Visibility is the first step towards securing an endpoint. Cisco AI Endpoint Analytics is an endpoint visibility solution
that helps you identify and profile endpoints and Internet of Things (IoT) devices. The Cisco AI Endpoint Analytics engine
enables you to assign labels to endpoints, using the telemetry information received from the network from various sources.
The profiling labels that are available in Cisco AI Endpoint Analytics are endpoint type, hardware model, manufacturer, and
operating system type. This is called multifactor classification.
Cisco AI Endpoint Analytics provides nuanced visibility and enforcement in your network with features like Trust Scores that
allow you to identify and act upon potentially risky endpoints and devices. You can also manage potential risks by applying
ANC policies through Cisco ISE, from the Cisco AI Endpoint Analytics GUI. You can monitor and work around the issue of random
and changing MAC addresses from endpoints in Cisco AI Endpoint Analytics and accurately identify endpoints through a unique
attribute called the DUID instead of MAC addresses.
Cisco AI Endpoint Analytics helps you gather endpoint telemetry from different sources. The primary source is the Network-Based
Application Recognition (NBAR) mechanism. The NBAR mechanism is embedded in Cisco Catalyst 9000 Series switches (access devices)
and performs deep packet inspection (DPI). Cisco AI Endpoint Analytics can also receive telemetry from Cisco DNA Traffic Telemetry
Appliances.
You can gather endpoint context information from various sources such as Cisco ISE, self-registration portals, and configuration
management database (CMDB) software such as ServiceNow.
Cisco AI Endpoint Analytics allows data inflow from a wide range of network devices, expanding your ability to easily identify
and profile endpoints with greater accuracy, and act upon any anomalies. You can aggregate varied endpoint information and
use the data to profile endpoints in Cisco AI Endpoint Analytics. After endpoints are profiled, AI and machine learning algorithms
can also be used to reduce the number of unknown endpoints by intuitively leveraging different methods.
Key Features of Cisco AI Endpoint Analytics
Cisco AI Endpoint Analytics dashboard
The Cisco AI Endpoint Analytics dashboard gives you a comprehensive view of the endpoints that are connected to your network.
You can view the number of known, unknown, profiled, and unprofiled endpoints, endpoints with low Trust Scores, and endpoints
that use random MAC addresses. The AI Proposals dashlet displays intelligent profiling suggestions to enhance endpoint profiling
and management.
Trust Scores to flag potentially risky endpoints
Cisco AI Endpoint Analytics assigns Trust Scores to endpoints to allow you to easily monitor and act on potentially risky
endpoints in your network. Behavioral anomalies are monitored and tracked, and a Trust Score is assigned based on the number
and frequency of the anomalies tracked. See Trust Scores for Endpoints.
Detect endpoints that use random MAC addresses
Cisco AI Endpoint Analytics enables you to handle the issue of random and changing MAC addresses by receiving from Cisco ISE
a unique endpoint identifier called the DUID (also known as GUID in Cisco ISE). Cisco AI Endpoint Analytics then uses the
DUID as the identifier for an endpoint, instead of its MAC address.
Reduce net unknowns with machine learning capabilities
Cisco AI Endpoint Analytics provides profiling suggestions based on learnings from endpoint groupings. You can use these suggestions
to reduce the number of unknown or unprofiled endpoints in your network.
Manage endpoints with system and custom profiling rules
Use Cisco-provided system rules and custom rules of your design to reliably profile and manage the endpoints connected to
your network.
Registration of endpoints through Cisco AI Endpoint Analytics
You can onboard and profile endpoints using Cisco AI Endpoint Analytics. The endpoint attribute data that is collected through
this registration process is used to profile the endpoints.
Registration of endpoints using external sources
You can connect some external sources of endpoint data, such as Configuration Management Databases (CMDB), to Cisco AI Endpoint
Analytics. This allows you to easily register, manage, and profile endpoints in your network.
Purge endpoints after a defined period of inactivity
Define an Endpoint Purge Policy to remove from your network the endpoints that have been inactive for a defined time. You
can define the period of inactivity after which an endpoint must be removed. You can also customize a purge policy to act
on a particular set of endpoints based on a profiling attribute.
Set Up Cisco AI Endpoint Analytics in Cisco DNA Center
Install Software Updates
Install software updates in Cisco DNA Center to use Cisco AI Endpoint Analytics, as described in the following procedure.
Procedure
Step 1
Log in to Cisco DNA Center.
Step 2
In the Cisco DNA Center GUI, click the Menu icon and choose System > Software Updates.
Step 3
In the Updates tab displayed, check if Cisco AI Endpoint Analytics, AI Network Analytics, and Application Visibility Service are listed in the Application Updates section. If any of these application updates are visible, click the Install All button.
Install the Cisco AI Endpoint Analytics update to access the endpoint profiling solution in your Cisco DNA Center.
Install the AI Network Analytics update to use machine learning and AI capabilities to receive intelligent profiling suggestions.
Install the Application Visibility Service update to use NBAR and Controller-Based Application Recognition (CBAR) techniques to inform endpoint profiling.
Step 4
If any of these updates are not listed in the Updates tab, click the Installed Apps tab to check if the updates are already installed and are available for use. The Installed Apps tab also confirms if the software installation has been successful.
Connect and Enable Data Sources
Note
The data sources that Cisco AI Endpoint Analytics uses may already be connected to your Cisco DNA Center. If the data sources are connected, see the following instructions to ensure that the data sources are available for use
by Cisco AI Endpoint Analytics.
You must add Cisco ISE or Catalyst 9000 Series access devices to Cisco DNA Center for Cisco AI Endpoint Analytics to provide results.
The following Cisco ISE releases support Cisco AI Endpoint Analytics:
2.4 Patch 11 and later
2.6 Patch 5 and later
2.7 Patch 1 and later
3.0 and later releases
In your Cisco ISE administration portal:
Choose Work Centers > Profiler > Settings.
In the Endpoint Analytics Settings area, check the following check boxes:
Publish Endpoint Attributes to AI Endpoint Analytics
Consume Endpoint Profiles from AI Endpoint Analytics
After Cisco ISE authenticates endpoints through 802.1X or MAB authentication methods, the endpoint attributes collected are
made available to Cisco AI Endpoint Analytics.
Connect Cisco 9000 Series access devices to Cisco DNA Center for wired endpoints visibility.
(Optional) Connect Cisco DNA Traffic Telemetry Appliances to Cisco DNA Center for wired and wireless endpoints visibility, and for third-party network device visibility.
Cisco DNA Traffic Telemetry Appliances (DN-APL-TTA-M) generate telemetry from mirrored network traffic for endpoint analytics.
This appliance enables Network-Based Application Recognition (NBAR)-based protocol inspection and endpoint attribute extraction.
To receive endpoint attributes collected through the telemetry appliance in Cisco AI Endpoint Analytics, you must integrate
Cisco ISE with Cisco DNA Center.
See Cisco DNA Traffic Telemetry Appliances for information on installing the appliances, connectivity configurations, and managing the appliances in Cisco DNA Center.
Enable CBAR on Switched Port Analyzer (SPAN)-receiving ports of access switches connected to Cisco DNA Traffic Telemetry Appliances
with the following command:
ip nbar protocol-discovery
Not all endpoints that are connected to the telemetry appliances are visible in Cisco AI Endpoint Analytics. Only endpoints
that are also connected to Network Access Devices (NADs) which are managed in Cisco DNA Assurance, are visible in Cisco AI Endpoint Analytics.
(Optional) Enable ServiceNow in Cisco DNA Center.
After connecting ServiceNow to Cisco DNA Center, click the Menu icon in Cisco DNA Center and choose Platform > Manage > Bundles.
If the Status of the bundle Endpoint Attribute Retrieval with ITSM (ServiceNow) is New, click Enable for the bundle.
(Optional) Enable Cisco AI Analytics in Cisco DNA Center.
To receive suggestions about AI-based endpoint groupings, automated custom profiling rules, and endpoint labels, and to detect
potentially spoofed devices in your network, you must enable the required settings in the Cisco AI Analytics window.
You must install the AI Network Analytics software to receive these AI-based suggestions.
From the main menu of Cisco DNA Center, choose System > Settings > External Services > Cisco AI Analytics.
Click the toggle button for each of the following services that you want to enable:
AI Endpoint Analytics: AI Network Analytics leverages machine learning to drive intelligence in the network and enables you to effectively improve
network performance and accelerate issue resolution. AI Network Analytics significantly reduces noise and false positives
by analyzing network behavior and adapting to your network environment.
Endpoint Smart Grouping: Using AI and Machine Learning, Endpoint Smart Grouping reduces the number of unknown endpoints in your network by providing
AI-based endpoint groupings, automated custom profiling rules, and crowdsourced endpoint labels.
AI Spoofing Detection: AI Spoofing Detection identifies spoofed endpoints based on behavioral models. Models are currently being built using collected
flow information from devices. You can also enable data collection by Cisco by enabling the Send data to help Cisco improve the model toggle button, to help Cisco further enhance behavioral models.
Endpoint Telemetry Sources
Cisco AI Endpoint Analytics receives telemetry data in the following ways.
Deep Packet Inspection
Deep packet inspection is an advanced method of packet analysis that is carried out by Cisco Catalyst 9000 Series access devices.
These access devices run NBAR, which inspects application traffic and performs protocol analysis to discover, identify, and
profile endpoints with high fidelity.
Deep packet inspection profiling is based on various attributes that are collected from endpoint traffic to the network. These
attributes are collected across multiple protocols, from packet header layers 4 to 7.
Configuration Management Database Connection
Cisco AI Endpoint Analytics receives endpoint data from your Configuration Management Database (CMDB) connection for greater
accuracy in endpoint profiling. The connection with ServiceNow enables you to receive information from the CMDB to Cisco AI
Endpoint Analytics.
Machine Learning Capabilities
Data collected for profiling is anonymized and sent to a Cisco cloud location that serves as a device data lake. Here, machine
learning algorithms analyze the data available to create profiling rules that you can evaluate and apply, as needed. Smart
profiling rules are suggested through Cisco AI Endpoint Analytics to help make endpoint profiling and management simpler and
more efficient for you. Existing rules too are evaluated and improvement suggestions provided based on this continuous learning.
Cisco AI Endpoint Analytics Overview Window
Choose Policy > AI Endpoint Analytics from the Cisco DNA Center main menu.
The Overview window displays the following dashlets:
Total Endpoints
This dashlet displays the total number of endpoints in your network in two groups, Fully Profiled and Missing Profiles. Cisco AI Endpoint Analytics profiles endpoints based on four factors, Endpoint Type, OS Type, Hardware Model, and Hardware
Manufacturer. If one or more of these factors are missing for an endpoint, it is profiled in the Missing Profiles group.
Click Missing Profiles Labels to view the number of endpoints in your network with missing profiles, categorized by profile label type. To check the endpoints
with a specific missing profile label, click the number next to the profile label. The Endpoint Inventory tab is displayed with the corresponding list of endpoints.
AI Proposals
Cisco AI Endpoint Analytics uses smart grouping algorithms to group unknown endpoints in your network that have similar profiling
data. If you have enabled AI Endpoint Analytics, you will receive the following types of rule proposals. These rule proposals
are based on learnings from endpoint clusters:
New rules for profiling endpoints that may be similar.
Modification proposals for previously accepted rules.
Review of profiling rules that are no longer needed.
Trust Score Sources: Click the toggle buttons to enable or disable Trust Score sources. You cannot disable the Authentication Method source. If an active Cisco ISE integration is configured, the authentication method used by the endpoint will inform the
Trust Score of an endpoint. You can enable or disable sources of Trust Score data, such as AI Spoofing Detection, Change in Profile Labels, NAT Mode Detection, Concurrent MAC Address, and Posture.
A Cisco AI Endpoint Analytics attributes dictionary is introduced in Cisco ISE Release 3.1 and later releases through pxGrid.
The attribute information shared by Cisco AI Endpoint Analytics is then easily accessible to a Cisco ISE administrator to
create authorization policies in Cisco ISE. The following attribute types are shared with Cisco ISE:
Trust score
CMDB attributes
Multi-factor profiling attributes
If your Cisco DNA Center has an active integration with Cisco ISE Release 3.1 and later releases, and you want to publish
authorization attributes to Cisco ISE, carry out the following tasks.
Enable Attribute Sharing in Cisco DNA Center
In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > Cisco Accounts > ISE Integration.
In the Enable Profile Publishing to ISE area, click the toggle button to enable this feature.
Check the Asset Topic Based Integration or Enhanced Authorization Integration check boxes, or both, depending on which type of topic you want to use to publish attribute information to Cisco ISE.
Enable pxGrid Subscription in Cisco ISE
In the Cisco ISE GUI, click the Menu icon and choose Work Center > Profiler > Profiler Settings.
In the Endpoint Analytics Settings area, check the PSN Subscriber Publisher check box to enable this setting. When you enable this setting, a new topic subscription is created in each Cisco ISE PSN
node allowing the nodes to receive the attribute information shared by Cisco AI Endpoint Analytics in the connected Cisco
DNA Center deployment.
Verification
After you enable the PSN Subscriber Publisher, from the Cisco ISE main menu, choose Administration > pxGrid Services > Diagnostics > WebSocket > Clients. The newly created subscription containing “com.cisco.ea.data.ise-<Cisco ISE node>” is displayed in the Subscription column of the PSN nodes.
In the Cisco ISE Policy > Policy Sets window, you will now see a new dictionary named Endpoint-Analytics in the Conditions Studio.
In the Cisco ISE Context Visibility > Endpoints window, click the MAC Address for endpoint details, and the attributes area of the details displays attributes that contain "EA-" prefixes for the attributes
that are received from Cisco AI Endpoint Analytics.
Endpoint Purge Policies
Define an Endpoint Purge Policy to remove from your network the endpoints that have been inactive for a defined time. You
can define the period of inactivity after which an endpoint must be removed. You can also customize a purge policy to act
on a particular set of endpoints based on a profiling attribute. Purge policies are executed at 2 A.M. (server time) every
day, and the endpoints that meet the defined purge requirements are removed from your network. The list of MAC addresses of
the affected endpoints is then shared with connected SD-AVC devices as well.
Registered endpoints and static endpoints that are imported into DCS are not affected by endpoint purge policies.
The Backup and Restore operation in your Cisco DNA Center and the endpoint purge activity cannot run simultaneously. If a
Backup and Restore operation is in progress at 2 A.M., the purge activity is not initiated. If a Backup and Restore operation
starts while an endpoint purge activity is in progress, the endpoint purge stops running, and the purge activity is left incomplete.
The remaining endpoints are not acted on until the next purge is executed at 2 A.M. (server time) the next day.
To view, edit, or add endpoint purge policies, in the Cisco DNA Center GUI, click the Menu icon and choose Policy > AI Endpoint Analytics > Configurations > Endpoint Purge Policy. The following policies are available by default:
Default
Random MAC Default
You cannot edit these default policies. You can only enable or disable them.
Create A Purge Policy
Procedure
Step 1
In the Cisco DNA Center GUI, click the Menu icon and choose Policy > AI Endpoint Analytics > Configurations > Endpoint Purge Policy.
Step 2
Click Add Endpoint Purge Policy.
Step 3
In the Add Endpoint Purge Policy dialog box, click Let's Do It to start with the workflow.
Step 4
In the Define Policy Details window:
Enter a name for your policy in the Rule Name field.
From the Select Status drop-down list, choose Enabled or Disabled.
Define the time of inactivity after which an endpoint must be purged. Enter a value (in days) in the Elapsed Greater than or Equal to field. The accepted value range is from 5 to 180 days.
Step 5
Click Next.
Step 6
(Optional) In the Define Additional Policy Conditions window, choose the profiling attributes by which to filter the endpoints that are impacted by this purge policy. Check the
check box next to the attribute you want to select and choose the required values in the drop-down lists displayed for the
attribute.
Step 7
Click Next.
Step 8
The Summary window displays your Purge Policy configuration. Review the details that are displayed and click Done to create the policy.
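The following Python script is an added example, not part of the Cisco documentation or product code. It models the purge semantics described above (an endpoint is purged when its inactivity is greater than or equal to the configured number of days, the accepted range is 5 to 180 days, optional profiling-attribute conditions narrow the affected set, and registered endpoints are exempt) so that a policy can be dry-run against an inventory before it is enabled. The endpoint list, policy names, attribute names and timestamps are constructed for the example; the policy definitions do not reproduce the built-in Default or Random MAC Default policies, whose settings are not given here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Endpoint:
    mac: str
    last_seen: datetime
    registered: bool = False                          # registered/static endpoints are exempt from purge
    attributes: dict = field(default_factory=dict)    # profiling labels, e.g. {"Endpoint Type": "Printer"}


@dataclass
class PurgePolicy:
    name: str
    inactive_days: int                                # "Elapsed Greater than or Equal to" value, in days
    enabled: bool = True
    conditions: dict = field(default_factory=dict)    # profiling attribute -> set of accepted values

    def __post_init__(self):
        # The GUI accepts 5 to 180 days; reject anything else up front.
        if not 5 <= self.inactive_days <= 180:
            raise ValueError(f"{self.name}: inactivity must be 5..180 days, got {self.inactive_days}")

    def matches(self, ep: Endpoint, now: datetime) -> bool:
        """True if this policy would purge the endpoint at time `now`."""
        if not self.enabled or ep.registered:
            return False
        if now - ep.last_seen < timedelta(days=self.inactive_days):
            return False                              # still within the allowed inactivity window
        # Every additional condition must match one of its accepted values.
        return all(ep.attributes.get(attr) in values for attr, values in self.conditions.items())


def purge_candidates(policies, endpoints, now):
    """MAC addresses that at least one enabled policy would remove at `now`."""
    return sorted({ep.mac for ep in endpoints if any(p.matches(ep, now) for p in policies)})


# Constructed sample data: NOW stands in for the 2 A.M. server-time run.
NOW = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)
POLICIES = [
    PurgePolicy("Workstations-30d", 30, conditions={"Endpoint Type": {"Workstation"}}),
    PurgePolicy("Printers-90d", 90, conditions={"Endpoint Type": {"Printer"}}),
]
ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", NOW - timedelta(days=40), attributes={"Endpoint Type": "Workstation"}),
    Endpoint("00:11:22:33:44:02", NOW - timedelta(days=40), registered=True,
             attributes={"Endpoint Type": "Workstation"}),   # exempt: registered endpoint
    Endpoint("00:11:22:33:44:03", NOW - timedelta(days=10), attributes={"Endpoint Type": "Workstation"}),
    Endpoint("00:11:22:33:44:04", NOW - timedelta(days=100), attributes={"Endpoint Type": "Printer"}),
    Endpoint("00:11:22:33:44:05", NOW - timedelta(days=60), attributes={"Endpoint Type": "Printer"}),
]

if __name__ == "__main__":
    for mac in purge_candidates(POLICIES, ENDPOINTS, NOW):
        print("would purge", mac)
```

Running the script lists only the two endpoints that exceed their policy's inactivity threshold and satisfy its attribute condition; the registered endpoint with the same inactivity is skipped, as the purge behaviour described above requires.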
What to do next
Audit Logs of Endpoint Purge Activities
After you enable an Endpoint Purge Policy and a purge activity is executed, you can view the audit logs of an endpoint purge
activity:
In the Cisco DNA Center GUI, click the Menu icon and choose Activities > Audit Logs.
Check the description fields of the audit logs to find the logs related to the execution of a purge policy.
Click the appropriate audit logs to view the details of the Purge Policy that was executed.
Configure Endpoint Subnet Inspection
In a deployment, devices at the access layer and devices above the access layer have different IP subnets. In the case of
Cisco TTA devices, endpoint profiling accuracy is optimum when only southbound traffic is analyzed by Cisco AI Endpoint Analytics.
Configure specific IP subnets or subnet ranges that must be analyzed by Cisco AI Endpoint Analytics for southbound traffic,
to allow better endpoint profiling.
This configuration of filtered subnets is then shared with Cisco SD-AVC servers. The configuration is applied on the Cisco
TTA devices through Cisco SD-AVC servers.
Procedure
Step 1
In the Cisco DNA Center GUI, click the Menu icon and choose Policy > AI Endpoint Analytics > Configurations > Endpoint Subnet Inspection.
Step 2
Enter the required value in the IP Subnet field.
Step 3
Click + to add another IP subnet. You can add multiple subnets or subnet ranges in this window.
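The following Python script is an added example and is not Cisco code. It validates a list of subnet entries of the kind entered in the Endpoint Subnet Inspection window, collapses overlapping entries, and shows which flows from a constructed flow list fall inside the configured subnets. Which side of a flow the appliance treats as southbound is not specified in the text, so the example counts a flow as in scope when either its source or destination address belongs to a configured subnet; that choice, the entries and the flows are assumptions of the example.

```python
import ipaddress


def parse_inspection_subnets(entries):
    """Validate subnet entries and collapse overlapping ones, per address family."""
    nets = []
    for entry in entries:
        try:
            # strict=False accepts entries such as 10.1.2.5/24 by masking the host bits
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid subnet entry {entry!r}: {exc}") from None
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses only accepts one address family at a time
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def in_scope(addr, subnets):
    """True if the address belongs to any configured subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in subnets)


def inspected_flows(flows, subnets):
    """Flows that touch a configured subnet on either side (assumption, see lead-in)."""
    return [(src, dst) for src, dst in flows if in_scope(src, subnets) or in_scope(dst, subnets)]


# Constructed configuration: the second entry is fully contained in the first.
ENTRIES = ["10.1.2.0/24", "10.1.2.128/25", "10.1.3.0/25", "2001:db8:10::/64"]
# Constructed (source, destination) flow records.
FLOWS = [
    ("10.1.2.15", "172.16.0.5"),          # source in 10.1.2.0/24
    ("172.16.0.5", "10.1.2.200"),         # destination in 10.1.2.0/24
    ("192.168.50.7", "8.8.8.8"),          # neither side configured
    ("10.1.3.200", "10.10.0.1"),          # 10.1.3.200 is outside 10.1.3.0/25
    ("2001:db8:10::7", "2001:db8:ff::1"), # IPv6 source in configured prefix
]

if __name__ == "__main__":
    subnets = parse_inspection_subnets(ENTRIES)
    print("effective subnets:", [str(n) for n in subnets])
    for flow in inspected_flows(FLOWS, subnets):
        print("in scope:", flow)
```

The collapse step matters in practice: overlapping entries are harmless to the appliance but make the effective scope hard to read, and printing the collapsed list is the quickest way to confirm that a range was typed as intended.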
Endpoint Inventory
The endpoints that are connected to Cisco AI Endpoint Analytics through the data sources are displayed in the Endpoint Inventory tab. The tab contains two views that you can choose from using the Focus drop-down list:
All Endpoints: This is the default view for the Endpoint Inventory tab. This view displays the profiling information of all the connected
endpoints.
The All Endpoints view displays profiling information such as Endpoint Type, OS Type, Is Random Mac, Trust Score, and so on. To select the profiling information you want to view for the endpoints, click the vertical ellipsis icon at the
top-right corner of the table. Choose one of the following sets of profiling information and click Apply:
All: All the profiling information that is available is displayed. You cannot edit this set.
General: This is a selection of profiling information that gives you a generic view of the endpoints. This is the set of columns
displayed by default. You cannot edit this set.
Detailed: This is a selection of profiling information that provides a deeper view of the endpoints. You cannot edit this set.
Custom: This is the only set that you can edit. Check or uncheck the profiling information you want to view in the Endpoint Inventory window.
You can also filter the list of endpoints displayed in the All Endpoints view by clicking the required View Known Profiles buttons. You can filter the list of endpoints by Endpoint Type, Hardware Manufacturer, Hardware Model, and OS Type.
Trust Score: This view filters the endpoint inventory list to display only the endpoints with a Trust Score assigned to them.
The Trust Score view displays columns for the various factors that inform the overall Trust Score of an endpoint. The Trust Score helps you
identify the endpoints in which behavioral anomalies have been detected, so you can examine the details of the endpoint and
take the necessary remediation actions. If you apply an ANC policy to an endpoint to manage its low Trust Score, the Trust
Score view also displays the name of the ANC policy applied and when the policy was applied. See Trust Scores for Endpoints.
You can easily filter a set of endpoints based on your requirement. You can register endpoints, and edit, delete, and profile
registered endpoints. You can select single or multiple endpoints by checking the check box adjacent to the MAC addresses
to filter and perform a particular action on the chosen endpoints from the Actions drop-down list.
To see the complete profiling details of an endpoint, click the MAC Address of the endpoint. A slide-in dialog box is displayed which contains user details, endpoint details, and attribute details
of the endpoint.
In the Details tab, the following new fields are displayed in Cisco DNA Center Release 2.2.2 and later releases, with the details received
from Cisco ISE:
Authentication Status: This field displays Started when an endpoint is authenticated through Cisco ISE, and Disconnected when it is not.
Authorization Profile: The authorization policies configured for an endpoint in Cisco ISE are displayed here.
Scalable Group Tag: The Scalable Group Tags configured for an endpoint in Cisco ISE are displayed here.
In Cisco DNA Center Release 2.2.2 and later releases, the Trust Score tab is available in the slide-in dialog box for endpoint details. This tab displays details of the various factors that inform
trust score of an endpoint. See Trust Scores for Endpoints.
In Cisco DNA Center Release 2.2.3 and later releases, the Details tab contains the Previous MAC Addresses area, which displays the MAC addresses that have been used by an endpoint which has the MAC Randomization feature enabled
on it. See Trust Scores For Endpoints With Random and Changing MAC Addresses.
Export Cisco AI Endpoint Analytics Data
To export a list of endpoints and their details from this window, click Export. If you apply any filters in the Endpoint Inventory window, only the filtered endpoints will be processed for export. To export the details of all the endpoints, ensure that
no filters are applied when you click Export.
When you click Export, a new tab opens with the Reports window. The Generated Reports window contains a list of exports initiated, with the latest export request at the top of the list. A report generated from
the Endpoint Inventory window contains AI Endpoint Analytics in its Template Category column. Report generation takes a few minutes. When a report is ready for download, the value in the Last Run column changes from Not Initiated to a timestamp with a download icon next to it. The timestamp refers to the time at which the export list was generated.
Click the download icon to download a CSV file of the list of endpoints to your system.
You can also export Cisco AI Endpoint Analytics data from the Reports window, through the following steps:
Note
You must run your first export of AI Endpoint Analytics data for endpoints from the Endpoint Inventory window. Then you can generate AI Endpoint Analytics reports directly from the Reports window.
Choose Reports from the main menu.
Click Report Templates, and choose AI Endpoint Analytics from the menu.
Click Let's Do It in the Generate a New Report dialog box.
In the Select Report Template window, the template Endpoint Profiling is applied by default. Click Next.
In the Setup Report Scope window, enter a value in the Report Name field. Define the filters that you want to apply to the list of endpoints to be exported from the Endpoint Inventory window. To export the details of all endpoints, do not choose any values in the Scope area. Click Next.
In the Select File Type window, the Client Details area allows you to review the chosen parameters. Edit the information to be exported by checking or unchecking the check
boxes next to the relevant fields. Click Next.
In the Schedule Report window, click the radio button for Run Now, Run Later (One-Time), or Run Recurring. The Run Later (One-Time) and Run Recurring options display scheduling fields to define the time of export. Click Next.
In the Delivery and Notification window, do not check the Email Report check box. Click Next.
In the Summary window, review all the configurations chosen in this workflow. To edit any configurations click the corresponding Edit option. Click Next.
The final window of the workflow informs you that your report is being generated. Click the View Reports link in this window for a list of generated reports. It takes a few minutes for the report to be generated and displayed
in this window.
Filter Endpoints
Using the filter option, you can view and act upon a set of endpoints. These endpoints can be filtered based on their
profiling data, primary profiling labels, known profiles, and health status.
To filter the endpoints, follow these steps:
In the Endpoint Inventory window, click Filter.
Define the following filters by choosing a value from the corresponding drop-down list or clicking the radio button for the
required value, as applicable:
Mac Address
Trust Score
Endpoint Type
Hardware Model
Hardware Manufacturer
OS Type
Registered
Is Random Mac
Click Apply.
You can also filter the profiled endpoints displayed by the four primary profiling labels. Click one or more of the labels
in the View Known Profiles section.
The health status of endpoints is updated every five minutes.
Attribute Glossary
Attribute glossary is a list of all the profiling attributes available from Cisco ISE probe data.
In order to view all the profiling attributes, follow these steps:
In the Endpoint Inventory window, click the MAC address of an endpoint.
In the new area that is displayed on the right side, click View Attribute Glossary.
The Attribute Glossary window displays the following information for each attribute:
Key profiling attributes
Description
Associated Profile Labels
Source
Dictionary
Discovery Method
The glossary gives you a detailed view of all the profiling attributes. If a profiling attribute is frequently used to create
a profile label, the label is listed in the Associated Profile Labels column.
You can also view the attribute glossary in the Choose Attribute Condition window while creating a logical condition for the rules. For more information, see Create a Custom Rule.
Register Endpoints
You can onboard and profile new endpoints by registering them in Cisco AI Endpoint Analytics. The profiling information of
an endpoint is the source of truth for classification. You can also update new profile information for a registered endpoint
using the Register Endpoint option.
Procedure
Step 1
Choose Actions > Register Endpoints.
Step 2
Choose whether you want to register a single endpoint or multiple endpoints, by clicking the Single or Bulk radio button.
Option
Steps
Single
Enter the MAC Address, Endpoint Type, Hardware Model and Hardware Manufacturer for the endpoint.
Bulk
Download a .csv template by clicking the Download .csv Template option.
In the downloaded .csv file, enter the following details for each endpoint you must register: MAC address, endpoint type,
hardware model, and hardware manufacturer. Save this file.
Upload the .csv file using the Choose a File option.
You can register a maximum of 500 endpoints at a time using the Bulk option.
Step 3
Click Next.
Step 4
Review the endpoint details in the Review Endpoint window. You can also edit the endpoint details, if changes are required.
Note
While registering an existing endpoint, the profile label changes of the endpoint are reflected in purple color and can be
edited.
Step 5
Click Next to continue with the registration process.
Step 6
Click Register.
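The following Python script is an added example and is not Cisco code. It checks a bulk-registration .csv before upload against the requirements stated in the procedure: every row carries a MAC address, endpoint type, hardware model and hardware manufacturer, and at most 500 endpoints are submitted at a time. It also rejects malformed or duplicate MAC addresses and warns when a MAC has the locally administered bit set, since operating-system MAC randomization produces such addresses and registering one is usually not what was intended. The column names and the sample rows are assumptions for the example; take the real header from the downloaded template.

```python
import csv
import io
import re

MAX_BULK_ENDPOINTS = 500
# Column names are assumed; use the header of the downloaded .csv template.
REQUIRED_COLUMNS = ("MAC Address", "Endpoint Type", "Hardware Model", "Hardware Manufacturer")
MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")


def normalize_mac(raw):
    """Upper-case and use ':' separators so duplicates are caught regardless of input style."""
    return raw.strip().upper().replace("-", ":")


def is_locally_administered(mac):
    # Bit 1 of the first octet marks a locally administered address; MAC
    # randomization sets it, so such rows get a warning (a heuristic, not proof).
    return bool(int(mac[:2], 16) & 0x02)


def validate_bulk_csv(text):
    """Return (errors, warnings) for the body of a bulk-registration CSV."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing columns: {', '.join(missing)}"], []
    rows = list(reader)
    errors, warnings, seen = [], [], set()
    if len(rows) > MAX_BULK_ENDPOINTS:
        errors.append(f"{len(rows)} rows exceed the bulk limit of {MAX_BULK_ENDPOINTS}")
    for line, row in enumerate(rows, start=2):        # line 1 is the header
        mac = normalize_mac(row.get("MAC Address") or "")
        if not MAC_RE.match(mac):
            errors.append(f"line {line}: invalid MAC {mac!r}")
        elif mac in seen:
            errors.append(f"line {line}: duplicate MAC {mac}")
        else:
            seen.add(mac)
            if is_locally_administered(mac):
                warnings.append(f"line {line}: {mac} has the locally administered bit set (possible randomized MAC)")
        for col in REQUIRED_COLUMNS[1:]:
            if not (row.get(col) or "").strip():
                errors.append(f"line {line}: empty {col}")
    return errors, warnings


# Constructed sample file: one good row, one bad MAC, one duplicate with a
# missing model, and one locally administered address.
SAMPLE_CSV = """MAC Address,Endpoint Type,Hardware Model,Hardware Manufacturer
00:1A:2B:3C:4D:5E,IP Phone,CP-8845,Cisco
001A2B3C4D,Printer,LaserJet,HP
00-1a-2b-3c-4d-5e,Camera,,Axis
02:AA:BB:CC:DD:EE,Workstation,ThinkPad,Lenovo
"""

if __name__ == "__main__":
    errors, warnings = validate_bulk_csv(SAMPLE_CSV)
    for msg in errors:
        print("ERROR  ", msg)
    for msg in warnings:
        print("WARNING", msg)
```

Normalizing the MAC before comparison is what catches the duplicate in the sample: the third row spells the first row's address in lower case with dashes, which the product would otherwise treat as the same endpoint only after upload.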
Edit Registered Endpoints
You can update the profiling information of registered endpoints from the Endpoint Inventory window.
Procedure
Step 1
Check the check box adjacent to the MAC address of the endpoint that you want to edit.
Step 2
Click Actions.
Step 3
Click Edit Endpoint.
Step 4
Enter the Endpoint Type, Hardware Model, and Hardware Manufacturer details.
Step 5
Click Save.
Delete Registered Endpoints
If there are registered endpoints that are no longer part of your network, you can delete them from Cisco AI Endpoint Analytics.
Procedure
Step 1
Check the check box adjacent to the MAC address of the endpoints that you want to delete.
Step 2
Click Actions.
Step 3
Click Delete Endpoint.
The following message is displayed:
Do you really want to delete the selected endpoint(s)?
Step 4
Click Yes to permanently delete the endpoint from Cisco AI Endpoint Analytics.
Trust Scores for Endpoints
Cisco AI Endpoint Analytics assigns Trust Scores to endpoints to allow you to easily monitor and act on potentially risky
endpoints in your network. Behavioral anomalies are monitored and tracked, and a Trust Score is assigned based on the number
and frequency of the anomalies tracked.
To choose the sources that must be included in the calculation of Trust Scores, from the Cisco AI Endpoint Analytics Overview window, choose Configuration > Enable Trust Sources. Click the toggle button for each of the sources you want to enable.
Cisco AI Endpoint Analytics generates historical Trust Scores based on the following factors:
The history of anomalies associated with an endpoint—how many anomalies have been detected for this endpoint?
The severity of each anomaly detected for the endpoint.
In Cisco DNA Center Release 2.2.3 and later, the overall Trust Score calculation for an endpoint factors in the following
anomalies, and a score is displayed for each anomaly that is detected (if the corresponding source is enabled):
AI Spoofing Detection
Cisco AI Endpoint Analytics analyzes NetFlow telemetry data, and network probe data from Cisco ISE and SD-AVC devices, to
detect spoofed endpoints. Each endpoint type has a behavior model that is developed using machine learning algorithms. If
an endpoint’s behavior is unexpected of its endpoint type profile, the endpoint is assigned a Trust Score and listed as a
spoofed endpoint. The applications and server ports that are used by an endpoint are analyzed in this spoofing detection process.
For example, if an endpoint profiled as a printer uses a video calling application, it is identified as a spoofed endpoint
and assigned a Trust Score.
Changed Profile Labels
When a device joins a network, and then through periodic probing while the device is active, the profiling data for an endpoint
is continuously monitored and updated. Certain changes in the profiling data received from an endpoint are flagged as anomalies
in Cisco AI Endpoint Analytics. For example, if an endpoint was first profiled as a Linux device and is then profiled as a
macOS device, this is flagged as a high-severity anomaly. A score is assigned in the Changed Profile Label column for the
endpoint and the endpoint’s overall Trust Score is also updated to reflect this change.
However, if there is a change in the sub-version of macOS and the endpoint appears to have downgraded from a later release
to an earlier release, such a change is flagged as a lower priority anomaly and the corresponding scores are updated accordingly.
NAT Mode Detection
If you have a NAT-enabled router in your network, an endpoint connected to a NAT router is recognized by the IP or MAC addresses
of the router instead of the IP or MAC addresses of the specific endpoint. Information on NAT-enabled routers is collected
from the Cisco Catalyst 9000 Series devices they are connected to.
Concurrent MAC Addresses
Identify the endpoints that share the same MAC addresses and are connected to Cisco Catalyst 9000 Series devices. The endpoints
with shared MAC addresses are assigned a Concurrent MAC Address score, and you can easily identify these endpoints and examine
their details.
The Trust Score of an endpoint is also informed by the following events that are collected from Cisco ISE. Every endpoint
that authenticates through Cisco ISE receives an initial Trust Score based on the following events:
Authentication Method
Posture
Note
For the Trust Score sources that receive data from Cisco Catalyst 9000 Series devices, you must enable CBAR on the devices
and upgrade the devices to Cisco IOS-XE Release 17.6 or later.
The Trust Score displayed in the Endpoint Inventory window is the overall Trust Score, which takes into account the history and severity of the anomalies detected for an endpoint. Click the MAC Address to view the details of the causes for the Trust Score assigned to an endpoint. Because history is taken into account, if a low-level anomaly was
detected for an endpoint, and this is the only instance of an anomaly, the overall Trust Score for the endpoint would be
9, even if the Trust Score associated with the anomalous event itself is 7.
If multiple low-level anomalies are detected, the overall Trust Score would further decrease to account for the number of
anomalies.
The trust scores assigned range from 1 through 10, and are categorized as follows:
Trust Score Category | Range | Threat Level of Endpoint
Low | 1–3 | High
Medium | 4–6 | Moderate
High | 7–10 | Low
You can then apply Adaptive Network Control (ANC) policies from Cisco ISE to enforce appropriate remediation actions on the
endpoints. See section “Adaptive Network Control” in Chapter “Cisco ISE Admin Guide: Maintain and Monitor” of the Cisco ISE Administrator Guide.
The ANC policies are defined in Cisco ISE and allow you to apply remediation actions on chosen endpoints. You can apply ANC
policies to quarantine, shut down, or port bounce an endpoint, or force endpoint reauthentication. When you apply an ANC policy
to an endpoint with an undesirable Trust Score in Cisco AI Endpoint Analytics, a Change of Authorization (CoA) is sent to
the endpoint from Cisco ISE.
An endpoint is identified by its MAC address. Cisco ISE sends the CoA to the endpoints that hold an active session for the
identified MAC address at the time of the ANC application. Any endpoint with the same MAC address that does not have an active
session in Cisco ISE at the time will match the ANC policy when a new session starts or when it must reauthenticate at the
end of the configured reauthentication timer.
To verify which endpoint is being acted upon by the ANC policy, log in to your Cisco ISE administration portal. From the main
menu, choose Operations > RADIUS > Live Sessions. Enter the MAC address of the spoofed endpoint in the Endpoint ID column, to filter the endpoints that share the same MAC address and currently have live sessions in Cisco ISE. These are
the endpoints that will be affected by the ANC policy.
To view a historic log of the RADIUS sessions in Cisco ISE, from the main menu, choose Operations > Reports > Reports > Endpoints and Users > RADIUS Authentications.
To view or modify ANC policy application on endpoints in Cisco ISE, from the main menu, choose Context Visibility > Endpoints. Check the check box next to the MAC address of an endpoint and click the options displayed at the top of the list, as required.
Prerequisites
Prerequisites for receiving Trust Scores for endpoints:
Cisco DNA Center is upgraded to Release 2.2.2 or later.
Cisco ISE is connected to your on-premise Cisco DNA Center.
Network access devices are managed by both Cisco DNA Assurance and Cisco ISE.
Note
The endpoint spoofing detection feature supports a maximum of 500 network access devices with NetFlow export flows, as Cisco
DNA Assurance supports only 500 NetFlow exporters.
Endpoints connected to network access devices are authenticated through Cisco ISE.
Enable the required sources for Trust Score calculation in the Trust Score Sources window (Policy > AI Endpoint Analytics > Configurations > Trust Score Sources).
Changed Profile Labels
Cisco AI Endpoint Analytics collects data from multiple probes from different sources continually to derive accurate profile
labels for endpoints. Cisco AI Endpoint Analytics collects the following data from the following sources:
From Cisco ISE:
RADIUS probes.
User details from Directory.
VPN details like AnyConnect availability.
Optionally, other data if port forwarding is configured. For example, DHCP details.
From switches:
Device connection messages. For example, DHCP and NetBIOS messages.
Deep packet inspection
Switch telemetry
Cisco AI Endpoint Analytics creates system rules based on the information received from these sources. When a device joins
a network, and then through periodic probing while the device is active, the profiling data for an endpoint is continuously
monitored and updated.
Certain changes in the profiling data received from the endpoint are flagged as anomalies in Cisco AI Endpoint Analytics.
For example, if an endpoint was first profiled as a Linux device and is then profiled as a macOS device, this is flagged as
a high-severity anomaly. A score is assigned in the Changed Profile Label column for the endpoint and the endpoint’s overall
Trust Score is also updated to reflect this change.
However, if there is a change in the sub-version of macOS and the endpoint appears to have downgraded from a later release
to an earlier release, such a change is flagged as a lower priority anomaly and the corresponding scores are updated accordingly.
In the Endpoint Inventory window, click the MAC Address of an endpoint with a Changed Profile Label score to view the profiling data changes recorded. The old and new profiles for the endpoints are displayed here. If the
profiling changes are not of concern for any reason, or if you think the profiling change detected is erroneous, reset the
score by clicking the corresponding button in the Changed Profile Label area of the endpoint’s details.
You can also disable Changed Profile Label detection for a specific endpoint by clicking the toggle button in the Changed Profile Label area of the endpoint’s details.
Data regarding this anomaly is sent to Cisco ISE if the affected endpoint is connected to Cisco ISE. The data is available
as an Endpoint Analytics dictionary attribute that a Cisco ISE administrator can easily use to define policies.
Changed Profile Label detection is not available for the endpoints that have Custom Rules applied to them.
NAT Mode Detection
Network Address Translation (NAT) allows private IP internetworks that use nonregistered IP addresses to connect to the Internet.
NAT can be configured to advertise to the outside world only one address for the entire network. If you have a NAT-enabled
router in your network, an endpoint connected to a NAT router is recognized by the IP or MAC addresses of the router instead
of the IP or MAC addresses of the specific endpoint. Information on NAT-enabled routers is collected from the Cisco Catalyst
9000 Series devices they are connected to.
NAT detection is included in Trust Score calculation because a device acting as a NAT-enabled router could allow unauthorized endpoints
to connect to your network. For the endpoints that are assigned a NAT Mode Detection score, in the Endpoint Inventory tab, click the MAC Address to view the details of the endpoint in a slide-in window. If you are certain that the identity
of the endpoint corresponds to a NAT-enabled router in your network:
Click NAT Mode Detection in the Trust Score tab of the details slide-in window.
Click the toggle button to disable NAT Detection for this specific endpoint.
Endpoints With Concurrent MAC Addresses Connected to Cisco Catalyst 9000 Series Devices
Identify the endpoints that share the same MAC addresses and are connected to Cisco Catalyst 9000 Series devices. The issue
of endpoints with concurrent MAC addresses occurs in wired environments and in hybrid environments that contain wired and
wireless deployments. In a wireless environment, concurrent MAC addresses do not occur as only one endpoint with a specific
MAC address is allowed to access the network at any time.
Cisco AI Endpoint Analytics allows you to identify the endpoints with concurrent MAC addresses by assigning a Concurrent MAC
Address score to the endpoints. To detect endpoints with shared MAC addresses in your network, you must enable CBAR in the
connected Cisco Catalyst 9000 Series devices.
When devices with the same MAC Address connect to a Cisco Catalyst 9000 Series device, the endpoints are recognized as concurrent
endpoints and a low score is assigned to the MAC Address. Endpoints with concurrent MAC addresses may be connected to:
The same Cisco Catalyst 9000 Series device from different VLANs
Different Cisco Catalyst 9000 Series devices
Table 1. Environments In Which The Concurrent MAC Address Issue Occurs
Deployment 1 | Deployment 2 | Can Concurrent MAC Addresses Occur In The Network? | Concurrent MAC Addresses Detection Support in This Environment
Wired | Wired | Yes | Yes
Wired | Wireless | Yes | Yes
Wireless | Wired | Yes | Yes
Wireless | Wireless | No | No
In Cisco DNA Center Release 2.2.3 and later releases, the Trust Scores view of the Endpoint Inventory tab contains the Concurrent MAC Address column. Shared MAC addresses are detected as an anomaly and a low score is assigned in the Concurrent MAC Address column. Click the MAC Address to view a slide-in window with the details of the MAC Address. Click Concurrent MAC Address and the field expands to display information regarding the various sources of the MAC address.
In the Concurrent MAC Address area, the Network Device Name column displays the name of the Cisco Catalyst 9000 Series device to which an endpoint is connected. The Interface and VLAN columns display the corresponding values to help you identify how the endpoint is connected to the network.
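The following is an added example, not Cisco AI Endpoint Analytics code, that illustrates the detection described above: attachment records are grouped by MAC address, a MAC seen at two or more distinct points of attachment (network device, interface, VLAN) is flagged, and a MAC whose attachments are all wireless is not flagged, matching Table 1. The attachment records, device names, interface names and VLANs are constructed for the example; the real product derives this data from CBAR telemetry on the Cisco Catalyst 9000 Series devices.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    """One observed point of attachment for a MAC address (constructed record)."""
    mac: str
    device: str       # network device name, for example a Catalyst switch hostname
    interface: str
    vlan: int
    medium: str       # "wired" or "wireless"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def detect_concurrent_macs(attachments):
    """Return {mac: [Attachment, ...]} for every MAC seen at two or more distinct
    points of attachment (device, interface, VLAN). A MAC whose attachments are all
    wireless is never flagged: a WLAN admits only one active station per MAC, so
    such observations reflect roaming over time rather than concurrency."""
    by_mac = defaultdict(list)
    for att in attachments:
        by_mac[normalize_mac(att.mac)].append(att)

    flagged = {}
    for mac, atts in by_mac.items():
        points = {(a.device, a.interface, a.vlan) for a in atts}
        if len(points) < 2:
            continue
        if all(a.medium == "wireless" for a in atts):
            continue
        flagged[mac] = sorted(atts, key=lambda a: (a.device, a.interface, a.vlan))
    return flagged


def concurrent_mac_rows(flagged):
    """Flatten the result into the columns shown in the Concurrent MAC Address area:
    (MAC, Network Device Name, Interface, VLAN)."""
    return [(mac, a.device, a.interface, a.vlan)
            for mac, atts in flagged.items() for a in atts]


# Constructed sample: one MAC on the same switch in two VLANs, one MAC on a switch
# and on a wireless controller, one MAC roaming between two APs, and one ordinary endpoint.
SAMPLE_ATTACHMENTS = [
    Attachment("00:11:22:33:44:55", "cat9k-access-1", "Gi1/0/10", 10, "wired"),
    Attachment("00-11-22-33-44-55", "cat9k-access-1", "Gi1/0/24", 20, "wired"),
    Attachment("aa:bb:cc:dd:ee:01", "cat9k-access-1", "Gi1/0/3", 10, "wired"),
    Attachment("aa:bb:cc:dd:ee:01", "wlc-1", "ap-lobby", 10, "wireless"),
    Attachment("de:ad:be:ef:00:01", "wlc-1", "ap-floor1", 30, "wireless"),
    Attachment("de:ad:be:ef:00:01", "wlc-1", "ap-floor2", 30, "wireless"),
    Attachment("00:aa:bb:cc:dd:ee", "cat9k-access-2", "Gi1/0/1", 10, "wired"),
]

if __name__ == "__main__":
    for row in concurrent_mac_rows(detect_concurrent_macs(SAMPLE_ATTACHMENTS)):
        print(*row)
```

Running the block lists the two shared MAC addresses with their switch, interface and VLAN, which is the information you need to decide whether the duplication is a hub, a mirrored NIC, or an endpoint presenting another endpoint's address.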
Initial Trust Score Assessment using Posture and Authentication Values from Cisco ISE
When an endpoint authenticates through Cisco ISE, a Trust Score is immediately assigned to the endpoint based on its authentication
and posture details. The Authentication Method score is assigned by default and you cannot disable or act upon this score. You
can choose to enable or disable Posture-based scores, either at a global level from the Configurations window, or for a particular endpoint in the Endpoint Inventory tab. The Trust Score that is assigned based on the Authentication Method and Posture values becomes the initial Trust Score
for the endpoint.
Any other anomalous behaviors detected for this endpoint would then impact this initial Trust Score and drive it lower based
on the severity and number of the anomalies.
The Authentication Method score, displayed in the details of an endpoint in the Endpoint Inventory tab, is based on the perceived security level of the authentication method used. For example, WebAuth Over HTTPS, certificate-based
authentication, and authentication using secure tunnels receive high Trust Scores.
The Posture score is based on whether or not the connected endpoint is posture compliant.
If an endpoint's Trust Score consists of only the Authentication Method score, the Reset Trust Score button is inactive. When a Trust Score source other than the Authentication Method displays a score, you can use the reset
option.
Trust Scores For Endpoints With Random and Changing MAC Addresses
As a privacy measure, mobile devices increasingly use random and changing MAC addresses for each SSID that they connect to.
Some desktop operating systems offer users the ability to randomize MAC addresses at regular intervals as well. This means
that an endpoint presents a different MAC address every time it connects to a different SSID.
Cisco AI Endpoint Analytics enables you to handle the issue of random and changing MAC addresses by receiving from Cisco ISE
a unique endpoint identifier called the DUID (also known as GUID in Cisco ISE). Cisco AI Endpoint Analytics then uses the
DUID as the identifier for an endpoint, instead of its MAC address. For more information about how GUIDs are assigned in Cisco ISE,
see Cisco ISE Administration Guide, Release 3.1.
The Endpoint MAC Randomization dashlet in the Cisco AI Endpoint Analytics Overview window displays a graphical representation of how many endpoints in your network are using random and changing MAC addresses.
For the endpoints that are connected to Cisco ISE and have DUID information available, this information is displayed in Cisco
AI Endpoint Analytics as well. The following columns display the required information in the Endpoint Inventory window in Cisco AI Endpoint Analytics:
DUID: The DUID value for the endpoint.
Previous MAC Addresses: The random and changing MAC addresses with which the endpoint previously connected to the network.
Using the DUID value, Cisco AI Endpoint Analytics is now able to reliably identify an endpoint and track the various MAC addresses
that the endpoint has previously used. This means that the Trust Score for an endpoint with random and changing MAC addresses
still has high fidelity. The Trust Score of the endpoint from a previous MAC address is carried forward to the current MAC
address that the endpoint is presenting and continues to be impacted by the probe data received for the same endpoint.
If a device has the Private Address setting enabled, the Is MAC Random column for this device displays the value Yes. This device is then recognized as using a random and changing MAC address. However, whether or not a DUID value is available for
this device depends on whether or not the endpoint was authenticated through Cisco ISE and if a GUID was generated for this
endpoint in Cisco ISE.
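The following is an added example, not Cisco AI Endpoint Analytics or Cisco ISE code, that illustrates the identity handling described above: observations are keyed by DUID when Cisco ISE supplies one, every MAC address the endpoint has presented is accumulated as a previous MAC address, and the Trust Score carries forward to the current MAC address until new data replaces it. Endpoints without a DUID are keyed by MAC address alone. The DUID values, MAC addresses and scores are constructed. The locally administered bit check is a general IEEE 802 heuristic for randomized addresses and is an assumption of this example; the product reports the device's Private Address setting instead.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def is_locally_administered(mac: str) -> bool:
    """True when the IEEE 802 U/L bit (bit 1 of the first octet) is set. Randomized
    MAC addresses carry this bit; used here as a heuristic only (assumption)."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


@dataclass
class EndpointRecord:
    duid: Optional[str]                 # None when Cisco ISE generated no GUID
    current_mac: str
    previous_macs: List[str] = field(default_factory=list)
    trust_score: Optional[int] = None   # 1..10, carried forward across MAC changes
    is_mac_random: bool = False


class EndpointIdentityTracker:
    """Keys endpoints by DUID when one is available so that Trust Score history
    survives a MAC change; a MAC-only endpoint is its own identity."""

    def __init__(self) -> None:
        self.records: Dict[str, EndpointRecord] = {}

    def observe(self, mac: str, duid: Optional[str] = None,
                trust_score: Optional[int] = None,
                private_address: bool = False) -> EndpointRecord:
        if trust_score is not None and not 1 <= trust_score <= 10:
            raise ValueError("Trust Scores range from 1 through 10")
        mac = mac.strip().lower()
        random_mac = private_address or is_locally_administered(mac)
        key = duid if duid is not None else f"mac:{mac}"
        rec = self.records.get(key)
        if rec is None:
            rec = EndpointRecord(duid=duid, current_mac=mac,
                                 trust_score=trust_score, is_mac_random=random_mac)
            self.records[key] = rec
            return rec
        if rec.current_mac != mac:
            # The endpoint is presenting a new MAC address: remember the old one.
            if rec.current_mac not in rec.previous_macs:
                rec.previous_macs.append(rec.current_mac)
            rec.current_mac = mac
        if trust_score is not None:
            rec.trust_score = trust_score   # new probe data overrides the carried score
        rec.is_mac_random = rec.is_mac_random or random_mac
        return rec

    def inventory_row(self, key: str):
        """The DUID, Previous MAC Addresses and Is MAC Random columns for one record."""
        rec = self.records[key]
        return (rec.duid, rec.current_mac, list(rec.previous_macs),
                "Yes" if rec.is_mac_random else "No", rec.trust_score)


if __name__ == "__main__":
    tracker = EndpointIdentityTracker()
    tracker.observe("da:1b:2c:3d:4e:5f", duid="duid-0001", trust_score=6)
    tracker.observe("da:aa:bb:cc:dd:ee", duid="duid-0001")          # new MAC, score carried
    tracker.observe("00:1a:2b:3c:4d:5e")                            # no DUID: keyed by MAC
    for key in tracker.records:
        print(key, tracker.inventory_row(key))
```

When the same DUID reappears with a new MAC address, the record keeps its score of 6 and lists the old address under previous MAC addresses; an endpoint that never authenticated through Cisco ISE has no DUID and cannot be linked across address changes, which is the limitation the last paragraph above describes.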
View and Manage Trust Scores for Endpoints
After Cisco DNA Center is upgraded to Release 2.2.3 and necessary Trust Score sources are enabled, the Cisco AI Endpoint Analytics
Overview tab (Main Menu > Policy > AI Endpoint Analytics) displays the Trust Scores dashlet. This dashlet contains the following information:
The total number of endpoints that have been assigned a Trust Score.
A donut chart and a list of the number of endpoints with low, medium, and high trust scores.
To view the details of endpoints in a trust score category, click its endpoint count in the Trust Scores dashlet. The Trust Score view of the Endpoint Inventory tab is displayed with the appropriate filters applied.
In the Endpoint Inventory tab, you can view endpoints with Trust Scores in two ways:
Click the Focus: drop-down list and choose Trust Score to see all the endpoints with Trust Scores assigned.
Click View endpoints in Trust Score View from the caution message that is displayed, to see endpoints with Low and Medium scores.
You can perform the following actions on endpoints with Trust Scores:
Apply an ANC Policy
Click the Apply ANC Policy button to choose an ANC policy to be applied to an endpoint. The endpoint’s access to the network is modified accordingly.
ANC policies are imported from Cisco ISE and displayed in the drop-down list in the pop-up window displayed.
Replace an ANC Policy
Click Change ANC Policy button to replace an existing ANC policy of an endpoint with another ANC policy. From the pop-up window displayed, choose
the new policy to be applied from the Change ANC Policy drop-down list.
Remove an ANC Policy
Click the Remove ANC Policy button to remove an applied ANC policy from an endpoint. In the pop-up window displayed, click Remove. This removes the remediation policy that was applied to the endpoint, and allows the endpoint to connect to the network
normally.
Reset Trust Score
Click Reset Trust Score button to remove an endpoint from the Trust Score inventory. In the pop-up window displayed, click Reset.
If you choose this option for an endpoint after applying an ANC policy, you will not see this endpoint in the Trust Score
inventory again. In this case, to modify the ANC policy for such an endpoint, you must remove the policy from Cisco ISE instead.
If you reset the score for an endpoint without applying an ANC policy, you may see the endpoint in the Trust Score inventory
again with the next automatic refresh of Trust Score data.
The buttons for each of the actions are displayed in two locations in the Endpoint Inventory tab. The actions can be performed on a single endpoint, or on multiple endpoints.
Manage Trust Score for Single Endpoint
From the list of endpoints with a Trust Score, click the MAC Address of the endpoint you want to manage. In the endpoint
details pane that is displayed, click the Trust Score tab.
Here, the Expected Endpoint Type and Likely Endpoint Type values are displayed. The Applications Used field lists the applications used by the endpoint that are unusual for the expected endpoint type.
This pane includes buttons to start the workflows of accepting and removing ANC policies, and to reset the Trust Score. Click
the button for the intended task.
Alternatively, you can check the check box for an individual endpoint on the Endpoint Inventory window, click Actions, and choose the required option from the drop-down list.
Manage Trust Score for Multiple Endpoints
In the Endpoint Inventory tab, check the check boxes for all the endpoints you must perform a specific action on. Click Actions and choose the required action from the drop-down list.
Profiling Rules
Profiling rules in Cisco AI Endpoint Analytics enable you to group endpoints with a combination of common attributes. These
attributes allow endpoint identification by Endpoint Type, OS Type, Hardware model, and Hardware Manufacturer. The profiling
rules help you administer and manage many endpoints with ease.
Cisco AI Endpoint Analytics receives profiling data from network devices through DPI, media protocols, medical industry protocols,
and more. Profiling data from Cisco ISE is communicated through pxGrid. These profiling attributes are then available in the
device dictionary for authoring profile rules.
You can view the profiling rules in the Profiling Rules tab of Cisco AI Endpoint Analytics. In the table that is displayed under this tab, click a Rule Name entry to view the assigned profiles and attributes used.
The profiling rules that are used to profile the endpoints in Cisco AI Endpoint Analytics are:
System Rules
Custom Rules
Cisco AI Rules
Rule Prioritization
The profiling rules in Cisco AI Endpoint Analytics have an order of priority. Profiling rule execution follows this rule priority
to profile endpoints with high fidelity.
As user inputs are primary in Cisco AI Endpoint Analytics, the priority of the profiling rules is as follows:
Administrator-created static profiles, for example, profiles added using the Register Endpoints option.
Administrator-created custom rules.
Cisco-provided system rules that are available by default.
Auto-generated rules through the machine learning-enabled Smart Grouping workflow.
To view the set rule priority, click Rule Prioritization in the Profiling Rules window.
A registered endpoint can be profiled by multiple Cisco AI Endpoint Analytics rules for different profiling labels. The following
table shows the design of profiling rules for two endpoints.
Endpoint 1 | Endpoint 2
Hardware Model profiled by System Rule | Hardware Model profiled by System Rule
OS Type profiled by Cisco AI Rule | Hardware Model profiled by Custom Rule
Hardware Manufacturer profiled by Custom Rule | Hardware Model profiled by Cisco AI Rule
For Endpoint 2, rule priority results in the precedence of the custom rule over the others. The Hardware Model label for Endpoint
2 is profiled by the custom rule.
For Endpoint 1, different rules define different profile labels, and each label is profiled accordingly.
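The following is an added example, not Cisco AI Endpoint Analytics code, that carries the rule priority described above through in code. Each candidate is a (rule type, profile label, value) triple produced by a rule that matched the endpoint; per label, only the highest-priority rule type wins, while labels set by different rules coexist. The rule type names and the model, OS and manufacturer values are constructed; the two endpoints mirror the table above, and a third candidate set adds a registered (static) endpoint to show that static profiles outrank custom rules.

```python
# Priority order from the list above, highest first: administrator-created static
# profiles, custom rules, Cisco-provided system rules, auto-generated AI rules.
RULE_PRIORITY = ("static", "custom", "system", "ai")


def resolve_profile_labels(candidates):
    """candidates: iterable of (rule_type, label, value) from every rule that matched
    an endpoint. Returns {label: (value, rule_type)}, keeping per label only the
    highest-priority rule type. Unknown rule types are rejected rather than ignored."""
    rank = {rule_type: i for i, rule_type in enumerate(RULE_PRIORITY)}
    resolved = {}
    for rule_type, label, value in candidates:
        if rule_type not in rank:
            raise ValueError(f"unknown rule type: {rule_type!r}")
        current = resolved.get(label)
        if current is None or rank[rule_type] < rank[current[1]]:
            resolved[label] = (value, rule_type)
    return resolved


def explain(resolved):
    """Human-readable lines in the style of the table above."""
    return [f"{label} profiled by {rule_type} rule (value {value})"
            for label, (value, rule_type) in sorted(resolved.items())]


# Constructed candidate sets. Endpoint 1 and Endpoint 2 follow the table above.
ENDPOINT_1 = [
    ("system", "Hardware Model", "Model-A"),
    ("ai", "OS Type", "Linux"),
    ("custom", "Hardware Manufacturer", "Vendor-X"),
]
ENDPOINT_2 = [
    ("system", "Hardware Model", "Model-A"),
    ("custom", "Hardware Model", "Model-B"),
    ("ai", "Hardware Model", "Model-C"),
]
REGISTERED_ENDPOINT = [
    ("custom", "Hardware Model", "Model-B"),
    ("static", "Hardware Model", "Model-R"),   # added through Register Endpoints
    ("system", "Hardware Model", "Model-A"),
]

if __name__ == "__main__":
    for name, cands in (("Endpoint 1", ENDPOINT_1), ("Endpoint 2", ENDPOINT_2),
                        ("Registered endpoint", REGISTERED_ENDPOINT)):
        print(name)
        for line in explain(resolve_profile_labels(cands)):
            print("  " + line)
```

The order in which candidates arrive does not matter: the static profile in the third set wins even though it is listed after the custom rule, which is the behaviour to rely on when you register an endpoint to pin a label that a lower-priority rule keeps changing.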
Filter Profiling Rules
Procedure
Step 1
In the Profiling Rules window, click Filter.
Step 2
Enter a name in the Rule Name field.
Step 3
Select values for endpoint attributes from the corresponding drop-down lists, to filter for a set of endpoints.
Step 4
Click Apply.
View Updated Profiling Rules
Procedure
Step 1
Go to the Endpoint Inventory window.
Step 2
Click the check box adjacent to the MAC Address of the endpoint to view the profiling details of the endpoint.
Step 3
Click the information icon next to profile labels, and click the rule name to view the assigned profile and attributes details.
System Rules
Cisco AI Endpoint Analytics provides predefined rules called System rules for profiling endpoints. When Cisco AI Endpoint
Analytics is deployed, it provides day zero visibility into endpoints without any need to configure specific rules.
Newly onboarded endpoints are profiled using system rules by default.
Network devices are managed in Cisco DNA Center in the Provision > Network Devices > Inventory window.
These network devices are profiled by the system rules and are not visible in the Cisco AI Endpoint Analytics Endpoint Inventory window. However, you can view the network devices that are profiled by custom rules, because those custom rules are created with network device
as the Device Type.
Automatic System Rule Updates for Endpoint Profiling
The system rules that are used for endpoint profiling in Cisco AI Endpoint Analytics are regularly updated to enhance profiling
accuracy. Schedule automatic updates to receive updates in endpoint profiling system rules from Cisco. Your Cisco DNA Center receives updates at the configured time, and the changes are applied in Cisco AI Endpoint Analytics. In the Profiling Rules window (Policy > AI Endpoint Analytics > Profiling Rules), review the details of the changes in endpoint profiles, and accept or decline the system rule update.
If an endpoint’s hardware model value changes due to an accepted system rule update, when you view the endpoint's details
in the Endpoint Inventory tab, the Hardware Model field contains the name of the system rule update.
To check the status of NBAR Cloud, choose Policy > AI Endpoint Analytics > Overview, and click Configuration.
Procedure
Step 1
From the main menu, choose System > Settings > Cisco Accounts > Profile Rule Settings.
The Enabled toggle button in the Schedule Automatic Updates area is set to active by default.
Step 2
Click the buttons for the days of the week on which you want to schedule updates. You can choose multiple days. Then, use
the Time Slot text fields to select the time for the update. It takes 30 minutes for the updates to be received by Cisco DNA Center. The second time slot area is not editable and displays the time when the scheduled update is expected to complete.
Step 3
When your Cisco DNA Center receives a system rule update, a notification is displayed in the Profiling Rules window (Policy > AI Endpoint Analytics > Profiling Rules). The following notification is displayed when you click Expand in the dialog box:
You are updated to the latest version Name of Latest Version and a recent Cisco profiling rule has changed the profiles of some endpoints. Review Update.
Click Review Update.
Step 4
The Endpoint Profile Update Review dialog box is displayed. The dialog box contains information on the current stable update applied, the latest update received,
and more. It also contains the following sections that you can click to view the related endpoint profile updates:
Major Updates: Lists the endpoints whose profiles have had major changes, such as a Windows endpoint that is now recorded as a Linux endpoint.
Minor Updates: Lists the endpoints whose profiles have had minor changes, such as an updated version of Windows OS.
Newly Profiled: Lists the endpoints that were unprofiled previously and have now been assigned profile information.
Step 5
After you review the endpoint profile changes, to accept the profile update, click Mark As Approved Version in the Endpoint Profile Update Review dialog box. If you do not agree with the endpoint profile changes, click Rollback.
When you choose rollback, you must choose if you want to roll back to the last running version, or the last approved version,
by clicking the corresponding option.
You can also perform the accept and rollback actions from the AI Endpoint Analytics > Overview > Configuration window.
Step 6
Click X to close the dialog box.
Custom Rules
In addition to the system rules, you can also create custom rules for profiling endpoints using a combination of endpoint
attributes. Custom rules precede all the other endpoint profiling rules in Cisco AI Endpoint Analytics.
Logic and Conditions for Profiling Rules
You can create custom profiling rules in the Endpoint Inventory window. To create a custom profiling rule, you must create a logical condition based on endpoint attributes and values. These
attributes are collected from network probe data and are different from the classification attributes available in the Attribute Glossary window.
A value is a user input that uniquely identifies the group of endpoints. The attributes and values create a regular expression
with the help of the following operators.
Operator | Description
Contains | Attribute has the selected value.
Equals | Attribute is strictly mapped to the selected value.
Matches | Attribute should match the regular expression pattern of the selected value.
Starts With | Attribute should start with the selected value.
Note
Contains, Equals, and Starts With are case-sensitive operators. For case-insensitive values, use the Matches operator.
These conditions can be further combined with the help of logic (AND and OR) to create a nested rule.
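The following is an added example, not Cisco AI Endpoint Analytics code, that implements the four operators and the nested AND/OR logic described above as a small evaluator run over constructed endpoint attribute records. It shows the case-sensitivity point from the note (Contains "LAB-" does not match "lab-pc-02", while Matches "(?i)..." does), and it validates a rule before use so that an empty value, which would match every endpoint, or an invalid regular expression is rejected at authoring time. The attribute names (dhcp_class_id, hostname, oui_vendor), the MAC addresses and the rule are constructed; that Matches performs an unanchored search is an assumption of this example.

```python
import re


# Operator semantics from the table above. Contains, Equals and Starts With are
# case-sensitive string tests; Matches applies a regular expression.
def _contains(attr, value):
    return value in attr


def _equals(attr, value):
    return attr == value


def _matches(attr, value):
    # Assumption: unanchored search; put ^ and $ in the pattern when the whole value must match.
    return re.search(value, attr) is not None


def _starts_with(attr, value):
    return attr.startswith(value)


OPERATORS = {
    "Contains": _contains,
    "Equals": _equals,
    "Matches": _matches,
    "Starts With": _starts_with,
}


def validate_condition(cond):
    """Raise ValueError (or re.error) for a malformed condition: unknown operator,
    missing attribute, empty value (matches every endpoint) or a bad Matches pattern."""
    if "logic" in cond:
        if cond["logic"] not in ("AND", "OR") or not cond.get("conditions"):
            raise ValueError("a logic node needs AND or OR and at least one condition")
        for child in cond["conditions"]:
            validate_condition(child)
        return
    if cond.get("operator") not in OPERATORS:
        raise ValueError(f"unknown operator: {cond.get('operator')!r}")
    if not cond.get("attribute") or cond.get("value", "") == "":
        raise ValueError("attribute and a non-empty value are required")
    if cond["operator"] == "Matches":
        re.compile(cond["value"])   # raises re.error for an invalid pattern


def is_valid_condition(cond):
    """Boolean wrapper around validate_condition for callers that just need a verdict."""
    try:
        validate_condition(cond)
        return True
    except (ValueError, re.error, KeyError, TypeError):
        return False


def evaluate(cond, attributes):
    """Evaluate a leaf condition or a nested AND/OR node against one endpoint's probe
    attributes. An attribute the probes never reported cannot satisfy any operator."""
    if "logic" in cond:
        results = [evaluate(child, attributes) for child in cond["conditions"]]
        return all(results) if cond["logic"] == "AND" else any(results)
    attr = attributes.get(cond["attribute"])
    if attr is None:
        return False
    return OPERATORS[cond["operator"]](str(attr), cond["value"])


def match_endpoints(rule, endpoints):
    """Validate the rule once, then return the MAC of every endpoint it would profile."""
    validate_condition(rule)
    return [e["mac"] for e in endpoints if evaluate(rule, e)]


# Constructed rule: (dhcp_class_id Starts With "MSFT" AND hostname Contains "LAB-")
#                   OR oui_vendor Matches "(?i)^contoso"
LAB_WINDOWS_RULE = {
    "logic": "OR",
    "conditions": [
        {"logic": "AND", "conditions": [
            {"attribute": "dhcp_class_id", "operator": "Starts With", "value": "MSFT"},
            {"attribute": "hostname", "operator": "Contains", "value": "LAB-"},
        ]},
        {"attribute": "oui_vendor", "operator": "Matches", "value": r"(?i)^contoso"},
    ],
}

# Constructed endpoint probe data (MACs from the IANA documentation range).
SAMPLE_ENDPOINTS = [
    {"mac": "00:00:5e:00:53:01", "dhcp_class_id": "MSFT 5.0",
     "hostname": "LAB-PC-01", "oui_vendor": "Example Corp"},
    {"mac": "00:00:5e:00:53:02", "dhcp_class_id": "MSFT 5.0",
     "hostname": "lab-pc-02", "oui_vendor": "Example Corp"},   # lower-case: Contains fails
    {"mac": "00:00:5e:00:53:03", "dhcp_class_id": "android-dhcp-13",
     "oui_vendor": "CONTOSO LTD"},                             # no hostname reported
]

if __name__ == "__main__":
    print(match_endpoints(LAB_WINDOWS_RULE, SAMPLE_ENDPOINTS))
```

The second endpoint is left out only because of letter case, which is the kind of gap that silently leaves endpoints on a less specific profile; if case should not matter, author the condition with Matches and an inline (?i) flag, and anchor the pattern so it cannot widen to unrelated attribute values.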
Create and Edit a Logical Condition
Follow these steps to create a logical condition.
Procedure
Step 1
In the Choose Attribute Conditions window, check the check box adjacent to the Attribute that you want to update.
Step 2
Choose an option from the Operator drop-down list.
Step 3
Enter the value in the Value field.
Step 4
Click Next.
Step 5
In the Add Logic to Conditions window that is displayed, drag and drop the AND logic or the OR logic between the conditions in order to create a logical sequence of conditions for a custom rule.
Note
You can also add or edit an attribute condition in the Add Logical Conditions window using the vertical ellipsis next to a condition.
Step 6
Click Next.
Create a Custom Rule
Procedure
Step 1
In the Endpoint Inventory window, check the check box adjacent to the MAC address of the endpoints that you want to profile.
Step 2
Click Actions and select Profile with Custom Rules.
Step 3
In the Name Rule and Type window that is displayed, in the Rule Name field, enter a name for the rule, and from the Profile Label drop-down list, choose a label.
Depending on what you choose from the Profile Label drop-down list, a corresponding field, whose name is dynamically updated, is displayed. For example, if you choose Endpoint Type, the Endpoint Type field appears.
Step 4
Enter a value in the new field that is displayed. As you start entering information, matching options are displayed. If an
option matches your requirements, select the same. Otherwise, enter the complete type name.
Step 5
Click Next.
Step 6
In the Choose Attribute Conditions window that is displayed, create a logical condition.
Step 7
In the Review Rule window, review the list of endpoints that are going to be profiled with this custom rule.
Step 8
Click Next.
Step 9
Click Profile.
Edit a Custom Rule
Procedure
Step 1
In the Profiling Rules window, check the check box adjacent to the admin rule you want to edit.
Step 2
Click Actions and select Edit.
Step 3
In the Edit window that is displayed, in the Rule Name field, enter a name for the rule, and select or enter the profile details based on the Profile Label selected during the rule creation.
Step 4
In the Logic and Conditions section, click on the vertical ellipsis and select Edit to update the logic and conditions for profiling rules. For more information, see Logical Conditions.
Step 5
Click Next.
Step 6
Click Apply.
After the existing rule is updated with new profiling details, the endpoints profiled with this rule are updated with new
profiling details.
Delete a Custom Rule
Procedure
Step 1
In the Profiling Rules window, check the check box next to the rule that you want to delete.
Step 2
Click Actions and choose Delete.
The following message is displayed:
Do you really want to delete the selected Rule(s)?
Step 3
Click Yes to permanently delete the rule from Cisco AI Endpoint Analytics.
After the custom rule is deleted, the endpoints profiled with this rule are updated with system rules.
Export and Import Custom Profiling Rules Across DNAC Deployments Using APIs
Cisco DNA Center Release 2.2.3 contains Cisco AI Endpoint Analytics APIs through which you can import, export, edit, and delete
custom profiling rules.
To enable the Cisco AI Endpoint Analytics API bundle:
In the Cisco DNA Center GUI, click the Menu icon and choose Platform > Manage > Bundles.
Find the bundle named AI Endpoint Analytics and click Enable.
The value in the Status column updates from Disabled to Active, and the list of APIs is displayed in this window. You can also view the expected request and response payloads for each
API.
After you enable the AI Endpoint Analytics API bundle, the AI Endpoint Analytics APIs are added to the Cisco DNA Center Developer
Toolkit. You can then access the APIs from the Developer Toolkit window (Platform > Developer Toolkit).
From both the Bundles and Developer Toolkit windows, you can:
Generate code preview to view the API code that you can use in a different tool to run the API.
Click Try It to run the API from the Cisco DNA Center GUI. You will receive a JSON response that you can copy and paste into a text editor
of your choice to continue working with.
Cisco AI Rules or Smart Grouping
Cisco AI Endpoint Analytics uses ML cloud to group unknown endpoints on your network dynamically. It also allows you to assign
custom labels to groups of unknown endpoints. You can review the clusters and accept or reject the profiling suggestions provided.
When you accept the profiling suggestions, a profiling rule is automatically created to profile the selected endpoints, and
to profile similar endpoints that join your network in the future.
Modify Profiling Rule Suggestions
The AI Proposal dashlet on the Endpoint Analytics home page displays rule suggestions based on the endpoint clusters generated by Smart Grouping. To view an AI proposal, click
Review adjacent to the corresponding proposal type and proceed according to the following decision chart.
Import Profiling Rules
You can migrate your custom profiling rules and Cisco AI rules by importing the .json files.
Procedure
Step 1
In the Profiling Rule window, click Actions
Step 2
Choose Import Profiling Rules.
Step 3
Click Choose a file and browse to the .json file on your system.
Step 4
Click OK.
Export Profiling Rules
You can export and back up custom rules and Cisco AI profiling rules from Cisco AI Endpoint Analytics. The Export Profiling Rules option exports all the available custom rules and Cisco AI profiling rules. You cannot selectively export rules.
Procedure
Step 1
In the Profiling Rules window, click Actions.
Step 2
Choose Export Profiling Rules.
Step 3
Click Yes to export all the custom and ML profiling rules. Click No to exit.
Note
You can import the same file again into Cisco AI Endpoint Analytics.
Hierarchy
The Cisco AI Endpoint Analytics hierarchy helps you create logical groupings of endpoints based on endpoint type. Creating
categories and subcategories for the endpoints improves endpoint visibility and simplifies the authorization process.
You can create categories from the All Endpoints default parent category. The category details such as total number of endpoints, endpoint types, and subcategories are listed
within individual boxes in the Hierarchy window.
You can create, edit, and delete the categories to reorder the hierarchy.
Create Category and Subcategory
Procedure
Step 1
In the Hierarchy window, click the horizontal ellipsis of the parent category.
Step 2
Click Create Category.
Step 3
Enter a category name.
Step 4
Click Enter.
What to do next
After you create a category, you can drag and drop endpoint types from the Endpoint Type window, or edit the category to add endpoints to it.
Edit a Category or Subcategory
Procedure
Step 1
In the Hierarchy window, click on the horizontal ellipsis of the category.
Step 2
Click Edit.
Step 3
In the Edit window that is displayed, enter the Category Name.
Step 4
Choose the Parent Category from the drop-down menu if you want to reassign the category.
Step 5
Click the Endpoint Type tab.
Step 6
Click Actions and select Add Endpoint Type.
Step 7
Choose the endpoint type from the Search Dropdown list.
Step 8
Click Save.
What to do next
In the Endpoint Type window, you can filter the endpoint types as All, Available, and Assigned.
Remove Endpoint Types from a Category
Procedure
Step 1
In the Hierarchy window, click the horizontal ellipsis of the category that contains the endpoint type you want to remove.
Step 2
Click Edit.
Step 3
In the Edit window, click the Endpoint Type tab.
Step 4
Check the check box adjacent to the endpoint type that you want to remove.
Step 5
Click Actions and choose Remove From Category.
The following message displays:
Are you sure you want to delete this category?
Step 6
Click Yes to remove the endpoint type from the category. Click No to exit.
Reassign Endpoint Types from Category
Procedure
Step 1
In the Hierarchy window, click the horizontal ellipsis of the category.
Step 2
Click Edit.
Step 3
In the Edit window, click the Endpoint Type tab.
Step 4
Check the check box adjacent to the endpoint type that you want to reassign.
Step 5
Click Actions and choose Re-assign to existing category or Re-assign to a new category.
Re-assign to existing category:
In the Reassign window, choose an existing category from the Category drop-down list.
Click Save.
Re-assign to a new category:
In the Reassign window, choose New Category from the Category drop-down list.
Choose a parent category from the Parent Category drop-down list.
Enter the category name in the New Category field.
Click Save.
Delete a Category
Before you begin
Before you delete a parent category, check its subcategories. You can reassign the subcategories to another existing category
or to a new category. Otherwise, all the subcategories will get deleted along with the parent category. You can also reassign
the subcategories while you are deleting a category.
Procedure
Step 1
In the Hierarchy window, click on the horizontal ellipsis of the category.
Step 2
Click Delete.
If you are deleting a category that has subcategories assigned to it, the Reassign Relationships dialog box is displayed. Select one of the following options:
Reassign to an existing category (reassigns the subcategories to an existing category):
Select a category from the Category drop-down list.
Click Reassign.
The parent category is deleted and its subcategories are reassigned to the selected category.
Reassign to a new category (reassigns the subcategories to a new category):
Select a parent category from the Parent Category drop-down list.
Enter the category name in the New Category field.
Click Reassign.
The parent category is deleted and its subcategories are reassigned to the new category.
Remove from category (deletes the subcategories along with the parent category):
Click Reassign.
The parent category and its subcategories are deleted.