Cisco pxGrid Integration

Rapid Response Capabilities using Cisco pxGrid

Cisco pxGrid

With Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.

Please Note:

The integration is for pxGrid 2.0 and compatible with Cisco ISE 2.4 and above.
The below configuration works without certs for now. Support for Certs will be added soon.

Blusapphire integration with Cisco pxGrid

1. Provide contextual information in BluSapphire UI, using session information provided by Cisco ISE.

2. Provide quarantine action on an end-point using the ANC policy.

Configuration

Registration using username and password.

1. Open Blusapphire UI, From Settings →Integrations open Cisco pxGrid registration page.

2. Enter the client hostname in Client Node, Enter pxGrid Nodes in the pxGrid Nodes text area and click on submit button to save the Client Name and pxGrid Nodes.

3. HA failover can be done by entering two pxGrid Nodes. BluSapphire connects with both the nodes simultaneously. Initially, the first node/primary node is considered the active node. If the primary node goes offline, the secondary node is marked as the active node. If the primary node comes back online then it will be automatically marked as the active node. Data will be processed from the current active node only to avoid deduplication.

4. Click on Register button to Initiate client registration using username/password in Cisco ISE.

5. Click on the Registration status button to view the status of registration.

6. If the registration status is shown as Pending, seek approval from Cisco ISE Administrator. If the registration status is shown as Enabled then the registration process has completed successfully.

7. For approving client on Cisco ISE, Login as Administrator and Open the Cisco ISE --> pxGrid page to approve the pending registration.

8. Look for the client registration detail in Cisco ISE -> pxGrid with the status show as pending.

9. Now, select the client and click on approve.

10. Once approved, go to Cisco ISE -> pxGrid -> Web Clients and verify the client status is shown ON.

11. Go back to Blusapphire UI and check the Registration Status. The status would show Enabled if registration was successful.

Create ANC Policy

To create ANC Policy, Login to Cisco ISE as an administrative user and do the following activities

a. Open Operations -> Adaptive Network Control -> Policy List.

b. Click on Add, to create a new Policy with required actions.

c. After click on Add, it will display the following form.

d. enter a Unique policy Name and Select an QUARANTINE action from given list.

e. After Selecting the action, click on submit to save changes.

f. If the submit is successful, the new Policy is shown in the Policy List.

Scenarios

Contextual Information

BluSapphire takes contextual information feed from Cisco ISE and uses that to show any device/host’s contextual information. You can see them as shown below:

1. Open BluSapphire WebUI and go to Network Behavior -> Intrusions page

2. Get view the intrusion in detail, double click on the intrusion

3. This will open the intrusion alert details as shown below.

4. Now Click on Triage (Tr) link at the top right corner beside the previous and next entries.

5. The triage page opens in a new tab, as shown below. Double click on the right panel entry, to fetch the host details from session details captured from Cisco pxGrid.

6. Host details are shown in the below panels

Quarantine / Response Action

1. Open BluSapphire WebUI and go to Network Behavior -> Intrusions page

2. Get view the intrusion in detail, double click on the intrusion

3. This will open the intrusion alert details as shown below.

4. Now Click on Triage (Tr) link at the top right corner beside the previous and next entries.

5. The triage page opens in a new tab, as shown below. Double click on the right panel entry, to fetch the host details from session details captured from Cisco pxGrid.

6. Host information is shown as in below panel.

7. To Quarantine the selected host, click on the red lock at top right on Host Information.

8. Now, to verify – you may go to Cisco ISE -> Operations -> Adaptive Network Control -> Endpoint Assignments. You can find the MAC address of the Quarantined system.

Troubleshooting

1. Contextual Information/ Host Information does not display anything.

Solution:

Please check if you completed all the Registration Steps shown in the Registration section above.

Check that the Registration Status shows "Enabled".

If the registration status shows "Pending" or "Disabled". Login to Cisco ISE console go to Cisco ISE -> pxGrid -> Web Clients and verify the client status is shown ON.

2. Quarantine does not work.

Solution: Please follow the troubleshooting steps described above. Additionally check if an ANC policy has been defined as described in "Create ANC Policy" section above.

PreviousIntegration NextMITRE ATT&CK

Last updated 2 years ago