1.46 - Configuring pxGrid on Splunk for Rapid Threat Containment with ISE

In this video, we’re going to configure pxGrid on Splunk. Once that’s completed, you’ll be able to quarantine endpoints from Splunk using ISE. This requires a bit more setup that your usual pxGrid configuration so I’ll include the commands I used in this post so one may copy and paste for the Linux portion of this. Whether or not you’re using CA-signed certs for pxGrid or self-signed in your ISE environment, this configuration should work for both.

BIG shoutout to my co-worker John Eppich who helped me out with the workflow part of this video. He’s the one who writes all the official pxGrid guides and is an awesome guy.

Concatenating the ISE certificates:

cat CertificateServicesEndpointSubCA-ise_.cer CertificateServicesRootCA-ise_.cer CertificateServicesNodeCA-ise_.cer securitydemo-AD1-CA_.cer > CA1.cer


Creating the mac.p12 file:

openssl pkcs12 -export -out mac.p12 -inkey splunk_10.1.100.20.key -in splunk_10.1.100.20.cer -chain -CAfile CA1.cer


Changing the keystore type:

keytool -importkeystore -srckeystore mac.jks -destkeystore mac.jks -deststoretype pkcs12


Creating the “mac” Java keystore:

keytool -importkeystore -srckeystore mac.p12 -destkeystore mac.jks -srcstoretype PKCS12


Changing the combined cert format:

openssl x509 -outform der -in CA1.cer -out CA1.der


Creating the new caroot1.jks keystore and importing the new combined cert into it:

keytool -import -alias CAroot -keystore caroot1.jks -file CA1.der


Importing the pxGrid client certificate into the mac.jks keystore:

keytool -import -alias splunk -keystore mac.jks -file splunk_10.1.100.20.cer


Importing the new combined cert into the mac.jks keystore:

keytool -import -alias CAroot -keystore mac.jks -file CA1.cer


Importing the ISE Certificate Services Root CA cert into the caroot1.jks keystore:

keytool -import -alias cert1 -keystore caroot1.jks -file CertificateServicesRootCA-ise_.cer


Importing the Active Directory root cert into the caroot1.jks keystore:

keytool -import -alias cert2 -keystore caroot1.jks -file securitydemo-AD1-CA_.cer


Moving both files to the appropriate Splunk ISE app directory:

mv ./mac.jks /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks

mv ./caroot1.jks /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks


Testing keystores with pxGrid using a buildin script:

java -jar /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib/pxGrid_Search.jar 10.1.100.21 splunktest /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks ISEisC00L /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks ISEisC00L 192.168.1.10 quarantine_ip

The format for the above is:

java -jar /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib/pxGrid_Search.jar ise-ip-address pick-a-test-name /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks keystore-password /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks keystore-password pick-any-ip-address quarantine_ip