1.46 - Configuring pxGrid on Splunk for Rapid Threat Containment with ISE

In this video, we're going to configure pxGrid on Splunk. Once that's completed, you'll be able to quarantine endpoints from Splunk using ISE. This requires a bit more setup than your usual pxGrid configuration, so I'll include the commands I used in this post so you can copy and paste the Linux portion. Whether you're using CA-signed or self-signed certs for pxGrid in your ISE environment, this configuration should work for both.

BIG shoutout to my co-worker John Eppich who helped me out with the workflow part of this video. He’s the one who writes all the official pxGrid guides and is an awesome guy.

Concatenating the ISE certificates:

cat CertificateServicesEndpointSubCA-ise_.cer CertificateServicesRootCA-ise_.cer CertificateServicesNodeCA-ise_.cer securitydemo-AD1-CA_.cer > CA1.cer

Creating the mac.p12 file:

openssl pkcs12 -export -out mac.p12 -inkey splunk_10.1.100.20.key -in splunk_10.1.100.20.cer -chain -CAfile CA1.cer

Changing the keystore type:

keytool -importkeystore -srckeystore mac.jks -destkeystore mac.jks -deststoretype pkcs12

Creating the “mac” Java keystore:

keytool -importkeystore -srckeystore mac.p12 -destkeystore mac.jks -srcstoretype PKCS12

Changing the combined cert format:

openssl x509 -outform der -in CA1.cer -out CA1.der

Creating the new caroot1.jks keystore and importing the new combined cert into it:

keytool -import -alias CAroot -keystore caroot1.jks -file CA1.der

Importing the pxGrid client certificate into the mac.jks keystore:

keytool -import -alias splunk -keystore mac.jks -file splunk_10.1.100.20.cer

Importing the new combined cert into the mac.jks keystore:

keytool -import -alias CAroot -keystore mac.jks -file CA1.cer

Importing the ISE Certificate Services Root CA cert into the caroot1.jks keystore:

keytool -import -alias cert1 -keystore caroot1.jks -file CertificateServicesRootCA-ise_.cer

Importing the Active Directory root cert into the caroot1.jks keystore:

keytool -import -alias cert2 -keystore caroot1.jks -file securitydemo-AD1-CA_.cer

Moving both files to the appropriate Splunk ISE app directory:

mv ./mac.jks /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks

mv ./caroot1.jks /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks

Testing the keystores against pxGrid with the built-in script:

java -jar /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib/pxGrid_Search.jar splunktest /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks ISEisC00L /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks ISEisC00L quarantine_ip

The format for the above is:

java -jar /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib/pxGrid_Search.jar ise-ip-address pick-a-test-name /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks keystore-password /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks keystore-password pick-any-ip-address quarantine_ip
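The keystore steps above, collected into one script so they run in order and fail early. This is an added example, not the post's or the Splunk app's own code: it assumes the file names used in the post, takes the keystore password from a KS_PASS environment variable (an assumption, so the password is not typed on the command line or left in shell history), and adds an openssl chain check and a keytool listing that the original commands do not include.

```shell
#!/bin/sh
# Added example, not from the original post: runs the keystore steps above
# in one pass, checking inputs and the client certificate chain first.
# Assumed: file names as in the post; password comes from KS_PASS (hypothetical
# variable) so it is never typed on the command line or left in shell history.
set -eu

CLIENT_KEY=splunk_10.1.100.20.key
CLIENT_CER=splunk_10.1.100.20.cer
ISE_ROOT=CertificateServicesRootCA-ise_.cer
AD_ROOT=securitydemo-AD1-CA_.cer
CHAIN_FILES="CertificateServicesEndpointSubCA-ise_.cer $ISE_ROOT CertificateServicesNodeCA-ise_.cer $AD_ROOT"
CERT_DIR=/opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs

# Report every missing input and return non-zero if any is absent.
check_inputs() {
  missing=0
  for f in "$CLIENT_KEY" "$CLIENT_CER" $CHAIN_FILES; do
    [ -f "$f" ] || { echo "missing: $f" >&2; missing=1; }
  done
  return $missing
}

build_keystores() {
  cat $CHAIN_FILES > CA1.cer
  # Stop early if the client cert does not chain to the combined bundle.
  openssl verify -CAfile CA1.cer "$CLIENT_CER"
  openssl pkcs12 -export -out mac.p12 -inkey "$CLIENT_KEY" -in "$CLIENT_CER" \
    -chain -CAfile CA1.cer -passout env:KS_PASS
  # Identity keystore, written as PKCS12 (the post's keystore-type change).
  keytool -importkeystore -srckeystore mac.p12 -srcstoretype PKCS12 \
    -srcstorepass "$KS_PASS" -destkeystore mac.jks -deststoretype PKCS12 \
    -deststorepass "$KS_PASS" -noprompt
  keytool -importcert -alias CAroot -file CA1.cer -keystore mac.jks \
    -storepass "$KS_PASS" -noprompt
  # Trust store holding the ISE root and the AD root.
  keytool -importcert -alias cert1 -file "$ISE_ROOT" -keystore caroot1.jks \
    -storepass "$KS_PASS" -noprompt
  keytool -importcert -alias cert2 -file "$AD_ROOT" -keystore caroot1.jks \
    -storepass "$KS_PASS" -noprompt
  # Confirm the expected aliases are present before moving the files.
  keytool -list -keystore mac.jks -storepass "$KS_PASS"
  keytool -list -keystore caroot1.jks -storepass "$KS_PASS"
  mv mac.jks caroot1.jks "$CERT_DIR"/
}

# Run with: KS_PASS='...' sh build_pxgrid_keystores.sh build
if [ "${1:-}" = "build" ]; then check_inputs && build_keystores; fi
```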