
CiscoISE Adaptive Network Control Policies
| ID | Name |
|---|---|
| ANCPortBounce | ANCPortBounce |
| ANCQuarantine | ANCQuarantine |
| ANCShutdown | ANCShutdown |
| azoce | azoce |
| dpkef | dpkef |
| dvgoy | dvgoy |
| gfibg | gfibg |
| jzbhh | jzbhh |
| last-test | last-test |
| ljnba | ljnba |
| mhxab | mhxab |
| mxiiw | mxiiw |
| ncxer | ncxer |
| phzbe | phzbe |
| pjrgp | pjrgp |
| policy0 | policy0 |
| policy09 | policy09 |
| policy1 | policy1 |
| policy2 | policy2 |
| policy3 | policy3 |
9. Get a single ANC policy
Returns a single Adaptive Network Control policy.
Base Command
cisco-ise-get-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policy_name | The name of the ANC policy to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Policy.Action | String | The action of the policy. Can be "QUARANTINE", "PORTBOUNCE", or "SHUTDOWN". |
| CiscoISE.Policy.ID | String | The ID of the ANC policy. |
| CiscoISE.Policy.Link | String | The link for the ANC policy (GUI). |
| CiscoISE.Policy.Name | String | The name of the ANC policy. |
Command Example
!cisco-ise-get-policy policy_name=policy3
Context Example
{
"CiscoISE.Policy": [
{
"Action": [
"QUARANTINE"
],
"Name": "policy3"
}
]
}
Human Readable Output
CiscoISE Policy
| Action | Name |
|---|---|
| QUARANTINE | policy3 |
10. Create an ANC policy
Creates an ANC policy.
Base Command
cisco-ise-create-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policy_actions | The actions of the policy. Can be "QUARANTINE", "PORTBOUNCE", or "SHUTDOWN". | Required |
| policy_name | The name of the new adaptive network control policy. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Policy.Action | String | The actions of the ANC policy. |
| CiscoISE.Policy.Name | String | The name of the new ANC policy. |
Command Example
!cisco-ise-create-policy policy_name=quarantinePolicy policy_actions=QUARANTINE
Context Example
{
"CiscoISE.Policy": {
"Action": [
"QUARANTINE"
],
"Name": "quarantinePolicy"
}
}
Human Readable Output
The policy "quarantinePolicy" has been created successfully
11. Assign an ANC policy to an endpoint
Assigns an Adaptive Network Control policy to an endpoint.
Base Command
cisco-ise-assign-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| mac_address | The MAC address to which to apply the policy. | Required |
| policy_name | The name of the policy to assign to the endpoint. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Endpoint.MACAddress | String | The MAC address of the endpoint. |
| CiscoISE.Endpoint.PolicyName | String | The policy name that was applied to the endpoint. |
Command Example
!cisco-ise-assign-policy mac_address=50080fc0-a07a-11e8-808e-000c295fdd32 policy_name=policy3
Human Readable Output
The policy "policy3" has been applied successfully
12. Get all endpoints on block list
Returns all blacklisted endpoints.
Base Command
cisco-ise-get-blacklist-endpoints
Input
There are no arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Endpoint.ID | String | The endpoint ID. |
| CiscoISE.Endpoint.Name | String | The name of the endpoint. |
| CiscoISE.Endpoint.Description | String | The endpoint description. |
| CiscoISE.Endpoint.Link | String | The link for the endpoint. |
Command Example
!cisco-ise-get-blacklist-endpoints
Context Example
{
"CiscoISE.Endpoint": [
{
"GroupName": "Blacklist",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148",
"Name": "00:0E:35:D4:D8:51"
}
]
}
Human Readable Output
CiscoISE Blacklist Endpoints
| GroupName | ID | Name |
|---|---|---|
| Blacklist | 327b0120-4ba1-11e8-93bd-000c296ec148 | 00:0E:35:D4:D8:51 |
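An added example, not part of the integration's own code: a pre-check an automation could run over the context returned by cisco-ise-get-endpoints, cisco-ise-get-policy and cisco-ise-get-blacklist-endpoints before issuing cisco-ise-assign-policy. The function names, the sample context (constructed from the Context Examples above) and the choice to skip endpoints already in the Blacklist group are assumptions.

```python
import re

# Constructed sample context, shaped like the Context Examples on this page.
ENDPOINTS_CTX = {"CiscoISE.Endpoint": [
    {"MACAddress": "00:0A:35:11:A9:00", "ID": "50080fc0-a07a-11e8-808e-000c295fdd32"},
    {"MACAddress": "00:0E:35:D4:D8:51", "ID": "327b0120-4ba1-11e8-93bd-000c296ec148"},
]}
POLICY_CTX = {"CiscoISE.Policy": [{"Action": ["QUARANTINE"], "Name": "policy3"}]}
BLACKLIST_CTX = {"CiscoISE.Endpoint": [
    {"GroupName": "Blacklist", "ID": "327b0120-4ba1-11e8-93bd-000c296ec148",
     "Name": "00:0E:35:D4:D8:51"},
]}


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF; reject anything else (e.g. an endpoint ID)."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def as_list(value):
    """A context key holds a dict for one result and a list for several."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def plan_quarantine(raw_mac, policy_name, endpoints_ctx, policy_ctx, blacklist_ctx):
    """Return (command, reason); command is None when a pre-check fails."""
    mac = normalize_mac(raw_mac)
    known = {e["MACAddress"].upper(): e["ID"]
             for e in as_list(endpoints_ctx.get("CiscoISE.Endpoint"))}
    if mac not in known:
        return None, f"{mac} is not a known ISE endpoint"
    actions = {p["Name"]: as_list(p.get("Action"))
               for p in as_list(policy_ctx.get("CiscoISE.Policy"))}
    if "QUARANTINE" not in actions.get(policy_name, []):
        return None, f"policy {policy_name!r} is missing or has no QUARANTINE action"
    listed = {e["ID"] for e in as_list(blacklist_ctx.get("CiscoISE.Endpoint"))}
    if known[mac] in listed:
        return None, f"{mac} is already in the Blacklist group"
    return f"!cisco-ise-assign-policy mac_address={mac} policy_name={policy_name}", "ok"


if __name__ == "__main__":
    print(plan_quarantine("00-0a-35-11-a9-00", "policy3",
                          ENDPOINTS_CTX, POLICY_CTX, BLACKLIST_CTX))
```

The policy check accepts both shapes shown on this page: the list returned by cisco-ise-get-policy and the single object returned by cisco-ise-create-policy.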