Skip to content
Find out how we support MDR.

Cisco ISE integration

Cisco ISE product overview

Cisco Identity Services Engine (ISE) is a comprehensive, on-premises solution that facilitates secure access to networks and applications. It centralizes the management of users' identities, authentication, and policy enforcement, ensuring that only authorized users and devices can access network resources.

Sophos documents

What we ingest

Sample alerts we see:

  • EAP: Invalid or unexpected EAP payload received
  • EAP: Expected TLS acknowledge for last alert but received another message
  • Profiler: Profiler SNMP request failure
  • External-Active-Directory: Not all Active Directory attributes are retrieved successfully
  • EAP: EAP-TLS failed SSL/TLS handshake after a client alert

Alerts ingested in full

We recommend that you configure all Cisco ISE log categories that are configured in your estate, including those listed here:

  • AAA audit
  • Failed attempts
  • Passed authentication
  • AAA diagnostics
  • Administrator authentication and authorization
  • Authentication flow diagnostics
  • Identity store diagnostics
  • Policy diagnostics
  • Radius diagnostics
  • Guest
  • Accounting
  • Radius accounting
  • Administrative and operational audit
  • Posture and client provisioning audit
  • Posture and client provisioning diagnostics
  • Profiler
  • System diagnostics
  • Distributed management
  • Internal operations diagnostics
  • System statistics

See Configuring logging categories in Cisco ISE.

Filtering

We filter events as follows.

Allow

Description

We allow syslog events matching the ISE standard format.

For example:

<132>Mar 28 07:16:17 ise CISE_Alarm WARN: Profiler SNMP Request Failure : Server= ise; NAD Address=10.1.2.3; Error Message=Request timed out.

Drop

Description

We drop events related to routine system operations that are typically non-critical and do not require logging due to their repetitive nature. Dropping these helps in reducing log clutter and preserving resources.

Regex Patterns

  • NOTICE Radius-Accounting: RADIUS Accounting watchdog update.
  • NOTICE EAP-TLS: Open secure connection with TLS peer.
  • NOTICE EAP-TLS: Shutdown secure connection with TLS peer.
  • NOTICE System-Stats: ISE Counters.
  • NOTICE System-Stats: ISE Process Health.
  • NOTICE System-Stats: ISE Utilization.
  • NOTICE Radius-Accounting: RADIUS Accounting stop request.
  • NOTICE Radius-Accounting: RADIUS Accounting start request.
  • CISE_MONITORING_DATA_PURGE_AUDIT.

Sample threat mapping

"alertType": "RADIUS: Endpoint conducted several failed authentications of the same scenario", "threatId": "T1110", "threatName": "Brute Force",
"alertType": "Failed-Attempt: RADIUS Request dropped", "threatId": "T1562.004", "threatName": "Disable or Modify System Firewall",
"alertType": "NOTICE Failed-Attempt: Supplicant stopped responding to ISE", "threatId": "T1499", "threatName": "Endpoint Denial of Service",
"alertType": "EAP-TLS: Shutdown secure connection with TLS peer", "threatId": "T1573", "threatName": "Encrypted Channel",
"alertType": " MDM: Mobile device management compliant", "threatId": "T1120", "threatName": "Peripheral Device Discovery",

Vendor documentation