Audit & Admin Views
Overview
Audit views track ISE administrator activity including GUI/CLI logins, configuration changes, and system events. Critical for compliance, change management, and security monitoring.
ADMINISTRATOR_LOGINS
ISE admin portal login attempts - who accessed ISE GUI/CLI.
Key Columns
| Column | Type | Description |
|---|---|---|
|
TIMESTAMP |
Login attempt time |
|
VARCHAR2 |
Administrator username |
|
VARCHAR2 |
Source IP of admin |
|
VARCHAR2 |
Admin type (Internal, External) |
|
VARCHAR2 |
Interface used (GUI, CLI, API) |
|
VARCHAR2 |
'Pass' or 'Fail' |
|
VARCHAR2 |
Reason for failed login |
|
VARCHAR2 |
ISE node accessed |
|
VARCHAR2 |
Session identifier |
|
VARCHAR2 |
Admin role assigned |
|
VARCHAR2 |
Admin group membership |
Common Queries
Recent Admin Logins
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI:SS') AS time,
ADMIN_NAME,
ADMIN_IP_ADDRESS,
ADMIN_INTERFACE,
ADMIN_PASSED,
ISE_NODE
FROM ADMINISTRATOR_LOGINS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 50 ROWS ONLY
"Failed Admin Logins
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI') AS time,
ADMIN_NAME,
ADMIN_IP_ADDRESS,
ADMIN_INTERFACE,
FAILURE_REASON
FROM ADMINISTRATOR_LOGINS
WHERE ADMIN_PASSED = 'Fail'
AND TIMESTAMP_TIMEZONE > SYSDATE - 7
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 30 ROWS ONLY
"Admin Activity Summary
netapi ise dc query "
SELECT
ADMIN_NAME,
COUNT(*) AS total_logins,
SUM(CASE WHEN ADMIN_PASSED = 'Pass' THEN 1 ELSE 0 END) AS passed,
SUM(CASE WHEN ADMIN_PASSED = 'Fail' THEN 1 ELSE 0 END) AS failed,
COUNT(DISTINCT ADMIN_IP_ADDRESS) AS unique_ips,
MAX(TIMESTAMP_TIMEZONE) AS last_login
FROM ADMINISTRATOR_LOGINS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 30
GROUP BY ADMIN_NAME
ORDER BY total_logins DESC
"Admin Access by Interface
netapi ise dc query "
SELECT
ADMIN_INTERFACE,
COUNT(*) AS logins,
SUM(CASE WHEN ADMIN_PASSED = 'Pass' THEN 1 ELSE 0 END) AS passed,
COUNT(DISTINCT ADMIN_NAME) AS unique_admins
FROM ADMINISTRATOR_LOGINS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 7
GROUP BY ADMIN_INTERFACE
ORDER BY logins DESC
"CHANGE_CONFIGURATION_AUDIT
Configuration change tracking - all ISE configuration modifications.
Key Columns
| Column | Type | Description |
|---|---|---|
|
TIMESTAMP |
Change time |
|
VARCHAR2 |
Admin who made change |
|
VARCHAR2 |
Admin’s source IP |
|
VARCHAR2 |
Interface used (GUI, CLI, API) |
|
VARCHAR2 |
Type of object changed |
|
VARCHAR2 |
Name of object changed |
|
VARCHAR2 |
Operation (Create, Update, Delete) |
|
VARCHAR2 |
Success or failure |
|
CLOB |
Detailed change description |
|
CLOB |
Previous configuration |
|
CLOB |
New configuration |
|
VARCHAR2 |
Change message code |
|
VARCHAR2 |
ISE node where change was made |
Common Queries
Recent Configuration Changes
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI') AS time,
ADMIN_NAME,
OBJECT_TYPE,
OBJECT_NAME,
OPERATION_TYPE,
OPERATION_STATUS
FROM CHANGE_CONFIGURATION_AUDIT
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 50 ROWS ONLY
"Changes by Object Type
netapi ise dc query "
SELECT
OBJECT_TYPE,
COUNT(*) AS changes,
SUM(CASE WHEN OPERATION_TYPE = 'Create' THEN 1 ELSE 0 END) AS creates,
SUM(CASE WHEN OPERATION_TYPE = 'Update' THEN 1 ELSE 0 END) AS updates,
SUM(CASE WHEN OPERATION_TYPE = 'Delete' THEN 1 ELSE 0 END) AS deletes
FROM CHANGE_CONFIGURATION_AUDIT
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 7
GROUP BY OBJECT_TYPE
ORDER BY changes DESC
FETCH FIRST 20 ROWS ONLY
"Policy Changes
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI') AS time,
ADMIN_NAME,
OBJECT_NAME,
OPERATION_TYPE,
ADMIN_INTERFACE
FROM CHANGE_CONFIGURATION_AUDIT
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 7
AND (
UPPER(OBJECT_TYPE) LIKE '%POLICY%'
OR UPPER(OBJECT_TYPE) LIKE '%AUTHORIZATION%'
OR UPPER(OBJECT_TYPE) LIKE '%AUTHENTICATION%'
)
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 30 ROWS ONLY
"Admin Change Activity
netapi ise dc query "
SELECT
ADMIN_NAME,
COUNT(*) AS total_changes,
COUNT(DISTINCT OBJECT_TYPE) AS object_types,
SUM(CASE WHEN OPERATION_TYPE = 'Delete' THEN 1 ELSE 0 END) AS deletions,
MAX(TIMESTAMP_TIMEZONE) AS last_change
FROM CHANGE_CONFIGURATION_AUDIT
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 30
GROUP BY ADMIN_NAME
ORDER BY total_changes DESC
"Deletions (High-Risk Changes)
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI') AS time,
ADMIN_NAME,
OBJECT_TYPE,
OBJECT_NAME,
ADMIN_IP_ADDRESS
FROM CHANGE_CONFIGURATION_AUDIT
WHERE OPERATION_TYPE = 'Delete'
AND TIMESTAMP_TIMEZONE > SYSDATE - 7
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 50 ROWS ONLY
"ADMIN_USERS
ISE administrator accounts - admin user definitions.
netapi ise dc query "
SELECT
ADMIN_NAME,
ADMIN_GROUP,
ADMIN_TYPE,
STATUS,
LAST_LOGIN
FROM ADMIN_USERS
ORDER BY ADMIN_NAME
"OPENAPI_OPERATIONS
REST API operations - API calls to ISE.
Key Columns
| Column | Type | Description |
|---|---|---|
|
TIMESTAMP |
API call time |
|
VARCHAR2 |
API user/service account |
|
VARCHAR2 |
Source IP |
|
VARCHAR2 |
GET, POST, PUT, DELETE |
|
VARCHAR2 |
API endpoint called |
|
NUMBER |
HTTP response code |
|
VARCHAR2 |
Response status |
|
VARCHAR2 |
Node that handled request |
Common Queries
Recent API Calls
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24:MI:SS') AS time,
ADMIN_NAME,
HTTP_METHOD,
REQUEST_URI,
RESPONSE_CODE
FROM OPENAPI_OPERATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 50 ROWS ONLY
"API Errors (4xx/5xx)
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI') AS time,
ADMIN_NAME,
HTTP_METHOD,
REQUEST_URI,
RESPONSE_CODE,
RESPONSE_MESSAGE
FROM OPENAPI_OPERATIONS
WHERE RESPONSE_CODE >= 400
AND TIMESTAMP_TIMEZONE > SYSDATE - 1
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 30 ROWS ONLY
"API Usage by Endpoint
netapi ise dc query "
SELECT
REQUEST_URI,
COUNT(*) AS calls,
COUNT(DISTINCT ADMIN_NAME) AS unique_users,
SUM(CASE WHEN RESPONSE_CODE < 400 THEN 1 ELSE 0 END) AS success,
SUM(CASE WHEN RESPONSE_CODE >= 400 THEN 1 ELSE 0 END) AS errors
FROM OPENAPI_OPERATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY REQUEST_URI
ORDER BY calls DESC
FETCH FIRST 20 ROWS ONLY
"USER_PASSWORD_CHANGES
Password change audit - internal user password modifications.
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI') AS time,
USERNAME,
ADMIN_NAME,
CHANGE_TYPE,
STATUS
FROM USER_PASSWORD_CHANGES
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 30
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 50 ROWS ONLY
"Compliance Patterns
Daily Admin Activity Report
netapi ise dc query "
SELECT
TO_CHAR(TRUNC(TIMESTAMP_TIMEZONE), 'YYYY-MM-DD') AS date,
COUNT(DISTINCT ADMIN_NAME) AS active_admins,
SUM(CASE WHEN ADMIN_PASSED = 'Pass' THEN 1 ELSE 0 END) AS logins,
SUM(CASE WHEN ADMIN_PASSED = 'Fail' THEN 1 ELSE 0 END) AS failed_logins
FROM ADMINISTRATOR_LOGINS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 30
GROUP BY TRUNC(TIMESTAMP_TIMEZONE)
ORDER BY date DESC
"Change Summary Report
netapi ise dc query "
SELECT
TO_CHAR(TRUNC(TIMESTAMP_TIMEZONE), 'YYYY-MM-DD') AS date,
COUNT(*) AS changes,
COUNT(DISTINCT ADMIN_NAME) AS admins,
SUM(CASE WHEN OPERATION_TYPE = 'Delete' THEN 1 ELSE 0 END) AS deletions
FROM CHANGE_CONFIGURATION_AUDIT
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 30
GROUP BY TRUNC(TIMESTAMP_TIMEZONE)
ORDER BY date DESC
"After-Hours Admin Access
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI') AS time,
ADMIN_NAME,
ADMIN_IP_ADDRESS,
ADMIN_INTERFACE
FROM ADMINISTRATOR_LOGINS
WHERE ADMIN_PASSED = 'Pass'
AND TIMESTAMP_TIMEZONE > SYSDATE - 7
AND (
TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24') < '06'
OR TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24') > '22'
)
ORDER BY TIMESTAMP_TIMEZONE DESC
"See Also
-
TACACS+ - Device admin audit
-
Policy & Authorization - Policy definitions
-
SQL Cookbook - More query patterns