Cisco ISE integration
Cisco ISE product overview
Cisco Identity Services Engine (ISE) is a comprehensive, on-premises solution that facilitates secure access to networks and applications. It centralizes the management of users' identities, authentication, and policy enforcement, ensuring that only authorized users and devices can access network resources.
What we ingest
Sample alerts we see:
EAP: Invalid or unexpected EAP payload received
EAP: Expected TLS acknowledge for last alert but received another message
Profiler: Profiler SNMP request failure
External-Active-Directory: Not all Active Directory attributes are retrieved successfully
EAP: EAP-TLS failed SSL/TLS handshake after a client alert
Alerts ingested in full
We recommend that you forward all Cisco ISE logging categories that are in use in your estate, including those listed here:
- AAA audit
- Failed attempts
- Passed authentication
- AAA diagnostics
- Administrator authentication and authorization
- Authentication flow diagnostics
- Identity store diagnostics
- Policy diagnostics
- Radius diagnostics
- Guest
- Accounting
- Radius accounting
- Administrative and operational audit
- Posture and client provisioning audit
- Posture and client provisioning diagnostics
- Profiler
- System diagnostics
- Distributed management
- Internal operations diagnostics
- System statistics
See Configuring logging categories in Cisco ISE.
Filtering
We filter events as follows.
Allow
Description
We allow syslog events matching the ISE standard format.
For example:
<132>Mar 28 07:16:17 ise CISE_Alarm WARN: Profiler SNMP Request Failure : Server= ise; NAD Address=10.1.2.3; Error Message=Request timed out.
Drop
Description
We drop events generated by routine system operations. These events are high-volume and non-critical, so dropping them reduces log clutter and saves ingestion capacity.
Regex Patterns
NOTICE Radius-Accounting: RADIUS Accounting watchdog update.
NOTICE EAP-TLS: Open secure connection with TLS peer.
NOTICE EAP-TLS: Shutdown secure connection with TLS peer.
NOTICE System-Stats: ISE Counters.
NOTICE System-Stats: ISE Process Health.
NOTICE System-Stats: ISE Utilization.
NOTICE Radius-Accounting: RADIUS Accounting stop request.
NOTICE Radius-Accounting: RADIUS Accounting start request.
CISE_MONITORING_DATA_PURGE_AUDIT.
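The following is an added example, not Sophos or Cisco code, showing how the allow and drop rules above behave when applied to syslog lines: the allow rule is implemented as a regex for the ISE standard format (syslog PRI, BSD timestamp, node name, CISE_<category> tag), the drop patterns are applied with a regex search exactly as listed, and the Key=Value attributes in the message body (such as the NAD Address in the sample alarm) are extracted for downstream use. The sample alarm is the one quoted above; the other three lines are constructed for this example, and the accounting and failed-attempt lines use an ISE-style header (sequence number, segment counters, ISE timestamp, message code) that is an assumption and should be checked against your own logs.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Allow rule: the ISE standard syslog format. A syslog PRI, a BSD timestamp,
# the ISE node name and a CISE_<category> tag; everything after the tag is the body.
ISE_FORMAT = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<category>CISE_\w+)\s*(?P<body>.*)$"
)

# Drop rules, as listed on this page. They are applied with re.search, so the
# trailing "." in each pattern matches whatever character follows the text.
DROP_PATTERNS = [re.compile(p) for p in (
    r"NOTICE Radius-Accounting: RADIUS Accounting watchdog update.",
    r"NOTICE EAP-TLS: Open secure connection with TLS peer.",
    r"NOTICE EAP-TLS: Shutdown secure connection with TLS peer.",
    r"NOTICE System-Stats: ISE Counters.",
    r"NOTICE System-Stats: ISE Process Health.",
    r"NOTICE System-Stats: ISE Utilization.",
    r"NOTICE Radius-Accounting: RADIUS Accounting stop request.",
    r"NOTICE Radius-Accounting: RADIUS Accounting start request.",
    r"CISE_MONITORING_DATA_PURGE_AUDIT.",
)]

# Key=Value attributes in the body, separated by ";" (alarms) or "," (AAA logs).
ATTR = re.compile(r"([A-Za-z][A-Za-z0-9 _-]*?)\s*=\s*([^;,]*)")


@dataclass
class IseEvent:
    facility: int          # syslog PRI // 8
    severity: int          # syslog PRI % 8 (4 = warning, 5 = notice, 6 = info)
    host: str
    category: str          # the CISE_<category> tag
    body: str
    attrs: dict = field(default_factory=dict)


def parse_ise(line: str) -> Optional[IseEvent]:
    """Parse a line in the ISE standard format; None if it is not ISE syslog."""
    m = ISE_FORMAT.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    attrs = {k.strip(): v.strip() for k, v in ATTR.findall(m["body"])}
    return IseEvent(pri // 8, pri % 8, m["host"], m["category"], m["body"], attrs)


def filter_event(line: str) -> tuple[str, Optional[IseEvent]]:
    """Apply the allow rule first, then the drop rules. Returns (verdict, event)."""
    event = parse_ise(line)
    if event is None:
        return "drop:not-ise-format", None
    if any(p.search(line) for p in DROP_PATTERNS):
        return "drop:routine", None
    return "allow", event


def summarize(lines) -> dict:
    """Count verdicts over a batch of lines."""
    counts: dict = {}
    for line in lines:
        verdict, _ = filter_event(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Sample alarm quoted on this page.
SAMPLE_ALARM = ("<132>Mar 28 07:16:17 ise CISE_Alarm WARN: Profiler SNMP Request Failure : "
                "Server= ise; NAD Address=10.1.2.3; Error Message=Request timed out.")
# Constructed lines (not from the page): an accounting watchdog update that the drop
# rules remove, a failed authentication that is kept, and a non-ISE syslog line.
WATCHDOG = ("<134>Mar 28 07:16:18 ise CISE_RADIUS_Accounting 0000000001 1 0 "
            "2024-03-28 07:16:18.000 +00:00 0000000002 3002 NOTICE Radius-Accounting: "
            "RADIUS Accounting watchdog update, ConfigVersionId=3, "
            "Device IP Address=10.1.2.3, User-Name=alice")
FAILED = ("<133>Mar 28 07:16:20 ise CISE_Failed_Attempts 0000000003 1 0 "
          "2024-03-28 07:16:20.000 +00:00 0000000004 5400 NOTICE Failed-Attempt: "
          "Authentication failed, ConfigVersionId=3, Device IP Address=10.1.2.3, "
          "User-Name=alice, NAS-IP-Address=10.1.2.3")
NOT_ISE = "<13>Mar 28 07:16:19 fw01 kernel: eth0 link up"
SAMPLE_LINES = [SAMPLE_ALARM, WATCHDOG, FAILED, NOT_ISE]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, ev = filter_event(line)
        print(verdict, ev.category if ev else "", ev.attrs if ev else "")
    print(summarize(SAMPLE_LINES))
```

Two points worth checking when you adapt this: the drop list removes RADIUS accounting start and stop requests as well as watchdog updates, so session start and end will not be available from the allowed events; and because the drop patterns are searched anywhere in the line, a pattern such as "CISE_MONITORING_DATA_PURGE_AUDIT." also drops any other event whose body happens to contain that text.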
Sample threat mapping
{"alertType": "RADIUS: Endpoint conducted several failed authentications of the same scenario", "threatId": "T1110", "threatName": "Brute Force"}
{"alertType": "Failed-Attempt: RADIUS Request dropped", "threatId": "T1562.004", "threatName": "Disable or Modify System Firewall"}
{"alertType": "NOTICE Failed-Attempt: Supplicant stopped responding to ISE", "threatId": "T1499", "threatName": "Endpoint Denial of Service"}
{"alertType": "EAP-TLS: Shutdown secure connection with TLS peer", "threatId": "T1573", "threatName": "Encrypted Channel"}
{"alertType": "MDM: Mobile device management compliant", "threatId": "T1120", "threatName": "Peripheral Device Discovery"}