Cisco Identity Services Engine (ISE)
Version: Cisco ISE version 2.0.
Cisco Identity Services Engine (ISE) is a network administration product (which is either a Cisco ISE appliance or Virtual Machine) that helps in creating and enforcing security and access policies for endpoint devices of the company’s routers and switches.
Netsurion Open XDR helps to monitor events from Cisco ISE. Its dashboard, alerts and reports will help you to track authentication activities, endpoint compliance status, admin, and operations activity, to keep you informed about its activities. It will trigger alert whenever user authenticate fails, receive invalid or bad HTTP request or External RESTful Services (ERS) xml input suspect for Cross-Site Scripting (XSS) or injection attack.
After the Cisco ISE is configured to deliver events to the Netsurion Open XDR, the dashboards and reports can be configured into Netsurion Open XDR.
The following are the key Data Source Integration available in Netsurion Open XDR.
Alerts
| Type | Name | Description |
|---|---|---|
| Security | Cisco ISE – A failure to establish an SSL session was detected | This alert is triggered when failure in establishing SSL connection is detected. |
| Security | Cisco ISE – An SSH CLI user has attempted unsuccessfully to login | This alert is triggered when an SSH CLI user fails to login into ISE device. |
| Security | Cisco ISE – Endpoint Authentication failed | This alert is triggered when an endpoint fails to authenticate itself to a network device in client environment. |
| Security | Cisco ISE – Endpoint failed authentication of the same scenario several times and was rejected | This alert is triggered when an endpoint fails to authenticate itself multiple times and is rejected. |
| Security | Cisco ISE – ERS request rejected due to unauthorized user | This alert is triggered when an External RESTful Services (ERS) request is rejected because an unauthorized user has tried to access it. |
| Security | Cisco ISE – ERS request was rejected due to illegal request on a non-primary node | This alert is triggered when an External RESTful Services (ERS) request is rejected due to illegal request on a non-primary node. |
| Security | Cisco ISE – ERS xml input is a suspect for XSS or Injection attack | This alert is triggered when an External RESTful Services (ERS) xml input is suspected for an XSS or Injection attack. |
| Security | Cisco ISE – Potential ERS request suspicious of malicious attack detected | This alert is triggered when a potential External RESTful Services (ERS) request suspicious of malicious attack is detected. |
| Security | Cisco ISE – RADIUS Accounting tunnel rejected | This alert is triggered when RADIUS accounting tunnel establishment for endpoints and users was rejected either on Cisco ISE or other network devices like routers/ switches. |
| Security | Cisco ISE – Received Invalid or Bad HTTP request | This alert is triggered when a system detects an invalid or bad HTTP request (this could be an attempted security attack). |
| Security | Cisco ISE – Rejected administrator session from unauthorized client IP address | This alert is triggered when there is an attempt to start an administration session from an unauthorized client IP address and was rejected. |
| Operations | Cisco ISE – An SSH CLI user has successfully logged in | This alert is triggered when an SSH CLI user successfully logs into ISE device. |
| Operations | Cisco ISE – Guest user account is created | This alert is triggered when a guest user account is created in Cisco ISE device. |
| Operations | Cisco ISE – ISE server password updated | This alert is triggered when an ISER server password gets updated/modified by a user. |
| Operations | Cisco ISE – Successfully added a device (endpoint) | This alert is triggered when Cisco ISE allows and adds an endpoint to access the corporate network as defined by the policy. |
| Operations | Cisco ISE – Successfully deleted the device (endpoint) | This alert is triggered when an endpoint is removed from the access list. |
| Operations | Cisco ISE – The federation link is down | This alert is triggered when federation link/connection is down between Cisco ISE devices. |
| Operations | Cisco ISE – User changed password successfully | This alert is triggered when an internal user changes password for accessing network devices using their user accounts. |
| Operations | Cisco ISE – TACACS+ Accounting request rejected | This alert is triggered when a TACACS+ accounting request is rejected by Cisco ISE. |
| Compliance | Netwrix Auditor – Failed configuration Activities | This report gives information about all the failed configuration activities detected in Netwrix Auditor. Report contains username, object name, domain name, etc. |
| Compliance | Netwrix Auditor – Successful user login activities | This report gives information about all the user successful login activities detected in Netwrix Auditor. Report contains username, domain name, IP address, application name, etc. |
Reports
| Type | Name | Description |
|---|---|---|
| Security | Cisco ISE – Failed Attempts on Network Devices | This report provides a detailed summary of failed authentications on various networking devices in client environment. It contains, source IP address, source username, destination device address, port number, etc. |
| Operations | Cisco ISE – Passed Authentications | This report contains a detailed summary of events that includes passed authentication in various networking devices in client environment. It contains, source IP address, source username, destination device address, port number, etc. |
| Operations | Cisco ISE – TLS Connection Failure | This report contains a detailed summary of failed TLS connections in Cisco ISE device. It contains, username, ISE local address/port and failure reason. |
| Operations | Cisco ISE – Federation link is down | This report contains a detailed summary of events where a federation link/connection between ISE devices is down. It contains the devices names, and cause of the link failure/down. |
| Compliance | Cisco ISE – Successfully blacklisted the device (endpoint) | This alert is triggered when an endpoint is blacklisted/ blocked from network access. |
| Compliance | Cisco ISE – Endpoint Compliance Status | This report contains a detailed summary of Endpoint Compliance Status by Cisco ISE. It contains the source IP address, posture status, user ID and other useful information. |
Documentation
The configuration details are consistent with Netsurion Open XDR 9.3 or later, and Cisco ISE version 2.0.
Download Integration Guide and How-to Guide for configuration instructions and more information.