Top ISE alerts to SIEM

AK50
Level 1

Hello everyone. We will be forwarding ISE logs to our SIEM (Helix). I wanted to know what are the top 5-10 logs I should be alerting on? I need to put together an action plan, so I can't do that for all the logs. Thanks

1 Reply

Colby LeMaire
VIP Alumni

There is no easy one-size-fits-all answer for this. It all depends on a number of factors. What are the capabilities of your SIEM system? Would it help your SIEM to see all passed authentications? Does your SIEM have an ability to make determinations based on endpoint type or profiling information? Is the amount of data or storage a concern for your SIEM? What are you even using ISE for? Guest only? VPN? 802.1x? TACACS+? etc.

With ISE, the Syslog configuration is per category and not for each Syslog message.  At a minimum, you would want to send any failed authentication attempts and maybe accounting messages to track session start and end times.  Again, it really depends on your SIEM and what options you have for building policies/rules.  There is no sense in sending stuff to the SIEM if it is unable to do something with it.
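As an added illustration of the two minimum categories named in the reply (failed attempts and accounting for session start/end), here is SIEM-side detection logic in Python that parses ISE-style syslog records, flags users with repeated failures, and pairs accounting start/stop records into session durations. This is example code, not from the thread or from Cisco; the sample records, the field names and the message codes are constructed assumptions modelled on ISE's syslog layout.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample ISE syslog records (not taken from the thread). Layout and field names follow
# ISE's "<Category> <seq> <segs> <seg> <timestamp> <seq> <msgcode> <severity> <text>, k=v, ..." form
# as an assumption; message codes 5400 (auth failed) and 3000/3001 (accounting start/stop) are assumed.
SAMPLE_LOGS = [
    "CISE_Failed_Attempts 0000000101 1 0 2024-01-05 09:00:01.000 +00:00 0000000101 5400 NOTICE Failed-Attempt: Authentication failed, UserName=jdoe, Device IP Address=10.1.1.5, FailureReason=22040 Wrong password",
    "CISE_Failed_Attempts 0000000102 1 0 2024-01-05 09:00:05.000 +00:00 0000000102 5400 NOTICE Failed-Attempt: Authentication failed, UserName=jdoe, Device IP Address=10.1.1.5, FailureReason=22040 Wrong password",
    "CISE_Failed_Attempts 0000000103 1 0 2024-01-05 09:00:09.000 +00:00 0000000103 5400 NOTICE Failed-Attempt: Authentication failed, UserName=jdoe, Device IP Address=10.1.1.5, FailureReason=22040 Wrong password",
    "CISE_RADIUS_Accounting 0000000104 1 0 2024-01-05 09:02:00.000 +00:00 0000000104 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, UserName=asmith, Acct-Session-Id=00000ABC, Device IP Address=10.1.1.7",
    "CISE_RADIUS_Accounting 0000000105 1 0 2024-01-05 09:32:00.000 +00:00 0000000105 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, UserName=asmith, Acct-Session-Id=00000ABC, Device IP Address=10.1.1.7",
]

HEADER = re.compile(  # header up to the message text, then everything after the first comma
    r"^(?P<category>\S+) \d+ \d+ \d+ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ [+-]\d\d:\d\d "
    r"\d+ (?P<code>\d+) \w+ (?P<text>[^,]*)(?P<rest>.*)$")

def parse_ise(line):
    """Split one ISE syslog record into header fields plus its key=value attributes."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"category": m["category"], "code": int(m["code"]), "text": m["text"].strip(),
           "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")}
    for kv in m["rest"].split(", "):  # attributes trail the text as ", key=value" pairs
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k.strip()] = v.strip()
    return rec

def failed_auth_alerts(lines, threshold=3):
    """Count CISE_Failed_Attempts records per user and flag users at or over the threshold."""
    counts = Counter(r["UserName"] for r in map(parse_ise, lines)
                     if r and r["category"] == "CISE_Failed_Attempts" and "UserName" in r)
    return {user: n for user, n in counts.items() if n >= threshold}

def session_durations(lines):
    """Pair accounting start/stop records by Acct-Session-Id; returns seconds per closed session."""
    starts, durations = {}, {}
    for r in filter(None, map(parse_ise, lines)):
        if r["category"] != "CISE_RADIUS_Accounting" or "Acct-Session-Id" not in r:
            continue
        sid = r["Acct-Session-Id"]
        if "start request" in r["text"]:
            starts[sid] = r["ts"]
        elif "stop request" in r["text"] and sid in starts:
            durations[sid] = (r["ts"] - starts.pop(sid)).total_seconds()
    return durations
```

Real deployments should key the failure count on a time window and on endpoint or device fields as well as UserName, which is where the SIEM's profiling and correlation capabilities the reply asks about come in.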
