Cisco Identity Services Engine
LAST UPDATED: APRIL 28, 2025
Overview
The Cisco Identity Services Engine (ISE) is a one-stop solution to streamline security policy management and allows the organization to see users and devices controlling access across wired, wireless, and VPN connections to the corporate network.
D3 SOAR is providing REST operations to function with Cisco Identity Services Engine.
Cisco Identity Services Engine is available for use in:
D3 SOAR | V12.7.0+ |
Category | Identity & Access Management |
Deployment Options |
Connection
To connect to Cisco Identity Services Engine from D3 SOAR, follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The URL of the Cisco Identity Services Engine server. The default port is 9060. Adjust the port as necessary based on the environment. | https://***.***.***.***:9060 |
User Name | The username for authenticating with the Cisco Identity Services Engine server. | admin |
Password | The password for authenticating with the Cisco Identity Services Engine server. | ***** |
Configuring Cisco Identity Services Engine to Work with D3 SOAR
Enabling ERS (port 9060)
ERS operates on HTTPS port 9060, which is closed by default. Clients attempting to access this port without first enabling ERS will encounter a server timeout. Follow the steps below to enable ERS using the Cisco Identity Services Engine UI.
Log into the Cisco Identity Services Engine UI.
Hover over the Administration option in the navigation menu, then select the Settings link in the System category.
Navigate to the ERS Settings tab, select the Enable ERS for Read/Write radio option, then click the Save button to apply the changes.
Creating ERS Admin
To use the integration, create a Cisco ISE administrator assigned to the ERS-Admin group.
Hover over the Administration option in the navigation menu, then select the Admin Access link in the System category.
Expand the Administrators accordion, open the Admin Users tab.
Click the + Add button, then choose the Create an Admin User option.
Create an administrator account.
Enter the name.
This is the login username. Refer to step 2 in Configuring D3 SOAR to Work with Cisco Identity Services Engine.Enter and confirm the password.
This is the login password. Refer to step 3 in Configuring D3 SOAR to Work with Cisco Identity Services Engine.Select the ERS admin option in the Admin Groups section.
Click the Submit button to create the user.
Configuring D3 SOAR to Work with Cisco Identity Services Engine
Log in to D3 SOAR.
Find the Cisco Identity Services Engine integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Cisco Identity Services Engine in the search box to find the integration, then click it to select it.
Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Cisco Identity Services Engine.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add a description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, users have the option to choose the specific tenant sites to share the connection with. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the checkbox to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Server URL. Ensure to append the port number to the URL (e.g., https: https://192.168.45.123:9060).
2. Input the User Name. Refer to step 4a in Creating ERS Admin.
3. Input the Password. Refer to step 4b in Creating ERS Admin.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Cisco Identity Services Engine includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Cisco Identity Services Engine API, refer to the Cisco Identity Services Engine API reference.
Assign Endpoints to Blacklist
Adds endpoints to the blacklist using their MAC addresses.
Input
Input Parameter | Required/Optional | Description | Example |
Endpoint Mac Addresses | Required | The MAC addresses of the endpoints to add to the blacklist. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Assign Endpoint to Blacklist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Identity Services Engine portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Mac Address **:*:*:*:*:** does not exist. |
Error Sample Data Assign Endpoint to Blacklist failed. Status Code: 404. Message: Mac Address **:*:*:*:*:** does not exist. |
Create User
Creates a new internal user. The user can be viewed and modified by navigating to Administration > Identities under Identity Management in the Cisco Identity Services Engine user interface.
READER NOTE
If user creation is successful, the user can be viewed and modified (if necessary) by navigating to Administration > Identities under Identity Management in the Cisco Identity Services Engine user interface.
Input
Input Parameter | Required/Optional | Description | Example |
User Name | Required | The username for the new internal user. | jdoe |
Password | Required | The password for the new internal user in plain text. | ***** |
Optional | The email address of the new internal user. | jdoe@gmail.com | |
Enable Password | Optional | The enable password for the new internal user in plain text. | ***** |
First Name | Optional | The first name of the new internal user. | Jane |
Last Name | Optional | The last name of the new internal user. | Doe |
Description | Optional | The description for the internal new user. | A new analyst. |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create User failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Identity Services Engine portal. Refer to the HTTP Status Code Registry for details. | Status Code: 409. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Validation Error. A User with that name already exists. |
Error Sample Data Create User failed. Status Code: 409. Message: Validation Error. A User with that name already exists. |
Delete User
Deletes internal users using their usernames.
READER NOTE
User Name is a required parameter to run this command.
Run the List All Users command to obtain the User Name. User Names can be found in the raw data at the path $.SearchResult.resources[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
User Name | Required | The usernames of the internal users to be deleted. User Name can be obtained using the List All Users command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete User failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Identity Services Engine portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: User Name ***** does not exist. |
Error Sample Data Delete User failed. Status Code: 404. Message: User Name ***** does not exist. |
Disable User
Disables an internal user using their username.
READER NOTE
User Name is a required parameter to run this command.
Run the List All Users command to obtain the User Name. User Names can be found in the raw data at the path $.SearchResult.resources[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
User Name | Required | The username of the internal user to be disabled. User Name can be obtained using the List All Users command. | D3user2 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Disable User failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Identity Services Engine portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: User Name ***** does not exist. |
Error Sample Data Disable User failed. Status Code: 404. Message: User Name ***** does not exist. |
Enable User
Enables an internal user who has been disabled using their username.
READER NOTE
User Name is a required parameter to run this command.
Run the List All Users command to obtain the User Name. User Names can be found in the raw data at the path $.SearchResult.resources[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
User Name | Required | The username of the internal user to be enabled. User Name can be obtained using the List All Users command. | jdoe |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Enable User failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Identity Services Engine portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: User Name ***** does not exist. |
Error Sample Data Enable User failed. Status Code: 404. Message: User Name ***** does not exist. |
List All Users
Lists all internal users.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List All Users failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Identity Services Engine portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unauthorized. |
Error Sample Data List All Users failed. Status Code: 401. Message: Unauthorized. |
Test Connection
Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Output Type | Description | Return Data Type |
Return Data | Indicates one of the possible command execution states: Successful or Failed. The Failed state can be triggered by any of the following errors:
More details about an error can be viewed in the Error tab. | String |
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Identity Services Engine portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unauthorized. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 401. Message: Unauthorized. |