Skip to content
Monitoring & logs

Audit Log

Endpoint Manager for ISE records every configuration change and every endpoint operation in a Context-scoped Audit Log. The audit is designed to make delegated administration verifiable — every change can be traced to a specific user, time and field-level diff — and to satisfy customer compliance and incident-response requirements.

For each audit entry the platform records:

  • Timestamp — UTC, millisecond precision.
  • Acting user — the identity (email address) of the user who performed the action.
  • Source — the surface from which the action originated (admin portal, Self-Service portal, API, webhook subscription, system).
  • Action categoryCreated, Updated, Deleted, or service-specific verbs (Connected, Disconnected, CoA).
  • Target — the entity affected (e.g. Endpoint Identity Group, endpoint MAC, Managed Attribute, Self-Service User, API credential).
  • Field-level diff — before / after values for every modified field, where applicable.

The following events are emitted from an Endpoint Manager Context:

  • API credential updated.
  • API status verified.
  • Managed Attribute defined, modified, removed.
  • Group connected (brought under managed administration).
  • Group disconnected (managed-admin layer removed; Cisco ISE group retained).
  • Group renamed.
  • Group-level Managed Attribute value set or modified.
  • Endpoint added.
  • Endpoint modified (description, device type, per-endpoint attribute).
  • Endpoint moved between groups.
  • Endpoint deleted.
  • Bulk operation (CSV import) — each row recorded individually.
  • CoA triggered, with the target endpoint and the outcome reported by Cisco ISE.
  • Self-Service User invited.
  • Self-Service User role modified.
  • Self-Service User removed.
  • In-platform. Each Context exposes its full audit history in the administration portal with filters by date, user, action and target.
  • Outbound delivery. Configuration changes are published as ise.configuration.audit webhook events. Subscribers can forward the events to a SIEM, ticketing system, chat channel or change-management pipeline. Webhook delivery uses HTTPS with a customer-supplied endpoint URL.

Audit entries are retained for the duration of the customer’s service subscription. Retention windows, export options and archival behaviour are detailed in the service-level documents that accompany the License & Terms.

  • Not a network event log. Authentication and authorization events on the wire remain in Cisco ISE’s own Monitoring & Troubleshooting subsystem. Endpoint Manager’s audit covers administrative actions performed through the platform, not RADIUS exchanges or device-side events.
  • Not a substitute for SIEM. Webhook delivery is provided so customers can integrate audit data into their existing SIEM or compliance tooling.

Next