Set up Integration with Cisco ISE pxGrid
Set up IoT Security, Cortex XSOAR, Cisco pxGrid, and Cisco ISE for integration.
To set up the integration, perform the following steps:
- (IoT Security and Cortex XSOAR) Install a Cortex XSOAR engine
- (Cisco ISE) Enable pxGrid on the ISE node
- (Cisco ISE) Add custom IoT Security attributes
- (Cisco ISE) Import an endpoint profiler policy
- (Cisco ISE) Restart pxGrid Profiling
- (Cisco ISE, OpenSSL, IoT Security, Cortex XSOAR) Set up the XSOAR engine to connect with Cisco ISE through pxGrid
- (Cisco ISE) Connect the XSOAR engine to Cisco ISE pxGrid
- (Cortex XSOAR) Send IoT device attributes from IoT Security to Cisco ISE
Note: These
instructions are based on Cisco pxGrid 2.0 and Identity Services
Engine 2.4 with a Cisco Plus license.
- (IoT Security and Cortex XSOAR) Install a Cortex XSOAR engine.
  You must install an XSOAR engine on site to facilitate communications between the Cisco pxGrid controller and ISE system and the Cortex XSOAR cloud. Although it's possible to install an XSOAR engine on machines running Windows, macOS, and Linux operating systems, only an engine on a Linux machine supports IoT Security integrations. For more information about operating system and hardware requirements, see the Cortex XSOAR documentation.
  We recommend downloading the XSOAR engine using the shell installer script and installing it on a Linux machine. This simplifies the deployment by automatically installing all required dependencies and also enables remote engine upgrades.
  When placing the XSOAR engine on your network, make sure it can form connections to your pxGrid controller/ISE system on TCP 8910 and resolve its FQDN to an IP address.
  The firewall must also allow the engine to form HTTPS connections on TCP port 443 to the Cortex cloud at https://<your-domain>.iot.demisto.live/. You can see the URL of your XSOAR instance when you log in to the IoT Security portal and click Integrations > Launch Cortex XSOAR. It’s visible in the address bar of the web page displaying the XSOAR interface.
  For installation instructions, see the Cortex XSOAR engine installation documentation.
  For help troubleshooting Cortex XSOAR engines, including installations, upgrades, connectivity, and permissions, see the Cortex XSOAR engine troubleshooting documentation and Troubleshoot Integrations Running on Engines.
- (Cisco ISE) Enable pxGrid on the ISE node.
  Cisco pxGrid runs as a module inside ISE, but before you can start using pxGrid, you must first enable it in the general and profiling settings on the ISE node.
  Log in to the Cisco ISE UI, click Administration > System > Deployment > node_name, select the pxGrid check boxes on the General Settings and Profiling Configuration tabs, and then Save.
- (Cisco ISE) Add custom IoT Security attributes.
  IoT Security discovers, classifies, and identifies IoT devices and reports them through pxGrid to ISE using a set of custom attributes. For example, to send IoT device profiles to Cisco ISE, configure a custom endpoint attribute for device profiles called PanwIoTProfile on your Cisco ISE instance:
  - Log in to the Cisco ISE UI, click Administration > Identity Management > Settings > Endpoint Custom Attributes, enter PanwIoTProfile in the Attribute name field, choose String from the Type drop-down list, and then Save.
  - To add the ZingboxProfile attribute, click +, enter ZingboxProfile in the Attribute name field and choose String for Type. (This attribute is required because the profiler policy, which will be added later, references it.)
  - Repeat this procedure to add other custom attributes. The following is the complete set of custom attributes. PanwIoTProfile and ZingboxProfile are required. All the others are optional.

| Custom Attribute Name | Type | Notes |
| --- | --- | --- |
| PanwIoTProfile | String | The IoT device profile, which identifies devices at a more granular level than Category does. Example: Pyxis MedStation |
| ZingboxProfile | String | The same as PanwIoTProfile. It’s used in the profiler policy. |
| PanwIoTCategory | String | The device category to which an IoT device belongs. Example: Medication Dispensing |
| PanwIoTIP | IP | The IP address of an IoT device |
| PanwIoTRiskScore | Integer | The daily calculated risk score for a device based on alerts, vulnerabilities, behavioral anomalies, and threat intelligence. |
| PanwIoTConfidence | Integer | A score from 0 to 100 indicating the confidence in identifying a device and assigning it a device profile, 100 being the most confident. |
| PanwIoTTag | String | The asset tag of a device. Note: This comes from an integrated CMMS (computerized maintenance management system). |
| PanwIoTHostname | String | The hostname of a device, if available. If not, its MAC address appears here. |
| PanwIoTOS | String | The type of operating system running on a device |
| PanwIoTModel | String | The device model |
| PanwIoTVendor | String | The device vendor or manufacturer |
| PanwIoTSerial | String | The serial number of a device, when available |
| PanwIoTEPP | String | The endpoint protection (EPP) solutions deployed on a device. If this is blank, no EPP was observed. |
| PanwIoTAET | String | The application entity title (AET) if it’s available for the following types of medical devices: X-ray machine, ultrasound machine, PACS server, DICOM-workstation, and DICOM-viewer |
| PanwIoTInternetAccess | String | Whether or not a device can and does access the Internet |
- (Cisco ISE) Import an endpoint profiler policy.
  - In the Cisco ISE UI, navigate to Administration > System > Settings > Profiling, select Enable Custom Attribute for Profiling Enforcement, and then Save.
  - Copy the following text and paste it into a text file.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<CPMProfilerPolicies>
  <Policies>
    <Policy description="" isEnabled="true" matchingIdentityGroup="false" minimumCertaintyMetric="10" name="ZingboxUpdate" version="2">
      <PolicyRules>
        <PolicyRule certaintyFactor="65535" name="ZingboxRule53739030-b54e-415e-802a-e1ff2d44c67d"/>
      </PolicyRules>
    </Policy>
  </Policies>
  <Rules>
    <Rule description="CUSTOMATTRIBUTE_ZingboxProfile_EQUALS_ZingboxUpdate" expression="ZingboxRule53739030-b54e-415e-802a-e1ff2d44c67dCheck62932c59-12df-42d1-9bef-6e3efced33c9" name="ZingboxRule53739030-b54e-415e-802a-e1ff2d44c67d" ruleType="Regular"/>
  </Rules>
  <Checks>
    <Check attributeName="ZingboxProfile" attributeValue="ZingboxUpdate" description="CUSTOMATTRIBUTE ZingboxProfile EQUALS ZingboxUpdate" name="ZingboxRule53739030-b54e-415e-802a-e1ff2d44c67dCheck62932c59-12df-42d1-9bef-6e3efced33c9" operator="Equals" type="CUSTOMATTRIBUTE"/>
  </Checks>
  <Actions/>
  <ScanActions/>
</CPMProfilerPolicies>
```

    Save the file as ZingboxUpdate.txt and then change its extension from .txt to .xml.
    The IoT device attribute updates that the XSOAR engine sends to ISE will affect the policy, triggering ISE to apply the updates to the IoT device attributes in its system.
  - In the Cisco ISE UI, click Policy > Profiling, and then click Import.
  - Navigate to the .xml file, select it, and then click Submit.
  - To confirm that the file was successfully imported, check that the imported policy (named ZingboxUpdate) appears in the profiling policies list.
- (Cisco ISE) Restart pxGrid Profiling.
  To enable pxGrid to start profiling devices based on the input it receives from the XSOAR engine, it is necessary to restart profiling services.
  - Click Administration > System > Deployment > ISE_hostname.
  - In the Edit Node dialog box, click the Profiling Configuration tab.
  - Clear the check box for pxGrid and click Save.
  - Select the check box for pxGrid and click Save.
- (Cisco ISE, OpenSSL, IoT Security, Cortex XSOAR) Set up the XSOAR engine to connect with Cisco ISE through pxGrid.
  Before the XSOAR engine can communicate with ISE through pxGrid, it must first authenticate itself. The authentication can use either digital certificates or passwords. The ISE pxGrid controller automatically approves certificate-based SSL authentication but not the password-based method. Both authentication methods are described here. Your choice of authentication method will determine the settings in the integration instance.

  Certificate-based Authentication
  - (Cisco ISE) Click Administration > pxGrid Services > Settings, select Automatically approve new certificate-based accounts, and then Save.
  - When prompted to confirm the configuration change, click Yes.
  - To generate a certificate for the XSOAR engine, click Administration > pxGrid Services > Certificates, fill in the fields like the example below, and then click Create.
    The certificate password must be between 8 and 15 characters and contain at least 6 letters, 1 uppercase letter, and 1 number. It can also contain underscores ( _ ) and hashtags ( # ). Record the common name (CN) and certificate password. For example, xsoar-engine-10.1.1.215 and Zingbox123.
    When you click Create, pxGrid generates a PKCS #12 file and saves it in a .zip file to your management system. In the example here, the PKCS #12 file name is xsoar-engine-10.1.1.215_.p12.
    For the next part, your management system must be running a Linux-based OS with OpenSSL installed.
  - (OpenSSL) Generate a certificate file and key file.
    Open a terminal window, navigate to the folder with the .p12 file, and run the following two OpenSSL commands, replacing “xsoar-engine-10.1.1.215” and “Zingbox123” with the common name and password you used:

```
openssl pkcs12 -in xsoar-engine-10.1.1.215_.p12 -passin "pass:Zingbox123" -passout "pass:Zingbox123" > xsoar-engine-10.1.1.215_.cer
```

    The first command uses xsoar-engine-10.1.1.215_.p12 and Zingbox123 (the password you used when generating the certificate request) to generate the certificate file called xsoar-engine-10.1.1.215_.cer, which you then reference in the second command.

```
openssl rsa -in xsoar-engine-10.1.1.215_.cer -out xsoar-engine-10.1.1.215_.key -passin "pass:Zingbox123"
```

    This command uses the xsoar-engine-10.1.1.215_.cer file generated in the first command and the same password (Zingbox123) to generate the key file xsoar-engine-10.1.1.215_.key.
    When done, open the two files you generated with a text editor.
  - (IoT Security) Log in to the IoT Security portal, click Integrations, and then click Launch Cortex XSOAR.
    IoT Security uses Cortex XSOAR to integrate with Cisco ISE with pxGrid, and the settings you must configure to integrate with it are in the XSOAR interface.
    The Cortex XSOAR interface opens in a new browser window.
  - (Cortex XSOAR) Click Settings in the left navigation menu, click Credentials in the menu bar near the top, and then click + New. Enter the following and then Save:
    Credential Name: Enter a name for the credentials configuration. You will reference this name when configuring an ISE pxGrid integration instance.
    Password: Copy all the text in the key file (in this example: xsoar-engine-10.1.1.215_.key) and paste it in the Password field.
    Certificate: Copy all the text in the certificate file (xsoar-engine-10.1.1.215_.cer) and paste it in the Certificate field.
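The two OpenSSL conversions from the certificate-based procedure, as an added example that is not part of the original instructions: the password is read from an environment variable instead of the command line (where process listings and shell history expose it), both output files are created owner-only, and the extracted key is checked against the client certificate. `P12_PASS`, `split_p12` and `make_demo_p12` are names made up for this example, and the demo certificate is constructed.

```sh
#!/bin/sh
# Added example: the two conversions from the certificate-based procedure,
# with the password kept out of argv and a key/certificate match check.
# P12_PASS is a variable name chosen for this example; export it before use.

# split_p12 <file.p12> <basename>: writes <basename>.cer and <basename>.key
split_p12() (
    p12=$1; base=$2
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; exit 2; }
    umask 077   # both outputs hold key material: create them owner-only
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS \
             -passout env:P12_PASS > "$base.cer" 2>/dev/null ||
       ! openssl rsa -in "$base.cer" -passin env:P12_PASS \
             -out "$base.key" 2>/dev/null; then
        rm -f "$base.cer" "$base.key"
        echo "extraction failed: wrong password or damaged file" >&2
        exit 1
    fi
    # The decrypted key must be the one bound to the client certificate.
    cert_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts \
                   -nokeys 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$base.key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match the client certificate" >&2
        exit 1
    fi
)

# Constructed sample input: a throwaway self-signed certificate packed as
# PKCS #12, standing in for the file that pxGrid generates.
make_demo_p12() (
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-engine" -keyout "$dir/demo-key.pem" \
        -out "$dir/demo-crt.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/demo-key.pem" \
        -in "$dir/demo-crt.pem" -passout env:P12_PASS -out "$dir/demo.p12"
)

# Dry run on the constructed sample: sh this-file demo
if [ "${1:-}" = demo ]; then
    P12_PASS='Constructed#1'; export P12_PASS
    work=$(mktemp -d) && make_demo_p12 "$work" &&
        split_p12 "$work/demo.p12" "$work/demo" &&
        ls -l "$work/demo.cer" "$work/demo.key"
    rm -rf "$work"
fi
```

The .key file holds the private key unencrypted, so remove it from the management system once its contents are stored in the XSOAR credential.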
  Password-based Authentication
  - (Cisco ISE) Click Administration > pxGrid Services > Settings, select Allow password based account creation, and then Save.

  Integration Instance
  Cortex XSOAR supports a single Cisco ISE pxGrid integration instance.
  - (Cortex XSOAR) Click Settings > Servers & Services and search for pxgrid in the Settings section to locate it among other instances.
  - Click the integration instance settings icon and enter the following:
    Name: Use the default name of the instance or enter a new one.
    ISE Server URL: Enter IP address or domain name of the ISE server. For example: https://10.1.1.155
    When using certificate-based authentication, click Switch to credentials to see the Credentials drop-down list and choose the credential name you defined earlier. Select Certificate-based Account.
    or
    When using password-based authentication, click Switch to username and password if necessary (it’s displayed by default) to see the Authentication and Password fields. Leave both fields empty and select Password Based Account. You do not define a username and password with which the XSOAR engine authenticates itself. Cisco pxGrid creates them automatically when the engine contacts it.
    Run on Single engine: Choose the XSOAR engine that you previously installed.
  - When finished, click Run test or Test.
    If the test is successful for certificate-based authentication, a Success message appears. If not, check that the settings for the integration instance and credentials were entered correctly and then test the configuration again.
    When you use password-based authentication, a Cisco ISE pxGrid user must approve the pxGrid client (in this case, the XSOAR engine) before allowing it to connect. When you click Run test or Test, a message appears, prompting you to run the pxGrid Account Status job.
  - Click Done to save your changes and close the settings panel.
  - To activate the integration instance, click Enable.
    XSOAR automatically runs a preconfigured job for Cisco pxGrid integration and reports the integration instance to IoT Security, which displays it on the Integrations page.
  - Click Jobs in the left navigation menu, search for pxgrid to display the relevant jobs, select pxGrid Account Status, and then click Run now.
    The job sends a request to pxGrid using HTTPS on TCP port 8910 to accept the XSOAR engine as a pxGrid client and create an account for it.
- (Cisco ISE) Connect the XSOAR engine to Cisco ISE pxGrid.
  Because Cisco pxGrid runs as a module on Cisco ISE, when an XSOAR engine connects to Cisco pxGrid, it is also connecting through pxGrid to ISE.
  - Log in to the Cisco ISE UI, click Administration > pxGrid Services > All Clients and note that the XSOAR engine appears in the Client Name list.
    For a certificate-based account, its status is Offline, which is normal. (This does not indicate its connection status. The status changes to Online during data update sessions.) For a password-based account, its status is Pending because it must still be manually authorized.
  - Create a group permitting the XSOAR engine to publish data to the asset attribute topic. Click Administration > pxGrid Services > Permissions > Manage Groups and then click + Add in the Manage Groups dialog box.
  - In the Add Item dialog box, enter a name such as XSOAR-Engine3, and then click Submit.
  - Close the Manage Groups dialog box, and on the Administration > pxGrid Services > Permissions page, click + Add.
  - Enter the following and then click Submit:
    Service: com.cisco.ise.pubsub
    Operation: <CUSTOM>
    Custom Operation: publish /topic/com.cisco.endpoint.asset
    Groups: Enter the name of the group you created.
  - Return to Administration > pxGrid Services > All Clients, select the check box for the pending XSOAR engine, and then click Group to open the Client Group dialog box.
  - Add the engine to the group you created and then click Save.
  - For an XSOAR engine using password-based authentication, select its check box again, and then click Approve. (The ISE pxGrid controller automatically approves clients authenticating with certificates, but password-based authentication requires manual approval.)
    The status of the engine changes from Pending to Offline. The client now belongs to the client group you created, and the XSOAR engine and Cisco ISE server are now connected.
- (Cortex XSOAR) Send IoT device attributes from IoT Security to Cisco ISE.
  Before starting regular, automated incremental updates, it’s good practice to send ISE a complete device inventory from IoT Security. This requires a bulk data export from IoT Security to ISE that you initiate from the XSOAR interface at a time that’s suitable for network operations. To shorten the time required for the bulk export to complete, plan to run it during off-peak hours on a slow day such as a holiday or weekend. Exporting an inventory of 30,000-40,000 IoT devices takes up to 12 hours when a network is under normal usage. Doing this when network traffic is light can shorten the time needed to complete the job.
  - To start the bulk export of the entire device inventory, return to the Cortex XSOAR interface. Click Jobs, select PANW IoT Bulk Export to Cisco ISE pxGrid, and then click Run now.
    While it’s in progress, its status is shown as Running.
    Although it’s possible to run multiple bulk export jobs in parallel, doing so can affect the XSOAR engine performance. Therefore, we advise not running more than one at a time.
  - After the bulk export job completes, start the automated incremental update, which will then continue running every 15 minutes by default. (The interval is editable in the job settings.) To start the incremental updates, select PANW IoT ISE pxGrid Integration and then click Run now.