Quarantine Endpoint
Workflow #0027
Response Workflow
This workflow quarantines an endpoint in Cisco Identity Services Engine (ISE) by applying an Adaptive Network Control (ANC) policy. Supported observables: mac_address, ip
Note: When applying an ANC policy using an IP address as the observable, the endpoint must have an active session with an IP address associated with it. Depending on your network configuration, this may not always be the case.
Change Log
| Date | Notes |
|---|---|
| May 26, 2021 | - Initial release |
| Sep 10, 2021 | - Updated to use the new system atomics |
| Sep 1, 2022 | - Updated to support IP addresses in addition to MAC addresses |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- ISE - ERS - ANC Policy - Apply to Endpoint
- The following atomic actions must be imported before you can import this workflow:
- None
- The targets and account keys listed at the bottom of the page
- Cisco Identity Services Engine (ISE)
Workflow Steps
- Make sure the observable type provided is supported
- Apply the ANC policy to the endpoint depending on which type of observable was provided
Configuration
- Set the
ANC Policy Namelocal variable to the name of the ANC policy to apply - If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Note: If your Cisco ISE deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use ISE with orchestration.
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Cisco ISE ERS | HTTP Endpoint | Protocol: HTTPSHost: ISE Primary Admin NodePort: 9060Path: None | ISE_ERS_Credentials |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| ISE_ERS_Credentials | HTTP Basic Authentication | Username: ISE Username Password: ISE Password | Must have ERS Admin permission |