Cisco ISE Logs

Hello Rapid 7 Community,

I wanted to put this out here and see if anyone by chance has successfully configured Cisco ISE logs to come into Rapid 7 using the already existing product types in InsightIDR and have the Authentication logs enrich the case data.

To keep this short I discovered yesterday I have a hole in my authentication log data, where my logs show a user getting locked out and having nothing but successful authentications when pulling the logs into the case management platform.

My question is if you have successfully done this what product type did you choose and why? I am currently testing the Universal Ingress Auth one today. But just wanted to collect feedback from you guys and see if anyone else has overcome this challenge.

Pat

Hey, we saw this. We’re trying to track down an answer for you.

Thanks for asking! We’ll get back as soon as we get an answer.

Thank you Joey

We’ve reached out to a couple of internal teams and we haven’t had this specific need or source come up and as you know we don’t currently support Cisco ISE as an authentication source for events. If you are able to identify the Cisco ISE logs with the authentication result, then I would highly recommend the use of a Universal Event Source for formatting the message as required.

While there is no one way to accomplish this, I’ve found use of nxlog, logstash, or even a simple Python script a good way to go. No matter the tooling there are three steps necessary:

  1. Get event
  2. Format event
  3. Send event

Here is a post that might help a bit if you were to go the Python route: Getting the Most Out of InsightIDR Universal Event Sources

We are using the “Rapid7 Generic Syslog” event type for the logs from Cisco ISE. I will say, we also have Duo integrated into ISE so we get auth logs from the MFA side as well.

Thank you for helping out @jaredboulden :star2:

Thank you Jared I will explore this tomorrow =)

Did you have to do any data conversion or did it just natively work?

While I don’t have any hands on experience with the Cisco ISE logs, to get any correlation or UBA you will likely need to convert it into the Universal Event Format for authentication. If you don’t need UBA, then ingesting as Generic Syslog will still give you the ability to search and/or alert on the logs.

Patrick, I too am looking at bringing in the ISE logs so I am curious to hear if you moved forward with that earlier this year?

My first attempt using the Rapid7 Generic Syslog option shows the data under the Raw Log section in Log Search and some fields have been identified… but far from all. My hope is to somehow figure out what data IDR needs to natively use the information from the ISE logs and then use the Custom Data Parsing (in Open Preview atm) to mark/identify those fields… and hopefully the magic happens! :wink:

If not, then I’ll fall back on my own dash-boarding I guess…

Hey Peter,

We are currently working on a native Cisco ISE event source for IDR, which we hope we can release soon.

Also, I would suggest that when sending syslog to IDR you use the Raw Syslog event source. This is because the Generic Syslog expects the RFC3164 format. =)

Regards

Hi Patrick,

I would like to announce that InsightIDR now supports “Cisco ISE” as a new Event Source. It can be found in the “VPN” category.
More information can be found here.

Hope this helps :slight_smile:

Hi Felipe and Mirela,

I just noticed in the IDR newsletter that came out this week that Cisco ISE indeed is supported now as a recognized log source… so that is great news!

I have “redirected” my initial attempt from the Raw Syslog option to this integration now and it seems to work.
However, the information about ISE as a log source points out the log options on the ISE side but does not specify which ones are mandatory for IDR to pick up on the information it needs to flag suspicious activity, i.e. …

Add the target that you created in the previous section to the following categories. These are default log collection settings and can be modified as needed:

  • AAA Audit
  • AAA Diagnostics
  • Accounting
  • External MDM
  • Passive ID
  • Posture and Client Provisioning Audit
  • Posture and Client Provisioning Diagnostics
  • Profiler
  • Administrative and Operational Audit
  • System Diagnostics
  • System Statistics

Maybe the documentation can be updated to reflect which of the above ISE logging options are indeed required for the built-in detection in IDR to work as expected… or maybe state that all are needed if that is the case?

Thanks :slightly_smiling_face:
Peter

Hi @peter_eriksson!

Thanks for the awesome feedback on this. I will reach out to our internal teams and ask to update the document based on your suggestions.

Regards,
Felipe

Thanks Felipe, I’ll keep my eyes peeled for the update… and in the meantime test with the log options to see what comes over to IDR… :slight_smile:

//Peter

I believe IDR only parses the following ISE logging categories. Can anyone/Rapid7 confirm?

  • Failed Attempts
  • Passed Authentications
  • RADIUS Accounting
  • TACACS Accounting

Hi Michael,
You are correct!

The event codes Rapid7 supports are 3000, 3001, 5200, 5400, 5401, 3304, 3301.
These are: RADIUS Accounting, Passed Authentications, Failed Attempts and TACACS Accounting.

Just to note, we had to set the maximum length much higher than 1024 (stated in the documentation) as we had events surpassing 6,000 bytes in size.
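The three steps Rapid7 described earlier (get event, format event, send event), the event codes Felipe listed, and Michael's note about events well over the documented 1024 bytes can be tied together in one small script. The following is an added example written for this thread; it is not code from Rapid7, from the ISE integration, or from any poster. The sample syslog lines are constructed, the ISE line layout (message id, segment count, segment index, timestamp, sequence, event code, severity, then comma-separated key=value attributes) is my reading of the format, and the Universal Event Format field names (`event_type`, `account`, `authentication_result`, and so on) are assumptions to be checked against Rapid7's current schema before use:

```python
"""Added example (not code from the thread or from Rapid7): a minimal get -> format
-> send pipeline for Cisco ISE syslog feeding an InsightIDR Universal Event Source.
Sample lines are constructed; the Universal Event Format field names are assumed."""
import re
from datetime import datetime, timezone

# Codes as Felipe listed them: 5200 passed, 5400/5401 failed; 3000/3001 (RADIUS) and
# 3301/3304 (TACACS) are accounting and are not authentication events.
AUTH_CODES = {"5200": "SUCCESS", "5400": "FAILURE", "5401": "FAILURE"}
DOCUMENTED_MAX_BYTES = 1024  # the limit Michael quotes from the docs

# Assumed ISE layout: <pri>date host CISE_<Category> <msg-id> <segments> <segment-idx>
# <ise-timestamp> <ise-seq> <event-code> <severity> <body>
LINE_RE = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<category>CISE_\w+) "
    r"(?P<msg_id>\d+) (?P<total>\d+) (?P<segment>\d+) "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) \d+ (?P<code>\d+) \w+ (?P<rest>.*)$"
)

# Constructed sample lines (not real ISE output); the last two are one failed-attempt
# message split into two segments.
SAMPLE_LINES = [
    "<181>Mar 02 10:15:22 ise-psn-01 CISE_Passed_Authentications 0000000101 1 0 "
    "2024-03-02 10:15:22.101 +00:00 0000000501 5200 NOTICE Passed-Authentication: Authentication "
    "succeeded, ConfigVersionId=42, Device IP Address=10.10.1.5, UserName=jdoe, NetworkDeviceName=sw-1",
    "<181>Mar 02 10:16:09 ise-psn-01 CISE_RADIUS_Accounting 0000000102 1 0 "
    "2024-03-02 10:16:09.000 +00:00 0000000502 3000 NOTICE Radius-Accounting: RADIUS Accounting "
    "start request, ConfigVersionId=42, UserName=jdoe",
    "<181>Mar 02 10:18:03 ise-psn-01 CISE_Failed_Attempts 0000000104 2 0 "
    "2024-03-02 10:18:03.330 +00:00 0000000504 5400 NOTICE Failed-Attempt: Authentication "
    "failed, ConfigVersionId=42, Device IP Address=10.10.1.5, UserName=jdoe, NetworkDeviceName=sw-1",
    "<181>Mar 02 10:18:03 ise-psn-01 CISE_Failed_Attempts 0000000104 2 1 "
    "2024-03-02 10:18:03.330 +00:00 0000000504 5400 NOTICE , Step=11001, Step=11017, "
    "FailureReason=22040 Wrong password or invalid shared secret",
]


def parse_line(raw):
    """Step 1 (get): split one ISE syslog line into header fields plus body."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["total"], ev["segment"] = int(ev["total"]), int(ev["segment"])
    ev["bytes"] = len(raw.encode("utf-8"))
    return ev


def reassemble(events):
    """ISE splits long messages into numbered segments that repeat the header (my
    understanding of the format); join them by msg_id so a long event is not fragmented."""
    parts = {}
    for ev in events:
        parts.setdefault(ev["msg_id"], {})[ev["segment"]] = ev
    for segs in parts.values():
        first = segs.get(0)
        if first is None or any(i not in segs for i in range(first["total"])):
            continue  # incomplete; a real collector would time this out
        merged = dict(first)
        merged["rest"] = "".join(segs[i]["rest"] for i in range(first["total"]))
        merged["bytes"] = sum(segs[i]["bytes"] for i in range(first["total"]))
        yield merged


def split_attrs(rest):
    """Body is 'Message text, Key=Value, ...'; repeated keys (Step=) are joined with '|'."""
    text, *pairs = rest.split(", ")
    attrs = {}
    for pair in pairs:
        key, _, value = pair.partition("=")
        attrs[key] = value if key not in attrs else attrs[key] + "|" + value
    return text, attrs


def to_uef_auth(ev):
    """Step 2 (format): map a passed/failed authentication to an assumed UEF record."""
    if ev["code"] not in AUTH_CODES:
        return None  # accounting and other categories stay on the generic syslog path
    text, attrs = split_attrs(ev["rest"])
    ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
    return {
        "version": "v1",
        "event_type": "AUTHENTICATION",
        "time": ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "account": attrs.get("UserName") or attrs.get("User-Name") or "unknown",
        "source_ip": attrs.get("Device IP Address"),  # the NAD, closest thing to a source
        "authentication_target": attrs.get("NetworkDeviceName"),
        "authentication_result": AUTH_CODES[ev["code"]],
        "service": "Cisco ISE",
        "custom_data": {"ise_category": ev["category"], "ise_event_code": ev["code"],
                        "message": text, "failure_reason": attrs.get("FailureReason")},
    }


def process(lines, max_bytes=DOCUMENTED_MAX_BYTES):
    """Steps 1-3: returns (formatted auth events, msg_ids whose full size exceeds
    max_bytes). Step 3 (send) is the caller's transport to the collector."""
    parsed = [ev for ev in map(parse_line, lines) if ev]
    out, oversize = [], []
    for ev in reassemble(parsed):
        if ev["bytes"] > max_bytes:
            oversize.append(ev["msg_id"])  # would be cut off at the documented limit
        uef = to_uef_auth(ev)
        if uef:
            out.append(uef)
    return out, oversize
```

Running `process(SAMPLE_LINES)` yields one SUCCESS and one FAILURE record (the RADIUS accounting line is parsed but deliberately not turned into an authentication event), and the `oversize` list is how you would spot messages that a 1024-byte syslog limit would truncate before the Universal Event Source ever saw the `FailureReason` at the end of the line. The same skeleton applies whether the plumbing is nxlog, logstash or a script: only the sender differs.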

Thank you Michael for your feedback.
We are going to update the documentation. :slight_smile:
