Making machine data personal with Splunk and Cisco ISE

Welcome to 2015, year of the hover-board (if you don’t get that reference, you should watch more movies). In the first of a multi-series posts, lets start by taking a look at the goodness Splunk and our partner Cisco have been cooking up to help you understand who is doing what in your environment. We will be covering a series of topics, so be sure to stay tuned.

As a Splunk customer, Cisco uses Splunk Enterprise Security extensively across Cisco IT, Engineering, Advanced Services and Security teams. For example, Cisco’s Computer Security Investigation Response Team (CSIRT) uses Splunk as their de facto standard across all global Cisco datacenters for enterprise-wide security monitoring and incident response.  Splunk and Cisco have also collaborated to deliver out-of-the-box centralized visibility across a range of Cisco-centric environments via more than a dozen free apps and technology add-ons for a host of Cisco products and platforms including Cisco ASA firewalls, web and email security devices, and Sourcefire Advanced Malware Protection.

One area where Cisco and Splunk have focused heavily in the past year involves Cisco Identity Services Engine.  Pronounced like ‘Ice’, it’s cool.

Link: App and technology add-on.


While it isn’t a hover-board, we’ve worked in tandem with Cisco and it’s partners to bring personal (personnel?) information to your machine data, along with some exciting enhancements that we’ll be addressing in future posts. Identity Services Engine is a security policy management platform, which automates and enforces secure access to network resources. While there are obvious implications as to why you would need a solution for this, the policy and user information is a natural complement to machine generated data that is already being consumed by Splunk. Searches across data from various sources can be correlated with ISE data. Wouldn’t it be fantastic if you could put a real name to an IP address? Bob in accounting… you know who you are and what you’ve done.

Out of the box, the Splunk for Cisco ISE app comes with a number of pre-built dashboards, such as BYOD policy reports, profiling of a device, and much more that any Splunk administrator or ISE admin would find useful. Outside of the dashboards, the data indexed from ISE is perfect for augmenting pre-existing and future searches. Lets explore this further with an example of how to add user data to a common search:

Below we see a typical example of network traffic, nothing very note worthy or remarkable jumps out at us;


The search above is simply;

Now lets see what happens when we correlate our network information with data coming from ISE:


(search = (sourcetype=Network:Generic OR eventtype=cisco-ise) MacAddress=24-77-03-C5-C7-90 | stats latest(SystemName) latest(SystemUser) latest(PostureStatus) latest(OperatingSystem) latest(AntiVirusInstalled) latest(AntiSpywareInstalled) by MacAddress )

In this case we chose to focus on a MacAddress, but we could have done this with any identifying information such as an IP. Suddenly 24-77-03-C5-C7-90 becomes ‘sdakers’. By correlating machine data with user information, suddenly we start to see personal interaction across the network, not just numbers floating through the events. If I wished, we could also pull out any other information contained within ISE, such as the user’s email address, location, phone number, etc.

Pretty cool, but this is just the start of what you can do with Splunk and ISE.  Learn more about “Using Cisco ISE Data to Enhanced Event Visibility in Splunk” over at  Stay tuned, in the next part of this series, we’ll preview new integration with Cisco pxGrid and how this enables instant remediation in Cisco environments.

Dennis Bourg

Posted by