Workflow actions in the Splunk Add-on for Cisco ISE
The Splunk Add-on for Cisco ISE includes a set of workflow actions that allow you to proactively act on received network security syslog events and quarantine/unquarantine an endpoint from the Splunk platform.
To use the workflow actions, you must either be a Splunk administrator or a user with the appropriate capability:
- list_storage_passwords if you are using Splunk platform 6.5.0 or later
- admin_all_objects if you are using an earlier version of the Splunk platform
Field or event | Workflow action |
---|---|
EPS_Quarantine_By_Framed_IP_Address | EPS quarantine by framed IP address |
EPS_QuarantineByIPAddress | EPS quarantine by IP address |
EPS_QuarantineByMAC | EPS quarantine by MAC address |
EPS_UnquarantineByIPAddress | EPS unquarantine by IP address |
EPS_UnquarantineByMAC | EPS unquarantine by MAC address |
pxGrid_QuarantineByIP | pxGrid ANC quarantine by IP address |
pxGrid_UnQuarantineByIP | pxGrid ANC unquarantine by IP address |
pxGrid_QuarantineByMAC | pxGrid ANC quarantine by MAC address |
pxGrid_UnQuarantineByMAC | pxGrid ANC unquarantine by MAC address |
This documentation applies to the following versions of Splunk® Supported Add-ons: released