Cisco ISE integration
Cisco ISE product overview
Cisco Identity Services Engine (ISE) is a comprehensive on-premises solution that provides secure access to networks and applications. It centrally manages user identities, authentication and policy enforcement, ensuring that only authorized users and devices can reach network resources.
Sophos technical documentation
What we ingest
Sample alerts we see:
EAP: Invalid or unexpected EAP payload received
EAP: Expected TLS acknowledge for last alert but received another message
Profiler: Profiler SNMP request failure
External-Active-Directory: Not all Active Directory attributes are retrieved successfully
EAP: EAP-TLS failed SSL/TLS handshake after a client alert
Full alerts ingested
We recommend that you configure all the Cisco ISE logging categories available in your deployment, including those listed below:
- AAA Audit
- Failed Attempts
- Passed Authentications
- AAA Diagnostics
- Administrator Authentication and Authorization
- Authentication Flow Diagnostics
- Identity Stores Diagnostics
- Policy Diagnostics
- RADIUS Diagnostics
- Guest
- Accounting
- RADIUS Accounting
- Administrative and Operational Audit
- Posture and Client Provisioning Audit
- Posture and Client Provisioning Diagnostics
- Profiler
- System Diagnostics
- Distributed Management
- Internal Operations Diagnostics
- System Statistics
See Configure logging categories in Cisco ISE.
Filtering
We filter events as follows.
Allow
Description
We allow syslog events that match the standard ISE syslog format (a syslog PRI, a timestamp, the ISE host name and a CISE_ category token, followed by the message).
For example:
<132>Mar 28 07:16:17 ise CISE_Alarm WARN: Profiler SNMP Request Failure : Server= ise; NAD Address=10.1.2.3; Error Message=Request timed out.
Drop
Description
We drop events related to routine system operations that are typically unimportant and, because they are repetitive, don't need to be logged. Dropping them reduces log noise and conserves resources.
Regex patterns
NOTICE Radius-Accounting: RADIUS Accounting watchdog update.
NOTICE EAP-TLS: Open secure connection with TLS peer.
NOTICE EAP-TLS: Shutdown secure connection with TLS peer.
NOTICE System-Stats: ISE Counters.
NOTICE System-Stats: ISE Process Health.
NOTICE System-Stats: ISE Utilization.
NOTICE Radius-Accounting: RADIUS Accounting stop request.
NOTICE Radius-Accounting: RADIUS Accounting start request.
CISE_MONITORING_DATA_PURGE_AUDIT.
Threat mapping examples
"alertType": "RADIUS: Endpoint conducted several failed authentications of the same scenario", "threatId": "T1110", "threatName": "Brute Force",
"alertType": "Failed-Attempt: RADIUS Request dropped", "threatId": "T1562.004", "threatName": "Disable or Modify System Firewall",
"alertType": "NOTICE Failed-Attempt: Supplicant stopped responding to ISE", "threatId": "T1499", "threatName": "Endpoint Denial of Service",
"alertType": "EAP-TLS: Shutdown secure connection with TLS peer", "threatId": "T1573", "threatName": "Encrypted Channel",
"alertType": " MDM: Mobile device management compliant", "threatId": "T1120", "threatName": "Peripheral Device Discovery",
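The Allow rule, the Drop regex patterns and the threat mapping above, run over a handful of sample log lines, as an added example. This is not Sophos's ingestion code: the header regex is an approximation of the ISE syslog layout written for this example, the drop patterns and mapping are copied from this page, and every line marked "constructed" was written for the example (its sequence numbers and message codes are placeholders, not real ISE values).

```python
"""Allow/Drop filtering and threat tagging for Cisco ISE syslog lines.

Example code written for this page, not Sophos's pipeline. The ISE_HEADER
regex is an approximation of the ISE syslog layout; the sample lines marked
'constructed' use placeholder sequence numbers and message codes."""
import re

# Allow rule: a line is in ISE standard format when it carries a syslog PRI,
# a BSD timestamp, a host name and an ISE category token (CISE_...).
ISE_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<category>CISE_\w+) "
    r"(?P<rest>.+)$"
)

# Drop rules, copied from the page and applied as regular expressions, so the
# trailing '.' is a wildcard that matches whatever character ends the message
# text (',' in the long ISE format), not a literal period.
DROP_PATTERNS = [re.compile(p) for p in (
    "NOTICE Radius-Accounting: RADIUS Accounting watchdog update.",
    "NOTICE EAP-TLS: Open secure connection with TLS peer.",
    "NOTICE EAP-TLS: Shutdown secure connection with TLS peer.",
    "NOTICE System-Stats: ISE Counters.",
    "NOTICE System-Stats: ISE Process Health.",
    "NOTICE System-Stats: ISE Utilization.",
    "NOTICE Radius-Accounting: RADIUS Accounting stop request.",
    "NOTICE Radius-Accounting: RADIUS Accounting start request.",
    "CISE_MONITORING_DATA_PURGE_AUDIT.",
)]

# Threat mapping from the page: alertType substring -> (threatId, threatName).
# The stray leading space in the page's MDM entry is removed so it can match.
THREAT_MAP = {
    "RADIUS: Endpoint conducted several failed authentications of the same scenario":
        ("T1110", "Brute Force"),
    "Failed-Attempt: RADIUS Request dropped":
        ("T1562.004", "Disable or Modify System Firewall"),
    "NOTICE Failed-Attempt: Supplicant stopped responding to ISE":
        ("T1499", "Endpoint Denial of Service"),
    "EAP-TLS: Shutdown secure connection with TLS peer":
        ("T1573", "Encrypted Channel"),
    "MDM: Mobile device management compliant":
        ("T1120", "Peripheral Device Discovery"),
}


def classify(line: str) -> dict:
    """Apply allow, then drop, then threat mapping to one syslog line.

    Returns a dict whose 'action' is 'reject' (allow rule failed),
    'drop' (a drop regex matched) or 'keep', plus decoded fields."""
    m = ISE_HEADER.match(line)
    if not m:
        return {"action": "reject", "reason": "not ISE format"}
    pri = int(m["pri"])
    record = {
        "action": "keep",
        "facility": pri >> 3,   # syslog PRI = facility * 8 + severity
        "severity": pri & 7,
        "host": m["host"],
        "category": m["category"],
    }
    for pat in DROP_PATTERNS:
        if pat.search(line):
            record.update(action="drop", reason=pat.pattern)
            return record
    for alert_type, (threat_id, threat_name) in THREAT_MAP.items():
        if alert_type in line:
            record.update(alertType=alert_type, threatId=threat_id,
                          threatName=threat_name)
            break
    return record


def run(lines):
    """Classify many lines; returns [(action, threatId or None), ...]."""
    return [(r["action"], r.get("threatId")) for r in map(classify, lines)]


SAMPLE_LINES = [
    # Alarm line quoted on this page.
    "<132>Mar 28 07:16:17 ise CISE_Alarm WARN: Profiler SNMP Request Failure : "
    "Server= ise; NAD Address=10.1.2.3; Error Message=Request timed out.",
    # Constructed: routine accounting watchdog, hits a drop rule.
    "<182>Mar 28 07:17:02 ise CISE_RADIUS_Accounting 0000001234 1 0 "
    "2024-03-28 07:17:02.123 +00:00 0000005678 3002 NOTICE Radius-Accounting: "
    "RADIUS Accounting watchdog update, Device IP Address=10.1.2.3,",
    # Constructed: repeated failures, kept and tagged T1110.
    "<181>Mar 28 07:18:40 ise CISE_Failed_Attempts 0000001235 1 0 "
    "2024-03-28 07:18:40.001 +00:00 0000005679 5449 NOTICE RADIUS: Endpoint "
    "conducted several failed authentications of the same scenario, "
    "Device IP Address=10.1.2.3, UserName=jdoe,",
    # Constructed: not ISE format, rejected by the allow rule.
    "<34>Mar 28 07:19:00 fw01 kernel: iptables denied 198.51.100.7 -> 10.1.2.3",
    # Constructed: EAP-TLS shutdown at NOTICE severity. It is on the drop list
    # AND in the threat map; the drop rule wins because it runs first.
    "<181>Mar 28 07:20:11 ise CISE_Authentication_Flow_Diagnostics 0000001236 1 0 "
    "2024-03-28 07:20:11.500 +00:00 0000005680 12308 NOTICE EAP-TLS: "
    "Shutdown secure connection with TLS peer, Device IP Address=10.1.2.3,",
]

if __name__ == "__main__":
    for line, (action, threat) in zip(SAMPLE_LINES, run(SAMPLE_LINES)):
        print(f"{action:6} {threat or '-':10} {line[:70]}")
```

Two things worth noticing when tuning these rules: the page's patterns end in `.`, which as a regex matches any character, so they also match the comma that ends the message text in ISE's long format; and the EAP-TLS shutdown message is both on the drop list (at NOTICE) and in the threat map (T1573), so with drop evaluated before mapping the T1573 tag can only be applied to that message if it arrives at a severity other than NOTICE.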