Skip to main content
Endpoint Manager publishes one webhook event type today:
  • ise.configuration.audit — scope ORGANIZATION_CTX_CISCO_ISE.
That single event covers every configuration change inside a Cisco ISE Context — API credential updates, Managed Attribute definitions, Endpoint Identity Group connect / disconnect, endpoint add / update / delete, Change of Authorization triggers. If it shows up in the Context’s Audit Log, it also fires an ise.configuration.audit webhook delivery.

What the payload looks like

Webhook payloads follow the common Organization-level webhook shape — see Organization Webhooks for the full envelope and batching rules. Below is the event-body shape specific to ise.configuration.audit: 
{
  "eventId": "ise.configuration.audit",
  "eventTime": "2026-04-15T09:12:44.118Z",
  "scope": {
    "type": "ORGANIZATION_CTX_CISCO_ISE",
    "organizationId": "...",
    "contextId": "..."
  },
  "actor": {
    "type": "ADMIN",
    "email": "admin@example.com"
  },
  "change": {
    "entity": "PnGroupCiscoISE",
    "entityId": "...",
    "action": "UPDATE",
    "fields": [
      {
        "name": "Managed Attributes",
        "before": [...],
        "after":  [...]
      }
    ]
  }
}
The change block describes the diff — which entity changed, what field(s), and (for updates) the before / after values. Secret fields like the ISE API password are redacted; the change object still fires to tell you the password was rotated, but the before and after values read ***.

Subscribing

Webhooks are configured at the Organization level, scoped per Context. To receive Endpoint Manager events:
1

Open the Context's Webhooks tab

Left navigation under Administration → Webhooks on any Endpoint Manager Context.
2

Add a webhook

Click Add Webhook. Enter a URL, choose a delivery mode (batch vs single), and pick the event scope.
3

Tick ise.configuration.audit

The only event exposed on the Cisco ISE Context scope. Save.
The platform starts delivering events to your URL. See Organization Webhooks for signature validation, retry behaviour, and the delivery-history drill-down.
Webhook delivery detail showing a successful ise.configuration.audit event with request and response tabs

What isn’t in the webhook stream

A few categories of change don’t fire ise.configuration.audit events today:
  • Endpoint lifecycle on Cisco ISE itself. The event fires when you add / update / remove an endpoint via Endpoint Manager — not when ISE changes an endpoint on its own (for example, when a profiler rule re-categorises it). For ISE-side changes you still want ISE’s own audit stream.
  • Session events. Endpoints authenticating / dropping / rejecting are on Cisco ISE’s Monitoring API, not on Endpoint Manager’s webhook bus. If you need session events in your SIEM, point the SIEM at ISE.
If a session or endpoint-lifecycle webhook would help you, open a feature request with your account. The event catalogue is expected to grow.

Typical consumer shapes

  • SIEM intake. Forward every ise.configuration.audit to your SIEM for compliance-grade change tracking. The payload includes actor, entity, and before / after values — enough for most audit queries.
  • Slack alerts. Fire into a #network-ops channel on every group connect / disconnect, so the network team sees when a new fleet comes under managed administration or leaves.
  • Change-management tickets. Auto-open a ticket whenever API credentials are rotated or a group is removed — two events that are rare enough to warrant scrutiny.

Organization Webhooks

Envelope shape, batching, retries, signatures.

Audit Log

The admin-dashboard view of the same events.

Endpoint Manager Context

What counts as a configuration change on Endpoint Manager.

Delegated administration

Why you want a review trail in the first place.