Integrate IoT Security with Network Switches for SNMP Discovery

IoT Security and Cortex XSOAR use SNMP to learn device details from network switches.
IoT Security can work through Cortex XSOAR and an on-premises XSOAR engine to retrieve information from switches about the devices connected to them. To do this, XSOAR uses SNMP. The engine begins by establishing trust with an entry switch—usually at the edge or aggregation layer—by sending it an SNMP community string for read-only access. After this, the engine queries the switch for information about the devices connected to it; specifically, it learns the switch name and IP address, device MAC address and IP address, and (for Cisco Catalyst switches) the name of the physical port on the switch to which a device connects. The XSOAR engine also queries the entry switch for the IP addresses of neighboring switches on the network. It collects device information from them next and also gets a list of their neighboring switches as well. XSOAR continues collecting device information and learning about other switches until it has queried them all.
After collecting information through SNMP, IoT Security adds newly discovered details about existing devices in its inventory and also adds newly discovered devices to its inventory. When IoT Security learns of a new device through SNMP, it displays
Discovered via snmp
in the Source column for it on the Devices page.
You can also filter the inventory to display only those devices learned through SNMP. Click the
Filter
icon (   ) above the inventory table, choose Source and SNMP, optionally click the
Save changes
icon (   ) if you want to save the filter for future use, and then
Apply
.
IoT Security then displays only devices that match the filter; that is, devices discovered through SNMP.
To retrieve this information, the XSOAR engine does an SNMP walk for the following object identifiers (OIDs):
OID
Comment
1.3.6.1.2.1.1.5
This OID gets the switch name.
1.3.6.1.2.1.4.22.1.2
This gets the ARP table on the switch, which contains device MAC address/IP address pairs.
1.3.6.1.2.1.17.4.3.1.2, 1.3.6.1.2.1.17.1.4.1.2, 1.3.6.1.2.1.31.1.1.1.1
These three OIDs combine together to get device MAC address/physical port on the switch pairs. (Only Cisco Catalyst switches return this information.)
1.3.6.1.4.1.9.9.23.1.2.1.1.4, 1.0.8802.1.1.2.1.4.2.1
These OIDs provide the IP addresses of neighboring switches learned through Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP).
Make sure the switches on your network allow read-only access from the Cortex engine to these OIDs.
When you look at the Device Details page for a device learned through SNMP, you’ll only see fields for which IoT Security has data. If a switch provides partial data for a device, then IoT Security shows the data it received and hides the fields for which it wasn't sent anything.
Cortex XSOAR runs a recurring job to query switches. Running the job on a daily basis is recommended although you can set the interval between jobs to occur more or less frequently as you want.
SNMP v2 and v3 are supported.
Using SNMP to collect information from network switches requires the purchase and activation of a third-party integration add-on. The basic integration plan includes a license for three integration add-ons, one of which can be used for SNMP discovery. The advanced plan includes a license for all supported third-party integrations.

Recommended For You