Visibility is the first step towards securing an endpoint. Cisco AI Endpoint Analytics is an endpoint visibility solution
that helps you identify and profile endpoints and Internet of Things (IoT) devices. The Cisco AI Endpoint Analytics engine
enables you to assign labels to endpoints, using the telemetry information received from the network from various sources.
The profiling labels that are available in Cisco AI Endpoint Analytics are endpoint type, hardware model, manufacturer, and
operating system type. This is called multifactor classification.
Cisco AI Endpoint Analytics provides nuanced visibility and enforcement in your network with features like Trust Scores that
allow you to identify and act upon potentially risky endpoints and devices. You can also manage potential risks by applying
ANC policies through Cisco ISE, from the Cisco AI Endpoint Analytics GUI. You can monitor and work around the issue of random
and changing MAC addresses from endpoints in Cisco AI Endpoint Analytics and accurately identify endpoints through a unique
attribute called the DUID instead of MAC addresses.
Cisco AI Endpoint Analytics helps you gather endpoint telemetry from different sources. The primary source is the Network-Based
Application Recognition (NBAR) mechanism. The NBAR mechanism is embedded in Cisco Catalyst 9000 Series switches (access devices)
and performs deep packet inspection (DPI). Cisco AI Endpoint Analytics can also receive telemetry from Cisco DNA Traffic Telemetry
Appliances.
You can gather endpoint context information from various sources such as Cisco ISE, self-registration portals, and configuration
management database (CMDB) software such as ServiceNow.
Cisco AI Endpoint Analytics allows data inflow from a wide range of network devices, expanding your ability to easily identify
and profile endpoints with greater accuracy, and act upon any anomalies. You can aggregate varied endpoint information and
use the data to profile endpoints in Cisco AI Endpoint Analytics. After endpoints are profiled, AI and machine learning algorithms
can also be used to reduce the number of unknown endpoints by intuitively leveraging different methods.
Key Features of Cisco AI Endpoint Analytics
Cisco AI Endpoint Analytics dashboard
The Cisco AI Endpoint Analytics dashboard gives you a comprehensive view of the endpoints that are connected to your network.
You can view the number of known, unknown, profiled, and unprofiled endpoints, endpoints with low Trust Scores, and endpoints
that use random MAC addresses. The AI Proposals dashlet displays intelligent profiling suggestions to enhance endpoint profiling
and management.
Trust Scores to flag potentially risky endpoints
Cisco AI Endpoint Analytics assigns Trust Scores to endpoints to allow you to easily monitor and act on potentially risky
endpoints in your network. Behavioral anomalies are monitored and tracked, and a Trust Score is assigned based on the number
and frequency of the anomalies tracked. See Trust Scores for Endpoints.
Detect endpoints that use random MAC addresses
Cisco AI Endpoint Analytics enables you to handle the issue of random and changing MAC addresses by receiving from Cisco ISE
a unique endpoint identifier called the DUID (also known as GUID in Cisco ISE). Cisco AI Endpoint Analytics then uses the
DUID as the identifier for an endpoint, instead of its MAC address.
Reduce net unknowns with machine learning capabilities
Cisco AI Endpoint Analytics provides profiling suggestions based on learnings from endpoint groupings. You can use these suggestions
to reduce the number of unknown or unprofiled endpoints in your network.
Manage endpoints with system and custom profiling rules
Use Cisco-provided system rules and custom rules of your design to reliably profile and manage the endpoints connected to
your network.
Registration of endpoints through Cisco AI Endpoint Analytics
You can onboard and profile endpoints using Cisco AI Endpoint Analytics. The endpoint attribute data that is collected through
this registration process is used to profile the endpoints.
Registration of endpoints using external sources
You can connect some external sources of endpoint data, such as Configuration Management Databases (CMDB), to Cisco AI Endpoint
Analytics. This allows you to easily register, manage, and profile endpoints in your network.
Purge endpoints after a defined period of inactivity
Define an Endpoint Purge Policy to remove from your network the endpoints that have been inactive for a defined time. You
can define the period of inactivity after which an endpoint must be removed. You can also customize a purge policy to act
on a particular set of endpoints based on a profiling attribute.
FIPS Compliance
Note
Cisco DNA Center supports the United States' Federal Information Processing Standards (FIPS). FIPS is an optional mode that can be enabled
when installing the Cisco DNA Center image. By default, FIPS mode is disabled.
When FIPS mode is enabled in Cisco DNA Center, the following functions in the Cisco DNA Center GUI are unavailable:
The Enable AI Network Analytics dashlet under Optional Configurations section in AI Endpoint Analytics Setup window.
The AI Proposals dashlet in Policy > AI Endpoint Analytics > Overview.
The Profile Rule Settings tab in Policy > AI Endpoint Analytics > Overview > Configuration.
The AI Spoofing Detection section in Policy > AI Endpoint Analytics > Overview > Configuration > Trust Score Sources.
The AI Spoofing Detection section in Endpoint Anomaly Detection under Trust Score details for a particular endpoint in Policy > AI Endpoint Analytics > Endpoint Inventory.
The AI Spoofing Detection column in Policy > AI Endpoint Analytics > Endpoint inventory > Focus as Trust Score.
Set Up Cisco AI Endpoint Analytics in Cisco DNA Center
Install Software Updates
Install software updates in Cisco DNA Center to use Cisco AI Endpoint Analytics, as described in the following procedure.
Procedure
Step 1
Log in to Cisco DNA Center.
Step 2
Click the menu icon and choose System > Software Updates.
Step 3
In the Updates tab, check if Cisco AI Endpoint Analytics, AI Network Analytics, and Application Visibility Service are listed in the Application Updates section. If these application updates are visible, click the Install All button.
Install the Cisco AI Endpoint Analytics update to access the endpoint profiling solution in your Cisco DNA Center.
Install the AI Network Analytics update to use machine learning and AI capabilities to receive intelligent profiling suggestions.
Install the Application Visibility Service update to use NBAR and Controller-Based Application Recognition (CBAR) techniques to inform endpoint profiling.
Step 4
If any of these updates are not listed in the Updates tab, click the Installed Apps tab to check if the updates are already installed and are available for use. The Installed Apps tab also confirms if the software installation has been successful.
Connect and Enable Data Sources
The data sources that Cisco AI Endpoint Analytics uses may already be connected to your Cisco DNA Center. If the data sources are connected, see the following instructions to ensure that the data sources are available for use
by Cisco AI Endpoint Analytics.
You must add Cisco ISE or Catalyst 9000 Series access devices to Cisco DNA Center for Cisco AI Endpoint Analytics to provide results.
The following Cisco ISE releases support Cisco AI Endpoint Analytics:
2.4 Patch 11 and later
2.6 Patch 5 and later
2.7 Patch 1 and later
3.0 and later
In your Cisco ISE administration portal:
Choose Work Centers > Profiler > Settings.
In the Endpoint Analytics Settings area, check the following check boxes:
Publish Endpoint Attributes to AI Endpoint Analytics
Consume Endpoint Profiles from AI Endpoint Analytics
After Cisco ISE authenticates endpoints through 802.1X or MAB authentication methods, the endpoint attributes collected are made available
to Cisco AI Endpoint Analytics. Cisco ISE also shares telemetry data with Cisco AI Endpoint Analytics.
Step 2
Connect Cisco 9000 Series access devices to Cisco DNA Center for wired endpoints visibility.
To enable Cisco AI Endpoint Analytics features, upgrade your Cisco 9000 Series access devices to Cisco IOS-XE Release 17.6 or later.
To enable CBAR for the required access devices:
In the Cisco DNA Center GUI, click the menu icon and choose Provision > Services > Application Visibility.
Select the Cisco Catalyst 9000 access device that you need data from. Check the check box next to the device name in the Site Devices section.
Click Enable CBAR.
Click Yes in the subsequent confirmation window.
In the Enable CBAR slide-in pane, check the check box next to the supported SSID type.
Click Enable.
Step 3
(Optional) Connect Cisco Catalyst 9800 Series Wireless Controllers to Cisco DNA Center for wireless endpoints visibility.
The following Cisco Catalyst 9800 Series Wireless Controller models are supported by Cisco AI Endpoint Analytics:
9800-CL
9800-40
9800-80
9800-L
Cisco DNA Center Release 2.3.2 and later supports FlexConnect in Cisco Catalyst 9800 Series Wireless Controllers with Cisco IOS XE Release
17.7.1 and later. SD-AVC version 6 is not supported.
(Optional) Connect Cisco DNA Traffic Telemetry Appliances to Cisco DNA Center for wired and wireless endpoints visibility, and for third-party network device visibility.
Cisco DNA Traffic Telemetry Appliances (DN-APL-TTA-M) generate telemetry from mirrored network traffic for endpoint analytics.
This appliance enables Network-Based Application Recognition-based (NBAR-based) protocol inspection and endpoint attribute
extraction.
To receive endpoint attributes collected through the telemetry appliance in Cisco AI Endpoint Analytics, you must integrate Cisco ISE with Cisco DNA Center.
See Cisco DNA Traffic Telemetry Appliances for information on installing the appliances, connectivity configurations, and managing the appliances in Cisco DNA Center.
Enable CBAR on Switched Port Analyzer (SPAN)-receiving ports of access switches connected to Cisco DNA Traffic Telemetry Appliances
with the following command:
ip nbar protocol-discovery
Not all endpoints that are connected to the telemetry appliances are visible in Cisco AI Endpoint Analytics. Only endpoints that are also connected to Network Access Devices (NADs) that are managed in Cisco DNA Assurance are visible in Cisco AI Endpoint Analytics.
Step 6
(Optional) Enable ServiceNow in Cisco DNA Center.
After connecting ServiceNow to Cisco DNA Center, click the menu icon and choose Platform > Manage > Bundles.
If the Status of the bundle Endpoint Attribute Retrieval with ITSM (ServiceNow) is New, click Enable for the bundle.
Step 7
(Optional) Enable Cisco AI Analytics in Cisco DNA Center.
To receive suggestions about AI-based endpoint groupings, automated custom profiling rules, and endpoint labels, and to detect
potentially spoofed devices in your network, you must enable the required settings in the Cisco AI Analytics window.
You must install the AI Network Analytics software to receive these AI-based suggestions.
Click the menu icon and choose System > Settings > External Services > Cisco AI Analytics.
Click the toggle button for each of the following services that you want to enable:
AI Endpoint Analytics: AI Network Analytics leverages machine learning to drive intelligence in the network and enables you to effectively improve
network performance and accelerate issue resolution. AI Network Analytics significantly reduces noise and false positives
by analyzing network behavior and adapting to your network environment.
Endpoint Smart Grouping: Using AI and Machine Learning, Endpoint Smart Grouping reduces the number of unknown endpoints in your network by providing
AI-based endpoint groupings, automated custom profiling rules, and crowdsourced endpoint labels.
AI Spoofing Detection: AI Spoofing Detection identifies spoofed endpoints based on pretrained behavioral models. Enabling the Enable AI Spoofing Detection toggle button allows Cisco DNA Center to detect spoofed endpoints using these behavioral models and the flow information provided by the network devices. Several
behavioral models are centrally trained using the collected flow information gathered from participating customers. You can
also allow anonymized and censored data collection by enabling the Send data to help Cisco improve the model toggle button, to help Cisco further enhance behavioral models.
Endpoint Telemetry Sources
Cisco AI Endpoint Analytics receives telemetry data in the following ways.
Deep Packet Inspection
Deep packet inspection is an advanced method of packet analysis that is carried out by Cisco Catalyst 9000 Series access devices.
These access devices run NBAR, which inspects application traffic and performs protocol analysis to discover, identify, and
profile endpoints with high fidelity.
Deep packet inspection profiling is based on various attributes that are collected from endpoint traffic to the network. These
attributes are collected across multiple protocols, from packet header layers 4 to 7.
Configuration Management Database Connection
Cisco AI Endpoint Analytics receives endpoint data from your Configuration Management Database (CMDB) for greater
accuracy in endpoint profiling. The connection with ServiceNow enables you to receive information from the CMDB to Cisco AI
Endpoint Analytics.
Machine Learning Capabilities
Data collected for profiling is anonymized and sent to a Cisco cloud location that serves as a device data lake. Here, machine
learning algorithms analyze the data available to create profiling rules that you can evaluate and apply, as needed. Smart
profiling rules are suggested through Cisco AI Endpoint Analytics to help make endpoint profiling and management simpler and
more efficient for you. Existing rules are also evaluated, and improvement suggestions are provided, based on this continuous learning.
Cisco AI Endpoint Analytics Overview Window
Click the menu icon and choose Policy > AI Endpoint Analytics.
The Overview window displays the following dashlets:
Total Endpoints
This dashlet displays the total number of endpoints in your network in two groups, Fully Profiled and Missing Profiles. Cisco AI Endpoint Analytics profiles endpoints based on four factors, Endpoint Type, OS Type, Hardware Model, and Hardware
Manufacturer. If one or more of these factors are missing for an endpoint, it is profiled in the Missing Profiles group.
Click Missing Profiles Labels to view the number of endpoints in your network with missing profiles, categorized by profile label type. To check the endpoints
with a specific missing profile label, click the number next to the profile label. The Endpoint Inventory tab is displayed with the corresponding list of endpoints.
AI Proposals
Cisco AI Endpoint Analytics uses smart grouping algorithms to group unknown endpoints in your network that have similar profiling
data. If you have enabled AI Endpoint Analytics, you will receive the following types of rule proposals. These rule proposals
are based on learnings from endpoint clusters:
New rules for profiling endpoints that may be similar.
Modification proposals for previously accepted rules.
Review of profiling rules that are no longer needed.
Trust Score Sources: Click the toggle buttons to enable or disable Trust Score sources. You cannot disable the Authentication Method source. If an active Cisco ISE integration is configured, the authentication method used by the endpoint and its posture
status will inform the Trust Score of an endpoint. You can enable or disable other sources of Trust Score data such as AI Spoofing Detection, Changed Profile Labels, NAT Mode Detection, Concurrent MAC Addresses, and Security Sensor.
Integrate Cisco AI Endpoint Analytics with Talos Intelligence
Talos Intelligence is a comprehensive threat-detection network. Talos Intelligence is composed of threat detection analysts and real-time automated
detection systems that span web requests, emails, malware samples, open-source data sets, endpoint intelligence, and network
intrusions. Integrate Cisco AI Endpoint Analytics with Talos to flag network connections that reach out to untrusted IP addresses, quarantine them, and protect your network
from the most common cyber threats.
The Cisco DNA Cloud communicates with the Talos Intelligence Cloud Service to obtain the updated IP Reputation data every
30 minutes. This update in the IP Reputation data is pushed to all registered Cisco DNA Center devices.
To set up Talos Intelligence on your Cisco DNA Center device, complete the following steps.
Before you begin
The prerequisites for integrating Cisco AI Endpoint Analytics with Talos Intelligence are:
Cisco DNA Center must be registered with Cisco DNA Cloud.
Note
When a user isn’t registered with Cisco DNA Cloud, a warning is displayed next to the toggle button under the Talos IP Reputation setting in the Cisco DNA Center GUI.
The account must be subscribed to the Talos offer on Cisco DNA Cloud.
For the Talos IP Reputation feature to work smoothly, enable application telemetry and choose Cisco DNA Center as the NetFlow collector.
Procedure
Step 1
Create a Cisco DNA Cloud account. On Cisco DNA Cloud, subscribe to the Talos offer and select the appropriate Cisco DNA Center region.
Step 2
Under On-prem Connections, register your Cisco DNA Center device. A One Time Password (OTP) is sent to your device. The OTP is valid for 30 minutes.
Step 3
On the Cisco DNA Center home page, register your Cisco DNA Center device to Cisco DNA Cloud using the OTP for cloud authentication (System-Settings > Cloud Authentication).
Note
After registering your Cisco DNA Center device to Cisco DNA Cloud, wait for 3 minutes before proceeding to the next step.
Step 4
On the Cisco DNA Center AI Endpoint Analytics window (AI Endpoint Analytics > Configurations > Trust Score Sources), click the Talos IP Reputation toggle button to enable it. You can enable Talos IP Reputation from either the Trust Score window or the Cisco DNA Center System Settings window.
After Talos IP Reputation is enabled, Cisco DNA Center receives the updated IP Reputation data whenever it’s available. If an endpoint in the network tries to access an untrusted
IP address, it’s flagged, and a warning message stating Detected is displayed for Talos IP Reputation in the Trust Score view for an endpoint. This warning reduces the overall Trust Score
of the endpoint. The Talos IP Reputation feature records the untrusted IP addresses accessed and the number
of access attempts made by an endpoint. This information is useful when deciding whether to increase the security of the network.
The Talos Reputation window (Cisco DNA Center System Settings > Talos IP Reputation) displays the latest versions of various files received from Talos. The time when these files were received is also displayed.
IPv4 and IPv6 files are Talos IP reputation data files, and are typically updated once a day. However, the Threat Level file is metadata and changes in this file are rare.
Publish Authorization Attributes to Cisco ISE
Publish Cisco AI Endpoint Analytics profile data to Cisco ISE to authorize endpoint access to the network and for endpoint
control. The attribute information that is shared by Cisco AI Endpoint Analytics is then easily accessible to a Cisco ISE
administrator through the AI Endpoint Analytics dictionary. A Cisco ISE administrator can easily create authorization policies
in Cisco ISE. The following attributes are shared with Cisco ISE:
The overall trust score and the score for each anomaly that is recorded.
If your Cisco DNA Center has an active integration with Cisco ISE Release 3.1 and later releases, and you want to publish
authorization attributes to Cisco ISE, carry out the following tasks.
Procedure
Step 1
To enable attribute sharing in Cisco DNA Center, do the following:
In the Cisco AI Endpoint Analytics Overview window, click Configurations.
Click ISE Integration from the left panel.
Click the Enable Profile Publishing to ISE toggle button to enable the feature.
Check the Asset Topic Based Integration or Enhanced Authorization Integration check boxes, or both, depending on which type of topic you want to use to publish attribute information to Cisco ISE.
Click Save.
Step 2
To enable pxGrid subscription in Cisco ISE, do the following:
In the Cisco ISE GUI, click the menu icon and choose Work Centers > Profiler > Settings.
If you are connected to Cisco ISE Release 3.1, in the Endpoint Analytics Settings area, check the following check boxes:
Publish Endpoint Attributes to AI Endpoint Analytics
Consume Endpoint Profiles from AI Endpoint Analytics
What to do next
To verify the subscription, from the Cisco ISE main menu, choose Administration > pxGrid Services > Diagnostics > WebSocket > Clients. The newly created subscription containing “com.cisco.ea.data.ise-<Cisco ISE node>” is displayed in the Subscription column of the PSN nodes.
In the Cisco ISE Policy > Policy Sets window, a new dictionary that is named Endpoint-Analytics is visible in the Conditions Studio.
In the Cisco ISE Context Visibility > Endpoints window, click MAC Address for endpoint details. The attributes area of the details displays attributes that contain "EA-" prefixes for the attributes
that are received from Cisco AI Endpoint Analytics.
Endpoint Purge Policies
Define an Endpoint Purge Policy to remove from your network the endpoints that have been inactive for a defined time. You
can define the period of inactivity after which an endpoint must be removed. You can also customize a purge policy to act
on a particular set of endpoints based on a profiling attribute. Purge policies are executed at 2 A.M. (server time) every
day, and the endpoints that meet the defined purge requirements are removed from your network.
Registered endpoints and static endpoints that are imported into Cisco AI Endpoint Analytics are not affected by endpoint purge policies.
The Backup and Restore operation in your Cisco DNA Center and the endpoint purge activity cannot run simultaneously. If a Backup and Restore operation is in progress at 2 A.M., the
purge activity is not initiated. If a Backup and Restore operation starts while an endpoint purge activity is in progress, the endpoint
purge stops running, and the purge activity is left incomplete. The remaining endpoints are not acted on until the next purge
is executed at 2 A.M. (server time) the next day.
To view, edit, or add endpoint purge policies, click the menu icon and choose Policy > AI Endpoint Analytics > Configurations > Endpoint Purge Policy. The following policies are available by default:
Default
Random MAC Default
You cannot edit these default policies. You can only enable or disable them.
Create a Purge Policy
Procedure
Step 1
Click the menu icon and choose Policy > AI Endpoint Analytics > Configurations > Endpoint Purge Policy.
Step 2
Click Add Endpoint Purge Policy.
Step 3
In the Add Endpoint Purge Policy dialog box, click Let's Do It to go directly to the workflow.
Step 4
In the Define Policy Details window, do the following:
Enter a name for your policy in the Rule Name field.
From the Select Status drop-down list, choose Enabled or Disabled.
Define the time of inactivity after which an endpoint must be purged. Enter a value (in days) in the Elapsed Greater than or Equal to field. The accepted value range is from 5 to 180 days.
Step 5
(Optional) In the Define Additional Policy Conditions window, choose the profiling attributes, to filter the endpoints that are impacted by this purge policy. Check the check
box next to the attribute you want to select and choose the required values from the drop-down lists displayed for the attribute.
Step 6
The Summary window displays your Purge Policy configuration. Review the details that are displayed and click Done to create the policy.
What to do next
Audit Logs of Endpoint Purge Activities
After you enable an Endpoint Purge Policy and a purge activity is executed, you can view the audit logs of an endpoint purge
activity:
Click the menu icon and choose Activities > Audit Logs.
Check the description fields of the audit logs to find the logs related to the execution of a purge policy.
Click the appropriate audit logs to view the details of the Purge Policy that was executed.
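The purge rules described in this section (daily run at 2 A.M. server time, a 5 to 180 day inactivity threshold, optional profiling-attribute conditions, exemption of registered and static endpoints, and no run while Backup and Restore is in progress) can be modeled offline to preview what a policy would remove before you enable it. The following Python sketch is an added example, not Cisco code or a Cisco DNA Center API. The class names, the label keys (endpoint_type, os_type), the first-matching-policy precedence, and all sample data are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_DAYS, MAX_DAYS = 5, 180  # accepted range of "Elapsed Greater than or Equal to"


@dataclass
class PurgePolicy:
    name: str
    inactive_days: int
    enabled: bool = True
    # Optional additional conditions: label key -> set of accepted values.
    conditions: dict = field(default_factory=dict)

    def __post_init__(self):
        if not MIN_DAYS <= self.inactive_days <= MAX_DAYS:
            raise ValueError(f"{self.name}: inactivity must be {MIN_DAYS}-{MAX_DAYS} days")


@dataclass
class InventoryRow:
    mac: str
    last_seen: datetime
    exempt: bool = False  # registered endpoint or imported static endpoint
    labels: dict = field(default_factory=dict)


def next_purge_run(now: datetime) -> datetime:
    """Next daily run at 02:00 server time, strictly after `now`."""
    run = now.replace(hour=2, minute=0, second=0, microsecond=0)
    return run if run > now else run + timedelta(days=1)


def matches(policy: PurgePolicy, row: InventoryRow, run_time: datetime) -> bool:
    if not policy.enabled or row.exempt:
        return False
    # Assumption: "greater than or equal to N days" is measured as elapsed time.
    if run_time - row.last_seen < timedelta(days=policy.inactive_days):
        return False
    return all(row.labels.get(k) in allowed for k, allowed in policy.conditions.items())


def preview_purge(rows, policies, run_time, backup_in_progress=False):
    """Return {mac: policy name} for endpoints the run at `run_time` would remove."""
    if backup_in_progress:  # the purge is not initiated during Backup and Restore
        return {}
    hits = {}
    for row in rows:
        for policy in policies:  # assumption: the first matching policy wins
            if matches(policy, row, run_time):
                hits[row.mac] = policy.name
                break
    return hits


# Constructed sample data (not taken from any real deployment).
POLICIES = [
    PurgePolicy("Stale cameras", 30, conditions={"endpoint_type": {"IP Camera"}}),
    PurgePolicy("Guest churn", 5, conditions={"os_type": {"Android", "iOS"}}),
    PurgePolicy("Everything idle", 10, enabled=False),
]
ROWS = [
    InventoryRow("00:11:22:00:00:0a", datetime(2024, 1, 1), labels={"endpoint_type": "IP Camera"}),
    InventoryRow("00:11:22:00:00:0b", datetime(2024, 3, 6, 2, 0), labels={"os_type": "Android"}),
    InventoryRow("00:11:22:00:00:0c", datetime(2024, 3, 6, 2, 1), labels={"os_type": "Android"}),
    InventoryRow("00:11:22:00:00:0d", datetime(2023, 6, 1), exempt=True,
                 labels={"endpoint_type": "IP Camera"}),
    InventoryRow("00:11:22:00:00:0e", datetime(2024, 2, 1), labels={"os_type": "Windows"}),
]

if __name__ == "__main__":
    run_at = next_purge_run(datetime(2024, 3, 10, 14, 30))
    for mac, policy_name in preview_purge(ROWS, POLICIES, run_at).items():
        print(f"{run_at:%Y-%m-%d %H:%M} would purge {mac} (policy: {policy_name})")
```

Compare the preview with the audit log entries for the same run to confirm that a custom policy removed only the endpoints you intended.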
Configure Endpoint Subnet Inspection
In a deployment, devices at the access layer and devices above the access layer have different IP subnets. In the case of
Cisco TTA devices, endpoint profiling accuracy is optimum when only southbound traffic is analyzed by Cisco AI Endpoint Analytics. To allow better endpoint profiling, configure specific IP subnets or subnet ranges that must be analyzed by Cisco AI Endpoint Analytics.
This configuration of filtered subnets is then shared with Cisco SD-AVC servers. The configuration is applied on Cisco TTA
devices through Cisco SD-AVC servers.
Procedure
Step 1
Click the menu icon and choose Policy > AI Endpoint Analytics > Configurations > Endpoint Subnet Inspection.
Step 2
Enter the required value in the IP Subnet field.
Step 3
Click + to add another IP subnet. You can add multiple subnets or subnet ranges in this window.
Endpoint Inventory
The Endpoint Inventory tab displays details of the endpoints that are connected to Cisco AI Endpoint Analytics through the configured data sources.
The tab contains two views that you can choose from using the Focus drop-down list:
All Endpoints: This is the default view for the Endpoint Inventory tab. This view displays the profiling information of all the connected
endpoints.
To edit or customize the endpoint inventory table that is displayed, click the gear icon in the right corner at the top of
the table. The pane that is displayed contains the Table Appearance, Edit Table Columns, and Edit Custom Views menus where you can choose a table view, the information that you want displayed in the table, and create custom views.
Click Apply to save the changes, or click Reset All Settings to apply the default settings for the endpoint inventory table.
Trust Score: This view displays columns for the various factors that inform the overall Trust Score of an endpoint. The Trust Score helps
you identify the endpoints in which behavioral anomalies have been detected, so you can examine the details of the endpoint
and take the necessary remediation actions. If you apply an ANC policy to an endpoint to manage its low Trust Score, the Trust
Score view also displays the name of the ANC policy applied and when the policy was applied. See Trust Scores for Endpoints.
You can easily filter a set of endpoints based on your requirement. The search bar at the top of the table allows you to easily
find a filter parameter. You can type and use the assisted search feature, or you can scroll the drop-down that is displayed
to find and select the required parameters.
Most of the columns in the All Endpoints and Trust Score tables contain quick filters. While some filters display drop-down menus for you to choose values from, some filters are
text fields you can type into.
You can register endpoints, and edit, delete, and profile the registered endpoints. You can select single or multiple endpoints
by checking the check box near the MAC addresses to filter and perform a particular action on the chosen endpoints from the
Actions drop-down list.
To see the complete profiling details of an endpoint, click the MAC Address of the endpoint. A slide-in dialog box is displayed which contains user details, endpoint details, and attribute details
of the endpoint.
In the Details tab, the following new fields are displayed in Cisco DNA Center 2.2.2 and later, with the details received from Cisco ISE:
Authentication Status: This field displays Started when an endpoint is authenticated through Cisco ISE, and Disconnected when it is not.
Authorization Profile: The authorization policies configured for an endpoint in Cisco ISE are displayed here.
Security Group Tag: The Security Group Tags configured for an endpoint in Cisco ISE are displayed here.
In Cisco DNA Center 2.2.2 and later, the Trust Score tab is available in the slide-in dialog box for endpoint details. This tab displays details of the various factors that inform
the Trust Score of an endpoint. See Trust Scores for Endpoints.
In Cisco DNA Center 2.2.3 and later, the Details tab contains the Previous MAC Addresses area, which displays the MAC addresses that have been used by an endpoint which has the MAC Randomization feature enabled
on it. See Trust Scores for Endpoints with Random and Changing MAC Addresses.
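To show why an inventory keyed on the DUID stays accurate when endpoints rotate their MAC addresses, the following Python sketch builds an inventory from session observations and keeps a Previous MAC Addresses list per endpoint. It is an added example, not Cisco code: the record layout, function names, and sample data are assumptions, and flagging a MAC as random by its locally administered bit is the general IEEE 802 convention, not a documented description of how the product detects random MACs.

```python
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits (accepts ':', '-' and '.' separators)."""
    digits = "".join(c for c in mac if c not in ":-.").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac: str) -> bool:
    """True for a unicast address with the locally administered bit (0x02) set.

    Randomized ("private") MAC addresses set this bit; burned-in vendor
    addresses do not.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


@dataclass
class Endpoint:
    key: str                    # "duid:<value>" when a DUID is known, else "mac:<mac>"
    current_mac: str
    previous_macs: list = field(default_factory=list)
    uses_random_mac: bool = False


def build_inventory(observations):
    """observations: iterable of (timestamp, mac, duid_or_None). Returns {key: Endpoint}."""
    inventory = {}
    for _ts, raw_mac, duid in sorted(observations, key=lambda o: o[0]):
        mac = normalize_mac(raw_mac)
        mac_key = f"mac:{mac}"
        key = f"duid:{duid}" if duid else mac_key
        if duid and mac_key in inventory and key not in inventory:
            # First seen without a DUID: promote the MAC-keyed entry instead of
            # creating a second endpoint for the same device.
            promoted = inventory.pop(mac_key)
            promoted.key = key
            inventory[key] = promoted
        ep = inventory.get(key)
        if ep is None:
            ep = inventory[key] = Endpoint(key=key, current_mac=mac)
        elif ep.current_mac != mac:
            if ep.current_mac not in ep.previous_macs:
                ep.previous_macs.append(ep.current_mac)
            ep.current_mac = mac
        ep.uses_random_mac = ep.uses_random_mac or is_locally_administered(mac)
    return inventory


def mac_keyed_count(observations) -> int:
    """Endpoint count a MAC-keyed inventory would report for the same data."""
    return len({normalize_mac(mac) for _ts, mac, _duid in observations})


# Constructed sample observations: (timestamp, MAC, DUID or None).
OBSERVATIONS = [
    (1, "3c:22:fb:10:20:30", None),               # printer, burned-in MAC, no DUID
    (2, "da:a1:19:00:00:01", "duid-phone-01"),    # phone, randomized MAC
    (3, "f2:5c:7e:00:00:02", "duid-phone-01"),    # same phone after MAC rotation
    (4, "a6:10:44:00:00:03", "duid-phone-01"),    # same phone, rotated again
    (5, "02:42:ac:11:00:02", None),               # laptop seen before its DUID is known
    (6, "0242.ac11.0002", "duid-laptop-07"),      # same laptop, DUID now available
]

if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    print(f"MAC-keyed count: {mac_keyed_count(OBSERVATIONS)}, DUID-keyed count: {len(inv)}")
    for ep in inv.values():
        print(ep.key, ep.current_mac, ep.previous_macs, "random" if ep.uses_random_mac else "")
```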
Export Cisco AI Endpoint Analytics Data
To export a list of endpoints and their details from this window, click Export. If you apply any filters in the Endpoint Inventory window, only the filtered endpoints will be processed for export. To export the details of all the endpoints, ensure that
no filters are applied when you click Export.
When you click Export, a new tab opens with the Reports window. The Generated Reports window contains a list of exports initiated, with the latest export request at the top of the list. A report generated from
the Endpoint Inventory window contains AI Endpoint Analytics in its Template Category column. Report generation takes a few minutes. When a report is ready for download, the value in the Last Run column changes from Not Initiated to a timestamp with a download icon next to it. The timestamp refers to the time at which the export list was generated.
Click the download icon to download a CSV file of the list of endpoints to your system.
You can also export Cisco AI Endpoint Analytics data from the Reports window, through the following steps:
Note
You must run your first export of AI Endpoint Analytics data for endpoints from the Endpoint Inventory window. Then you can generate AI Endpoint Analytics reports directly from the Reports window.
Procedure
Step 1
Click the menu icon and choose Reports > Report Templates > AI Endpoint Analytics.
Step 2
If a task overview window appears, click Let's Do It to go directly to the workflow.
Note
To skip this screen in the future, check the Don't show this to me again check box.
Step 3
In the Select Report Template window, the template Endpoint Profiling is applied by default.
Step 4
In the Setup Report Scope window, do the following:
Enter a name in the Report Name field.
Define the filters that you want to apply to the list of endpoints that you want to export from the Endpoint Inventory window.
To export the details of all endpoints, do not choose any values in the Scope area.
Step 5
In the Select File Type window, the Client Details area allows you to review the chosen parameters. Edit the information to be exported by checking or unchecking the check
boxes next to the relevant fields.
Step 6
In the Schedule Report window, click the Run Now, Run Later (One-Time), or Run Recurring radio button.
Note
The Run Later (One-Time) and Run Recurring options display scheduling fields to define the time of export.
Step 7
In the Delivery and Notification window, do not check the Email Report check box.
Step 8
In the Summary window, review all the configurations. To make any changes, click Edit.
Step 9
Click the View Reports link in this window for a list of generated reports. It takes a few minutes for the report to be generated and displayed
in this window.
Filter Endpoints
Use this procedure to filter the endpoints based on their profiling data, primary profiling labels, known profiles, and health
status.
Procedure
Step 1
In the Endpoint Inventory window, click Filter.
Step 2
Define the following filters by choosing a value from the corresponding drop-down list or clicking the radio button for the
required value, as applicable:
Mac Address
Trust Score
Endpoint Type
Hardware Model
Hardware Manufacturer
OS Type
Registered
Is Random Mac
Step 3
Click Apply.
You can also filter the profiled endpoints displayed by the four primary profiling labels. Click one or more of the labels
in the View Known Profiles section.
The health status of endpoints is updated every five minutes.
Attribute Glossary
The Attribute Glossary is a list of all the profiling attributes available from Cisco ISE probe data.
To view all the profiling attributes, follow these steps.
Procedure
Step 1
In the Endpoint Inventory window, click the MAC address of an endpoint.
Step 2
In the new area that is displayed on the right side, click View Attribute Glossary.
The Attribute Glossary window displays the following information for each attribute:
Key profiling attributes
Description
Associated Profile Labels
Source
Dictionary
Discovery Method
The glossary gives you a detailed view of all the profiling attributes. If a profiling attribute is frequently used to create
a profile label, the label is listed in the Associated Profile Labels column.
You can also view the attribute glossary in the Choose Attribute Condition window while creating a logical condition for the rules. For more information, see Create a Custom Rule.
Register Endpoints
You can onboard and profile new endpoints by registering them in Cisco AI Endpoint Analytics. The profiling information of
an endpoint is the source of truth for classification. You can also update new profile information for a registered endpoint
using the Register Endpoint option.
Procedure
Step 1
Choose Actions > Register Endpoints.
Step 2
Choose whether you want to register a single endpoint or multiple endpoints, by clicking the Single or Bulk radio button.
Option: Single
Enter the MAC Address, Endpoint Type, Hardware Model, and Hardware Manufacturer for the endpoint.
Option: Bulk
Download a .csv template by clicking the Download .csv Template option.
In the downloaded .csv file, enter the following details for each endpoint you must register: MAC address, endpoint type, hardware model, and hardware manufacturer. Save this file.
Upload the .csv file using the Choose a File option.
You can register a maximum of 500 endpoints at a time using the Bulk option.
Step 3
Click Next.
Step 4
Review the endpoint details in the Review Endpoint window. You can also edit the endpoint details, if changes are required.
Note
While registering an existing endpoint, the profile label changes of the endpoint are reflected in purple color and can be
edited.
Step 5
Click Next to continue with the registration process.
Step 6
Click Register.
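A pre-upload check for the Bulk option can catch rows that would have to be corrected later in the Review Endpoint window. The following Python code is an added example, not part of the product or of Cisco's documentation. The column header names are assumed from the field names above (the real template's headers may differ), and the sample rows are constructed.

```python
import csv
import io
import re

MAX_BULK_ROWS = 500  # per-upload limit stated for the Bulk option
# Assumed header names, taken from the field names in the text, not from the real template.
COLUMNS = ("MAC Address", "Endpoint Type", "Hardware Model", "Hardware Manufacturer")


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:.\-\s]", "", raw or "").upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (IEEE locally administered address)."""
    return bool(int(mac[:2], 16) & 0x02)


def check_bulk_csv(text):
    """Validate registration CSV text. Returns (batches, errors, warnings)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], ["missing column(s): " + ", ".join(missing)], []

    rows, errors, warnings = [], [], []
    first_seen = {}  # normalized MAC -> line on which it first appeared
    for row in reader:
        line = reader.line_num
        mac = normalize_mac(row["MAC Address"])
        if mac is None:
            errors.append(f"line {line}: invalid MAC address {row['MAC Address']!r}")
            continue
        blank = [c for c in COLUMNS[1:] if not (row[c] or "").strip()]
        if blank:
            errors.append(f"line {line}: empty field(s): {', '.join(blank)}")
            continue
        if mac in first_seen:
            errors.append(f"line {line}: {mac} duplicates line {first_seen[mac]}")
            continue
        first_seen[mac] = line
        if is_locally_administered(mac):
            # Randomized (private) MAC addresses set this bit, so a registration
            # keyed on such an address may not follow the device.
            warnings.append(f"line {line}: {mac} is locally administered (possibly randomized)")
        rows.append({"MAC Address": mac, **{c: row[c].strip() for c in COLUMNS[1:]}})

    # Split the valid rows into uploads that respect the 500-endpoint limit.
    batches = [rows[i:i + MAX_BULK_ROWS] for i in range(0, len(rows), MAX_BULK_ROWS)]
    return batches, errors, warnings


# Constructed sample input; none of these values come from a real network.
SAMPLE = """MAC Address,Endpoint Type,Hardware Model,Hardware Manufacturer
00:11:22:33:44:55,Printer,Example-Printer,Example Corp
0011.2233.4455,Printer,Example-Printer,Example Corp
DA-A1-19-00-00-01,Phone,Example-Phone,Example Corp
00:11:22:33:44,Camera,Example-Camera,Example Corp
00:11:22:33:44:66,Camera,,Example Corp
"""

if __name__ == "__main__":
    batches, errors, warnings = check_bulk_csv(SAMPLE)
    print(f"{sum(len(b) for b in batches)} valid row(s) in {len(batches)} batch(es)")
    for msg in errors + warnings:
        print(msg)
```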
Edit Registered Endpoints
You can update the profiling information of registered endpoints from the Endpoint Inventory window.
Procedure
Step 1
Check the check box adjacent to the MAC address of the endpoint that you want to edit.
Step 2
Click Actions.
Step 3
Click Edit Endpoint.
Step 4
Enter the Endpoint Type, Hardware Model, and Hardware Manufacturer details.
Step 5
Click Save.
Delete Registered Endpoints
If there are registered endpoints that are no longer a part of your network, you can delete them from Cisco AI Endpoint Analytics.
Procedure
Step 1
Check the check box adjacent to the MAC address of the endpoints that you want to delete.
Step 2
Click Actions.
Step 3
Click Delete Endpoint.
The following message is displayed:
Do you really want to delete the selected endpoint(s)?
Step 4
Click Yes to permanently delete the endpoint from Cisco AI Endpoint Analytics.
Trust Scores for Endpoints
Cisco AI Endpoint Analytics assigns Trust Scores to endpoints to allow you to easily monitor and act on potentially risky endpoints in your network.
Behavioral anomalies are monitored and tracked, and a Trust Score is assigned based on the number and frequency of the anomalies
tracked.
To choose the sources that must be included in the calculation of Trust Scores, from the Cisco AI Endpoint Analytics Overview window, choose Configuration > Enable Trust Sources. Click the toggle button for each of the sources you want to enable.
Cisco AI Endpoint Analytics generates historical Trust Scores based on the following factors:
The history of anomalies associated with an endpoint—how many anomalies have been detected for this endpoint?
The severity of each anomaly detected for the endpoint.
In Cisco DNA Center 2.2.3 and later, the overall Trust Score calculation for an endpoint factors in the following anomalies, and a score is displayed
for each anomaly that is detected (if the corresponding source is enabled):
AI Spoofing Detection
Cisco AI Endpoint Analytics analyzes NetFlow telemetry data, and network probe data from Cisco ISE and SD-AVC devices, to detect spoofed endpoints. For
more information on how to configure NetFlow Collector servers, see Configure Syslog, SNMP Traps, NetFlow Collector Servers, and Wired Client Data Collection Using Telemetry. In Cisco DNA Center 2.3.2 and later, probe and NetFlow data from Cisco DNA Traffic Telemetry Appliances (DN-APL-TTA-M) is also analyzed. Configure inbound span of traffic toward your Cisco DNA Traffic Telemetry Appliances so the endpoint traffic data is then available to Cisco AI Endpoint Analytics for spoofing detection.
Each endpoint type has a behavior model that is developed using machine learning algorithms. Based on the data received for
an endpoint, if the endpoint’s behavior is not what is expected of its endpoint type profile, the endpoint is assigned a low Trust Score
in the AI Spoofing Detection area. The applications and server ports that are used by an endpoint are analyzed in this spoofing
detection process. For example, if an endpoint profiled as a printer uses a video calling application, it is identified as
a spoofed endpoint and assigned a Trust Score.
Endpoints are identified by their MAC addresses on a Cisco DNA Center-managed switch. Several endpoints using a single MAC address, for example through NAT or by running a virtual machine or a container,
is not a supported configuration in Cisco AI Endpoint Analytics.
AI Spoofing Detection currently covers the following device types:
IP Phones
Printers
Cameras
Building automation devices with the following hardware model attributes:
Automated-Logic-Device
Honeywell-Device
Johnson-Controls-Device
Rockwell-Automation-Device
Schneider-Electric-Device
Siemens-Automation-Device
Siemens-Building-Device
Trane-Device
Telepresence:
Endpoints with one of the following hardware models:
Cisco-Tandberg-Device
Cisco-TelePresence
Cisco Telepresence SX80
Cisco Telepresence SX20
Cisco-Collaboration-Room-Endpoint
Poly-Device
Endpoints with the device type Video Conferencing
Changed Profile Labels
When a device joins a network, and then through periodic probing while the device is active, the profiling data for an endpoint
is continuously monitored and updated. Certain changes in the profiling data that is received from an endpoint are flagged
as anomalies in Cisco AI Endpoint Analytics. For example, if an endpoint was first profiled as a Linux device and is then profiled as a macOS device, this is flagged
as a high-severity anomaly. A score is assigned in the Changed Profile Label column for the endpoint and the endpoint’s overall
Trust Score is also updated to reflect this change.
However, if there is a change in the version of macOS and the endpoint appears to have downgraded from a later release to
an earlier release, such a change is flagged as a lower priority anomaly and the corresponding scores are updated accordingly.
NAT Mode Detection
If you have a NAT-enabled router in your network, an endpoint that is connected to a NAT router is recognized by the IP or
MAC addresses of the router instead of the IP or MAC addresses of the specific endpoint. Information on NAT-enabled routers
is collected from the Cisco Catalyst 9000 Series devices they are connected to.
Concurrent MAC Addresses
Identify the endpoints that share the same MAC addresses and are connected to Cisco Catalyst 9000 Series devices. The endpoints
with shared MAC addresses are assigned a Concurrent MAC Address score, and you can easily identify these endpoints and examine
their details.
Security Sensor
With the Security Sensor scan feature, you can install active probes on specific Cisco Catalyst 9000 Series switches, and
configure Cisco AI Endpoint Analytics to scan endpoints for open ports that are not expected to be open, for credential vulnerabilities or both.
The Trust Score of an endpoint is also informed by the following events that are collected from Cisco ISE. Every endpoint that authenticates through Cisco ISE receives an initial Trust Score based on the following events:
Authentication Method
Posture
Note
For the Trust Score sources that receive data from Cisco Catalyst 9000 Series devices, you must enable CBAR on the devices
and upgrade the devices to Cisco IOS-XE Release 17.6 or later.
The Trust Score that is displayed in the Endpoint Inventory window is the overall Trust Score, which takes into account the history and severity of anomalies for an endpoint. This means that if a low-level anomaly
was detected for an endpoint, and this is the only instance of an anomaly, the overall Trust Score for the endpoint would
be a 9, even if the actual Trust Score for the anomalous event is a 7. Click the MAC Address to view the details of the causes for the Trust Score that is assigned to an endpoint.
If multiple low-level anomalies are detected, the overall Trust Score would further decrease to account for the number of
anomalies.
The trust scores assigned range from 1 through 10, and are categorized as follows:
Trust Score Category | Range | Threat Level of Endpoint
Low | 1–3 | High
Medium | 4–6 | Moderate
High | 7–10 | Low
You can then apply Adaptive Network Control (ANC) policies from Cisco ISE to enforce appropriate remediation actions on the endpoints. See section “Adaptive Network Control” in Chapter “Cisco ISE
Admin Guide: Maintain and Monitor” of the Cisco ISE Administrator Guide.
The ANC policies are defined in Cisco ISE and allow you to apply remediation actions on chosen endpoints. You can apply ANC policies to quarantine, shut down, or port
bounce an endpoint, or force endpoint reauthentication. When you apply an ANC policy to an endpoint with an undesirable Trust
Score in Cisco AI Endpoint Analytics, a Change of Authorization (CoA) is sent to the endpoint from Cisco ISE.
An endpoint is identified by its MAC address. Cisco ISE sends the CoA to the endpoints that hold an active session for the identified MAC address at the time of the ANC application.
Any endpoint with the same MAC address that does not have an active session in Cisco ISE at the time matches the ANC policy when a new session starts or when it must reauthenticate at the end of the configured
reauthentication timer.
To verify which endpoint is being acted upon by the ANC policy, log in to your Cisco ISE administration portal. From the main menu, choose Operations > RADIUS > Live Sessions. Enter the MAC address of the spoofed endpoint in the Endpoint ID column, to filter the endpoints that share the same MAC address and currently have live sessions in Cisco ISE. These are
the endpoints that will be affected by the ANC policy.
To view a historic log of the RADIUS sessions in Cisco ISE, from the main menu, choose Operations > Reports > Reports > Endpoints and Users > RADIUS Authentications.
To view or modify ANC policy application on endpoints in Cisco ISE, from the main menu, choose Context Visibility > Endpoints. Check the check box next to the MAC address of an endpoint and click the options that are displayed at the top of the list,
as required.
Prerequisites
Prerequisites for receiving Trust Scores for endpoints:
Cisco DNA Center is upgraded to Release 2.2.2 or later.
Cisco ISE is connected to your on-premises Cisco DNA Center.
Network access devices are managed by both Cisco DNA Assurance and Cisco ISE.
Note
The endpoint spoofing detection feature supports a maximum of 500 network access devices with NetFlow export flows, as Cisco DNA Assurance supports only 500 NetFlow exporters.
Endpoints connected to network access devices are authenticated through Cisco ISE.
Enable the required sources for Trust Score calculation in the Trust Score Sources window (Policy > AI Endpoint Analytics > Configurations > Trust Score Sources).
Changed Profile Labels
Cisco AI Endpoint Analytics collects data from multiple probes from different sources continually to derive accurate profile
labels for endpoints. Cisco AI Endpoint Analytics collects the following data from the following sources:
From Cisco ISE:
RADIUS probes.
User details from Directory.
VPN details like AnyConnect availability.
Optionally, other data if port forwarding is configured. For example, DHCP details.
From switches:
Device connection messages. For example, DHCP and NetBIOS messages.
Deep packet inspection
Switch telemetry
Cisco AI Endpoint Analytics creates system rules based on the information received from these sources. When a device joins
a network, and then through periodic probing while the device is active, the profiling data for an endpoint is continuously
monitored and updated.
Certain changes in the profiling data received from the endpoint are flagged as anomalies in Cisco AI Endpoint Analytics.
For example, if an endpoint was first profiled as a Linux device and is then profiled as a macOS device, this is flagged as
a high-severity anomaly. A score is assigned in the Changed Profile Label column for the endpoint and the endpoint’s overall
Trust Score is also updated to reflect this change.
However, if there is a change in the sub-version of macOS and the endpoint appears to have downgraded from a later release
to an earlier release, such a change is flagged as a lower priority anomaly and the corresponding scores are updated accordingly.
In the Endpoint Inventory window, click the MAC Address of an endpoint with a Changed Profile Label score to view the profiling data changes recorded. The old and new profiles for the endpoints are displayed here. If the
profiling changes are not of concern for any reason, or if you think the profiling change detected is erroneous, reset the
score by clicking the corresponding button in the Changed Profile Label area of the endpoint’s details.
You can also disable Changed Profile Label detection for a specific endpoint by clicking the toggle button in the Changed Profile Label area of the endpoint’s details.
Data regarding this anomaly is sent to Cisco ISE if the affected endpoint is connected to Cisco ISE. The data is available
as an Endpoint Analytics dictionary attribute that a Cisco ISE administrator can easily use to define policies.
Changed Profile Label detection is not available for the endpoints that have Custom Rules applied to them.
NAT Mode Detection
Network Address Translation (NAT) allows private IP internetworks that use nonregistered IP addresses to connect to the Internet.
NAT can be configured to advertise to the outside world only one address for the entire network. If you have a NAT-enabled
router in your network, an endpoint connected to a NAT router is recognized by the IP or MAC addresses of the router instead
of the IP or MAC addresses of the specific endpoint. Information on NAT-enabled routers is collected from the Cisco Catalyst
9000 Series devices they are connected to.
NAT detection is included in Trust Score calculation because a device acting as a NAT-enabled router could allow unauthorized endpoints
to connect to your network. For the endpoints that are assigned a NAT Mode Detection score, in the Endpoint Inventory tab, click the MAC Address to view the details of the endpoint in a slide-in window. If you are certain that the identity
of the endpoint corresponds to a NAT-enabled router in your network:
Click NAT Mode Detection in the Trust Score tab of the details slide-in window.
Click the toggle button to disable NAT Detection for this specific endpoint.
Endpoints with Concurrent MAC Addresses Connected to Cisco Catalyst 9000 Series Devices
Identify the endpoints that share the same MAC addresses and are connected to Cisco Catalyst 9000 Series devices. The issue
of endpoints with concurrent MAC addresses occurs in wired environments and in hybrid environments that contain wired and
wireless deployments. In a wireless environment, concurrent MAC addresses do not occur as only one endpoint with a specific
MAC address is allowed to access the network at any time.
Cisco AI Endpoint Analytics allows you to identify the endpoints with concurrent MAC addresses by assigning a Concurrent MAC
Address score to the endpoints. To detect endpoints with shared MAC addresses in your network, you must enable CBAR in the
connected Cisco Catalyst 9000 Series devices.
When devices with the same MAC Address connect to a Cisco Catalyst 9000 Series device, the endpoints are recognized as concurrent
endpoints and a low score is assigned to the MAC Address. Endpoints with concurrent MAC addresses may be connected to:
The same Cisco Catalyst 9000 Series device from different VLANs
Different Cisco Catalyst 9000 Series devices
Table 1. Environments in Which the Concurrent MAC Address Issue Occurs
Deployment 1 | Deployment 2 | Can Concurrent MAC Addresses Occur in the Network? | Concurrent MAC Addresses Detection Support in this Environment
Wired | Wired | Yes | Yes
Wired | Wireless | Yes | Yes
Wireless | Wired | Yes | Yes
Wireless | Wireless | No | No
In Cisco DNA Center Release 2.2.3 and later releases, the Trust Scores view of the Endpoint Inventory tab contains the Concurrent MAC Address column. Shared MAC addresses are detected as an anomaly and a low score is assigned in the Concurrent MAC Address column. Click the MAC Address to view a slide-in window with the details of the MAC Address. Click Concurrent MAC Address and the field expands to display information regarding the various sources of the MAC address.
In the Concurrent MAC Address area, the Network Device Name column displays the name of the Cisco Catalyst 9000 Series device to which an endpoint is connected. The Interface and VLAN columns display the corresponding values to help you identify how the endpoint is connected to the network.
Initial Trust Score Assessment Using Posture and Authentication Values from Cisco ISE
When an endpoint authenticates through Cisco ISE, a Trust Score is immediately assigned to the endpoint based on its authentication
and posture details. Authentication Method score is assigned by default and you cannot disable or act upon this score. You
can choose to enable or disable Posture-based scores, either at a global level from the Configurations window, or for a particular endpoint in the Endpoint Inventory tab. The Trust Score that is assigned based on the Authentication Method and Posture values becomes the initial Trust Score
for the endpoint.
Any other anomalous behaviors detected for this endpoint would then impact this initial Trust Score and drive it lower based
on the severity and number of the anomalies.
The Authentication Method score, displayed in the details of an endpoint in the Endpoint Inventory tab, is based on the perceived security level of the authentication method used. For example, WebAuth Over HTTPS, certificate-based
authentication, and authentication using secure tunnels receive high Trust Scores.
The Posture score is based on whether or not the connected endpoint is posture compliant.
If an endpoint's Trust Score consists of only the Authentication Method score, the Reset Trust Score button is inactive. When a Trust Score source other than the Authentication Method displays a score, you can use the reset
option.
Trust Scores for Endpoints with Random and Changing MAC Addresses
As a privacy measure, mobile devices increasingly use random and changing MAC addresses for each SSID that they connect to.
Some desktop operating systems offer users the ability to randomize MAC addresses at regular intervals as well. This means
that an endpoint presents a different MAC address every time it connects to a different SSID.
Cisco AI Endpoint Analytics enables you to handle the issue of random and changing MAC addresses by receiving from Cisco ISE
a unique endpoint identifier called the DUID (also known as GUID in Cisco ISE). Cisco AI Endpoint Analytics then uses the
DUID as the identifier for an endpoint, instead of its MAC address. For more information on how GUIDs are assigned in Cisco ISE,
see Cisco ISE Administration Guide, Release 3.1.
The Endpoint MAC Randomization dashlet in the Cisco AI Endpoint Analytics Overview window displays a graphical representation of how many endpoints in your network are using random and changing MAC addresses.
For the endpoints that are connected to Cisco ISE and have DUID information available, this information is displayed in Cisco
AI Endpoint Analytics as well. The following columns display the required information in the Endpoint Inventory window in Cisco AI Endpoint Analytics:
DUID: The DUID value for the endpoint.
Previous MAC Addresses: The random and changing MAC addresses with which the endpoint previously connected to the network.
Using the DUID value, Cisco AI Endpoint Analytics is now able to reliably identify an endpoint and track the various MAC addresses
that the endpoint has previously used. This means that the Trust Score for an endpoint with random and changing MAC addresses
still has high fidelity. The Trust Score of the endpoint from a previous MAC address is carried forward to the current MAC
address that the endpoint is presenting and continues to be impacted by the probe data received for the same endpoint.
If a device has the Private Address setting enabled, the Is MAC Random column for this device displays the value Yes. This device is then recognized as using a random and changing MAC address. However, whether or not a DUID value is available for
this device depends on whether or not the endpoint was authenticated through Cisco ISE and if a GUID was generated for this
endpoint in Cisco ISE.
Sensor Scans to Check for Open Ports and Credential Vulnerabilities
Install an active probes container to gain more information about the endpoints in your network. When you enable security
sensor scans, the Trust Score that is assigned to an endpoint takes into account any anomalies in open ports and endpoint
login credentials.
The sensor scan feature is supported by the following switches:
Cisco Catalyst 9300 Series switches
Cisco Catalyst 9400 Series switches
Note
Cisco Catalyst 9800 Series Wireless Controllers do not support the sensor scan feature.
Cisco AI Endpoint Analytics uses the Application Hosting capability that is available on the switches to enable scans for
open ports and weak credentials.
Enable and Monitor Sensor Scans
Before you begin
Connection to Cisco ISE Release 3.1 or later releases, if you want to enforce endpoint policies based on the scan results.
Connection to Cisco Catalyst 9200, 9300, or 9400 Series devices
Ensure that the switches are upgraded to Cisco IOS XE Release 17.7.1 or later releases.
Procedure
Step 1
Log in to your Cisco DNA Center.
Step 2
From the main menu, choose Policy > AI Endpoint Analytics.
Step 3
In the Overview window that is displayed, click Configurations.
Step 4
From the left pane, choose Trust Score Sources.
Step 5
In the Security Sensor area, the prerequisites for using the sensor scans feature to identify open ports and weak endpoint credentials are displayed.
Click the corresponding links in this area to carry out the following tasks:
Verify the supported Cisco DNA Center and Cisco IOS-XE releases from the release notes for Cisco Catalyst 9000 Series devices.
Download the security sensor container from software.cisco.com for the relevant Cisco Catalyst 9000 Series device. A .tar
file downloads to your system.
Install App Hosting in your Cisco DNA Center. See Application Hosting for instructions.
Upload the .tar file in your Cisco DNA Center App Hosting window. The link to the App Hosting window is displayed in the Security Sensor area.
Install and enable the .tar file in each Cisco Catalyst 9000 Series device that you want to enable sensor scans on.
In your Cisco DNA Center App Hosting window, check that the App Hosting Status is active for at least one of the Cisco Catalyst 9000 Series devices on which you enabled the .tar file.
Step 6
After the active probes container is installed and enabled as explained in the previous step, in the Security Sensor area, you can configure Trust Score settings in Cisco AI Endpoint Analytics to scan for open ports and weak credentials on
endpoints that are connected to Cisco ISE and the Cisco Catalyst devices on which the active probes application is enabled.
Click the Open Port Scan toggle button to enable Cisco AI Endpoint Analytics to proactively run port scans to detect and close possible vulnerabilities
on defined endpoints on the network.
Click the Credential Vulnerability Scan toggle button to enable Cisco AI Endpoint Analytics to proactively detect when endpoints on your network are using weak credentials
in order to prevent malicious activity.
Step 7
(Optional) If you choose to enable scanning for open ports, you can define the scan by clicking Scan Configuration in the Open Port Scan area.
In the Scan Configuration window, in the Defined Scans tab, click the Define Scan button.
A dialog box is displayed that allows you to define the scope of a port scan:
To scan each endpoint at the time of endpoint enrollment, choose the On enrollment, scan all endpoints radio button.
To define the scope of the open port scan by subnet, profiling attributes, and more, choose the Create a Custom Scan radio button.
In both types of port scan, you define a list of unauthorized ports to specify the ports that must always be closed. This
list allows Cisco AI Endpoint Analytics to recognize anomalous port activity on an endpoint and assign it a low trust score.
For both port scan types, the minimum frequency of scan that you can configure is 12 hours.
In the Scan Configuration window, in the Open Ports List tab, specify the type and range of ports, or individual ports, that must be scanned.
In the Scan Configuration window, in the Unauthorized Ports tab, define by port number and port type, the ports that are unauthorized in your network. If Cisco AI Endpoint Analytics
detects these ports as active, the endpoint is given a low trust score for the anomaly of an active unauthorized port.
Step 8
(Optional) If you choose to enable the detection of weak credentials, you can define the scan by clicking Scan Configuration in the Credential Vulnerability Scan area. SSH and TELNET protocols are supported by this feature.
In the Credential Vulnerability Scan window, in the Scan tab, define a list of credentials that you want to identify as weak credentials. Define lists of usernames and passwords
that are considered vulnerable according to your enterprise requirements.
In the Credentials tab, a list of more than 3500 weak credentials is available by default. You can use this default list to create a
credential vulnerability scan. To add a new list of vulnerable credentials, click Create New List.
The minimum frequency of credential vulnerability scan that you can configure is 12 hours.
Step 9
For the scans that you enable in the Security Sensor, the relevant endpoints are scanned and if anomalies are detected in open ports or credential checks, the Trust Score for
these endpoints is adjusted accordingly. In the Endpoint Inventory tab, where applicable, the Trust Score tab for an endpoint displays the list of unauthorized ports that are open on the endpoint, or weak usernames, or both.
View and Manage Trust Scores for Endpoints
After Cisco DNA Center is upgraded and necessary Trust Score sources are enabled, the Cisco AI Endpoint Analytics Overview tab (main menu > Policy > AI Endpoint Analytics) displays the Trust Scores dashlet. This dashlet contains the following information:
The total number of endpoints that have been assigned a Trust Score.
A donut chart and a list of the number of endpoints with low, medium, and high trust scores.
To view the details of endpoints in a trust score category, click its endpoint count in the Trust Scores dashlet. The Trust Score view of the Endpoint Inventory tab is displayed with the appropriate filters applied.
In the Endpoint Inventory tab, you can view endpoints with Trust Scores in two ways:
Click the Focus: drop-down list and choose Trust Score to see all the endpoints with Trust Scores assigned.
Click View endpoints in Trust Score View from the caution message that is displayed, to see endpoints with Low and Medium scores.
You can perform the following actions on endpoints with Trust Scores:
Apply an ANC Policy
Click the Apply ANC Policy button to choose an ANC policy to be applied to an endpoint. The endpoint’s access to the network is modified accordingly.
ANC policies are imported from Cisco ISE and displayed in the drop-down list in the pop-up window displayed.
Replace an ANC Policy
Click the Change ANC Policy button to replace an existing ANC policy of an endpoint with another ANC policy. From the pop-up window displayed, choose
the new policy to be applied from the Change ANC Policy drop-down list.
Remove an ANC Policy
Click the Remove ANC Policy button to remove an applied ANC policy from an endpoint. In the pop-up window displayed, click Remove. This removes the remediation policy that was applied to the endpoint, and allows the endpoint to connect to the network
normally.
Reset Trust Score
Click the Reset Trust Score button to remove an endpoint from the Trust Score inventory. In the pop-up window displayed, click Reset.
If you choose this option for an endpoint after applying an ANC policy, you will not see this endpoint in the Trust Score
inventory again. In this case, to modify the ANC policy for such an endpoint, you must remove the policy from Cisco ISE instead.
If you reset the score for an endpoint without applying an ANC policy, you may see the endpoint in the Trust Score inventory
again with the next automatic refresh of Trust Score data.
The buttons for each of the actions are displayed in two locations in the Endpoint Inventory tab. The actions can be performed on a single endpoint, or on multiple endpoints.
Manage Trust Score for Single Endpoint
From the list of endpoints with a Trust Score, click the MAC Address of the endpoint you want to manage. In the endpoint
details pane that is displayed, click the Trust Score tab.
Here, Expected Endpoint Type and Likely Endpoint Type values are displayed. The Applications Used field lists the applications that are used by the endpoint, that are unusual for the expected endpoint type.
This pane includes buttons to start the workflows of accepting and removing ANC policies, and to reset the Trust Score. Click
the button for the intended task.
Alternatively, you can check the check box for an individual endpoint on the Endpoint Inventory window, click Actions, and choose the required option from the drop-down list.
Manage Trust Score for Multiple Endpoints
In the Endpoint Inventory tab, check the check boxes for all the endpoints you must perform a specific action on. Click Actions and choose the required action from the drop-down list.
Control Endpoint Spoofing
Concurrent MAC address detection means two endpoints with the same MAC address are detected accessing the network and generating
traffic. It then becomes imperative to distinguish between the real endpoint and the spoofed endpoint and take the necessary
remediation action for the spoofed endpoint.
The Control Endpoint Spoofing feature provides granular policy control by providing network information other than just the
MAC address of an endpoint. Network information includes site information, network device IP address, network device port,
first authorized timestamp, last authorized timestamp, and duration for which the endpoint has been available in the network.
You can choose to distinguish the entries by the MAC address as done traditionally, or by using both MAC address and the network
information provided. If you choose to distinguish by MAC address and connectivity (network information), a selection is made
automatically to detect the spoofed endpoint. You can either go with the automatic selection or choose the one you feel is
the spoofed endpoint, and apply the appropriate remediation action for that endpoint. The remediation actions available are
the ANC (Adaptive Network Control) policies configured in Cisco ISE.
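The following Python example is added here as an illustration and is not Cisco's detection logic. It groups constructed session records by MAC address, reports MACs that are authorized at two different device and port attachment points during overlapping time windows, and lists each entry keyed by MAC address and connectivity. The record field names and the overlap test are assumptions; the page does not describe how the automatic selection is made, so the example leaves that choice to the analyst.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample records. Field names are assumptions modelled on the
# network information listed above (site, device IP, port, timestamps).
SESSIONS = [
    {"mac": "00:00:5E:00:53:01", "site": "HQ/Floor1", "device_ip": "192.0.2.10",
     "port": "Gi1/0/5", "first_authorized": "2024-03-01T08:00:00",
     "last_authorized": "2024-03-01T17:00:00"},
    {"mac": "00:00:5E:00:53:01", "site": "Branch/Lab", "device_ip": "192.0.2.20",
     "port": "Gi1/0/12", "first_authorized": "2024-03-01T16:30:00",
     "last_authorized": "2024-03-01T16:55:00"},
    # Same MAC on another switch with no overlap in time: a move, not concurrency.
    {"mac": "00:00:5E:00:53:02", "site": "HQ/Floor2", "device_ip": "192.0.2.10",
     "port": "Gi1/0/7", "first_authorized": "2024-03-01T08:00:00",
     "last_authorized": "2024-03-01T09:00:00"},
    {"mac": "00:00:5E:00:53:02", "site": "HQ/Floor2", "device_ip": "192.0.2.11",
     "port": "Gi1/0/3", "first_authorized": "2024-03-01T09:05:00",
     "last_authorized": "2024-03-01T12:00:00"},
]

def _window(entry):
    """Authorized time window of one entry as (start, end) datetimes."""
    return (datetime.fromisoformat(entry["first_authorized"]),
            datetime.fromisoformat(entry["last_authorized"]))

def _attachment(entry):
    """Where the endpoint is connected: (network device IP, port)."""
    return (entry["device_ip"], entry["port"])

def concurrent_macs(sessions):
    """Return {mac: [entries]} for MACs authorized at two attachment points at once."""
    by_mac = defaultdict(list)
    for entry in sessions:
        by_mac[entry["mac"].lower()].append(entry)
    flagged = {}
    for mac, entries in by_mac.items():
        hits = []
        for a, b in combinations(entries, 2):
            if _attachment(a) == _attachment(b):
                continue  # same port: re-authentication, not a second endpoint
            (a_start, a_end), (b_start, b_end) = _window(a), _window(b)
            if a_start <= b_end and b_start <= a_end:  # windows overlap
                for entry in (a, b):
                    if entry not in hits:
                        hits.append(entry)
        if hits:
            flagged[mac] = hits
    return flagged

def describe(entry):
    """Key an entry by MAC address and connectivity, with its time on the network."""
    start, end = _window(entry)
    return {"key": (entry["mac"].lower(), *_attachment(entry)),
            "site": entry["site"],
            "duration_minutes": int((end - start).total_seconds() // 60)}

def report(sessions):
    """Return {mac: [described entries]} for every concurrently seen MAC."""
    return {mac: [describe(e) for e in entries]
            for mac, entries in concurrent_macs(sessions).items()}

if __name__ == "__main__":
    for mac, entries in report(SESSIONS).items():
        print(mac)
        for e in entries:
            print("  ", e["key"][1:], e["site"], f'{e["duration_minutes"]} min')
```

Distinguishing by MAC address alone would treat both flagged entries as one target, while the `key` tuple identifies a single attachment point.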
As this is the granular way of applying the policy, you won’t see a listing for this policy in Operations > Adaptive Network Control > Endpoint Assignment.
For endpoints without concurrent MAC address detection and only NAT mode detection, the ANC policy is applied in the traditional way. In such a scenario, the endpoint gets listed under Endpoint Assignment in Cisco ISE.
For endpoints with both concurrent MAC addresses and NAT mode detection, the precedence is given to granular policy control.
So, when you click Apply ANC Policy, you get the new Apply ANC Policy window with two options to distinguish the entries.
You can also choose to change the ANC policy for an endpoint at any point of time. While changing the ANC policy, you have
an option to choose more than one entry for which the ANC policy can be applied.
Note
If you chose Shutdown as the remediation action, and you want to change the action, the endpoint won't be brought back automatically after changing
the action. You must manually turn on the interface in the switch to which the endpoint is connected.
An ANC policy can also be removed at any point of time.
Before you begin
The dynamic author must be configured in the network devices. We recommend that you provision the network devices with the
AAA configuration from the Cisco DNA Center.
Procedure
Step 1
From the Cisco DNA Center GUI, choose Policy > AI Endpoint Analytics > Endpoint Inventory > View endpoints in trust score view.
Step 2
Click the endpoint that you want to check and apply the ANC policy to.
Step 3
Choose Trust Score > Concurrent MAC Address.
Step 4
Click Apply ANC Policy.
Step 5
In the Apply ANC Policy window, choose Based on MAC address or Based on MAC address and connectivity.
Step 6
Choose the appropriate remediation action from the Apply ANC Policy drop-down list.
Step 7
Click Apply ANC Policy.
After completing this task, when you return to the Trust Score view for that endpoint, you can see the ANC policy name and the network device IP address to which the policy was applied
along with the time at which the ANC policy was applied.
To verify the configuration, in the Cisco ISE GUI, choose Operations > RADIUS > Live Logs. You can filter the Identity column by endpoint MAC address.
An entry for the CoA action that was initiated from Cisco ISE for this endpoint is listed. If you check the details, the CoA Reason shows the ANC policy that was applied by you for the endpoint.
Profiling Rules
Profiling rules in Cisco AI Endpoint Analytics enable you to group endpoints with a combination of common attributes. These
attributes allow endpoint identification by Endpoint Type, OS Type, Hardware model, and Hardware Manufacturer. The profiling
rules help you administer and manage many endpoints with ease.
Cisco AI Endpoint Analytics receives profiling data from network devices through DPI, media protocols, medical industry protocols,
and more. Profiling data from Cisco ISE is communicated through pxGrid. These profiling attributes are then available in the
device dictionary for authoring profile rules.
You can view the profiling rules in the Profiling Rules tab of Cisco AI Endpoint Analytics. In the table that is displayed under this tab, click a Rule Name entry to view the assigned profiles and attributes used.
The profiling rules that are used to profile the endpoints in Cisco AI Endpoint Analytics are:
System Rules
Custom Rules
Cisco AI Rules
Rule Prioritization
The profiling rules in Cisco AI Endpoint Analytics have an order of priority. Profiling rule execution follows this rule priority
to profile endpoints with high fidelity.
As user inputs are primary in Cisco AI Endpoint Analytics, the priority of the profiling rules is as follows:
Administrator-created static profiles, for example, profiles added using the Register Endpoints option.
Administrator-created custom rules.
Cisco-provided system rules that are available by default.
Auto-generated rules through the machine learning-enabled Smart Grouping workflow.
To view the set rule priority, click Rule Prioritization in the Profiling Rules window.
A registered endpoint can be profiled by multiple Cisco AI Endpoint Analytics rules for different profiling labels. The following
table shows the design of profiling rules for two endpoints.
| Endpoint 1 | Endpoint 2 |
| --- | --- |
| Hardware Model profiled by System Rule | Hardware Model profiled by System Rule |
| OS Type profiled by Cisco AI Rule | Hardware Model profiled by Custom Rule |
| Hardware Manufacturer profiled by Custom Rule | Hardware Model profiled by Cisco AI Rule |
For Endpoint 2, rule priority results in the precedence of the custom rule over the others. The Hardware Model label for Endpoint
2 is profiled by the custom rule.
For Endpoint 1, different rules define different profile labels, and each label is profiled accordingly.
Filter Profiling Rules
Procedure
Step 1
In the Profiling Rules window, click Filter.
Step 2
Enter a name in the Rule Name field.
Step 3
Select values for endpoint attributes from the corresponding drop-down lists, to filter for a set of endpoints.
Step 4
Click Apply.
View Updated Profiling Rules
Procedure
Step 1
Go to the Endpoint Inventory window.
Step 2
Click the check box adjacent to the MAC Address of the endpoint to view the profiling details of the endpoint.
Step 3
Click the information icon next to profile labels, and click the rule name to view the assigned profile and attributes details.
System Rules
Cisco AI Endpoint Analytics provides predefined rules called System rules for profiling endpoints. When Cisco AI Endpoint
Analytics is deployed, it provides day zero visibility into endpoints without any need to configure specific rules.
Newly onboarded endpoints are profiled using system rules by default.
Network devices are managed in Cisco DNA Center in the Provision > Network Devices > Inventory window.
These network devices are profiled by the system rules and are not visible in the Cisco AI Endpoint Analytics Endpoint Inventory window. However, you can view the endpoints profiled by custom rules because the custom rules are created with network device
as Device Type.
Automatic System Rule Updates for Endpoint Profiling
The system rules that are used for endpoint profiling in Cisco AI Endpoint Analytics are regularly updated to enhance profiling
accuracy. Schedule automatic updates to receive updates in endpoint profiling system rules from Cisco. Your Cisco DNA Center receives updates at the configured time, and the changes are applied in Cisco AI Endpoint Analytics. In the Profiling Rules window (Policy > AI Endpoint Analytics > Profiling Rules), review the details of the changes in endpoint profiles, and accept or decline the system rule update.
If an endpoint’s hardware model value changes due to an accepted system rule update, when you view the endpoint's details
in the Endpoint Inventory tab, the Hardware Model field contains the name of the system rule update.
To check the status of NBAR Cloud, choose Policy > AI Endpoint Analytics > Overview, and click Configuration.
Procedure
Step 1
From the main menu, choose System > Settings > Cisco Accounts > Profile Rule Settings.
The Enabled toggle button in the Schedule Automatic Updates area is set to active by default.
Step 2
Click the buttons for the days of the week on which you want to schedule updates. You can choose multiple days. Then, use
the Time Slot text fields to select the time for the update. It takes 30 minutes for the updates to be received by Cisco DNA Center. The second time slot area is not editable and displays the time when the scheduled update is expected to complete.
Step 3
When your Cisco DNA Center receives a system rule update, a notification is displayed in the Profiling Rules window (Policy > AI Endpoint Analytics > Profiling Rules). The following notification is displayed when you click Expand in the dialog box:
You are updated to the latest version Name of Latest Version and a recent Cisco profiling rule has changed the profiles of some endpoints. Review Update.
Click Review Update.
Step 4
The Endpoint Profile Update Review dialog box is displayed. The dialog box contains information on the current stable update applied, the latest update received,
and more. It also contains the following sections that you can click to view the related endpoint profile updates:
Major Updates: Lists the endpoints whose profiles have had major changes, such as a Windows endpoint that is now recorded as a Linux endpoint.
Minor Updates: Lists the endpoints whose profiles have had minor changes, such as an updated version of Windows OS.
Newly Profiled: Lists the endpoints that were unprofiled previously and have now been assigned profile information.
Step 5
After you review the endpoint profile changes, to accept the profile update, click Mark As Approved Version in the Endpoint Profile Update Review dialog box. If you do not agree with the endpoint profile changes, click Rollback.
When you choose rollback, you must choose if you want to roll back to the last running version, or the last approved version,
by clicking the corresponding option.
You can also perform the accept and rollback actions from the AI Endpoint Analytics > Overview > Configuration window.
Step 6
Click X to close the dialog box.
Custom Rules
In addition to the system rules, you can also create custom rules for profiling endpoints using a combination of endpoint
attributes. Custom rules precede all the other endpoint profiling rules in Cisco AI Endpoint Analytics.
Logic and Conditions for Profiling Rules
You can create custom profiling rules in the Endpoint Inventory window. To create a custom profiling rule, you must create a logical condition based on endpoint attributes and values. These
attributes are collected from network probe data and are different from the classification attributes available in the Attribute Glossary window.
A value is a user input that uniquely identifies the group of endpoints. The attributes and values create a regular expression
with the help of the following operators.
| Operators | Description |
| --- | --- |
| Contains | Attribute has the selected value. |
| Equals | Attribute is strictly mapped to the selected value. |
| Matches | Attribute should match the regular expression pattern of the selected value. |
| Starts With | Attribute should start with the selected value. |
Note
Contains, Equals, and Starts With are case-sensitive operators. For case-insensitive values, use the Matches operator.
These conditions can be further combined with the help of logic (AND and OR) to create a nested rule.
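The operator semantics above, combined with the source order from Rule Prioritization, as an added Python example that is not Cisco code: it evaluates nested AND/OR conditions and, for each profile label, keeps the matching rule from the highest-priority source. Attribute names, rule names and values are constructed. Treating Matches as a whole-value match in Python's regex dialect is an assumption, because the page does not state which regex dialect the product uses.

```python
import re

# Rule sources in the order given under "Rule Prioritization" (lower wins).
PRIORITY = {"static": 0, "custom": 1, "system": 2, "ai": 3}

def check_condition(cond, attrs):
    """Evaluate one (attribute, operator, value) condition for an endpoint."""
    attribute, operator, value = cond
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if operator == "Contains":
        return value in actual              # case-sensitive substring
    if operator == "Equals":
        return actual == value              # case-sensitive exact match
    if operator == "Starts With":
        return actual.startswith(value)     # case-sensitive prefix
    if operator == "Matches":
        # Assumption: whole-value match, Python regex dialect.
        return re.fullmatch(value, actual) is not None
    raise ValueError(f"unknown operator: {operator}")

def evaluate(node, attrs):
    """Evaluate a nested tree: a condition tuple, or
    {"logic": "AND" | "OR", "items": [node, ...]}."""
    if isinstance(node, tuple):
        return check_condition(node, attrs)
    if node["logic"] not in ("AND", "OR"):
        raise ValueError(f"unknown logic: {node['logic']}")
    results = (evaluate(item, attrs) for item in node["items"])
    return all(results) if node["logic"] == "AND" else any(results)

def profile(attrs, rules):
    """Return {label: (value, rule name)}, keeping for each profile label
    the matching rule whose source has the highest priority."""
    chosen = {}
    for rule in rules:
        if not evaluate(rule["when"], attrs):
            continue
        best = chosen.get(rule["label"])
        if best is None or PRIORITY[rule["source"]] < PRIORITY[best["source"]]:
            chosen[rule["label"]] = rule
    return {label: (r["value"], r["name"]) for label, r in chosen.items()}

# Constructed endpoint and rules (hypothetical attribute and rule names).
ENDPOINT = {"dhcp_class_id": "acme-cam-2000", "host_name": "LOBBY-CAM-01"}
RULES = [
    {"name": "sys-acme", "source": "system", "label": "Hardware Model",
     "value": "Acme Camera",
     "when": ("dhcp_class_id", "Contains", "acme")},
    {"name": "custom-lobby-cams", "source": "custom", "label": "Hardware Model",
     "value": "Acme Cam 2000 (Lobby)",
     "when": {"logic": "AND", "items": [
         ("dhcp_class_id", "Starts With", "acme-cam"),
         {"logic": "OR", "items": [
             # Fails: Equals is case-sensitive and the host name is upper case.
             ("host_name", "Equals", "lobby-cam-01"),
             # Succeeds: the pattern itself asks for case-insensitivity.
             ("host_name", "Matches", r"(?i)lobby-cam-\d+"),
         ]},
     ]}},
    {"name": "ai-camera", "source": "ai", "label": "Hardware Model",
     "value": "IP Camera",
     "when": ("dhcp_class_id", "Contains", "cam")},
    {"name": "ai-os", "source": "ai", "label": "OS Type",
     "value": "Embedded Linux",
     "when": ("dhcp_class_id", "Contains", "cam")},
]

if __name__ == "__main__":
    for label, (value, rule) in profile(ENDPOINT, RULES).items():
        print(f"{label}: {value} (from {rule})")
```

Three rules match Hardware Model here, as for Endpoint 2 in the table under Rule Prioritization, and the custom rule supplies the label; OS Type has a single matching rule and is profiled by it.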
Create and Edit a Logical Condition
Follow these steps to create a logical condition.
Procedure
Step 1
In the Choose Attribute Conditions window, check the check box adjacent to the Attribute that you want to update.
Step 2
Choose an option from the Operator drop-down list.
Step 3
Enter the value in the Value field.
Step 4
Click Next.
Step 5
In the Add Logic to Conditions window that is displayed, drag and drop the AND logic or the OR logic between the conditions in order to create a logical sequence of conditions for a custom rule.
Note
You can also add or edit an attribute condition in the Add Logical Conditions window using the vertical ellipsis next to a condition.
Step 6
Click Next.
Create a Custom Rule
Procedure
Step 1
In the Endpoint Inventory window, check the check box adjacent to the MAC address of the endpoints that you want to profile.
Step 2
Click Actions and select Profile with Custom Rules.
Step 3
In the Name Rule and Type window that is displayed, in the Rule Name field, enter a name for the rule, and from the Profile Label drop-down list, choose a label.
Depending on what you choose from the Profile Label drop-down list, a corresponding field, whose name is dynamically updated, is displayed. For example, if you choose Endpoint Type, the Endpoint Type field appears.
Step 4
Enter a value in the new field that is displayed. As you start entering information, matching options are displayed. If an
option matches your requirements, select the same. Otherwise, enter the complete type name.
Step 5
Click Next.
Step 6
In the Choose Attribute Conditions window that is displayed, create a logical condition.
Step 7
In the Review Rule window, review the list of endpoints that are going to be profiled with this custom rule.
Step 8
Click Next.
Step 9
Click Profile.
Edit a Custom Rule
Procedure
Step 1
In the Profiling Rules window, check the check box adjacent to the admin rule you want to edit.
Step 2
Click Actions and select Edit.
Step 3
In the Edit window that is displayed, in the Rule Name field, enter a name for the rule, and select or enter the profile details based on the Profile Label selected during the rule creation.
Step 4
In the Logic and Conditions section, click on the vertical ellipsis and select Edit to update the logic and conditions for profiling rules. For more information, see Logical Conditions.
Step 5
Click Next.
Step 6
Click Apply.
After the existing rule is updated with new profiling details, the endpoints profiled with this rule are updated with new
profiling details.
Delete a Custom Rule
Procedure
Step 1
In the Profiling Rules window, check the check box next to the rule that you want to delete.
Step 2
Click Actions and choose Delete.
The following message is displayed:
Do you really want to delete the selected Rule(s)?
Step 3
Click Yes to permanently delete the rule from Cisco AI Endpoint Analytics.
After the custom rule is deleted, the endpoints profiled with this rule are updated with system rules.
Export and Import Custom Profiling Rules Across Deployments Using APIs
Cisco DNA Center contains Cisco AI Endpoint Analytics APIs through which you can import, export, edit, and delete custom profiling rules.
To enable the Cisco AI Endpoint Analytics API bundle:
Click the menu icon and choose Platform > Manage > Bundles.
Find the bundle named AI Endpoint Analytics and click Enable.
The value in the Status column changes from Disabled to Active, and the list of APIs is displayed. You can also view the expected request and response payloads for each API.
After you enable the API bundle, the Cisco AI Endpoint Analytics APIs are added to the Cisco DNA Center Developer Toolkit. You can then access the APIs from the Developer Toolkit window (Platform > Developer Toolkit).
From both the Bundles and Developer Toolkit windows, you can:
Generate a code preview to view the API code that you can use in a different tool to run the API.
Click Try It to run the API from the Cisco DNA Center GUI. You will receive a JSON response that you can copy and paste into a text editor of your choice to continue working with.
Cisco AI Rules for Smart Grouping
The Cisco AI Endpoint Analytics AI algorithm analyzes data about endpoint profiling labels and groups across deployments
and provides you with smart profiling rule suggestions.
The AI Proposal dashlet in the Cisco AI Endpoint Analytics Overview tab displays the following rule suggestions based on the learnings from endpoint clusters:
Modification suggestions for existing profiling rules in your network that are based on the endpoint profiling data changes
that the AI algorithm has learned across deployments. For more information, see Smart Modification Suggestions for Your Endpoint Profiling Rules.
Deletion suggestions for profiling rules that contain an incorrect label, based on the endpoint profiling data changes
that the AI algorithm has learned across deployments. When you accept a deletion rule, the incorrect profiling label is removed
from the impacted endpoints. The profiling type value for the endpoints is then either empty or returns to a previously assigned
label. For more information, see Smart Suggestions to Delete Profiling Rules.
You can also initiate the workflows to review and apply proposals for changes to endpoint profiling rules from the Profiling Rules tab of Cisco AI Endpoint Analytics. The Profiling Rules tab displays a dialog box with information alerts. In the information alert dialog box, click Expand to view the available proposals for changes to endpoint profiling rules. Click Review next to the information alert that you want to examine to initiate the corresponding workflow.
New Profiling Suggestions for Similar Endpoints in Your Network
Procedure
Step 1
In the AI Proposals dashlet, click the Review button next to New rule(s) for profiling endpoints that many be similar.
The Smart Group Profile workflow is launched.
Step 2
The Choose an Endpoint Group window that is displayed contains a list of new profiling rules suggestions in the left pane. Click an entry in the list
to view the details of the profiling rule in the right pane.
The right pane contains the Summary, Profile Rule, and Endpoints tabs that provide a quick view of the details of the profiling rule that is suggested.
Step 3
Click Next to create the suggested profiling rule.
Step 4
In the Name Profiling Rules and Labels window that is displayed, in the Rule Name field, enter a name for the rule.
Step 5
In one or more of the following fields, enter the required values. You must enter a value in at least one of the fields to proceed
to the next step.
Endpoint Type
Hardware Manufacturer
Hardware Model
OS Type
If the AI algorithm identifies a profiling label for the endpoints, the label is displayed as a suggestion in the corresponding
field. You can choose to proceed with the suggested label or select a different label.
Step 6
Click Next to continue.
Step 7
In the Summary window that is displayed, review the details of your profiling rule. To edit any details, click the Edit option that is displayed in the corresponding area of the window.
Step 8
To create the profiling rule, click Done.
Smart Modification Suggestions for Your Endpoint Profiling Rules
Procedure
Step 1
In the AI Proposals dashlet, click the Review button next to Modification proposal(s) for previously accepted rule(s).
The Smart Group Profile workflow is launched.
Step 2
The Review modified proposals window that is displayed contains a list of modification proposals for existing profiling rules. Click an entry in the list
to view the details of the modification suggestion in the right pane.
The right pane contains the Profile Labels, Profile Rule, and Endpoints tabs that provide a quick view of the details of the modified profiling rule that is suggested.
Step 3
Click Next to update the profiling rule as suggested.
Step 4
In the Summary window that is displayed, review the details of the profiling rule.
Step 5
To update the profiling rule, click Done.
Smart Suggestions to Delete Profiling Rules
Procedure
Step 1
In the AI Proposals dashlet, click the Review button next to Profiling Rules(s) is/are no longer needed.
The Review AI Proposals workflow is launched.
Step 2
The Review deletion proposals window that is displayed contains a list of deletion proposals for existing profiling rules. Click an entry in the list to
view the details of the deletion suggestion in the right pane.
The right pane contains the Profile Labels, Profile Rule, and Endpoints tabs that provide a quick view of the details of the modified profiling rule that is suggested.
Step 3
Click Next to update the profiling rule as suggested.
Step 4
In the Summary window that is displayed, review the details of the profiling rule.
Step 5
Click Done to accept the deletion proposal.
Import Profiling Rules
You can migrate your custom profiling rules and Cisco AI rules by importing the .json files.
Procedure
Step 1
In the Profiling Rules window, click Actions.
Step 2
Choose Import Profiling Rules.
Step 3
Click Choose a file and browse to the .json file in your system.
Step 4
Click Ok.
Export Profiling Rules
You can export and back up custom rules and Cisco AI profiling rules from Cisco AI Endpoint Analytics. The Export Profiling Rules option exports all the available custom rules and Cisco AI profiling rules. You cannot selectively export rules.
Procedure
Step 1
In the Profiling Rules window, click Actions.
Step 2
Choose Export Profiling Rules.
Step 3
Click Yes to export all the custom and ML profiling rules. Click No to exit.
Note
You can import the same file again into Cisco AI Endpoint Analytics.
Hierarchy
Cisco AI Endpoint Analytics hierarchy helps you create logical groupings of endpoints, based on the endpoint types. Creating
categories and subcategories for the endpoints focuses on endpoint visibility and simplifies the authorization process.
You can create categories from the All Endpoints default parent category. The category details such as total number of endpoints, endpoint types, and subcategories are listed
within individual boxes in the Hierarchy window.
You can create, edit, and delete the categories to reorder the hierarchy.
Create Category and Subcategory
Procedure
Step 1
In the Hierarchy window, click the horizontal ellipsis of the parent category.
Step 2
Click Create Category.
Step 3
Enter a category name.
Step 4
Click Enter.
What to do next
After you create a category, you can drag and drop endpoint types from the Endpoint Type window, or edit the category to add endpoints to it.
Edit a Category or Subcategory
Procedure
Step 1
In the Hierarchy window, click on the horizontal ellipsis of the category.
Step 2
Click Edit.
Step 3
In the Edit window that is displayed, enter the Category Name.
Step 4
Enter the Parent Category from the drop-down menu, if you want to reassign the category.
Step 5
Click the Endpoint Type tab.
Step 6
Click Actions and select Add Endpoint Type.
Step 7
Choose the endpoint type from the Search Dropdown list.
Step 8
Click Save.
What to do next
In the Endpoint Type window, you can filter the endpoint types as All, Available, and Assigned.
Delete Endpoint Types from Category
Procedure
Step 1
In the Hierarchy window, click the horizontal ellipsis of the category that you want to delete.
Step 2
Click Edit.
Step 3
In the Edit window, click the Endpoint Type tab.
Step 4
Check the check box adjacent to the endpoint type that you want to delete.
Step 5
Click Actions and choose Remove From Category.
The following message displays:
Are you sure you want to delete this category?
Step 6
Click Yes to delete the endpoint from the category. Click No to exit.
Reassign Endpoint Types from Category
Procedure
Step 1
In the Hierarchy window, click the horizontal ellipsis of the category.
Step 2
Click Edit.
Step 3
In the Edit window, click the Endpoint Type tab.
Step 4
Check the check box adjacent to the endpoint type that you want to reassign.
Step 5
Click Actions and choose Re-assign to existing category or Re-assign to a new category.
| Option | Steps |
| --- | --- |
| Re-assign to existing category | 1. In the Reassign window, choose an existing category from the Category drop-down list. 2. Click Save. |
| Re-assign to a new category | 1. In the Reassign window, choose New Category from the Category drop-down list. 2. Choose a parent category from the Parent Category drop-down list. 3. Enter the category name in the New Category field. 4. Click Save. |
Delete a Category
Before you begin
Before you delete a parent category, check its subcategories. You can reassign the subcategories to another existing category
or to a new category. Otherwise, all the subcategories are deleted along with the parent category. You can also reassign the
subcategories while you are deleting a category.
Procedure
Step 1
In the Hierarchy window, click the horizontal ellipsis of the category.
Step 2
Click Delete.
If you are deleting a category that has subcategories assigned to it, the Reassign Relationships dialog box is displayed. Choose one of the following options:
| Option | Condition | Steps |
| --- | --- | --- |
| Reassign to an existing category | Reassign the subcategories to an existing category. | 1. Select a category from the Category drop-down list. 2. Click Reassign. The parent category is deleted and its subcategories will be reassigned to the selected category. |
| Reassign to a new category | Reassign the subcategories to an existing category. | 1. Select a category from the Parent Category drop-down list. 2. Enter the category name in the New Category field. 3. Click Reassign. The parent category is deleted and its subcategories are reassigned to the new category. |
| Remove from category | Delete the subcategories along with the parent category. | 1. Click Reassign. The parent category and its subcategories are deleted. |