Audit Log
Endpoint Manager for ISE records every configuration change and every endpoint operation in a Context-scoped Audit Log. The audit is designed to make delegated administration verifiable — every change can be traced to a specific user, time and field-level diff — and to satisfy customer compliance and incident-response requirements.
What is captured
Section titled “What is captured”For each audit entry the platform records:
- Timestamp — UTC, millisecond precision.
- Acting user — the identity (email address) of the user who performed the action.
- Source — the surface from which the action originated (admin portal, Self-Service portal, API, webhook subscription, system).
- Action category —
Created,Updated,Deleted, or service-specific verbs (Connected,Disconnected,CoA). - Target — the entity affected (e.g. Endpoint Identity Group, endpoint MAC, Managed Attribute, Self-Service User, API credential).
- Field-level diff — before / after values for every modified field, where applicable.
Event taxonomy
Section titled “Event taxonomy”The following events are emitted from an Endpoint Manager Context:
Cisco ISE connection
Section titled “Cisco ISE connection”- API credential updated.
- API status verified.
Managed Attributes
Section titled “Managed Attributes”- Managed Attribute defined, modified, removed.
Endpoint Identity Groups
Section titled “Endpoint Identity Groups”- Group connected (brought under managed administration).
- Group disconnected (managed-admin layer removed; Cisco ISE group retained).
- Group renamed.
- Group-level Managed Attribute value set or modified.
Endpoints
Section titled “Endpoints”- Endpoint added.
- Endpoint modified (description, device type, per-endpoint attribute).
- Endpoint moved between groups.
- Endpoint deleted.
- Bulk operation (CSV import) — each row recorded individually.
Change of Authorization
Section titled “Change of Authorization”- CoA triggered, with the target endpoint and the outcome reported by Cisco ISE.
Delegated administration
Section titled “Delegated administration”- Self-Service User invited.
- Self-Service User role modified.
- Self-Service User removed.
Where the audit log lives
Section titled “Where the audit log lives”- In-platform. Each Context exposes its full audit history in the administration portal with filters by date, user, action and target.
- Outbound delivery. Configuration changes are published as
ise.configuration.auditwebhook events. Subscribers can forward the events to a SIEM, ticketing system, chat channel or change-management pipeline. Webhook delivery uses HTTPS with a customer-supplied endpoint URL.
Retention
Section titled “Retention”Audit entries are retained for the duration of the customer’s service subscription. Retention windows, export options and archival behaviour are detailed in the service-level documents that accompany the License & Terms.
What the audit is not
Section titled “What the audit is not”- Not a network event log. Authentication and authorization events on the wire remain in Cisco ISE’s own Monitoring & Troubleshooting subsystem. Endpoint Manager’s audit covers administrative actions performed through the platform, not RADIUS exchanges or device-side events.
- Not a substitute for SIEM. Webhook delivery is provided so customers can integrate audit data into their existing SIEM or compliance tooling.