Cisco ISE
This integration is part of the Cisco ISE Pack.
Supported versions
Available on Cortex XSOAR and Cortex XSIAM.
Use the Cisco ISE integration to get endpoint data, and to manage and update endpoints and ANC policies.
Configure Cisco ISE on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Cisco ISE.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Cisco ISE server URL (e.g., https://123.123.123.65)
- Server port (e.g., 9060)
- Cisco ISE username
- Use system proxy settings
- Trust any certificate (not secure)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get an endpoint ID: cisco-ise-get-endpoint-id
- Get information for an endpoint: cisco-ise-get-endpoint-details
- Re-authenticate an endpoint: cisco-ise-reauthenticate-endpoint
- Get data for all existing endpoints: cisco-ise-get-endpoints
- Update custom attributes of an endpoint: cisco-ise-update-endpoint-custom-attribute
- Update the group of an endpoint: cisco-ise-update-endpoint-group
- Get a collection of endpoint identity groups: cisco-ise-get-groups
- Get all ANC policies: cisco-ise-get-policies
- Get a single ANC policy: cisco-ise-get-policy
- Create an ANC policy: cisco-ise-create-policy
- Assign an ANC policy to an endpoint: cisco-ise-assign-policy
- Get all endpoints on block list: cisco-ise-get-blacklist-endpoints
1. Get an endpoint ID
Returns an endpoint ID, by its MAC address.
Base Command
cisco-ise-get-endpoint-id
Input
| Argument Name | Description | Required |
|---|---|---|
| macAddress | MAC address of the endpoint (format: 11:22:33:44:55:66). | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Endpoint.ID | string | Endpoint ID. |
| Endpoint.MACAddress | string | Endpoint MAC address. |
Command Example
!cisco-ise-get-endpoint-id macAddress=00:0E:35:D4:D8:51
Human Readable Output
The endpoint ID is: 327b0120-4ba1-11e8-93bd-000c296ec148
2. Get information for an endpoint
Returns details for a specified endpoint.
Base Command
cisco-ise-get-endpoint-details
Input
| Argument Name | Description | Required |
|---|---|---|
| endpointID | The ID of the endpoint for which to return details. | Optional |
| macAddress | MAC address of the endpoint (format 11:22:33:44:55:66). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Endpoint.ID | string | Endpoint ID. |
| CiscoISE.Endpoint.Description | string | Endpoint description. |
| CiscoISE.Endpoint.MACAddress | string | Endpoint MAC address. |
| CiscoISE.Endpoint.Group | string | Endpoint group name. |
| Endpoint.ID | string | Endpoint ID. |
| Endpoint.MACAddress | string | Endpoint MAC address. |
| CiscoISE.Endpoint.CustomAttributes | string | Endpoint custom attributes. |
| CiscoISE.Endpoint.StaticGroupAssignment | boolean | True if the endpoint has a static group assignment. |
| CiscoISE.Endpoint.StaticProfileAssignment | boolean | Whether the endpoint has a static profile assignment. |
| CiscoISE.Endpoint.User | string | Profile of the user associated with the endpoint. |
Command Example
!cisco-ise-get-endpoint-details endpointID=327b0120-4ba1-11e8-93bd-000c296ec148
Context Example
{
"CiscoISE.Endpoint": {
"MACAddress": "00:0E:35:D4:D8:51",
"Group": "Internal Dev",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148",
"StaticProfileAssignment": false,
"StaticGroupAssignment": false
},
"Endpoint": {
"MACAddress": "00:0E:35:D4:D8:51",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148"
}
}
Human Readable Output
Endpoint details - 327b0120-4ba1-11e8-93bd-000c296ec148
| Group | ID | MACAddress | StaticGroupAssignment | StaticProfileAssignment |
|---|---|---|---|---|
| Internal Dev | 327b0120-4ba1-11e8-93bd-000c296ec148 | 00:0E:35:D4:D8:51 | false | false |
3. Re-authenticate an endpoint
Re-authenticates an endpoint (Change of Authorization - CoA).
Base Command
cisco-ise-reauthenticate-endpoint
Input
| Argument Name | Description | Required |
|---|---|---|
| macAddress | MAC address of the endpoint (format 11:22:33:44:55:66). | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Endpoint.MACAddress | string | MAC address of the endpoint. |
| CiscoISE.Endpoint.reauthenticateResult | boolean | Re-authentication result. |
Command Example
!cisco-ise-reauthenticate-endpoint macAddress=00:0E:35:D4:D8:51
Human Readable Output
'Activation result was : True
4. Get data for all existing endpoints
Returns data for existing endpoints.
Base Command
cisco-ise-get-endpoints
Input
There are no arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Endpoint.ID | string | Endpoint ID. |
| Endpoint.MACAddress | string | Endpoint MAC address. |
| CiscoISE.Endpoint.ID | string | Endpoint ID. |
| CiscoISE.Endpoint.MACAddress | string | Endpoint MAC address. |
Command Example
!cisco-ise-get-endpoints
Context Example
{
"CiscoISE.Endpoint": [
{
"MACAddress": "00:0A:35:11:A9:00",
"ID": "50080fc0-a07a-11e8-808e-000c295fdd32"
},
{
"MACAddress": "00:0E:35:D4:D8:51",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148"
},
{
"MACAddress": "11:22:33:AA:BB:CC",
"ID": "7d5e0530-133c-11e9-a5db-02420d3c5249"
}
],
"Endpoint": [
{
"MACAddress": "00:0A:35:11:A9:00",
"ID": "50080fc0-a07a-11e8-808e-000c295fdd32"
},
{
"MACAddress": "00:0E:35:D4:D8:51",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148"
},
{
"MACAddress": "11:22:33:AA:BB:CC",
"ID": "7d5e0530-133c-11e9-a5db-02420d3c5249"
}
]
}
Human Readable Output
Cisco ISE Endpoints
| ID | MACAddress |
|---|---|
| 50080fc0-a07a-11e8-808e-000c295fdd32 | 00:0A:35:11:A9:00 |
| 327b0120-4ba1-11e8-93bd-000c296ec148 | 00:0E:35:D4:D8:51 |
| 7d5e0530-133c-11e9-a5db-02420d3c5249 | 11:22:33:AA:BB:CC |
5. Update custom attributes of an endpoint
Updates the custom attributes of an endpoint.
Base Command
cisco-ise-update-endpoint-custom-attribute
Input
| Argument Name | Description | Required |
|---|---|---|
| id | Endpoint ID. | Optional |
| macAddress | MAC address of the endpoint (format 11:22:33:44:55:66). | Optional |
| attributeName | A CSV list of attributes, for example, "attributeName=firstAttribute,secondAttribute". | Required |
| attributeValue | A CSV list of attribute values, for example, "attributeValue=firstValue,secondValue". | Required |
Context Output
There is no context output for this command.
Command Example
!cisco-ise-update-endpoint-custom-attribute macAddress=00:0E:35:D4:D8:51 attributeName=mytest attributeValue=test1=testing
Human Readable Output
Successfully updated endpoint 327b0120-4ba1-11e8-93bd-000c296ec148, the new custom fields are: "{test1=testing}"
6. Update the group of an endpoint
Updates the group of an endpoint.
Base Command
cisco-ise-update-endpoint-group
Input
| Argument Name | Description | Required |
|---|---|---|
| groupId | The group ID to assign to this endpoint, e.g. 1 | Optional |
| macAddress | MAC address of the endpoint (format 11:22:33:44:55:66). | Optional |
| id | Endpoint ID of the endpoint to update. | Optional |
| groupName | Name of the group to update for the endpoint. | Optional |
Context Output
There is no context output for this command.
Command Example
!cisco-ise-update-endpoint-group groupName=Blacklist id=7d5e0530-133c-11e9-a5db-02420d3c5249
Human Readable Output
Endpoint 7d5e0530-133c-11e9-a5db-02420d3c5249 updated successfully
7. Get a collection of endpoint identity groups
Retrieves a collection of endpoint identity groups.
Base Command
cisco-ise-get-groups
Input
There are no arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Group.Description | String | The description of the endpoint identity groups. |
| CiscoISE.Group.ID | String | The ID of the endpoint identity groups. |
| CiscoISE.Group.Name | String | The name of the endpoint identity groups. |
Command Example
!cisco-ise-get-groups
Context Example
{
"CiscoISE.Group": [
{
"Name": "Sony-Device",
"Description": "Identity Group for Profile: Sony-Device",
"ID": "38a73670-8c00-11e6-996c-525400b48521"
},
{
"Name": "Cisco-Meraki-Device",
"Description": "Identity Group for Profile: Cisco-Meraki-Device",
"ID": "1e2700a0-8c00-11e6-996c-525400b48521"
},
{
"Name": "Apple-iDevice",
"Description": "Identity Group for Profile: Apple-iDevice",
"ID": "0a4a50f0-8c00-11e6-996c-525400b48521"
},
{
"Name": "BlackBerry",
"Description": "Identity Group for Profile: BlackBerry",
"ID": "0cc7ad00-8c00-11e6-996c-525400b48521"
},
{
"Name": "Android",
"Description": "Identity Group for Profile: Android",
"ID": "ffa36b00-8bff-11e6-996c-525400b48521"
},
{
"Name": "Axis-Device",
"Description": "Identity Group for Profile: Axis-Device",
"ID": "0c4eac70-8c00-11e6-996c-525400b48521"
},
{
"Name": "Juniper-Device",
"Description": "Identity Group for Profile: Juniper-Device",
"ID": "2b07d100-8c00-11e6-996c-525400b48521"
},
{
"Name": "Epson-Device",
"Description": "Identity Group for Profile: Epson-Device",
"ID": "22c6c780-8c00-11e6-996c-525400b48521"
},
{
"Name": "Profiled",
"Description": "Profiled Identity Group",
"ID": "aa10ae00-8bff-11e6-996c-525400b48521"
},
{
"Name": "Blacklist",
"Description": "Blacklist Identity Group",
"ID": "aa000c30-8bff-11e6-996c-525400b48521"
},
{
"Name": "GuestEndpoints",
"Description": "Guest Endpoints Identity Group",
"ID": "aa178bd0-8bff-11e6-996c-525400b48521"
},
{
"Name": "Synology-Device",
"Description": "Identity Group for Profile: Synology-Device",
"ID": "3a1b38d0-8c00-11e6-996c-525400b48521"
},
{
"Name": "Vizio-Device",
"Description": "Identity Group for Profile: Vizio-Device",
"ID": "3b113190-8c00-11e6-996c-525400b48521"
},
{
"Name": "Trendnet-Device",
"Description": "Identity Group for Profile: Trendnet-Device",
"ID": "3a88eec0-8c00-11e6-996c-525400b48521"
},
{
"Name": "RegisteredDevices",
"Description": "Asset Registered Endpoints Identity Group",
"ID": "aa13bb40-8bff-11e6-996c-525400b48521"
},
{
"Name": "Cisco-IP-Phone",
"Description": "Identity Group for Profile: Cisco-IP-Phone",
"ID": "14f5cac0-8c00-11e6-996c-525400b48521"
},
{
"Name": "Unknown",
"Description": "Unknown Identity Group",
"ID": "aa0e8b20-8bff-11e6-996c-525400b48521"
},
{
"Name": "Workstation",
"Description": "Identity Group for Profile: Workstation",
"ID": "3b76f840-8c00-11e6-996c-525400b48521"
}
]
}
Human Readable Output
Cisco pxGrid ISE Groups
| ID | Name | Description |
|---|---|---|
| 38a73670-8c00-11e6-996c-525400b48521 | Sony-Device | Identity Group for Profile: Sony-Device |
| 1e2700a0-8c00-11e6-996c-525400b48521 | Cisco-Meraki-Device | Identity Group for Profile: Cisco-Meraki-Device |
| 0a4a50f0-8c00-11e6-996c-525400b48521 | Apple-iDevice | Identity Group for Profile: Apple-iDevice |
| 0cc7ad00-8c00-11e6-996c-525400b48521 | BlackBerry | Identity Group for Profile: BlackBerry |
| ffa36b00-8bff-11e6-996c-525400b48521 | Android | Identity Group for Profile: Android |
| 0c4eac70-8c00-11e6-996c-525400b48521 | Axis-Device | Identity Group for Profile: Axis-Device |
| 2b07d100-8c00-11e6-996c-525400b48521 | Juniper-Device | Identity Group for Profile: Juniper-Device |
| 22c6c780-8c00-11e6-996c-525400b48521 | Epson-Device | Identity Group for Profile: Epson-Device |
| aa10ae00-8bff-11e6-996c-525400b48521 | Profiled | Profiled Identity Group |
| aa000c30-8bff-11e6-996c-525400b48521 | Blacklist | Blacklist Identity Group |
| aa178bd0-8bff-11e6-996c-525400b48521 | GuestEndpoints | Guest Endpoints Identity Group |
| 3a1b38d0-8c00-11e6-996c-525400b48521 | Synology-Device | Identity Group for Profile: Synology-Device |
| 3b113190-8c00-11e6-996c-525400b48521 | Vizio-Device | Identity Group for Profile: Vizio-Device |
| 3a88eec0-8c00-11e6-996c-525400b48521 | Trendnet-Device | Identity Group for Profile: Trendnet-Device |
| aa13bb40-8bff-11e6-996c-525400b48521 | RegisteredDevices | Asset Registered Endpoints Identity Group |
| 14f5cac0-8c00-11e6-996c-525400b48521 | Cisco-IP-Phone | Identity Group for Profile: Cisco-IP-Phone |
| aa0e8b20-8bff-11e6-996c-525400b48521 | Unknown | Unknown Identity Group |
| 3b76f840-8c00-11e6-996c-525400b48521 | Workstation | Identity Group for Profile: Workstation |
8. Get all ANC policies
Returns all Adaptive Network Control policies.
Base Command
cisco-ise-get-policies
Input
There are no arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Policy.Description | String | The description of the ANC policy. |
| CiscoISE.Policy.ID | String | The ID of the ANC policy. |
| CiscoISE.Policy.Name | String | The name of the ANC policy. |
Command Example
!cisco-ise-get-policies
Context Example
{
"CiscoISE.Policy": [
{
"ID": "ANCPortBounce",
"Name": "ANCPortBounce"
},
{
"ID": "ANCQuarantine",
"Name": "ANCQuarantine"
},
{
"ID": "ANCShutdown",
"Name": "ANCShutdown"
},
{
"ID": "azoce",
"Name": "azoce"
},
{
"ID": "dpkef",
"Name": "dpkef"
},
{
"ID": "dvgoy",
"Name": "dvgoy"
},
{
"ID": "gfibg",
"Name": "gfibg"
},
{
"ID": "jzbhh",
"Name": "jzbhh"
},
{
"ID": "last-test",
"Name": "last-test"
},
{
"ID": "ljnba",
"Name": "ljnba"
},
{
"ID": "mhxab",
"Name": "mhxab"
},
{
"ID": "mxiiw",
"Name": "mxiiw"
},
{
"ID": "ncxer",
"Name": "ncxer"
},
{
"ID": "phzbe",
"Name": "phzbe"
},
{
"ID": "pjrgp",
"Name": "pjrgp"
},
{
"ID": "policy0",
"Name": "policy0"
},
{
"ID": "policy09",
"Name": "policy09"
},
{
"ID": "policy1",
"Name": "policy1"
},
{
"ID": "policy2",
"Name": "policy2"
},
{
"ID": "policy3",
"Name": "policy3"
}
]
}
Human Readable Output
CiscoISE Adaptive Network Control Policies
| ID | Name |
|---|---|
| ANCPortBounce | ANCPortBounce |
| ANCQuarantine | ANCQuarantine |
| ANCShutdown | ANCShutdown |
| azoce | azoce |
| dpkef | dpkef |
| dvgoy | dvgoy |
| gfibg | gfibg |
| jzbhh | jzbhh |
| last-test | last-test |
| ljnba | ljnba |
| mhxab | mhxab |
| mxiiw | mxiiw |
| ncxer | ncxer |
| phzbe | phzbe |
| pjrgp | pjrgp |
| policy0 | policy0 |
| policy09 | policy09 |
| policy1 | policy1 |
| policy2 | policy2 |
| policy3 | policy3 |
9. Get a single ANC policy
Returns a single Adaptive Network Control policy.
Base Command
cisco-ise-get-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policy_name | The name of the ANC policy to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Policy.Action | String | The action of the policy. Can be "QUARANTINE", "PORTBOUNCE", or "SHUTDOWN". |
| CiscoISE.Policy.ID | String | The ID of the ANC policy. |
| CiscoISE.Policy.Link | String | The link for the ANC policy (GUI). |
| CiscoISE.Policy.Name | String | The name of the ANC policy. |
Command Example
!cisco-ise-get-policy policy_name=policy3
Context Example
{
"CiscoISE.Policy": [
{
"Action": [
"QUARANTINE"
],
"Name": "policy3"
}
]
}
Human Readable Output
CiscoISE Policy
| Action | Name |
|---|---|
| QUARANTINE | policy3 |
10. Create an ANC policy
Creates an ANC policy.
Base Command
cisco-ise-create-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| policy_actions | The actions of the policy. Can be "QUARANTINE", "PORTBOUNCE", or "SHUTDOWN". | Required |
| policy_name | The name of the new adaptive network control policy. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Policy.Action | String | The actions of the ANC policy. |
| CiscoISE.Policy.Name | String | The name of the new ANC policy. |
Command Example
!cisco-ise-create-policy policy_name=quarantinePolicy policy_actions=QUARANTINE
Context Example
{
"CiscoISE.Policy": {
"Action": [
"QUARANTINE"
],
"Name": "quarantinePolicy"
}
}
Human Readable Output
The policy "quarantinePolicy" has been created successfully
11. Assign an ANC policy to an endpoint
Assigns an Adaptive Network Control policy to an endpoint.
Base Command
cisco-ise-assign-policy
Input
| Argument Name | Description | Required |
|---|---|---|
| mac_address | The MAC address to which to apply the policy. | Required |
| policy_name | The name of the policy to assign to the endpoint. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Endpoint.MACAddress | String | The MAC address of the endpoint. |
| CiscoISE.Endpoint.PolicyName | String | The policy name that was applied to the endpoint. |
Command Example
!cisco-ise-assign-policy mac_address=00:0A:35:11:A9:00 policy_name=policy3
Human Readable Output
The policy "policy3" has been applied successfully
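A pre-flight check for the assignment above, as an added example that is not part of the integration's own code: cisco-ise-assign-policy takes a MAC address rather than an endpoint ID, so the sketch rejects non-MAC input, confirms the endpoint and policy appear in context shaped like the Context Examples on this page, and only then returns the command string. The helper names and the sample data are assumptions constructed for illustration.

```python
import re

# Actions the page lists for ANC policies (sections 9 and 10).
ALLOWED_ACTIONS = {"QUARANTINE", "PORTBOUNCE", "SHUTDOWN"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

# Constructed sample context, shaped like the Context Examples on this page.
SAMPLE_ENDPOINTS = {"CiscoISE.Endpoint": [
    {"MACAddress": "00:0A:35:11:A9:00", "ID": "50080fc0-a07a-11e8-808e-000c295fdd32"},
    {"MACAddress": "00:0E:35:D4:D8:51", "ID": "327b0120-4ba1-11e8-93bd-000c296ec148"},
]}
SAMPLE_POLICY = {"CiscoISE.Policy": [{"Action": ["QUARANTINE"], "Name": "policy3"}]}


def as_list(value):
    """Context entries arrive as a list (get-policy) or one object (create-policy)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalize_mac(mac):
    """Return the MAC in upper-case colon form, or raise if it is not a MAC."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"expected 11:22:33:44:55:66 format, got {mac!r}")
    return mac.upper()


def build_assign_command(mac, policy_name, endpoints_ctx, policy_ctx):
    """Hypothetical helper: validate the inputs, then return the CLI command string."""
    mac = normalize_mac(mac)
    known = {e["MACAddress"].upper()
             for e in as_list(endpoints_ctx.get("CiscoISE.Endpoint"))}
    if mac not in known:
        raise ValueError(f"endpoint {mac} is not known to ISE")
    policies = {p["Name"]: set(as_list(p.get("Action")))
                for p in as_list(policy_ctx.get("CiscoISE.Policy"))}
    if policy_name not in policies:
        raise ValueError(f"policy {policy_name!r} not found")
    actions = policies[policy_name]
    if not actions or actions - ALLOWED_ACTIONS:
        raise ValueError(f"policy {policy_name!r} has no action or an unexpected one")
    return f"!cisco-ise-assign-policy mac_address={mac} policy_name={policy_name}"


if __name__ == "__main__":
    print(build_assign_command("00:0a:35:11:a9:00", "policy3",
                               SAMPLE_ENDPOINTS, SAMPLE_POLICY))
```

In a playbook, the two context arguments would come from the outputs of cisco-ise-get-endpoints and cisco-ise-get-policy.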
12. Get all endpoints on block list
Returns all blacklisted endpoints.
Base Command
cisco-ise-get-blacklist-endpoints
Input
There are no arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CiscoISE.Endpoint.ID | String | The endpoint ID. |
| CiscoISE.Endpoint.Name | String | The name of the endpoint. |
| CiscoISE.Endpoint.Description | String | The endpoint description. |
| CiscoISE.Endpoint.Link | String | The link for the endpoint. |
Command Example
!cisco-ise-get-blacklist-endpoints
Context Example
{
"CiscoISE.Endpoint": [
{
"GroupName": "Blacklist",
"ID": "327b0120-4ba1-11e8-93bd-000c296ec148",
"Name": "00:0E:35:D4:D8:51"
}
]
}
Human Readable Output
CiscoISE Blacklist Endpoints
| GroupName | ID | Name |
|---|---|---|
| Blacklist | 327b0120-4ba1-11e8-93bd-000c296ec148 | 00:0E:35:D4:D8:51 |