Cisco Identity Services Engine (ISE)
Overview
Cisco Identity Services Engine (ISE) is an intelligent security policy enforcement platform that reduces security risk by providing visibility into the connections between all users and devices across the whole network infrastructure. The product gives fine-grained control over which information and which locations on the network each user can access. The solution and all of its components have been approved and rigorously tested as an integrated system.
Related Built-in Rules
The following Sekoia.io built-in rules match the Cisco ISE intake. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some of the rules listed here might not be relevant to the intake.
SEKOIA.IO x Cisco ISE on ATT&CK Navigator
Cisco Identity Services Engine Configuration Changed
Cisco Identity Services Engine (ISE) has detected a device configuration change (Added, Changed or Deleted). This should be reviewed to check whether it is an expected admin action.
- Effort: master
RYUK Ransomware - martinstevens Username
Detects the user name "martinstevens". Wizard Spider is known to add the user name "martinstevens" to the Active Directory of its victims. It was observed in several campaigns in 2019 and 2020.
- Effort: elementary
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Authentication logs | Authentication audit, control and diagnostic logs |
Network device configuration | Changes to device configuration, usually made by an administrator |
Web logs | Cisco ISE logs provide information about the connected client and the requested resource |
In detail, the following table lists the types of events produced by this integration.
Name | Values |
---|---|
Kind | event |
Category | configuration, network |
Type | change, info |
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
```json
{
  "message": "INFO: Configuration Changed: Admin=john.doe; Object Type=EPPurgeScheduler; Object Name=f36afcff-e3af-4a70-99c0-5e5304c1c336",
  "event": {
    "category": ["configuration"],
    "kind": "event",
    "type": ["change"]
  },
  "cisco": {
    "ise": {
      "config_action": "Changed",
      "config_object": {
        "name": "f36afcff-e3af-4a70-99c0-5e5304c1c336",
        "type": "EPPurgeScheduler"
      }
    }
  },
  "observer": {
    "product": "Cisco ISE",
    "vendor": "Cisco"
  },
  "related": {
    "user": ["john.doe"]
  },
  "user": {
    "name": "john.doe"
  }
}
```
```json
{
  "message": "INFO: 5 endpoint(s) purged successfully",
  "event": {
    "kind": "event",
    "reason": " 5 endpoint(s) purged successfully",
    "type": ["info"]
  },
  "observer": {
    "product": "Cisco ISE",
    "vendor": "Cisco"
  }
}
```
```json
{
  "message": "2023-06-07 04:26:17.306 +0200 60198 INFO null: MnT purge event occurred, MESSAGE=completed successfully,",
  "event": {
    "category": ["network"],
    "kind": "event",
    "reason": "MnT purge event occurred",
    "type": ["info"]
  },
  "cisco": {
    "ise": {
      "event": {
        "outcome": "success"
      }
    }
  },
  "observer": {
    "product": "Cisco ISE",
    "vendor": "Cisco"
  }
}
```
```json
{
  "message": "WARN: AcsSyslogContentAaaDiagnostics:: ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISSUES_FOUND need to complete",
  "event": {
    "category": ["network"],
    "kind": "event",
    "reason": ": ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISSUES_FOUND need to complete",
    "type": ["info"]
  },
  "observer": {
    "product": "Cisco ISE",
    "vendor": "Cisco"
  }
}
```
```json
{
  "message": "INFO: EAP Connection Timeout : Server=servername; NAS IP Address=1.2.3.4; NAS Identifier=A4:57:00:64:47:C0:test1",
  "event": {
    "category": ["network"],
    "kind": "event",
    "type": ["info"]
  },
  "observer": {
    "product": "Cisco ISE",
    "vendor": "Cisco"
  },
  "related": {
    "hosts": ["servername"],
    "ip": ["1.2.3.4"]
  },
  "source": {
    "address": "servername",
    "domain": "servername",
    "ip": "1.2.3.4",
    "mac": "A4:57:00:64:47:C0"
  }
}
```
```json
{
  "message": "WARN: Dynamic Authorization Failed for Device : Server=servername; Calling Station Id=N/A; Network device IP=1.2.3.4; Network Device",
  "event": {
    "category": ["network"],
    "kind": "event",
    "type": ["info"]
  },
  "observer": {
    "product": "Cisco ISE",
    "vendor": "Cisco"
  },
  "related": {
    "hosts": ["servername"],
    "ip": ["1.2.3.4"],
    "user": ["N/A"]
  },
  "source": {
    "address": "servername",
    "domain": "servername",
    "ip": "1.2.3.4"
  },
  "user": {
    "name": "N/A"
  }
}
```
```json
{
  "message": "WARN: Profiler SNMP Request Failure : Server= servername; NAD Address=1.2.3.4; Error Message=Request timed out.",
  "event": {
    "category": ["network"],
    "kind": "event",
    "reason": "Request timed out.",
    "type": ["info"]
  },
  "cisco": {
    "ise": {
      "network_calling_station": {
        "id": "Request timed out."
      }
    }
  },
  "observer": {
    "product": "Cisco ISE",
    "vendor": "Cisco"
  },
  "related": {
    "hosts": ["servername"],
    "ip": ["1.2.3.4"]
  },
  "source": {
    "address": "servername",
    "domain": "servername",
    "ip": "1.2.3.4"
  }
}
```
```json
{
  "message": "WARN: TrustSec deploy verification failed to reach NAD.: Device Name=device005.internal.example.org; Device Ip=1.2.3.4; Device login username=admin",
  "event": {
    "category": ["network"],
    "kind": "event",
    "type": ["info"]
  },
  "observer": {
    "product": "Cisco ISE",
    "vendor": "Cisco"
  },
  "related": {
    "hosts": ["device005.internal.example.org"],
    "ip": ["1.2.3.4"],
    "user": ["admin"]
  },
  "source": {
    "address": "device005.internal.example.org",
    "domain": "device005.internal.example.org",
    "ip": "1.2.3.4",
    "registered_domain": "example.org",
    "subdomain": "device005.internal",
    "top_level_domain": "org"
  },
  "user": {
    "name": "admin"
  }
}
```
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description |
---|---|---|
cisco.ise.config_action | keyword | The action in a configuration event (Added, Changed, Deleted) |
cisco.ise.config_object.name | keyword | The name of the object in the configuration event |
cisco.ise.config_object.type | keyword | The type of the object in the configuration event |
cisco.ise.event.outcome | keyword | The outcome of the event |
cisco.ise.network_calling_station.id | keyword | The calling station id |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
observer.product | keyword | The product name of the observer. |
observer.vendor | keyword | Vendor name of the observer. |
source.domain | keyword | The domain name of the source. |
source.ip | ip | IP address of the source. |
source.mac | keyword | MAC address of the source. |
user.name | keyword | Short name or login of the user. |
Configure
Prerequisites
- Have an internal log concentrator
Enable Syslog forwarding
Log on to your ISE Administration Interface and follow this guide.
Create the intake
Go to the intake page and create a new intake using the format Cisco Identity Services Engine (ISE).
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.