Before we get started, let's define both Splunk and Cisco ISE.
Splunk lets you gather log data from systems and devices and run queries on that data to find issues and debug problems. Its capabilities also include reporting and alerting, which pushes it ever so slightly into the world of SIEM (Security Information and Event Management).
Cisco ISE (Identity Services Engine) is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless and VPN connectivity.
As we get introduced to new customer environments, we are starting to see a common issue among most of them: diverse networks with limited security event visibility and little integration of accurate contextual data such as user identity, user privilege level, endpoint device type and endpoint security level.
Integrating Cisco ISE data with Splunk's analysis gives IT operations the context they need to quickly assess the significance of network and security events. They can answer critical questions, for example: who is this event associated with? What level of access does that user have? All of this happens within the Splunk system. On the Cisco ISE side, Splunk analysis of ISE data lets administrators answer other key questions, for example: how many users have accessed the network over the past six months? Are there noticeable trends?
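The enrichment described above, as an added example that is not code from the original post, from Splunk, or from Cisco: each network sensor event is joined to the ISE session that owned the source IP at the time of the event (not just by IP, since DHCP addresses get reused), then re-prioritised using the user's authorization profile and endpoint posture. Field names and all sample records are constructed for illustration and do not follow any actual ISE export schema.

```python
from dataclasses import dataclass
from datetime import datetime as T
from typing import Optional

@dataclass
class IseSession:  # constructed, simplified ISE session record (assumed field names)
    username: str; ip: str; start: T; end: Optional[T]  # end=None means still active
    authz_profile: str; device_type: str; posture: str  # posture: Compliant / NonCompliant

@dataclass
class NetEvent:  # constructed security event from a network sensor
    ts: T; src_ip: str; signature: str; base_severity: int  # severity 1 (low) .. 5 (high)

def session_for(ip, at, sessions):
    """ISE session that owned `ip` at time `at`. DHCP addresses get reused,
    so match on the session's time window, never on the IP alone."""
    return next((s for s in sessions if s.ip == ip and s.start <= at
                 and (s.end is None or at < s.end)), None)

def score(ev, s):
    """Raise priority when ISE context shows a privileged user or a failed posture check."""
    if s is None:
        return ev.base_severity                             # no identity context: keep sensor severity
    bump = 2 if "admin" in s.authz_profile.lower() else 0   # privileged access level
    bump += 1 if s.posture == "NonCompliant" else 0         # endpoint failed posture assessment
    return ev.base_severity + bump

def enrich(events, sessions):
    """Join each event to its ISE session; return rows sorted highest priority first."""
    rows = []
    for ev in events:
        s = session_for(ev.src_ip, ev.ts, sessions)
        rows.append({"ts": ev.ts.isoformat(), "src_ip": ev.src_ip, "signature": ev.signature,
                     "user": s.username if s else "unknown",
                     "authz_profile": s.authz_profile if s else "unknown",
                     "device_type": s.device_type if s else "unknown",
                     "posture": s.posture if s else "unknown", "priority": score(ev, s)})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)

SESSIONS = [  # constructed sample sessions; 10.1.1.50 passes from alice to bob at 12:30
    IseSession("alice", "10.1.1.50", T(2024, 5, 1, 8, 0), T(2024, 5, 1, 12, 0), "Admin_Access", "Windows-Workstation", "Compliant"),
    IseSession("bob", "10.1.1.50", T(2024, 5, 1, 12, 30), None, "Employee", "Apple-iPad", "NonCompliant"),
    IseSession("carol", "10.1.1.77", T(2024, 5, 1, 7, 0), None, "Employee", "Windows-Workstation", "Compliant"),
]
EVENTS = [  # constructed sample sensor events; 10.1.1.99 has no ISE session (unmanaged host)
    NetEvent(T(2024, 5, 1, 9, 15), "10.1.1.50", "SMB lateral movement attempt", 3),
    NetEvent(T(2024, 5, 1, 13, 0), "10.1.1.50", "Outbound connection to known-bad host", 3),
    NetEvent(T(2024, 5, 1, 10, 0), "10.1.1.77", "Port scan", 2),
    NetEvent(T(2024, 5, 1, 10, 0), "10.1.1.99", "Port scan", 2),
]
```

Running `enrich(EVENTS, SESSIONS)` surfaces the admin's event first and the non-compliant iPad second, while the unmanaged host keeps only its sensor severity because ISE has nothing to say about it.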
Key Use Cases:
- Prioritize important events
- Scrutinize mobile and device network activity
- Scrutinize important users
- Turn event analysis into action
- Create customizable monitoring and reporting dashboards
- Mine your historical data