Cisco ISE
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.2 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-07-03 |
| Solution Folder | Cisco ISE |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (90%) |
| Pre-requisites | Syslog |
The Cisco ISE solution for Microsoft Sentinel enables you to ingest Cisco ISE’s NAC logs into Microsoft Sentinel, providing insight into network threats and vulnerabilities.
This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.
NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
Contents
Pre-requisites
This solution depends on 1 other solution(s):
| Solution |
|---|
| Syslog |
Data Connectors
This solution has 1 discovered data connector(s)⚠️ (not in Solution definition):
Connectors from dependency solutions:
- Syslog via Legacy Agent (dependency on Syslog)
- Syslog via AMA (dependency on Syslog)
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
Tables Used
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
Syslog |
Syslog via AMA (dependency), Syslog via Legacy Agent (dependency), [Deprecated] Cisco Identity Services Engine | Analytics, Hunting, Workbooks |
Content Items
This solution includes 25 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Playbooks | 3 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| CiscoISE - Command executed with the highest privileges from new IP | Medium | InitialAccess, Persistence, PrivilegeEscalation, DefenseEvasion, Execution | Syslog |
| CiscoISE - Attempt to delete local store logs | Medium | DefenseEvasion | Syslog |
| CiscoISE - Backup failed | Medium | Impact | Syslog |
| CiscoISE - Certificate has expired | Medium | CredentialAccess | Syslog |
| CiscoISE - Command executed with the highest privileges by new user | Medium | InitialAccess, Persistence, PrivilegeEscalation, DefenseEvasion, Execution | Syslog |
| CiscoISE - Device PostureStatus changed to non-compliant | Medium | PrivilegeEscalation, Persistence | Syslog |
| CiscoISE - Device changed IP in last 24 hours | Medium | CommandAndControl | Syslog |
| CiscoISE - ISE administrator password has been reset | Medium | Persistence, PrivilegeEscalation | Syslog |
| CiscoISE - Log collector was suspended | Medium | DefenseEvasion | Syslog |
| CiscoISE - Log files deleted | Medium | DefenseEvasion | Syslog |
Hunting Queries
| Name | Tactics | Tables Used |
|---|---|---|
| CiscoISE - Attempts to suspend the log collector | DefenseEvasion | Syslog |
| CiscoISE - Authentication attempts to suspended user account | InitialAccess, CredentialAccess | Syslog |
| CiscoISE - Dynamic authorization failed | InitialAccess | Syslog |
| CiscoISE - Expired certificate in the client certificates chain | - | Syslog |
| CiscoISE - Failed authentication events | CredentialAccess | Syslog |
| CiscoISE - Failed login attempts via SSH CLI (users) | LateralMovement | Syslog |
| CiscoISE - Guest authentication failed | CredentialAccess | Syslog |
| CiscoISE - Guest authentication succeeded | InitialAccess, Persistence, PrivilegeEscalation, DefenseEvasion | Syslog |
| CiscoISE - Rare or new useragent | InitialAccess | Syslog |
| CiscoISE - Sources with high number of 'Failed Authentication' events | CredentialAccess | Syslog |
Workbooks
| Name | Tables Used |
|---|---|
| CiscoISE | Syslog |
Playbooks
| Name | Description | Tables Used |
|---|---|---|
| CiscoISE-False Positives Clear Policies | This playbook gets triggered when a new sentinel incident is created 1.For each MAC address (MACAddr... | - |
| CiscoISE-SuspendGuestUser | When a new sentinel incident is created, this playbook gets triggered and performs the following act... | - |
| CiscoISE-TakeEndpointActionFromTeams | When a new sentinel incident is created, this playbook gets triggered and performs the following act... | - |
Parsers
| Name | Description | Tables Used |
|---|---|---|
| CiscoISEEvent | - | Syslog (read) |
Release Notes
| Version | Date Modified (DD-MM-YYY) | Change History |
|---|---|---|
| 3.0.3 | 20-05-2025 | Updated Parser to parse new fields |
| 3.0.2 | 04-12-2024 | Removed Deprecated Data connectors |
| 3.0.1 | 23-07-2024 | Deprecated data connectors |
| 3.0.0 | 11-07-2023 | Parser query optimization done |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊