On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Quarantine Endpoint

Workflow #0027

Response Workflow

This workflow quarantines an endpoint in Cisco Identity Services Engine (ISE) by applying an Adaptive Network Control (ANC) policy. Supported observables: mac_address, ip

Note: When applying an ANC policy using an IP address as the observable, the endpoint must have an active session with an IP address associated with it. Depending on your network configuration, this may not always be the case.


Change Log

Date Notes
May 26, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Sep 1, 2022 - Updated to support IP addresses in addition to MAC addresses

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • ISE - ERS - ANC Policy - Apply to Endpoint
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Identity Services Engine (ISE)

Workflow Steps

  1. Make sure the observable type provided is supported
  2. Apply the ANC policy to the endpoint depending on which type of observable was provided


  • Set the ANC Policy Name local variable to the name of the ANC policy to apply
  • If you want to change the name of this workflow in the pivot menu, change its display name


Note: If your Cisco ISE deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use ISE with orchestration.

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Cisco ISE ERS HTTP Endpoint Protocol: HTTPS
Host: ISE Primary Admin Node
Port: 9060
Path: None

Account Keys

Account Key Name Type Details Notes
ISE_ERS_Credentials HTTP Basic Authentication Username: ISE Username
Password: ISE Password
Must have ERS Admin permission