Integrate IoT Security with Network Switches for SNMP Discovery
IoT Security and Cortex XSOAR use SNMP to learn device
details from network switches.
IoT Security can work through Cortex XSOAR
and an on-premises XSOAR engine to retrieve information from switches
about the devices connected to them. To do this, XSOAR uses SNMP.
The engine begins by establishing trust with an entry switch—usually
at the edge or aggregation layer—by sending it an SNMP community
string for read-only access. After this, the engine queries the
switch for information about the devices connected to it; specifically,
it learns the switch name and IP address, device MAC address and
IP address, and (for Cisco Catalyst switches) the name of the physical
port on the switch to which a device connects. The XSOAR engine
also queries the entry switch for the IP addresses of neighboring
switches on the network. It collects device information from them
next and also gets a list of their neighboring switches as well.
XSOAR continues collecting device information and learning about
other switches until it has queried them all.
After collecting
information through SNMP, IoT Security adds newly discovered details
about existing devices in its inventory and also adds newly discovered
devices to its inventory. When IoT Security learns of a new device
through SNMP, it displays
Discovered via snmp
in
the Source column for it on the Devices page.
You
can also filter the inventory to display only those devices learned
through SNMP. Click the 
) above the inventory table, choose Source
and SNMP, optionally click the 
) if you want to save
the filter for future use, and then
Filter
icon (
) above the inventory table, choose Source
and SNMP, optionally click the Save changes
icon
(
) if you want to save
the filter for future use, and then Apply
.
IoT Security
then displays only devices that match the filter; that is, devices
discovered through SNMP.
To
retrieve this information, the XSOAR engine does an SNMP walk for
the following object identifiers (OIDs):
OID | Comment |
|---|---|
1.3.6.1.2.1.1.5 | This OID gets the switch name. |
1.3.6.1.2.1.4.22.1.2 | This gets the ARP table on the switch, which contains device
MAC address/IP address pairs. |
1.3.6.1.2.1.17.4.3.1.2, 1.3.6.1.2.1.17.1.4.1.2, 1.3.6.1.2.1.31.1.1.1.1 | These three OIDs combine together to get device MAC address/physical
port on the switch pairs. (Only Cisco Catalyst switches return this
information.) |
1.3.6.1.4.1.9.9.23.1.2.1.1.4, 1.0.8802.1.1.2.1.4.2.1 | These OIDs provide the IP addresses of neighboring switches learned
through Cisco Discovery Protocol (CDP) and Link Layer Discovery
Protocol (LLDP). |
Make sure the switches on your network allow read-only
access from the Cortex engine to these OIDs.
When you
look at the Device Details page for a device learned through SNMP,
you’ll only see fields for which IoT Security has data. If a switch
provides partial data for a device, then IoT Security shows the
data it received and hides the fields for which it wasn't sent anything.
Cortex
XSOAR runs a recurring job to query switches. Running the job on
a daily basis is recommended although you can set the interval between
jobs to occur more or less frequently as you want.
SNMP
v2c and v3 are supported.
Using SNMP to collect information
from network switches requires the purchase and activation of
a third-party integration add-on. The basic integration plan includes
a license for three integration add-ons, one of which can be used
for SNMP discovery. The advanced plan includes a license for all
supported third-party integrations.
