Device Security can work through Cortex XSOAR and an on-premises XSOAR engine to retrieve information about the network from network devices like switches and routers. To do this, XSOAR uses SNMP. The engine begins by establishing trust with an entry switch by sending it an SNMP community string for read-only access. A good choice for an entry switch is one at the L2-to-L3 conversion point, which is usually at the core or aggregation layer, because its position allows it to get information from downstream switches. After making a connection, the engine queries the switch for information about the network to which it’s connected:

Device Security also works with Cortex XSOAR to fetch the following information about switches on the network learned through Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP):

As the XSOAR engine learns the IP addresses of neighboring switches from the entry switch, it next collects network information from them, including a list of their neighboring switches as well. XSOAR continues collecting network information and learning about other switches until it has queried them all.

After collecting information through SNMP, Device Security adds newly discovered details about the network to the Networks page and details about devices to the Devices and Device Details pages.

Cortex XSOAR runs a recurring job to query switches. Running the job daily is recommended although you can set the interval between jobs to occur more or less frequently as you want.

Using SNMP to collect informaiton from network switches requires either a full-featured Cortex XSOAR™ server or the activation of a Device Security free cohosted Cortex XSOAR instance.

Alternatively, you can use the free Network Discovery plugin to do SNMP crawling. You can download the plugin onto a supported firewall without needing to integrate with Cortex XSOAR.