🌙

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Cisco ISE

integrations cisco ISE


The following instructions are for configuring Cisco ISE to facilitate log ingestion into Secureworks® Taegis™ XDR.

Connectivity Requirements

Source Destination Port/Protocol
Cisco ISE Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

  Auth CloudAudit DNS HTTP Netflow NIDS Process Thirdparty
Cisco ISE D           Y  

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Cisco ISE Platform

Follow the steps below to configure log forwarding.

  1. Follow the procedure in the Remote Logging Target Settings section to create the remote Syslog target. Enter the values specified below.
Field Value
Name A unique name for the Syslog target
Target Type UDP Syslog
IP Address XDR Collector (mgmt IP)
Port 514
Maximum Length 1024
  1. In the Cisco ISE console, select Administration > System > Logging > Logging Categories. Add the Syslog target that you created in the previous step to the following categories.

Example Query Language Searches

To search for auth events from the last 24 hours:

FROM auth WHERE sensor_type = 'Cisco_ISE' and EARLIEST=-24h

To search for process events:

FROM process WHERE sensor_type = 'Cisco_ISE'

To search for auth events associated with a specific user:

FROM auth WHERE sensor_type='Cisco_ISE' AND source_user_name = 'foo'

Sample logs

Important

XDR DOES NOT support multiple events in a single line. Each line much reference a single event and end with a newline character.

Authentication:

Dec 21 10:47:24 10.240.41.12 Dec 21 04:46:02 hostname CISE_Administrative_and_Operational_Audit 0000219976 1 0 2022-12-21 04:46:02.117 -06:00 0001168350 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=918, AdminInterface=ERS, AdminIPAddress=10.10.10.13, AdminName=userName, OperationMessageText=Administrator authentication successful,

Command Execution:

Dec 22 03:38:15 10.66.51.224 Dec 22 03:38:15 hostname CISE_Passed_Authentications 0000506073 3 0 2022-12-22 03:38:15.936 +00:00 0007167496 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=70, Device IP Address=192.168.1.10, DestinationIPAddress=10.10.51.220, DestinationPort=49, UserName=svc_CiscoPrime, CmdSet=[ CmdAV=no CmdArgAV=telemetry CmdArgAV=ietf CmdArgAV=subscription CmdArgAV=375515735 CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=IOS WLC Network Administrator Access Command Set, RequestLatency=40, NetworkDeviceName=deviceName, Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, User=userName, Port=tty2, Remote-Address=10.10.51.52, Authen-Method=None, Service-Argument=shell, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=ukgs1ise01/452555344/505715, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=TACACS, SelectedCommandSet=IOS WLC Network Administrator Access Command Set,

Event Details

Cisco ISE Event Details

Cisco ISE Event Details

 

On this page: