Hello Community friends!
Just was wondering if anyone had ever used the following Cisco ISE action in a workflow before?
Query Endpoint
This action is used to query an endpoint for more information.
Input
Name | Type | Default | Required | Description | Enum |
---|---|---|---|---|---|
hostname | string | None | True | The host name | None |
Output
Name | Type | Required | Description |
---|---|---|---|
ers_endpoint | ERSEndPoint | False | Returns a JSON containing information on the host |
Example output:
```json
{
  "ers_endpoint": {
    "id": "82e2b6d0-546b-11e8-bc94-12d1173c5b91",
    "name": "00:0E:35:D4:D8:52",
    "description": "",
    "mac": "00:0E:35:D4:D8:52",
    "profileId": "2ac6a950-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment": false,
    "groupId": "aa10ae00-8bff-11e6-996c-525400b48521",
    "staticGroupAssignment": false,
    "portalUser": "",
    "identityStore": "",
    "identityStoreId": "",
    "link": {
      "rel": "self",
      "href": "https://10.4.22.225:9060/ers/config/endpoint/name/00:0E:35:D4:D8:52",
      "type": "application/xml"
    }
  }
}
```
We have been working on a rogue asset procedure and set up a custom alert when a device fails to authenticate to the network. We are then trying to use the SOAR platform to query ISE for more information about the device, i.e., any details ISE can provide beyond the MAC address, and place them on the IDR investigation.
When I run our workflow in our environment, it successfully returns a URL for the MAC, but no other data. Should we then have to step to another plugin to read and parse the data? When I try to access the link in a web browser ISE, I just get a generic 400 error.
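As an added example (not part of the original post or of the plugin's own code), the sketch below takes the documented `ers_endpoint` structure and splits it into directly usable facts, opaque reference IDs such as `profileId` and `groupId` that are identifiers rather than names, and fields ISE left empty. The function name `summarize_endpoint` and the result layout are assumptions; the sample is the example output quoted in the post, and a missing `ers_endpoint` (the output is not required) is treated as "no record".

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the example output quoted in the post above.
SAMPLE = {"ers_endpoint": {
    "id": "82e2b6d0-546b-11e8-bc94-12d1173c5b91",
    "name": "00:0E:35:D4:D8:52", "description": "",
    "mac": "00:0E:35:D4:D8:52",
    "profileId": "2ac6a950-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment": False,
    "groupId": "aa10ae00-8bff-11e6-996c-525400b48521",
    "staticGroupAssignment": False,
    "portalUser": "", "identityStore": "", "identityStoreId": "",
    "link": {"rel": "self", "type": "application/xml",
             "href": "https://10.4.22.225:9060/ers/config/endpoint/name/00:0E:35:D4:D8:52"},
}}

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)

def summarize_endpoint(action_output):
    """Hypothetical helper: sort a Query Endpoint result into facts, references and gaps."""
    ep = action_output.get("ers_endpoint")
    if not ep:  # output is optional, so an unknown device may produce no record
        return {"found": False, "facts": {}, "references": {}, "empty": [], "api": None}
    facts, refs, empty = {}, {}, []
    for key, value in ep.items():
        if key == "link":
            continue
        if value == "" or value is None:
            empty.append(key)          # ISE holds nothing for this attribute
        elif key != "id" and isinstance(value, str) and UUID_RE.match(value):
            refs[key] = value          # an ID pointing at another object, not a name
        else:
            facts[key] = value
    mac = facts.get("mac", "")
    if MAC_RE.match(mac):
        facts["oui"] = mac.upper()[:8]  # vendor prefix of the MAC address
    api = None
    href = (ep.get("link") or {}).get("href")
    if href:                            # the link is an API resource on the ISE node
        parts = urlsplit(href)
        api = {"host": parts.hostname, "port": parts.port, "path": parts.path}
    return {"found": True, "facts": facts, "references": refs,
            "empty": sorted(empty), "api": api}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_endpoint(SAMPLE), indent=2))
```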