I wanted to put this out here and see if anyone by chance has successfully configured Cisco ISE logs to come into Rapid7 using the already existing product types in InsightIDR and have the authentication logs enrich the case data.
To keep this short, I discovered yesterday that I have a hole in my authentication log data, where my logs show a user getting locked out and having nothing but successful authentications when pulling the logs into the case management platform.
My question is if you have successfully done this what product type did you choose and why? I am currently testing the Universal Ingress Auth one today. But just wanted to collect feedback from you guys and see if anyone else has overcome this challenge.
We’ve reached out to a couple of internal teams and we haven’t had this specific need or source come up and, as you know, we don’t currently support Cisco ISE as an authentication source for events. If you are able to identify the Cisco ISE logs with the authentication result, then I would highly recommend the use of a Universal Event Source for formatting the message as required.
While there is no one way to accomplish this, I’ve found use of nxlog, logstash, or even a simple Python script a good way to go. No matter the tooling there are three steps necessary:
We are using the “Rapid7 Generic Syslog” event type for the logs from Cisco ISE. I will say, we also have Duo integrated into ISE so we get auth logs from the MFA side as well.
While I don’t have any hands-on experience with the Cisco ISE logs, to get any correlation or UBA you will likely need to convert it into the Universal Event Format for authentication. If you don’t need UBA, then ingesting as Generic Syslog will still give you the ability to search and/or alert on the logs.
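The conversion the two replies above describe (pick out the ISE messages that carry an authentication result and re-emit them in the Universal Event Format for authentication), shown here as an added Python example that is not Rapid7’s or Cisco’s code. The sample syslog lines are constructed; the ISE line layout they follow (priority, BSD timestamp, host, CISE_ category, message sequence number, total segment count, segment index, then the message body as a comma-separated Key=Value list, with long messages split across several segments) and the UEF field names used in the output are assumptions to verify against the current Cisco and Rapid7 documentation before relying on them.

```python
"""Turn Cisco ISE authentication syslog into InsightIDR UEF authentication events.
Added example (not vendor code); line layout and UEF field names are assumptions."""
import json
import re
from datetime import datetime, timezone

# Constructed sample input. Message 0000001235 is split across two segments
# ("2 0" and "2 1"), which is how ISE ships messages longer than one datagram.
SAMPLE_LINES = [
    "<181>Jan 10 12:00:01 ise01 CISE_Passed_Authentications 0000001234 1 0 "
    "2024-01-10 12:00:01.123 +00:00 0000056789 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=42, Device IP Address=10.0.0.5, "
    "UserName=jdoe, Protocol=Radius, Calling-Station-ID=AA-BB-CC-DD-EE-FF, "
    "NetworkDeviceName=sw-core-1, User-Name=CORP\\jdoe,",
    "<181>Jan 10 12:00:05 ise01 CISE_Failed_Attempts 0000001235 2 0 "
    "2024-01-10 12:00:05.456 +00:00 0000056790 5400 NOTICE Failed-Attempt: "
    "Authentication failed, ConfigVersionId=42, Device IP Address=10.0.0.5, "
    "UserName=jdoe, Protocol=Radius,",
    "<181>Jan 10 12:00:05 ise01 CISE_Failed_Attempts 0000001235 2 1 "
    "FailureReason=22040 Wrong password or invalid shared secret, "
    "Calling-Station-ID=AA-BB-CC-DD-EE-FF, NetworkDeviceName=sw-core-1,",
    # Accounting is not an authentication result and must not become a UEF event.
    "<182>Jan 10 12:00:09 ise01 CISE_RADIUS_Accounting 0000001236 1 0 "
    "2024-01-10 12:00:09.000 +00:00 0000056791 3000 NOTICE Radius-Accounting: "
    "RADIUS Accounting start request, UserName=jdoe, Acct-Status-Type=Start,",
]

# Syslog header + ISE segment bookkeeping (assumed layout, see lead-in).
HEADER = re.compile(
    r"^<\d+>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<category>CISE_\S+) "
    r"(?P<seq>\d+) (?P<total>\d+) (?P<idx>\d+) (?P<body>.*)$"
)
# Body of a reassembled message: ISE timestamp, tz, counter, code, level, class.
BODY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<tz>[+-]\d\d:\d\d) \d+ "
    r"(?P<code>\d+) \w+ (?P<msgclass>[\w-]+): (?P<desc>[^,]*),\s*(?P<attrs>.*)$"
)
# Only these ISE categories carry a pass/fail verdict for a login attempt.
RESULT_BY_CATEGORY = {
    "CISE_Passed_Authentications": "SUCCESS",
    "CISE_Failed_Attempts": "FAILURE",
}


def parse_attrs(text):
    """Split 'Key=Value, Key=Value,' into a dict; values may contain spaces."""
    attrs = {}
    for token in re.split(r",\s+", text.strip().rstrip(",")):
        if "=" in token:
            key, _, value = token.partition("=")
            attrs[key.strip()] = value.strip()
    return attrs


def to_uef(category, body):
    """Map one complete ISE message to a UEF authentication dict, or None."""
    result = RESULT_BY_CATEGORY.get(category)
    m = BODY.match(body)
    if result is None or not m:
        return None
    attrs = parse_attrs(m.group("attrs"))
    # UserName is the stripped login; User-Name is the raw RADIUS attribute,
    # which may carry a DOMAIN\ prefix we can turn into account_domain.
    domain = attrs.get("User-Name", "").partition("\\")[0] if "\\" in attrs.get("User-Name", "") else ""
    ts = datetime.strptime(f"{m.group('ts')} {m.group('tz')}", "%Y-%m-%d %H:%M:%S.%f %z")
    event = {
        "version": "v1",
        "event_type": "AUTHENTICATION",
        "time": ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "account": attrs.get("UserName", ""),
        "authentication_result": result,
        # 802.1X clients often have no IP yet; fall back to the NAS address.
        "source_ip": attrs.get("Framed-IP-Address") or attrs.get("Device IP Address", ""),
        "authentication_target": attrs.get("NetworkDeviceName", "ISE"),
        "custom_data": {k: attrs[k] for k in
                        ("Protocol", "Calling-Station-ID", "FailureReason", "Device IP Address")
                        if k in attrs},
    }
    if domain:
        event["account_domain"] = domain
    return event


def convert(lines):
    """Reassemble multi-segment ISE messages, then emit UEF events in order."""
    events, pending = [], {}
    for line in lines:
        h = HEADER.match(line)
        if not h:
            continue  # not an ISE line; leave it to the plain syslog path
        key = (h.group("host"), h.group("seq"))
        entry = pending.setdefault(key, {"category": h.group("category"),
                                         "total": int(h.group("total")), "parts": {}})
        entry["parts"][int(h.group("idx"))] = h.group("body")
        if len(entry["parts"]) < entry["total"]:
            continue  # wait for the remaining segments
        del pending[key]
        body = " ".join(entry["parts"].get(i, "") for i in range(entry["total"]))
        event = to_uef(entry["category"], body)
        if event:
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in convert(SAMPLE_LINES):
        print(json.dumps(ev))  # one JSON object per line, as a UEF source expects
```

Each emitted line is one JSON object, which is what a Universal Event Source on the collector consumes; in a real deployment this script (or the equivalent nxlog/logstash filter) sits between the ISE syslog target and the collector, and messages still waiting on a missing segment should be expired after a short timeout rather than held forever.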
Patrick, I too am looking at bringing in the ISE logs so I am curious to hear if you moved forward with that earlier this year?
My first attempt using the Rapid7 Generic Syslog option shows the data under the Raw Log section in Log Search and some fields have been identified… but far from all. My hope is to somehow figure out what data IDR needs to natively use the information from the ISE logs and then use the Custom Data Parsing (in Open Preview atm) to mark/identify those fields… and hopefully the magic happens!
If not, then I’ll fall back on my own dashboarding I guess…
We are currently working on a native Cisco ISE event source for IDR, which we hope we can release soon.
Also, I would suggest that when sending syslog to IDR you use the Raw Syslog event source. This is because the Generic Syslog expects the RFC 3164 format. =)
I would like to make an announcement that InsightIDR now supports “Cisco ISE” as a new Event Source. It can be found in the “VPN” category.
More information can be found here.
I just noticed in the IDR newsletter that came out this week that Cisco ISE indeed is supported now as a recognized log source… so that is great news!
I have “redirected” my initial attempt from the Raw Syslog option to this integration now and it seems to work.
However, the information about ISE as a log source points out the log options on the ISE side but does not specify which ones are mandatory for IDR to pick up on the information it needs to flag suspicious activity, i.e. …
Add the target that you created in the previous section to the following categories. These are default log collection settings and can be modified as needed:
AAA Audit
AAA Diagnostics
Accounting
External MDM
Passive ID
Posture and Client Provisioning Audit
Posture and Client Provisioning Diagnostics
Profiler
Administrative and Operational Audit
System Diagnostics
System Statistics
Maybe the documentation can be updated to reflect which of the above ISE logging options are indeed required for the built-in detection in IDR to work as expected… or maybe state that all are needed if that is the case?