In the New Job panel that appears, enter the following and
leave the other settings at their default values:
Recurring:
Select this because you want to periodically export endpoint attributes
to ISE.
Every: Enter a number and set
the interval value (Minutes, Hours, Days, or Weeks) and select the
days on which to run the job. (If you don’t select anything, the
job runs everyday.) This determines how often XSOAR sends data to
ISE. It’s important to set an interval that allows enough time
for the job to complete, considering factors such as the number
of devices involved, the amount of bandwidth and latency in the
connection, and the processing speed of the ISE server. You might
start by running the job every 15 minutes and then increasing it
as necessary until each job completes before the next one starts.
You can see the run status of a recurring job on the Jobs page.
When in progress, its status is Running.
When done, its status changes to Completed.
Name:
Enter a name for the job.
Playbook:
Choose Incremental Export to Cisco ISE - PANW IoT 3rd
Party Integration.
PANW IoT Device
Custom Attributes: By default, Device Security exports
all device attributes through XSOAR to ISE. If you want to export
a subset, clear the Export Attribute check box for the ones you
don’t want to export.
If you defined your own custom endpoint
attribute names in ISE, replace the default names with those.
PANW
IoT In Scope Tag Enforcement: Select
Yes to
filter attributes that
Device Security exports to only devices with
the
Cisco ISE tag type and the
In
Scope tag value. If you don’t want to filter exported
attributes by tagged devices, leave this as
No.
For information about tagging devices in
Device Security, see
Tag Management.
Playbook
Poll Interval: Enter a number (the value, though unspecified,
is minutes) defining the period of time during which Device Security
must see newly discovered devices or changes in any attribute fields
of previously discovered devices to include their attributes in the
list it provides to XSOAR for export. It’s common to use the same
interval as the one for running the recurring job. However, if you
increase the interval between jobs, you can set a shorter interval
for polling than that for the job. If you leave it blank, the default
poll interval is 15 minutes.
Primary Instance Name(s):
Paste the name you copied earlier. When integrating with two primary
ISE servers in an HA pair, return to the duplicate browser window,
copy the name of the primary standby instance, enter a comma after
the primary active instance name, and paste the name of the primary
standby instance.
For a deployment with a single Cisco
ISE instance, you can enter the name you copied in either this field
or the Integration Instance Name field. If there happen to be names
in both fields, the one in the Primary Instance Name field takes
precedence.
Secondary Instance Name(s):
If you configured a secondary integration instance, copy and paste
the secondary active instance name. If there are two secondary ISE
servers in an HA pair, enter a comma and copy and paste the secondary
standby instance name.
Although there’s an automatic failover
between the active and standby nodes in an ISE HA pair, there isn’t
an automatic failover between primary and secondary instances. The
secondary instance provides data redundancy and can only manually
be promoted to primary. Device Security/Cortex XSOAR exports device
attributes to the currently active primary instance and exports
duplicate data to the currently active secondary instance.
Site
Names: Leave the field empty to export device attributes
for all sites. To limit exports to devices at one or more sites,
enter comma-separated site names.
