Alert-Based Admission Control with Splunk Enterprise


Ivanti Policy Secure integration with the Splunk Enterprise provides complete visibility of network endpoints, including unmanaged endpoints and provide end to end network security. The Ivanti Policy Secure integration with Splunk integration allows Admin to perform user access control based on alerts received from the Splunk.

Splunk Enterprise receives log or threat information from various log sources such as Palo Alto Network firewall. Based on these logs/alerts a search query is created on Splunk to trigger alerts to Ivanti Policy Secure. takes action on user session by blocking or quarantining the user.

The authentication process is described below:

  1. User downloads a file from the Internet. The perimeter firewall scans the file and, based on user-defined policies, sends the file for analysis.

  2. Firewall detects that the file contains malware and a threat alert sylog gets generated and sent to Splunk Enterprise.

  3. Based on the alert rules configured on Splunk. It generates alerts and this has to be manually sent to Ivanti Policy Secure with the help of Ivanti Policy Secure App.

  4. The Alert includes severity for the affected endpoint to Ivanti Policy Secure.

  5. The Ivanti Policy Secure server quarantines/blocks the endpoint based on the configured Admission control policies.

In this example, the endpoint is connected to a third-party switch. The switch has 802.1X/MAB authentication enabled. As an alternate, SNMP enforcement mechanism can also be used.