End-to-End Protection and Threat Mitigation for Cisco Network Environments via Splunk, ISE, and pxGrid

In our previous post, and the subsequent Cisco article, we delved into how Cisco Identity Services Engine can be used to enrich operational analytics with Splunk with personal data. Let’s look at a real-world example plus explore the latest Splunk and security integration.

At Cisco Live Cisco product manager Kevin Guidinger delivered a great session detailing how Cisco Cloud and Managed Services (CMS) uses Splunk to manage more than 2.5 BILLION security events per day across Cisco security and third-party security products. That is nearly 30,000 events per second, and no trivial matter.

Kevin highlighted a financial services organization his team works with that requires deep visibility into their BYOD deployment. It’s critical that the team can easily identify and investigate rogue network access, even coming from company issued devices, and then quickly re-mediate or handle any device on their network that doesn’t adhere to an established policy.

The combination of Splunk and ISE enables a holistic environment view via at-a-glance ³ISE MAC Authentication Bypass Dashboard² that flags rouge devices, shows owners, physical address, etc. The team has the ability to rapidly drill down to raw logs for supporting evidence/incident analysis.  Once a device has been identified as rouge, the SOC admin can click a single button from the Splunk dashboard to launch a workflow action and have ISE take the devices off the network.

Cool, eh? This is the power of Splunk + ISE for Cisco network environments.


In today’s BYOD environments, network and security administrators need as much visibility into their environment as possible. It simply isn’t good enough to look at single events, or a single point solution, the modern enterprise requires visibility in all layers, and above and beyond that, the ability to correlate disparate data sources and then take action immediately.

Recognizing this, Splunk and Cisco have collaborated to build the powerful addition of enhanced workflow and remediation into the Splunk for Identity Services app.

Splunk Cisco Identity Services quarantine

Out of the box, the integration allows for Splunk to communicate with ISE -or – Cisco pxGrid, from any Splunk dashboard. The quarantine workflow allows for bi-directional communication between Splunk and ISE.  In a single click, security operators can quarantine a device by MAC address, instantly understand who the owner is, where they are physically located, and capture all of the information one would need to mitigate a threat.

In short, Splunk and ISE enables complete workflow detection, analysis, corrective action, and ongoing monitoring all from a single interface across your entire dataset.  To see what this looks like from an operators point of view, take a look at the following example of what our current users are doing.


To learn more about this app and how it works, please visit the download page on and be sure to read the thorough documentation.

Dennis Bourg

Posted by