Cisco Identity Services Engine (ISE)
Overview
Cisco Identity Services Engine (ISE) is a security policy enforcement platform that reduces security risks by providing visibility into connections between all users and devices across the network infrastructure. The product gives fine-grained control over the information and locations users can reach on the network. The solution, together with all its components, has been approved and rigorously tested as an integrated system.
Related Built-in Rules
The following Sekoia.io built-in rules match the Cisco ISE intake. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some rules will be listed even though they may not be relevant to this intake.
SEKOIA.IO x Cisco ISE on ATT&CK Navigator
Cisco Identity Services Engine Configuration Changed
Cisco Identity Services Engine (ISE) has detected a configuration change (Added, Changed or Deleted). This should be reviewed to check whether it was an expected admin action.
- Effort: master
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Dynamic DNS Contacted
Detects communication with a dynamic DNS domain. This kind of domain is often used by attackers. This rule can trigger false positives in a non-controlled environment because dynamic DNS is not always malicious.
- Effort: master
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or a source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen computers before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick the user out on repeat visits or to tie together separate visits to different sites, thus making tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what's left on to the next relay in the list.
- Effort: master
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Authentication logs | Authentication audit, control and diagnostic events |
Network device configuration | Configuration changes on network devices, usually made by an administrator |
Web logs | Cisco ISE logs provide information about the connected client and the requested resource |
In detail, the following table denotes the types of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | `configuration`, `network` |
Type | `change`, `info` |
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
{
"message": "INFO: Configuration Changed: Admin=john.doe; Object Type=EPPurgeScheduler; Object Name=f36afcff-e3af-4a70-99c0-5e5304c1c336",
"event": {
"category": [
"configuration"
],
"type": [
"change"
]
},
"cisco": {
"ise": {
"config_action": "Changed",
"config_object": {
"name": "f36afcff-e3af-4a70-99c0-5e5304c1c336",
"type": "EPPurgeScheduler"
}
}
},
"observer": {
"product": "Cisco ISE",
"vendor": "Cisco"
},
"related": {
"user": [
"john.doe"
]
},
"user": {
"name": "john.doe"
}
}
{
"message": "INFO: 5 endpoint(s) purged successfully",
"event": {
"reason": " 5 endpoint(s) purged successfully",
"type": [
"info"
]
},
"observer": {
"product": "Cisco ISE",
"vendor": "Cisco"
}
}
{
"message": "2023-06-07 04:26:17.306 +0200 60198 INFO null: MnT purge event occurred, MESSAGE=completed successfully,",
"event": {
"category": [
"network"
],
"reason": "MnT purge event occurred",
"type": [
"info"
]
},
"cisco": {
"ise": {
"event": {
"outcome": "success"
}
}
},
"observer": {
"product": "Cisco ISE",
"vendor": "Cisco"
}
}
{
"message": "WARN: AcsSyslogContentAaaDiagnostics:: ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISSUES_FOUND need to complete",
"event": {
"category": [
"network"
],
"reason": ": ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISSUES_FOUND need to complete",
"type": [
"info"
]
},
"observer": {
"product": "Cisco ISE",
"vendor": "Cisco"
}
}
{
"message": "INFO: EAP Connection Timeout : Server=servername; NAS IP Address=1.2.3.4; NAS Identifier=A4:57:00:64:47:C0:test1",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"observer": {
"product": "Cisco ISE",
"vendor": "Cisco"
},
"related": {
"hosts": [
"servername"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "servername",
"domain": "servername",
"ip": "1.2.3.4",
"mac": "A4:57:00:64:47:C0"
}
}
{
"message": "WARN: Dynamic Authorization Failed for Device : Server=servername; Calling Station Id=N/A; Network device IP=1.2.3.4; Network Device",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"observer": {
"product": "Cisco ISE",
"vendor": "Cisco"
},
"related": {
"hosts": [
"servername"
],
"ip": [
"1.2.3.4"
],
"user": [
"N/A"
]
},
"source": {
"address": "servername",
"domain": "servername",
"ip": "1.2.3.4"
},
"user": {
"name": "N/A"
}
}
{
"message": "WARN: Profiler SNMP Request Failure : Server= servername; NAD Address=1.2.3.4; Error Message=Request timed out.",
"event": {
"category": [
"network"
],
"reason": "Request timed out.",
"type": [
"info"
]
},
"cisco": {
"ise": {
"network_calling_station": {
"id": "Request timed out."
}
}
},
"observer": {
"product": "Cisco ISE",
"vendor": "Cisco"
},
"related": {
"hosts": [
"servername"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "servername",
"domain": "servername",
"ip": "1.2.3.4"
}
}
{
"message": "WARN: TrustSec deploy verification failed to reach NAD.: Device Name=device005.internal.example.org; Device Ip=1.2.3.4; Device login username=admin",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"observer": {
"product": "Cisco ISE",
"vendor": "Cisco"
},
"related": {
"hosts": [
"device005.internal.example.org"
],
"ip": [
"1.2.3.4"
],
"user": [
"admin"
]
},
"source": {
"address": "device005.internal.example.org",
"domain": "device005.internal.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "device005.internal",
"top_level_domain": "org"
},
"user": {
"name": "admin"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description |
---|---|---|
cisco.ise.config_action | keyword | The action in configuration events (Added, Changed, Deleted) |
cisco.ise.config_object.name | keyword | The name of the object in configuration events |
cisco.ise.config_object.type | keyword | The type of the object in configuration events |
cisco.ise.event.outcome | keyword | The outcome of the event |
cisco.ise.network_calling_station.id | keyword | The calling station ID |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
observer.product | keyword | The product name of the observer. |
observer.vendor | keyword | Vendor name of the observer. |
source.domain | keyword | The domain name of the source. |
source.ip | ip | IP address of the source. |
source.mac | keyword | MAC address of the source. |
user.name | keyword | Short name or login of the user. |
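The event samples and the field table above show what the intake produces from the `LEVEL: Title: Key=Value; Key=Value` messages that ISE emits. The Python below is an added example, not Sekoia.io's parser or any Cisco code: it splits such a message into title and key/value fields, builds the same ECS-style layout (including the MAC extracted from `NAS Identifier` and the `config_action` taken from the title), and applies the logic of the Configuration Changed rule by surfacing every change event with its admin and object. The mapping of raw ISE keys to ECS fields, the classification of messages that carry no key/value fields, and the `Configuration Deleted` sample message are assumptions derived from the samples, not documented ISE behaviour; the MnT timestamp-prefixed message is not handled.

```python
import re
from typing import Any

# "LEVEL: body" prefix used by the sampled messages (the MnT line with a timestamp is out of scope)
LEVEL_RE = re.compile(r"^(?P<level>INFO|WARN|ERROR|DEBUG):\s*(?P<body>.*)$")
# NAS Identifier starts with a MAC and may carry a suffix (A4:57:00:64:47:C0:test1)
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
CONFIG_RE = re.compile(r"^Configuration (Added|Changed|Deleted)$")

# Assumed mapping of raw ISE keys to ECS fields, derived from the page's samples.
IP_KEYS = ("NAS IP Address", "Network device IP", "NAD Address", "Device Ip")
HOST_KEYS = ("Server", "Device Name")
USER_KEYS = ("Admin", "Calling Station Id", "Device login username")

# Constructed sample messages: the first four copy the page's samples, the last is assumed.
SAMPLES = [
    "INFO: Configuration Changed: Admin=john.doe; Object Type=EPPurgeScheduler; Object Name=f36afcff-e3af-4a70-99c0-5e5304c1c336",
    "INFO: EAP Connection Timeout : Server=servername; NAS IP Address=1.2.3.4; NAS Identifier=A4:57:00:64:47:C0:test1",
    "WARN: Profiler SNMP Request Failure : Server= servername; NAD Address=1.2.3.4; Error Message=Request timed out.",
    "INFO: 5 endpoint(s) purged successfully",
    "INFO: Configuration Deleted: Admin=jane.roe; Object Type=NetworkDevice; Object Name=core-sw-01",
]


def parse_ise_message(message: str) -> dict[str, Any]:
    """Split 'LEVEL: Title : Key=Value; Key=Value' into level, title and fields.

    The title is everything before the last ':' that precedes the first '=',
    so titles containing '.' or spaces around the separator still parse.
    A message without any '=' has no fields and its whole body is the title.
    """
    m = LEVEL_RE.match(message.strip())
    if not m:
        raise ValueError(f"unrecognised ISE message: {message!r}")
    level, body = m.group("level"), m.group("body")
    eq = body.find("=")
    if eq == -1:
        return {"level": level, "title": body.strip(), "fields": {}}
    sep = body.rfind(":", 0, eq)
    title = body[:sep].strip() if sep != -1 else ""
    fields: dict[str, str] = {}
    for part in body[sep + 1:].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()  # tolerates 'Server= servername'
    return {"level": level, "title": title, "fields": fields}


def normalize(message: str) -> dict[str, Any]:
    """Build the ECS-style event the samples show (related.* is left out for brevity)."""
    parsed = parse_ise_message(message)
    title, fields = parsed["title"], parsed["fields"]
    ev: dict[str, Any] = {
        "message": message,
        "observer": {"product": "Cisco ISE", "vendor": "Cisco"},
    }
    cfg = CONFIG_RE.match(title)
    if cfg:
        ev["event"] = {"category": ["configuration"], "type": ["change"]}
        ev["cisco"] = {"ise": {
            "config_action": cfg.group(1),
            "config_object": {"name": fields.get("Object Name"), "type": fields.get("Object Type")},
        }}
    else:
        ev["event"] = {"category": ["network"], "type": ["info"]}  # assumed default
    source: dict[str, str] = {}
    for key in HOST_KEYS:
        if key in fields:
            source["address"] = source["domain"] = fields[key]
            break
    for key in IP_KEYS:
        if key in fields:
            source["ip"] = fields[key]
            break
    mac = MAC_RE.match(fields.get("NAS Identifier", ""))
    if mac:
        source["mac"] = mac.group(0)
    if source:
        ev["source"] = source
    for key in USER_KEYS:
        if key in fields:
            ev["user"] = {"name": fields[key]}
            break
    return ev


def config_change_alerts(messages: list[str]) -> list[dict[str, str]]:
    """Logic of the 'Configuration Changed' rule: every change event is surfaced
    with the admin and the touched object so an analyst can confirm it was expected."""
    alerts = []
    for msg in messages:
        ev = normalize(msg)
        if "change" in ev["event"]["type"]:
            ise = ev["cisco"]["ise"]
            alerts.append({
                "admin": ev.get("user", {}).get("name", ""),
                "action": ise["config_action"],
                "object_type": ise["config_object"]["type"] or "",
                "object_name": ise["config_object"]["name"] or "",
            })
    return alerts


if __name__ == "__main__":
    for alert in config_change_alerts(SAMPLES):
        print(alert)
```

Running the block prints one alert per configuration event in `SAMPLES`; the parse of the second sample yields `source.ip` 1.2.3.4 and `source.mac` A4:57:00:64:47:C0 exactly as the page's EAP Connection Timeout sample does.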
Configure
Prerequisites
- Have an internal log concentrator
Enable Syslog forwarding
Log on to your ISE Administration Interface and follow this guide.
Create the intake
Go to the intake page and create a new intake from the format Cisco Identity Services Engine (ISE).
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.