Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1411
Views
5
Helpful
4
Replies

SIEM detection rules for Cisco Identity Services Engine (ISE) Syslog?

Go to solution
HumbleHackerAM
Level 1
Level 1

‎03-17-2023 04:45 PM - edited ‎03-17-2023 04:48 PM

Hello Cisco ISE Community:

So I wanted to see if Cisco provided some SIEM detection rules in general, and more specifically SIEM detection rules for IBM QRadar SIEM.

As a novelty, I thought I would consult OpenAI's ChatGPT bot. I asked ChatGPT the following question:

Where can I find SIEM detection rules that will generate alerts on security events sent from the Cisco Identity Services Engine?

One of the responses ChatGPT gave was:
Cisco ISE Security Bundle: This is a set of pre-built correlation rules, dashboards, and reports that can be used to monitor security events from the ISE in a SIEM system. You can download the security bundle from the Cisco website and integrate it with your SIEM to start monitoring the ISE logs.

I searched Cisco's website, Google, and any mention of it the Cisco Forums for this "Cisco ISE Security Bundle" but my searches did not produce any results.

QUESTION: Does a "Cisco ISE Security Bundle" containing pre-built correlation rules, dashboards, and reports exist for any SIEM product (and specifically for QRadar)?

I am aware of the ISE Security Ecosystem Integration Guides documented here:
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-ecosystem-partner-integration-details/ta-p/3645572

And I have read the guides specifically for integration with IBM QRadar SIEM. The specific integration with QRadar depends on the installation of an app on QRadar which would connect to Cisco's ISE pxGrid to query information. And according to the "Cisco ISE pxGrid App 3.1.0 for IBM QRadar SIEM" guide there is limited use case offense generation (A single use case from what I can tell, "pxGrid Radius Failure", Page 88).

"The Cisco pxGrid offense rule gets triggered when an event occurs, the match Radius Failure session or simply three events in the Cisco ISE pxGrid App Failed Authentication Dashboard from the same source IP address that occur within 10 minutes."

QUESTION: Does the Cisco ISE development team provide a "Cisco ISE Security Bundle" or an out-of-the-box collection of SIEM rules, dashboards, and reports that can work on correlating security offenses across Cisco ISE events inbound to a SIEM via a Syslog event integration method (rather than via the Cisco pxGrid integration method)?

Thank you in advance!

@Jason Kunst 

@thomas 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎03-20-2023 08:52 AM - edited ‎03-20-2023 08:56 AM

ChatGPT is making stuff up in its technical answers.

I have never heard of such a thing and there are no direct hits on "Cisco ISE Security Bundle" or ISE Security Bundle when I search for it (in case an integration partner had something like that).  We do have support bundles for TAC but no SIEM security bundles that I am aware of.

For available QRadar integration documents and rules, see http://cs.co/ise-guides#QRadar or ask the partner for their rules.

Apparently rather than ChatGPT taking our technical jobs, we will now need to hire more people to fact-check ChatGPT's ridiculous answers.  8-)

View solution in original post

4 Replies 4

Go to solution
Tariq Mahmoud
Level 1
Level 1

‎03-19-2023 04:19 AM

I'm not from the ISE development team, hence I can't confirm if such a thing exists.
However, from my experience I have never heard of such thing as "Cisco ISE Security Bundle", except of course in the case of QRadar and ISE where you need an app to do the integration. 

Go to solution
HumbleHackerAM
Level 1
Level 1
In response to Tariq Mahmoud

‎03-19-2023 09:47 AM - edited ‎03-19-2023 09:47 AM

Hi Tariq,

Thanks for the reply.  It should be interesting to see what the response is from someone from the ISE team, I tagged them @Jason Kunst @thomas .  I posted this question later on in the day on Friday.  I am assuming they are having a great weekend with their families, which they should.  Let's see what feedback they have this coming work week.

If nothing exists as mentioned by ChatGPT then I'll give ChatGPT's response a thumbs down and feed it a corrective reply.

Adam

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎03-20-2023 08:52 AM - edited ‎03-20-2023 08:56 AM

ChatGPT is making stuff up in its technical answers.

I have never heard of such a thing and there are no direct hits on "Cisco ISE Security Bundle" or ISE Security Bundle when I search for it (in case an integration partner had something like that).  We do have support bundles for TAC but no SIEM security bundles that I am aware of.

For available QRadar integration documents and rules, see http://cs.co/ise-guides#QRadar or ask the partner for their rules.

Apparently rather than ChatGPT taking our technical jobs, we will now need to hire more people to fact-check ChatGPT's ridiculous answers.  8-)

Go to solution
HumbleHackerAM
Level 1
Level 1
In response to thomas

‎03-20-2023 09:22 AM - edited ‎03-20-2023 09:23 AM

Thanks for the reply @thomas.  I'll correct ChatGPT.  Thanks again.

Potential future job title:  ChatGPT Operator. 

Customers Also Viewed These Support Documents