cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1973
Views
6
Helpful
4
Replies

SIEM detection rules for Cisco Identity Services Engine (ISE) Syslog?

HumbleHackerAM
Level 1
Level 1

Hello Cisco ISE Community:

So I wanted to see if Cisco provided some SIEM detection rules in general, and more specifically SIEM detection rules for IBM QRadar SIEM.

As a novelty, I thought I would consult OpenAI's ChatGPT bot. I asked ChatGPT the following question:

Where can I find SIEM detection rules that will generate alerts on security events sent from the Cisco Identity Services Engine?

One of the responses ChatGPT gave was:
Cisco ISE Security Bundle: This is a set of pre-built correlation rules, dashboards, and reports that can be used to monitor security events from the ISE in a SIEM system. You can download the security bundle from the Cisco website and integrate it with your SIEM to start monitoring the ISE logs.

I searched Cisco's website, Google, and any mention of it the Cisco Forums for this "Cisco ISE Security Bundle" but my searches did not produce any results.

QUESTION: Does a "Cisco ISE Security Bundle" containing pre-built correlation rules, dashboards, and reports exist for any SIEM product (and specifically for QRadar)?

I am aware of the ISE Security Ecosystem Integration Guides documented here:
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-ecosystem-partner-integration-details/ta-p/3645572

And I have read the guides specifically for integration with IBM QRadar SIEM. The specific integration with QRadar depends on the installation of an app on QRadar which would connect to Cisco's ISE pxGrid to query information. And according to the "Cisco ISE pxGrid App 3.1.0 for IBM QRadar SIEM" guide there is limited use case offense generation (A single use case from what I can tell, "pxGrid Radius Failure", Page 88).

"The Cisco pxGrid offense rule gets triggered when an event occurs, the match Radius Failure session or simply three events in the Cisco ISE pxGrid App Failed Authentication Dashboard from the same source IP address that occur within 10 minutes."

QUESTION: Does the Cisco ISE development team provide a "Cisco ISE Security Bundle" or an out-of-the-box collection of SIEM rules, dashboards, and reports that can work on correlating security offenses across Cisco ISE events inbound to a SIEM via a Syslog event integration method (rather than via the Cisco pxGrid integration method)?

Thank you in advance!

@Jason Kunst 

@thomas 

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

ChatGPT is making stuff up in its technical answers.

I have never heard of such a thing and there are no direct hits on "Cisco ISE Security Bundle" or ISE Security Bundle when I search for it (in case an integration partner had something like that).  We do have support bundles for TAC but no SIEM security bundles that I am aware of.

For available QRadar integration documents and rules, see http://cs.co/ise-guides#QRadar or ask the partner for their rules.

Apparently rather than ChatGPT taking our technical jobs, we will now need to hire more people to fact-check ChatGPT's ridiculous answers.  8-)

View solution in original post

4 Replies 4

Tariq Mahmoud
Level 1
Level 1

I'm not from the ISE development team, hence I can't confirm if such a thing exists.
However, from my experience I have never heard of such thing as "Cisco ISE Security Bundle", except of course in the case of QRadar and ISE where you need an app to do the integration. 

Hi Tariq,

Thanks for the reply.  It should be interesting to see what the response is from someone from the ISE team, I tagged them @Jason Kunst @thomas .  I posted this question later on in the day on Friday.  I am assuming they are having a great weekend with their families, which they should.  Let's see what feedback they have this coming work week.

If nothing exists as mentioned by ChatGPT then I'll give ChatGPT's response a thumbs down and feed it a corrective reply.

Adam

thomas
Cisco Employee
Cisco Employee

ChatGPT is making stuff up in its technical answers.

I have never heard of such a thing and there are no direct hits on "Cisco ISE Security Bundle" or ISE Security Bundle when I search for it (in case an integration partner had something like that).  We do have support bundles for TAC but no SIEM security bundles that I am aware of.

For available QRadar integration documents and rules, see http://cs.co/ise-guides#QRadar or ask the partner for their rules.

Apparently rather than ChatGPT taking our technical jobs, we will now need to hire more people to fact-check ChatGPT's ridiculous answers.  8-)

Thanks for the reply @thomas.  I'll correct ChatGPT.  Thanks again.

Potential future job title:  ChatGPT Operator.