Day 117 – Cisco ISE Mastery Training: Automated Incident Response via SIEM

[Day 117] Cisco ISE Mastery Training: Automated Incident Response via SIEM

Post Views: 60

Table of Contents

Introduction

When seconds matter, your SOC can’t wait for humans to swivel-chair between alerts, switches, and identity stores. Automated incident response connects your SIEM detections to Cisco ISE enforcement so the moment Splunk/QRadar/ArcSight confirms a threat, ISE isolates the endpoint (ANC/DACL/SGT), revokes access (CoA), or moves the device to a remediation VLAN—with full, audit-grade evidence.

In this Article you will implement:

  • SIEM → ISE action pipelines (ERS & pxGrid),
  • Quarantine playbooks (ANC + DACL + CoA),
  • Rollback (clear ANC) & safety guardrails,
  • End-to-end GUI + CLI validations (ISE, switches/WLC, SIEM).

Problem Statement

Typical gaps you’ll close today:

  • Alerts fire in SIEM but nothing changes on the network (manual triage delay).
  • NAC teams lack a repeatable, auditable way to quarantine from SOC tools.
  • Quarantine actions break users because rollbacks aren’t built.
  • Field extraction and identity enrichment are inconsistent, so playbooks can’t target the right endpoint (MAC/IP/username/port).

Goal: Deterministic, tested pipelines from SIEM detection → ISE enforcement (ANC/CoA/SGT/DACL) → validation → rollback, with CLI evidence.

Solution Overview

Control plane:

  • ISE ERS API for actions: Apply/Clear ANC, trigger CoA, manage Endpoint attributes.
  • pxGrid for live session lookup (map IP → MAC → username, NAD, port, SGT, posture).

Enforcement options:

  • ANC policy → Authorization Profile with Quarantine DACL or SGT (TrustSec).
  • CoA to force reauth & apply new policy.
  • SGT rewrite to push scalable, fabric-wide segmentation (SDA/TrustSec).
  • WebAuth redirect to remediation portal (optional).

Automation hooks (per SIEM):

  • Splunk: Alert Action (Python/Webhook) calling ISE ERS; optional pxGrid enrichment lookup.
  • QRadar: Rule → Custom Action / Webhook / Script on App Host → ISE ERS.
  • ArcSight ESM: Rule → Command Action (runs script on connector/manager) → ISE ERS.

Sample Lab Topology

Platform: VMware/EVE-NG

  • ISE: PAN+MnT+PSN (3.x/2.7+).
  • SIEM: Splunk Enterprise (or QRadar CE / ArcSight ESM dev).
  • Switch: Catalyst 9300 (IOS-XE) for 802.1X/MAB + DACL/SGT.
  • WLC (optional) for WLAN tests.
  • Endpoint(s): Windows 11 client (AnyConnect optional).
  • SOAR (optional): Splunk SOAR / QRadar SOAR.

Topology diagram:

Step-by-Step GUI Configuration Guide

PRECHECKS (Run before integration)

  • NTP/DNS aligned across ISE, SIEM, switches. # Jump host nslookup ise.pan.lab nslookup splunk.lab date -u
  • PKI ready (CA trust on ISE & SIEM if using TLS and for ERS cert validation).
  • Network reachability (ISE → SIEM & SIEM → ISE 9060/ers, 8910/pxgrid). # From SIEM host curl -k https://ise.pan.lab:9060/ers/sdk --head # From ISE (if shell permitted) or jump host nc -vz splunk.lab 6514

A) ISE — Build Enforcement Objects (ANC, DACL/SGT, CoA)

  1. Create Quarantine DACL
  • ISE GUI → Policy > Policy Elements > Results > Authorization > Downloadable ACLs > Add
    • Name: DACL-QUARANTINE
    • ACL Content: deny ip any any permit tcp any host 10.10.10.50 eq 443 # remediation portal permit udp any any eq 53 # DNS
  • Save.
  1. (Option) Create Quarantine SGT
  • Work Centers > TrustSec > Components > Security Groups > Add
    • Name: SGT-QUARANTINE (e.g., tag ID 50)
  1. Authorization Profile for Quarantine
  • Policy > Policy Elements > Results > Authorization > Authorization Profiles > Add
    • Name: AUTH-QUARANTINE-DACL
    • Common Tasks: Check Downloadable ACL → select DACL-QUARANTINE
    • CoA Type: Reauthenticate (or Port Bounce as needed)
  • Save.
  1. Define ANC Policies
  • ISE 2.x: Operations > Adaptive Network Control
  • ISE 3.x: Context Visibility > Endpoints > ANC or Policy > Policy Elements > Results > ANC Policy(paths vary; use search for “ANC”)
    • ANC Policy Name: ANC-APPLY-QUARANTINE → Action = Quarantine → Assign AUTH-QUARANTINE-DACL (or map to SGT).
    • ANC Policy Name: ANC-CLEAR → Action = Clear ANC.

Validation (Live Test)

  • Connect a test endpoint → normal access.
  • ISE Live Logs: Operations > RADIUS > Live Logs shows Access-Accept.
  • Switch CLI (C9300): show authentication sessions interface Gi1/0/10 details # Expect: Status Authorized; DACL none (pre-quarantine)

B) ISE — Enable ERS & pxGrid (for API actions & enrichment)

  1. Enable ERS
  • Administration > System > Settings > ERS Settings > Enable ERS
  • Create ERS admin: Administration > Admin Access > Administrators > Add (select ERS permissions).
  1. Enable pxGrid (for IP→MAC→User lookups)
  • Administration > System > Settings > pxGrid Services > Enable
  • (Optional) Approve SIEM pxGrid client after first connect.

Validation (API Reachability)

# From SIEM host
curl -k -u ers_user:ers_pwd https://ise.pan.lab:9060/ers/config/ancendpoint -I
# Expect HTTP/1.1 200 OK (or 401 if creds wrong)

C) Splunk — Build Alert → ISE Action (Webhook/Python)

Goal: When a detection fires (e.g., “High-fidelity malware on host 10.10.10.55”), Splunk calls ISE ERS to quarantine the MAC, then triggers CoA.

  1. Create Saved Search / Correlation Rule
  • Splunk Web → Search & Reporting → craft detection SPL; example: index=edr sourcetype=malware severity=high | stats latest(host_ip) as src_ip, values(user) as user, values(hostname) as host by signature
  • Save as Alert: Trigger = Once per Result.
  1. Create Custom Alert Action (Webhook or Script)
    Option A – Webhook (simple):
  • Configure Webhook URL to a small middleware on Splunk HF that runs a Python script (recommended for auth & certs).

Option B – Python Alert Action:

  • Deploy an Alert Action app that runs a Python script ise_quarantine.py.
  • Script (template): #!/usr/bin/env python3 import requests, json, sys, os ISE = os.environ.get("ISE_HOST","https://ise.pan.lab:9060") ERS_USER = os.environ.get("ERS_USER","ers_user") ERS_PASS = os.environ.get("ERS_PASS","ers_pwd") src_ip = sys.argv[1] # passed from alert # 1) Resolve IP -> MAC via pxGrid or SIEM lookup table (assume provided): mac = lookup_mac_from_ip(src_ip) # implement via pxGrid or Splunk KVstore # 2) Apply ANC (Quarantine) body = {"OperationAdditionalData":{"additionalData":[ {"name":"macAddress","value":mac}, {"name":"policyName","value":"ANC-APPLY-QUARANTINE"}]}} r = requests.post(f"{ISE}/ers/config/ancendpoint/apply", auth=(ERS_USER,ERS_PASS), headers={"Content-Type":"application/json"}, data=json.dumps(body), verify=False) print("ANC apply:", r.status_code, r.text)
  • Pass token(s)/creds via Splunk secure storage or environment variables.
  1. (Optional) pxGrid Enrichment
  • Before ANC, resolve MAC for the IP:
    • Use a pxGrid client (cert-auth) to query Session Directory topic and return MAC, username, NAD, port.
    • Cache mapping in Splunk KV Store for quick lookup.
  1. Create Rollback Alert Action
  • A paired alert (or same action with param) to Clear ANC: curl -k -u ers_user:ers_pwd -H "Content-Type: application/json" \ -X POST https://ise.pan.lab:9060/ers/config/ancendpoint/clear \ -d '{"OperationAdditionalData":{"additionalData":[{"name":"macAddress","value":"AA:BB:CC:DD:EE:FF"}]}}'

Validation (End-to-End)

  • Fire test alert manually (Splunk → Trigger Alert).
  • ISE GUI: Context Visibility > Endpoints > [endpoint] > ANC Status = Quarantined.
  • Switch CLI: show authentication sessions interface Gi1/0/10 details # Expect: DACL= DACL-QUARANTINE (or SGT=SGT-QUARANTINE), Method=dot1x/mac, Status=Authorized show access-lists | include DACL-QUARANTINE
  • Client validation: Browsing blocked except remediation allowed; reauth occurred (link flap or CoA seen in logs).

D) QRadar — Rule → Custom Action → ISE

  1. Correlation Rule
  • QRadar Offenses/Rules → Create rule: When events where and identity present.
  1. Custom Action
  • Add Webhook / Script action on App Host that calls ISE ERS Apply ANC with MAC/IP (use pxGrid lookup as needed).
  1. Rollback Action
  • Second custom action to Clear ANC.

Validation

  • Fire test offense → Action logs show HTTP 200/202 to ISE.
  • ISE endpoint shows ANC applied; switch shows DACL/SGT enforced.

E) ArcSight ESM — Rule → Command Action → ISE

  1. Rule
  • Condition matches high-confidence event; aggregation provides sourceAddress or deviceCustomString1=MAC.
  1. Command Action
  • Runs a local script (on connector/manager) that performs the same ERS POST apply/clear.

Validation

  • ESM Rule fires → Command action logs successful exit code; ISE shows ANC.

F) Safety Guardrails & RBAC

  • Two-person approval (optional): use SIEM notable → SOAR playbook with approval step → ISE action.
  • Allowlist: refuse quarantine for critical assets (domain controllers, core infra).
  • Max hold time: auto-rollback after X minutes if incident closed as false positive.
  • RBAC: ERS user limited to ANC/Session read; no full admin rights.

G) Evidence Pack (export these)

  • Splunk/QRadar/ArcSight alert firing]
  • ISE ANC policy page]
  • ISE Endpoint page – ANC=Quarantined]
  • Switch CLI output (pre- and post-quarantine): show authentication sessions interface Gi1/0/10 details show cts role-based sgt-map all | include <MAC or IP> # if SGT used
  • ISE ERS API response (HTTP 202 + jobId).
  • Rollback evidence: ANC cleared; client restored.

Expert-Level Use Cases

  1. IOC-Driven Quarantine: EDR “High” + DNS tunneling anomaly → SIEM alert → ISE ANC + DACL + CoA → ticket + Slack notification → auto-rollback if EDR clears.
  2. Ransomware Blast-Radius Control: Lateral movement detector fires → SIEM tags subnet → ISE bulk-ANC on matching MACs via ERS; TrustSec matrix denies east-west.
  3. Privileged Abuse Throttle: Impossible travel + PAM anomaly → move user to restricted SGT with just-enough access; SOAR requests approval, then auto-rollback after 60 min.
  4. BYOD Non-Compliant Posture: Splunk receives posture non-compliant + EDR off → ISE assigns remediation portal DACL; CoA to force captive flow.
  5. Branch Wide Containment: QRadar offense on branch NAT IP → pxGrid resolves per-host sessions on that PSN → mass ANC only for active infected MACs.
  6. Wireless Rogue AP Client Herding: WLC rogue event → ArcSight rule → ISE applies VLAN redirect to cleanup SSID for affected MACs.
  7. Data Exfil Spike: DLP alert for userX → ISE reauth userX sessions to SGT-MONITOR; NetFlow & decryption policies intensify inspection.
  8. Critical Asset Ring-Fence: IDS alert near Tier-0 → ISE raises SGT QUAR-EDGE for untrusted endpoints; fabric matrix blocks Tier-0 adjacency.
  9. Guest Abuse Auto-Expire: SIEM sees DoS from Guest VLAN → ISE ERS revokes sponsor account + clears active sessions.
  10. OT/IoT Anomaly: NBAR/Stealthwatch reports protocol drift → ISE maps MAC OUI to IoT-SGT with deny-write DACL; CoA on affected ports.

FAQs: Automated Incident Response via SIEM & Cisco ISE

Q1. How does Cisco ISE receive incident data from SIEM platforms like Splunk, QRadar, or ArcSight?

Answer:

  • Cisco ISE integrates with SIEM via Syslog feeds, APIs, or pxGrid.
  • SIEM platforms analyze logs from multiple sources (firewalls, endpoints, servers) and push enriched alerts to ISE for policy enforcement.
  • Validation:
    • CLI: show logging application ise-psc.log (for pxGrid session updates).
    • GUI: Navigate to Operations → Radius → Live Logs to see incidents mapped to endpoint sessions.

Q2. What types of incidents can be automatically acted upon by ISE through SIEM integration?

Answer:

  • Malware Infections (from AMP, EDR, Firepower logs).
  • Data Exfiltration Attempts (from DLP integration).
  • Brute Force / Authentication Attacks (from Splunk security rules).
  • Command & Control Communication Detection (from Stealthwatch or QRadar).
  • ISE then triggers context-based quarantine (VLAN change, dACL, SGT assignment).

Q3. How do I configure ISE to take automated action (quarantine/block) when SIEM detects an incident?

Answer:

  1. In ISE Admin GUI, go to Work Centers → TrustSec → Adaptive Network Control (ANC).
  2. Create ANC Policies (e.g., “Quarantine”, “Monitor”, “Block”).
  3. On SIEM side (Splunk/QRadar): configure pxGrid/REST API call to apply ANC policy.
    • Example API Call: curl -k -u pxgrid-client:pxgridpass \ -X POST https://<ISE-IP>:8910/ers/config/ancendpoint/apply \ -H "Content-Type: application/json" \ -d '{"OperationAdditionalData":[{"name":"macAddress","value":"AA:BB:CC:DD:EE:FF"},{"name":"policyName","value":"Quarantine"}]}'
  4. Validate in ISE → Operations → ANC → Policy Hits.

Q4. How do I test if ANC Quarantine works properly after SIEM triggers?

Answer:

  • Use a test endpoint MAC address.
  • Push ANC policy from SIEM manually via API.
  • In ISE GUI → Context Visibility → Endpoints, check that endpoint’s ANC Status = Quarantine.
  • On switch CLI: show authentication sessions interface Gig1/0/2 show access-session mac AA:BB:CC:DD:EE:FF details → Should show Quarantine SGT/dACL applied.

Q5. Can ISE differentiate between false positives vs confirmed threats when receiving events from SIEM?

Answer:

  • Yes, SIEM rules should define confidence levels (High, Medium, Low).
  • Best practice:
    • High confidence → Auto-quarantine.
    • Medium confidence → Restricted access (SGT-based segmentation).
    • Low confidence → Alert only, no enforcement.
  • This prevents unnecessary endpoint disruptions.

Q6. What happens if pxGrid or API communication between SIEM and ISE fails?

Answer:

  • Incidents will not reach ISE, meaning no quarantine action occurs.
  • Troubleshooting:
    • ISE CLI: show application status ise | include pxgrid show logging application ise-psc.log
    • SIEM logs: Check API call failures (HTTP 401, 403, timeout).
  • Mitigation: Always configure syslog-based fallback for redundancy.

Q7. How can I audit or confirm that an endpoint was quarantined due to a SIEM-triggered incident?

Answer:

  • ISE GUI: Operations → Reports → Endpoint → ANC Report.
  • ISE Live Logs: Filter for endpoint MAC/Username.
  • Switch CLI validation: show access-session mac <endpoint-mac> → Will show applied ANC or dACL policy.
  • Splunk/QRadar dashboards should also show ISE enforcement confirmation logs.

Q8. Is it possible to automatically release an endpoint from quarantine once it is clean?

Answer:

  • Yes, automation works both ways.
  • Workflow:
    1. AMP/EDR detects malware removed → updates SIEM.
    2. SIEM calls ISE API → clear-ancendpoint policy.
    3. Endpoint reverts to normal network access.
  • Validation:
    • ISE GUI → Endpoint no longer shows ANC applied.
    • CLI: show access-session interface g1/0/2 should show original SGT/VLAN.

Q9. How scalable is automated incident response with ISE + SIEM?

Answer:

  • Cisco ISE can handle 100,000+ endpoints with pxGrid scaling across distributed deployments.
  • SIEM (e.g., Splunk Enterprise Security, QRadar) can ingest millions of EPS (Events per Second).
  • Best Practice:
    • Deploy ISE PSN nodes close to network devices.
    • Use pxGrid Pub/Sub for high-volume event forwarding.

Q10. What are common misconfigurations engineers face during ISE-SIEM integration for automation?

Answer:

  1. Incorrect pxGrid certificate trust → API calls fail with SSL errors.
  2. Missing ANC policy mapping in ISE → SIEM push ignored.
  3. Improper endpoint ID (e.g., IP vs MAC) used in API request → No enforcement applied.
  4. ISE not enabled for pxGrid services → SIEM cannot subscribe to sessions.
  5. Switch not configured for CoA → Quarantine dACL never applied.
    • CLI Fix: aaa authorization network default group radius radius-server attribute 8 include-in-access-req ip device tracking

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing Notes (Key takeaways)

  • Automate detection → enforce with ISE (ANC/DACL/SGT + CoA).
  • Enrich alerts using pxGrid/ERS to target precisely the right session.
  • Prove every step with CLI, and pair every action with a rollback.
  • Harden with guardrails, RBAC, allowlists, and rate-limits.

Upgrade Your Skills – Start Today

For hands-on labs, production-grade playbooks, and ready-to-use Splunk/QRadar/ArcSight connectors, subscribe to Network Journey on YouTube and enroll in 4-month instructor-led CCIE Security Mastery.

Get the Automated ISE Response Pack (ANC/DACL objects, Splunk Alert Action app, QRadar Webhook script, ArcSight command scripts, pxGrid session resolver).
Course & outline: https://course.networkjourney.com/ccie-security/ — join to get mentored, lab access, and lead-ready templates.

Fast-Track to Cisco ISE Mastery Pro

  • Who it’s for: SOC/NOC engineers, NAC architects, SecOps leads.
  • What you’ll build: End-to-end ISE automations (pxGrid, ERS, TrustSec/SGT, SOAR playbooks), HA & DR, large-scale policy sets, fabric segmentation, zero-trust enforcement.
  • Deliverables: 25+ runbooks, 60+ labs, Splunk/QRadar/ArcSight integrations, posture & threat-based quarantine, rollback patterns.
  • Outcome: Production-ready automated SOC→NAC controls with measurable MTTR reduction.
    Enroll now to reserve a seat and receive pre-class lab prep + interview-ready project briefs.

Enroll Now & Future‑Proof Your Career
Emailinfo@networkjourney.com
WhatsApp / Call: +91 97395 21088

Trainer Sagar Dhawan
Hi all, Good to see you here. I'm your Trainer for CCIE, CCNP, CCNA, Firewall batches and many more courses coming up! Stay tuned for latest updates! Keep me posted over Whatsapp/Email about your experience learning from us. Thanks for being part of - "Network Journey - A journey towards packet-life!!!"

Related Posts

Day 118 – Cisco ISE Mastery Training: REST API Advanced – Automating User Onboarding

[Day 118] Cisco ISE Mastery Training: REST API Advanced — Automating User Onboarding

  • Posted on
    • Day 149 – Cisco ISE Mastery Training: Troubleshooting Deep Dive (TAC Level)

    [Day 149] Cisco ISE Mastery Training: Troubleshooting Deep Dive (TAC Level)

  • Posted on
    • Day 93 – Cisco ISE Mastery Training: Multi‑Admin & RBAC

    [Day 93] Cisco ISE Mastery Training: Multi-Admin & RBAC

  • Posted on