Top ISE alerts to SIEM
04-23-2020 04:49 AM
Hello everyone. We will be forwarding ISE logs to our SIEM (Helix). I wanted to know what the top 5-10 logs I should be alerting on are. I need to put together an action plan, so I can't do that for all the logs. Thanks.
Labels: Identity Services Engine (ISE)
04-23-2020 09:02 AM
There is no easy one-size-fits-all answer for this. It all depends on a number of factors. What are the capabilities of your SIEM system? Would it help your SIEM to see all passed authentications? Does your SIEM have an ability to make determinations based on endpoint type or profiling information? Is the amount of data or storage a concern for your SIEM? What are you even using ISE for? Guest only? VPN? 802.1x? TACACS+? etc.
With ISE, the Syslog configuration is per category and not for each Syslog message. At a minimum, you would want to send any failed authentication attempts and maybe accounting messages to track session start and end times. Again, it really depends on your SIEM and what options you have for building policies/rules. There is no sense in sending stuff to the SIEM if it is unable to do something with it.
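The reply above suggests starting with the failed-authentication category and the RADIUS accounting category (session start/stop). As an added example that is not part of this thread and not Cisco's code, the Python below parses syslog lines in the ISE layout and runs two detections a SIEM rule would express: repeated failed authentications per user and NAS, and accounting start/stop correlation to get session durations and still-open sessions. The sample lines are constructed here in the ISE format; the category names (CISE_Failed_Attempts, CISE_RADIUS_Accounting, CISE_Passed_Authentications) and message codes 5200/5400/3000/3001 are assumed from the ISE message catalog and should be checked against your own release's catalog before building rules on them.

```python
import re
from collections import Counter
from datetime import datetime

# ISE message codes (assumed from the ISE message catalog; verify against your release).
CODE_PASSED_AUTH = "5200"   # Passed-Authentication
CODE_FAILED_AUTH = "5400"   # Failed-Attempt
CODE_ACCT_START = "3000"    # RADIUS Accounting start
CODE_ACCT_STOP = "3001"     # RADIUS Accounting stop

# Constructed sample lines in the ISE syslog layout; not captured from a real deployment.
SAMPLE_LOGS = [
    "<181>Apr 23 04:49:01 ise01 CISE_Passed_Authentications 0000000101 1 0 2020-04-23 04:49:01.100 +00:00 0000000201 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=alice, Calling-Station-ID=00-11-22-33-44-55, NAS-IP-Address=10.0.0.5, Acct-Session-Id=0000A1,",
    "<181>Apr 23 04:49:02 ise01 CISE_RADIUS_Accounting 0000000102 1 0 2020-04-23 04:49:02.000 +00:00 0000000202 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, UserName=alice, Calling-Station-ID=00-11-22-33-44-55, NAS-IP-Address=10.0.0.5, Acct-Session-Id=0000A1,",
    "<181>Apr 23 04:50:10 ise01 CISE_Failed_Attempts 0000000103 1 0 2020-04-23 04:50:10.000 +00:00 0000000203 5400 NOTICE Failed-Attempt: Authentication failed, UserName=bob, Calling-Station-ID=AA-BB-CC-DD-EE-01, NAS-IP-Address=10.0.0.7, FailureReason=22040 Wrong password or invalid shared secret,",
    "<181>Apr 23 04:50:15 ise01 CISE_Failed_Attempts 0000000104 1 0 2020-04-23 04:50:15.000 +00:00 0000000204 5400 NOTICE Failed-Attempt: Authentication failed, UserName=bob, Calling-Station-ID=AA-BB-CC-DD-EE-01, NAS-IP-Address=10.0.0.7, FailureReason=22040 Wrong password or invalid shared secret,",
    "<181>Apr 23 04:50:20 ise01 CISE_Failed_Attempts 0000000105 1 0 2020-04-23 04:50:20.000 +00:00 0000000205 5400 NOTICE Failed-Attempt: Authentication failed, UserName=bob, Calling-Station-ID=AA-BB-CC-DD-EE-01, NAS-IP-Address=10.0.0.7, FailureReason=22040 Wrong password or invalid shared secret,",
    "<181>Apr 23 04:55:00 ise01 CISE_RADIUS_Accounting 0000000106 1 0 2020-04-23 04:55:00.000 +00:00 0000000206 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, UserName=carol, Calling-Station-ID=AA-BB-CC-DD-EE-02, NAS-IP-Address=10.0.0.5, Acct-Session-Id=0000B2,",
    "<181>Apr 23 05:19:02 ise01 CISE_RADIUS_Accounting 0000000107 1 0 2020-04-23 05:19:02.000 +00:00 0000000207 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, UserName=alice, Calling-Station-ID=00-11-22-33-44-55, NAS-IP-Address=10.0.0.5, Acct-Session-Id=0000A1,",
]

# Layout after the syslog header: category, sequence, total segments, segment index,
# timestamp, timezone, session/record id, message code, severity, message class: text, k=v, ...
LINE_RE = re.compile(
    r"(?P<category>CISE_\w+) \d+ \d+ \d+ "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ \d+ "
    r"(?P<code>\d+) (?P<severity>\w+) (?P<mclass>[^:]+): (?P<text>[^,]+),\s*(?P<attrs>.*)"
)


def parse_ise_line(line):
    """Parse one ISE-layout syslog line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    attrs = {}
    # Attribute list is ", "-separated key=value pairs with a trailing comma.
    for kv in m.group("attrs").rstrip(", ").split(", "):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value.strip()
    return {
        "category": m.group("category"),
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
        "code": m.group("code"),
        "severity": m.group("severity"),
        "text": m.group("text"),
        "attrs": attrs,
    }


def failed_auth_alerts(events, threshold=3):
    """Count failed authentications per (UserName, NAS-IP-Address); return pairs at or above threshold."""
    counts = Counter()
    for ev in events:
        if ev["code"] == CODE_FAILED_AUTH:
            key = (ev["attrs"].get("UserName", "?"), ev["attrs"].get("NAS-IP-Address", "?"))
            counts[key] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def session_durations(events):
    """Correlate accounting start/stop on Acct-Session-Id.

    Returns (closed, open): closed maps session id -> (UserName, seconds);
    open maps session id -> the start event that never saw a stop.
    """
    open_sessions = {}
    closed = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev["attrs"].get("Acct-Session-Id")
        if not sid:
            continue
        if ev["code"] == CODE_ACCT_START:
            open_sessions[sid] = ev
        elif ev["code"] == CODE_ACCT_STOP and sid in open_sessions:
            start = open_sessions.pop(sid)
            closed[sid] = (ev["attrs"].get("UserName"), (ev["time"] - start["time"]).total_seconds())
    return closed, open_sessions


def triage(lines, threshold=3):
    """Run both detections over raw syslog lines and report per-category volumes."""
    events = [ev for ev in (parse_ise_line(l) for l in lines) if ev]
    closed, still_open = session_durations(events)
    return {
        "volume_by_category": dict(Counter(ev["category"] for ev in events)),
        "failed_auth_alerts": failed_auth_alerts(events, threshold),
        "closed_sessions": closed,
        "open_sessions": sorted(still_open),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOGS).items():
        print(f"{name}: {value}")
```

The per-category volume count is there because ISE syslog targets are configured per category, as the reply notes: seeing how many lines each category produces on a sample is the quickest way to decide which categories are worth the SIEM's storage before enabling them.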
