ise-incident-response
ISE Incident Response
Safety -- Non-Negotiable Rules
NEVER auto-quarantine an endpoint. Endpoint group changes require explicit human confirmation. The agent MUST present its findings, state its recommendation, and then STOP and WAIT for the human to type an affirmative response before proceeding with any ISE endpoint group modification.
NEVER skip the investigation steps. Even if the human says "just quarantine MAC XX:XX:XX:XX:XX:XX", the agent MUST first collect endpoint data, auth history, and posture state so the quarantine action has full context for the ServiceNow ticket and GAIT audit trail.
NEVER modify ISE authorization policies during incident response. This workflow changes endpoint group membership only. Policy changes require a separate Change Request via servicenow-change-workflow.
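One way to enforce the three rules above in code, as an added illustration that is not part of the netclaw skill: a gate that refuses an endpoint group change until every investigation step has been collected, the findings and recommendation have been recorded, and the human has typed an explicit affirmative. Every name here (EndpointContext, gate_endpoint_group_change, the affirmative word set, the action label) is hypothetical, and the gate only decides whether the change may be issued; the ISE MCP tool calls themselves are not shown on this page.

```python
"""Guardrail for an ISE endpoint-group change (hypothetical names throughout)."""
from dataclasses import dataclass, field
from typing import Optional

# Replies the gate accepts as an affirmative; anything else, including silence, blocks.
AFFIRMATIVES = {"yes", "y", "approve", "approved", "confirm", "proceed"}
# Investigation steps that must be present before any quarantine recommendation.
REQUIRED_EVIDENCE = ("endpoint_data", "auth_history", "posture_state")
# The only action this workflow may perform (Rule 3: never touch authz policies).
ALLOWED_ACTION = "endpoint_group_change"


@dataclass
class EndpointContext:
    mac: str
    endpoint_data: Optional[dict] = None
    auth_history: Optional[list] = None
    posture_state: Optional[dict] = None
    audit: list = field(default_factory=list)  # lines destined for the ticket / audit trail

    def missing_evidence(self) -> list:
        """Investigation steps not yet collected (Rule 2)."""
        return [k for k in REQUIRED_EVIDENCE if getattr(self, k) is None]


def gate_endpoint_group_change(ctx: EndpointContext, action: str,
                               recommendation: str, human_reply: Optional[str]) -> bool:
    """Return True only when the endpoint group change may proceed.

    Order matters: the action type is checked first, then the investigation
    must be complete (even if the operator said "just quarantine"), then the
    findings and recommendation are recorded, and only an explicit affirmative
    from the human unlocks the change (Rule 1). Every decision is appended to
    ctx.audit so the ServiceNow ticket and GAIT trail carry the full context.
    """
    if action != ALLOWED_ACTION:
        ctx.audit.append(f"BLOCKED {ctx.mac}: action {action!r} is outside this workflow")
        return False
    missing = ctx.missing_evidence()
    if missing:
        ctx.audit.append(f"BLOCKED {ctx.mac}: investigation incomplete, missing {missing}")
        return False
    ctx.audit.append(f"FINDINGS {ctx.mac}: {recommendation}")
    ctx.audit.append("WAITING: explicit human confirmation required before any change")
    if human_reply is None or human_reply.strip().lower() not in AFFIRMATIVES:
        ctx.audit.append(f"BLOCKED {ctx.mac}: no affirmative confirmation ({human_reply!r})")
        return False
    ctx.audit.append(f"APPROVED {ctx.mac}: endpoint group change may proceed")
    return True
```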
When to Use
- Suspected compromised endpoint (SOC alert, SIEM correlation)
- Unauthorized device detected on the network
- Endpoint exhibiting anomalous behavior (port scanning, lateral movement)
- Failed posture compliance requiring immediate isolation
- Rogue access point or hub detected on a switchport
How to Call the ISE MCP Tools