IoT Security can work through Cortex XSOAR and an on-premises XSOAR engine to retrieve information about the network from network devices like switches and routers. To do this, XSOAR uses SNMP. The engine begins by establishing trust with an entry switch by sending it an SNMP community string for read-only access. A good choice for an entry switch is one at the L2-to-L3 conversion point, which is usually at the core or aggregation layer, because its position allows it to get information from downstream switches. After making a connection, the engine queries the switch for information about the network to which it’s connected:

IoT Security also works with Cortex XSOAR to fetch the following information about switches on the network learned through Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP):

As the XSOAR engine learns the IP addresses of neighboring switches from the entry switch, it next collects network information from them, including a list of their neighboring switches as well. XSOAR continues collecting network information and learning about other switches until it has queried them all.

After collecting information through SNMP, IoT Security adds newly discovered details about the network to the Networks page and details about devices to the Devices and Device Details pages.

Cortex XSOAR runs a recurring job to query switches. Running the job on a daily basis is recommended although you can set the interval between jobs to occur more or less frequently as you want.

Using SNMP to collect information from network switches requires either a full-featured Cortex XSOAR server or the purchase and activation of an IoT Security third-party integration add-on license, which comes with a free cohosted Cortex XSOAR instance. The basic plan includes a license for three integration add-ons, one of which can be used for network discovery. The advanced plan includes a license for all supported third-party integrations.