Cisco ISE Logs

We’ve reached out to a couple of internal teams and we haven’t had this specific need or source come up, and as you know, we don’t currently support Cisco ISE as an authentication source for events. If you are able to identify the Cisco ISE logs with the authentication result, then I would highly recommend the use of a Universal Event Source for formatting the message as required.

While there is no one way to accomplish this, I’ve found use of NXLog, Logstash, or even a simple Python script a good way to go. No matter the tooling, there are three steps necessary:

  1. Get event
  2. Format event
  3. Send event

Here is a post that might help a bit if you were to go the Python route: Getting the Most Out of InsightIDR Universal Event Sources
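
The three steps above as a Python sketch, added here as an example and not part of the original reply or Rapid7's code. Assumptions: the ISE lines are constructed samples, the keys `UserName`, `Framed-IP-Address` and `NetworkDeviceName` and the `Passed-Authentication` / `Failed-Attempt` markers should be checked against your own ISE output, the JSON field names should be checked against the Universal Event Format documentation for ingress authentication, and newline-delimited JSON over TCP is an assumed delivery method.

```python
import json
import re
import socket
from datetime import datetime, timezone

# Constructed sample lines in the style of ISE syslog output (not from a real deployment).
SAMPLE_LINES = [
    "<181>Mar  4 10:15:02 ise01 CISE_Passed_Authentications 0000000101 1 0 2024-03-04 10:15:02.123 +00:00 "
    "0000004321 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=CORP\\jdoe, "
    "NAS-IP-Address=192.0.2.10, Framed-IP-Address=198.51.100.7, NetworkDeviceName=vpn-gw-1",
    "<181>Mar  4 12:16:40 ise01 CISE_Failed_Attempts 0000000102 1 0 2024-03-04 12:16:40.500 +02:00 "
    "0000004322 5400 NOTICE Failed-Attempt: Authentication failed, UserName=asmith, "
    "NAS-IP-Address=192.0.2.10, Framed-IP-Address=198.51.100.9, NetworkDeviceName=vpn-gw-1",
    "<181>Mar  4 10:17:00 ise01 CISE_RADIUS_Accounting 0000000103 1 0 2024-03-04 10:17:00.000 +00:00 "
    "0000004323 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, UserName=jdoe",
]
RESULTS = {"Passed-Authentication:": "SUCCESS", "Failed-Attempt:": "FAILURE"}
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2}")

def format_event(line):
    """Step 2: map one ISE line to a UES ingress-authentication dict, or None to skip it."""
    result = next((v for k, v in RESULTS.items() if k in line), None)
    stamp = STAMP.search(line)
    fields = {k: v.strip() for k, v in re.findall(r"([\w-]+)=([^,]*)", line)}
    user, ip = fields.get("UserName"), fields.get("Framed-IP-Address")
    if not (result and stamp and user and ip):
        return None  # not an authentication result, or missing a field the event needs
    when = datetime.strptime(stamp.group(), "%Y-%m-%d %H:%M:%S.%f %z").astimezone(timezone.utc)
    domain, _, account = user.rpartition("\\")  # split DOMAIN\user when a domain is present
    event = {"version": "v1", "event_type": "INGRESS_AUTHENTICATION",
             "time": when.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
             "account": account, "source_ip": ip, "authentication_result": result}
    if domain:
        event["account_domain"] = domain
    if "NetworkDeviceName" in fields:
        event["authentication_target"] = fields["NetworkDeviceName"]
    return event

def send_event(event, host, port):
    """Step 3: one JSON object per line; json.dumps escapes attacker-influenced usernames."""
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall((json.dumps(event) + "\n").encode("utf-8"))

if __name__ == "__main__":
    for raw in SAMPLE_LINES:  # step 1 would read from a syslog listener or file instead
        parsed = format_event(raw)
        if parsed:
            print(json.dumps(parsed))  # replace with send_event(parsed, host, port)
```

Timestamps are normalized to UTC before sending so events from ISE nodes in different time zones line up in the timeline.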