Cisco ISE TME Pavan Gupta shares his experiences in integrating ISE and Splunk.
00:00 Intro & Agenda
01:15 Overview of Splunk
08:36 Splunk Installation & Capabilities
09:14 Demo: Install Splunk Enterprise on Windows
12:20 Demo: Install Splunk Enterprise on Linux
15:15 Splunk for ISE
18:30 ISE Configuration: Send Syslogs to Splunk
20:00 Demo: Splunk for Cisco Identity Services (ISE)
20:15 - Remote Logging Target
23:00 - Logging Categories
24:16 - Collection Filters
25:10 - Install Splunk
26:50 - Authentication Events: 802.1X + Posture on Linux and Windows
28:57 - Splunk
32:40 Syslog Data Collection: https://docs.splunk.com/Documentation/SVA/current/Architectures/Syslog
33:18 Demo: Searching Splunk for Passed vs Failed Authentications
39:05 - Find endpoints by TLS versions
42:03 - BYOD RegisteredEndpoints
42:54 - MDM Endpoints
43:49 - Endpoints per SSID
44:38 Splunk for Cisco Enterprise Networking App
46:30 Demo: Enterprise Networking App
51:05 Splunk DB Connect App with ISE Data Connect
52:44 Demo: Splunk DB Connect + ISE Data Connect
59:53 Splunk SOAR (Security Orchestration, Automation, and Response)
1:04:29 Demo: Splunk SOAR
1:20:39 Resources
- Splunk with ISE: https://cs.co/ise-berg#splunk
- Splunk for Cisco Identity Services (ISE) : https://splunkbase.splunk.com/app/1589
- Splunk Add-on for Cisco Identity Services : https://splunkbase.splunk.com/app/1915
- Splunk DB Connect: https://splunkbase.splunk.com/app/2686
- Splunk DBX Add-on for Oracle DB JDBC: https://splunkbase.splunk.com/app/6151
- Identity Services Engine and Splunk Apps Configuration Guide
- ISE Syslogs: https://cs.co/ise-berg#syslog
- Syslog Data Collection: https://docs.splunk.com/Documentation/SVA/current/Architectures/Syslog
Splunk Queries (from the demos above; note that in SPL, OR binds tighter than the implicit AND between terms, so the parentheses below only make the grouping explicit):
- Passed vs failed authentications:
```
(source="udp:514" OR source="udp:515") eventtype="cisco-ise-authentication*" (MESSAGE_CLASS="Failed-Attempt" OR MESSAGE_CLASS="Passed-Authentication") | stats count by MESSAGE_CLASS
```
- Endpoints by TLS version (first over time, then per endpoint with the negotiated cipher):
```
source="udp:515*" eventtype="cisco-ise" TLSVersion=* | timechart count by TLSVersion
source="udp:515" eventtype="cisco-ise" TLSVersion=* Calling_Station_ID="*" TLSCipher="*" | stats count by Calling_Station_ID TLSVersion TLSCipher
```
- BYOD registered endpoints:
```
IdentityGroup="Endpoint Identity Groups:RegisteredDevices" EndPointMACAddress="*" | fields EndPointMACAddress | stats count by EndPointMACAddress
```
- MDM endpoints by compliance status (MDMCompliantStatus is matched as a field, not as a bare search term):
```
source="udp:515" MESSAGE_CLASS="MDM" MDMCompliantStatus="*" EndPointMACAddress="*" | stats values(*) as * by EndPointMACAddress | stats count by MDMCompliantStatus
```
- Endpoints per SSID (using NAS_Identifier):
```
eventtype="cisco-ise-authentication" NAS_Port_Type="wireless - IEEE 802.11" NAS_Identifier="*" | stats values(*) as * by NAS_Identifier | fields NAS_Identifier Calling_Station_ID
```