
SIEM detection rules for Cisco Identity Services Engine (ISE) Syslog?


Hello Cisco ISE Community:

So I wanted to see if Cisco provided some SIEM detection rules in general, and more specifically SIEM detection rules for IBM QRadar SIEM.

As a novelty, I thought I would consult OpenAI's ChatGPT bot. I asked ChatGPT the following question:

Where can I find SIEM detection rules that will generate alerts on security events sent from the Cisco Identity Services Engine?

One of the responses ChatGPT gave was:
Cisco ISE Security Bundle: This is a set of pre-built correlation rules, dashboards, and reports that can be used to monitor security events from the ISE in a SIEM system. You can download the security bundle from the Cisco website and integrate it with your SIEM to start monitoring the ISE logs.

I searched Cisco's website, Google, and the Cisco Forums for any mention of this "Cisco ISE Security Bundle", but my searches did not produce any results.

QUESTION: Does a "Cisco ISE Security Bundle" containing pre-built correlation rules, dashboards, and reports exist for any SIEM product (and specifically for QRadar)?

I am aware of the ISE Security Ecosystem Integration Guides documented here:

And I have read the guides specifically for integration with IBM QRadar SIEM. The specific integration with QRadar depends on the installation of an app on QRadar which would connect to Cisco's ISE pxGrid to query information. And according to the "Cisco ISE pxGrid App 3.1.0 for IBM QRadar SIEM" guide there is limited use case offense generation (A single use case from what I can tell, "pxGrid Radius Failure", Page 88).

"The Cisco pxGrid offense rule gets triggered when an event occurs, the match Radius Failure session or simply three events in the Cisco ISE pxGrid App Failed Authentication Dashboard from the same source IP address that occur within 10 minutes."

QUESTION: Does the Cisco ISE development team provide a "Cisco ISE Security Bundle" or an out-of-the-box collection of SIEM rules, dashboards, and reports that can work on correlating security offenses across Cisco ISE events inbound to a SIEM via a Syslog event integration method (rather than via the Cisco pxGrid integration method)?

Thank you in advance!

@Jason Kunst
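As an added illustration (not part of the original post, and not Cisco's or IBM's code), the single offense rule quoted above from the pxGrid app guide, "three failed authentication events from the same source IP within 10 minutes", can be expressed as a sliding-window correlation over a Syslog feed, which is the integration path the question asks about. The log lines below are constructed and only loosely modelled on ISE's CISE_Failed_Attempts / CISE_Passed_Authentications message classes; the exact ISE Syslog layout, field names and the `correlate_failures` function are assumptions of this example, so a real rule would need its parser adjusted to the actual ISE logging category format.

```python
"""Sliding-window correlation of failed authentications per source IP.

Models the one pxGrid offense rule quoted in the post (three failures from
the same source IP within 10 minutes), but applied to a Syslog feed.
The sample records are CONSTRUCTED and simplified, not real ISE output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed: timestamp, message class, severity, then a
# loosely ISE-like "Key=Value" section. Lines are in time order.
SAMPLE_LOG = """\
2024-05-01 10:00:05 CISE_Failed_Attempts NOTICE Failed-Attempt: Authentication failed, UserName=alice, Device IP Address=10.1.1.20
2024-05-01 10:02:10 CISE_Passed_Authentications NOTICE Passed-Authentication: Authentication succeeded, UserName=bob, Device IP Address=10.1.1.20
2024-05-01 10:03:00 CISE_Failed_Attempts NOTICE Failed-Attempt: Authentication failed, UserName=alice, Device IP Address=10.1.1.20
2024-05-01 10:08:30 CISE_Failed_Attempts NOTICE Failed-Attempt: Authentication failed, UserName=alice, Device IP Address=10.1.1.20
2024-05-01 10:09:00 CISE_Failed_Attempts NOTICE Failed-Attempt: Authentication failed, UserName=carol, Device IP Address=10.1.1.30
2024-05-01 10:25:00 CISE_Failed_Attempts NOTICE Failed-Attempt: Authentication failed, UserName=carol, Device IP Address=10.1.1.30
2024-05-01 10:40:00 CISE_Failed_Attempts NOTICE Failed-Attempt: Authentication failed, UserName=carol, Device IP Address=10.1.1.30
"""

# Assumed layout for the constructed lines above; adjust for the real feed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<cls>\S+) \S+ .*?Device IP Address=(?P<ip>[\d.]+)"
)

FAILED_CLASS = "CISE_Failed_Attempts"


def parse_line(line):
    """Return {'ts', 'cls', 'ip'} for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "cls": m["cls"],
        "ip": m["ip"],
    }


def correlate_failures(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return a list of (source_ip, first_failure_ts, last_failure_ts) offenses.

    Keeps, per source IP, a deque of failure timestamps that fall inside the
    window; once the deque reaches the threshold an offense is emitted and the
    deque is cleared so one burst raises one offense rather than one per event.
    Input lines are assumed to arrive in time order.
    """
    recent = defaultdict(deque)
    offenses = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["cls"] != FAILED_CLASS:
            continue  # unparsable or not a failure: no contribution
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window relative to this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenses.append((ev["ip"], q[0], ev["ts"]))
            q.clear()
    return offenses


if __name__ == "__main__":
    for ip, first, last in correlate_failures(SAMPLE_LOG):
        print(f"offense: {ip} had 3+ failures between {first} and {last}")
```

On the constructed feed only 10.1.1.20 fires (three failures in 8m25s); 10.1.1.30 also fails three times, but spread over 31 minutes, so each failure ages out of the window before the next arrives. The same structure carries over to a QRadar custom rule built on the ISE Syslog DSM ("when at least 3 events with this property within 10 minutes"), with the parser replaced by the DSM's source IP property.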