Cisco ISE Response Integration

Overview

The Cisco ISE integration is a containment (response) integration that is called from playbook action blocks. It lets you contain a suspicious or malicious endpoint on the network by quarantining it, removing it from quarantine, or terminating its active session.

Setting Up the Integration

Add a Cisco ISE asset from the Integrations / Assets screen and fill in the following fields.

Field    | Required | Description
Host     | Yes      | IP address or hostname of the Cisco ISE device
Port     | Yes      | Cisco ISE API port (depends on your environment, typically 9060 or 443)
Username | Yes      | Cisco ISE API user name
Password | Yes      | Password for the API user (stored encrypted)

Prerequisites on the Cisco ISE Side

Before using the integration, make sure the following are enabled on Cisco ISE:

  • External RESTful Services (ERS) API and Monitoring (MNT) API access.
  • Endpoint Protection Service (EPS), which is used by the quarantine and unquarantine actions.
  • An authorized API user that can perform these operations.

Testing the Connection

When you save the asset, a connection test runs automatically. A successful test confirms that the host, port, and credentials are correct.

Available Methods and the Address Field

The integration provides three action methods. Important: the "Address" field expects a different type of value depending on the method you select.

Method            | What to enter in the Address field
Terminate-Session | MAC address only
Quarantine        | MAC address or IP address (detected automatically)
Unquarantine      | MAC address or IP address (detected automatically)

Terminate-Session

This method locates the active session of an endpoint by its MAC address and terminates it.

  • The Address field must contain a valid MAC address, for example BC:6E:E2:EF:69:2E.
  • This method does not support IP addresses.
  • If an IP address is entered, Cisco ISE cannot find a matching session and the action fails (shown as CANT_COMPLETE).

Quarantine

This method places an endpoint into quarantine on Cisco ISE.

  • You can enter either a MAC address or an IP address.
  • The system automatically detects whether the value is a MAC or an IP and uses the correct operation.
  • If the value is neither a valid MAC nor a valid IP, the action returns an error indicating that the IP or MAC parameter is missing.

Unquarantine

This method removes an endpoint from quarantine. It accepts the Address field exactly like the Quarantine method, so you can enter either a MAC address or an IP address.
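The Address rules for the three methods, as an added example that is not part of this article or of the Logsign or Cisco ISE software: a small validator that mirrors the documented behaviour (MAC only for Terminate-Session, MAC or IP with automatic detection for Quarantine and Unquarantine, and the documented result text when the value is neither). The normalization of a MAC to the colon-separated uppercase form shown in the article's example, the accepted input separators (colon or hyphen) and all function names are assumptions made for this example.

```python
import ipaddress
import re

# Accepts colon- or hyphen-separated MAC addresses such as BC:6E:E2:EF:69:2E
# (assumption: these are the two separators a playbook author is likely to paste)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

METHODS = ("Terminate-Session", "Quarantine", "Unquarantine")


def classify_address(value):
    """Return 'mac', 'ip' or None for the value entered in the Address field.

    This is the automatic detection the Quarantine and Unquarantine methods
    rely on: a MAC pattern is tried first, then the value is parsed as an
    IPv4 or IPv6 address.
    """
    value = value.strip()
    if MAC_RE.match(value):
        return "mac"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return None


def normalize_mac(value):
    """Rewrite a MAC to the colon-separated uppercase form (BC:6E:E2:EF:69:2E).

    Assumption for this example: normalizing before the call avoids a lookup
    miss caused purely by separator or case differences.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_action(method, address):
    """Check an Address value against the rules of the selected method.

    Returns (ok, kind, detail): on success kind is 'mac' or 'ip' and detail
    is the value to send; on failure kind is None and detail is the result
    text the article documents for that case.
    """
    if method not in METHODS:
        raise ValueError(f"unknown method: {method}")
    kind = classify_address(address)
    if method == "Terminate-Session":
        # Sessions are looked up by MAC, so an IP (or anything else) cannot match
        if kind != "mac":
            return (False, None, "CANT_COMPLETE: Terminate-Session requires a MAC address")
        return (True, "mac", normalize_mac(address))
    # Quarantine / Unquarantine accept either type; anything else is the documented error
    if kind is None:
        return (False, None, "IP or MAC parameter is missing")
    detail = normalize_mac(address) if kind == "mac" else address.strip()
    return (True, kind, detail)


if __name__ == "__main__":
    # Constructed sample inputs a playbook block might receive
    samples = [
        ("Terminate-Session", "bc-6e-e2-ef-69-2e"),
        ("Terminate-Session", "10.0.0.5"),
        ("Quarantine", "10.0.0.5"),
        ("Quarantine", "2001:db8::1"),
        ("Unquarantine", "not-an-address"),
    ]
    for method, address in samples:
        print(method, repr(address), "->", validate_action(method, address))
```

Running the validator in the playbook before the action block is called turns the CANT_COMPLETE and "IP or MAC parameter is missing" outcomes into an early, explicit failure on the analyst's side instead of a round trip to Cisco ISE.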

Frequently Asked Questions

What should I enter in the Address field?

  • If you selected Terminate-Session, enter a MAC address. IP addresses are not accepted for this method.
  • If you selected Quarantine or Unquarantine, enter a MAC address or an IP address. The system detects which one you provided.

What happens if I enter an IP address for Terminate-Session?

The session is looked up by MAC address, so Cisco ISE cannot find the session and the action fails with a CANT_COMPLETE result. Always use a MAC address for Terminate-Session.

For Quarantine, both MAC and IP are accepted. Which should I use?

Both are valid. We recommend using the value that most reliably identifies the endpoint in your environment, which is usually the MAC address. If your environment tracks endpoints by IP, an IP address works as well.

Common Result Messages

Message                        | Meaning
IP or MAC parameter is missing | The Address value entered for Quarantine or Unquarantine is neither a valid MAC nor a valid IP.
Disconnect error               | Terminate-Session could not end the session, for example the session was not found.
Quarantine error               | The quarantine operation failed on Cisco ISE.
Unquarantine error             | The remove-from-quarantine operation failed on Cisco ISE.
Unknown error                  | Cisco ISE returned an unexpected response.