Cisco ISE
The following instructions are for configuring Cisco ISE to facilitate log ingestion into Secureworks® Taegis™ XDR.
Connectivity Requirements

| Source | Destination | Port/Protocol |
|---|---|---|
| Cisco ISE | Taegis™ XDR Collector (mgmt IP) | UDP/514 |
Data Provided from Integration

| | Auth | CloudAudit | DNS | HTTP | Netflow | NIDS | Process | Thirdparty |
|---|---|---|---|---|---|---|---|---|
| Cisco ISE | D | | | | | | Y | |

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure the Cisco ISE Platform

Follow the steps below to configure log forwarding.

- Follow the procedure in the Remote Logging Target Settings section to create the remote Syslog target. Enter the values specified below.

| Field | Value |
|---|---|
| Name | A unique name for the Syslog target |
| Target Type | UDP Syslog |
| IP Address | XDR Collector (mgmt IP) |
| Port | 514 |
| Maximum Length | 1024 |

- In the Cisco ISE console, select Administration > System > Logging > Logging Categories. Add the Syslog target that you created in the previous step to the following categories:
  - AAA Audit
  - Administrative and Operational Audit
Example Query Language Searches

To search for auth events from the last 24 hours:

```
FROM auth WHERE sensor_type = 'Cisco_ISE' and EARLIEST=-24h
```

To search for process events:

```
FROM process WHERE sensor_type = 'Cisco_ISE'
```

To search for auth events associated with a specific user:

```
FROM auth WHERE sensor_type='Cisco_ISE' AND source_user_name = 'foo'
```
Sample logs

Important

XDR DOES NOT support multiple events in a single line. Each line must reference a single event and end with a newline character.

Authentication:

```
Dec 21 10:47:24 10.240.41.12 Dec 21 04:46:02 hostname CISE_Administrative_and_Operational_Audit 0000219976 1 0 2022-12-21 04:46:02.117 -06:00 0001168350 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=918, AdminInterface=ERS, AdminIPAddress=10.10.10.13, AdminName=userName, OperationMessageText=Administrator authentication successful,
```

Command Execution:

```
Dec 22 03:38:15 10.66.51.224 Dec 22 03:38:15 hostname CISE_Passed_Authentications 0000506073 3 0 2022-12-22 03:38:15.936 +00:00 0007167496 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=70, Device IP Address=192.168.1.10, DestinationIPAddress=10.10.51.220, DestinationPort=49, UserName=svc_CiscoPrime, CmdSet=[ CmdAV=no CmdArgAV=telemetry CmdArgAV=ietf CmdArgAV=subscription CmdArgAV=375515735 CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=IOS WLC Network Administrator Access Command Set, RequestLatency=40, NetworkDeviceName=deviceName, Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, User=userName, Port=tty2, Remote-Address=10.10.51.52, Authen-Method=None, Service-Argument=shell, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=ukgs1ise01/452555344/505715, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=TACACS, SelectedCommandSet=IOS WLC Network Administrator Access Command Set,
```
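Both sample lines share one layout: an optional collector prefix (receive timestamp and relay IP), the ISE syslog timestamp and hostname, a `CISE_` category, a message id, a segment total and a segment index, and then the payload (ISE timestamp with UTC offset, sequence number, message code, severity, a description and comma-separated `key=value` fields). The two segment counters are what make the Maximum Length of 1024 on the remote target relevant to a collector: a message longer than that arrives as several syslog lines sharing one message id, and a parser that treats every line as a complete event sees truncated fields and phantom events. The Python below is an added example (not Secureworks Taegis or Cisco code) of a parser that reassembles segments by message id before extracting fields. The header layout is inferred from the two samples on this page; the segment convention (`<total> <index>`, continuation lines carrying the raw remainder of the payload, joined without a separator) is an assumption of the example; and the multi-segment input lines are constructed, not captured.

```python
"""Parser for Cisco ISE syslog lines as received on a UDP/514 collector.

Added example, not Secureworks or Cisco code. Header layout follows the two
sample lines on the page; segment handling ASSUMES that ISE splits a message
longer than the target's Maximum Length into lines that share one message id
and carry <total> <index> counters, continuation lines holding raw payload.
"""
import re
from collections import defaultdict

# Line layout: [<recv ts> <relay ip>] <ise ts> <host> CISE_<cat> <msg id> <seg total> <seg idx> <payload>
HEADER_RE = re.compile(
    r"""^
    (?:(?P<recv_ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s(?P<relay_ip>\d{1,3}(?:\.\d{1,3}){3})\s)?
    (?P<ise_ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s
    (?P<host>\S+)\s
    (?P<category>CISE_\w+)\s
    (?P<msg_id>\d+)\s(?P<seg_total>\d+)\s(?P<seg_idx>\d+)\s
    (?P<payload>.*)$""",
    re.VERBOSE,
)

# Payload of segment 0: <ise timestamp with offset> <sequence> <message code> <severity> <text>
PAYLOAD_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d)\s"
    r"(?P<sequence>\d+)\s(?P<code>\d+)\s(?P<severity>[A-Z]+)\s(?P<text>.*)$"
)


def parse_header(line):
    """Split one syslog line into its ISE header fields and raw payload, or None."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    hdr = m.groupdict()
    hdr["seg_total"] = int(hdr["seg_total"])
    hdr["seg_idx"] = int(hdr["seg_idx"])
    return hdr


def parse_payload(payload):
    """Parse a reassembled payload into timestamp/code/severity plus key=value fields."""
    m = PAYLOAD_RE.match(payload)
    if m is None:
        return None
    event = m.groupdict()
    # Text is "<description>, k=v, k=v, ..." ending in a comma. Keys may contain
    # spaces ("Device IP Address") and values may contain "=" (CmdSet=[ CmdAV=... ]),
    # so split on ", " first and then only on the first "=" of each item.
    parts = [p for p in event.pop("text").rstrip(", ").split(", ") if p]
    event["description"] = parts[0] if parts else ""
    fields = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    event["fields"] = fields
    return event


class SegmentAssembler:
    """Buffers segmented ISE messages by (host, msg_id) and emits each once complete."""

    def __init__(self):
        self._pending = defaultdict(dict)

    def feed(self, line):
        """Return the parsed event if `line` completes a message, otherwise None."""
        hdr = parse_header(line)
        if hdr is None:
            return None
        key = (hdr["host"], hdr["msg_id"])
        segments = self._pending[key]
        segments[hdr["seg_idx"]] = hdr["payload"]
        if len(segments) < hdr["seg_total"]:
            return None  # still waiting; a real collector would also expire stale keys
        # Assumed: the split is a plain cut of the text, so segments join with no separator.
        payload = "".join(segments[i] for i in range(hdr["seg_total"]))
        del self._pending[key]
        event = parse_payload(payload)
        if event is not None:
            event.update(host=hdr["host"], category=hdr["category"], msg_id=hdr["msg_id"])
        return event

    def pending_count(self):
        """Number of messages still missing at least one segment."""
        return len(self._pending)


def ingest(lines):
    """Run lines through one assembler; return (completed events, messages still incomplete)."""
    assembler = SegmentAssembler()
    events = [ev for ev in (assembler.feed(line) for line in lines) if ev is not None]
    return events, assembler.pending_count()


# Constructed input: the page's Authentication sample (single segment), a constructed
# two-segment command-authorization message delivered out of order and cut mid-value,
# and a lone first segment of a three-segment message that must be held, not emitted.
SAMPLE_LINES = [
    "Dec 21 10:47:24 10.240.41.12 Dec 21 04:46:02 hostname CISE_Administrative_and_Operational_Audit "
    "0000219976 1 0 2022-12-21 04:46:02.117 -06:00 0001168350 51001 NOTICE Administrator-Login: "
    "Administrator authentication succeeded, ConfigVersionId=918, AdminInterface=ERS, "
    "AdminIPAddress=10.10.10.13, AdminName=userName, OperationMessageText=Administrator authentication successful,",
    "Dec 22 03:38:15 hostname CISE_Passed_Authentications 0000000042 2 1 acs, NetworkDeviceName=deviceName, Privilege-Level=15,",
    "Dec 22 03:38:15 hostname CISE_Passed_Authentications 0000000042 2 0 2022-12-22 03:38:15.936 +00:00 "
    "0000000007 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=70, "
    "UserName=svc_CiscoPrime, CmdSet=[ CmdAV=show CmdArgAV=version ], Protocol=Tac",
    "Dec 22 03:40:00 hostname CISE_Passed_Authentications 0000000099 3 0 2022-12-22 03:40:00.000 +00:00 "
    "0000000008 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=70, ",
]

if __name__ == "__main__":
    done, incomplete = ingest(SAMPLE_LINES)
    for ev in done:
        print(ev["category"], ev["code"], ev["description"], ev["fields"])
    print("incomplete messages:", incomplete)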
Event Details

Cisco ISE Event Details