Cisco Identity Services Engine

The IBM® QRadar® DSM for Cisco Identity Services Engine (ISE) collects device events from Cisco ISE appliances by using the UDP multiline syslog protocol.

The following table describes the specifications for the Cisco Identity Services Engine DSM:

Table 1. Cisco Identity Services Engine DSM specifications

  Specification                 Value
  Manufacturer                  Cisco
  DSM name                      Cisco Identity Services Engine
  RPM file name                 DSM-CiscoISE-QRadar_version-build_number.noarch.rpm
  Supported versions            1.1 to 2.2
  Protocol                      UDP Multiline Syslog
  Event format                  Syslog
  Recorded event types          Device events
  Automatically discovered?     No
  Includes identity?            Yes
  Includes custom properties?   No
  More information              Cisco website (https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html)

To integrate Cisco ISE with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your QRadar Console. RPMs are available for download from the IBM support website (http://www.ibm.com/support):
    • DSMCommon RPM
    • Cisco Identity Services Engine DSM RPM
  2. Configure your Cisco ISE appliance to send UDP multiline syslog events to QRadar.
  3. Add a Cisco Identity Services Engine log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from Cisco ISE:

    Table 2. Cisco Identity Services Engine log source parameters

    Parameter                 Value
    Log Source type           Cisco Identity Service Engine
    Protocol Configuration    UDP Multiline Syslog
    Log Source Identifier     The IP address or host name of the Cisco Identity Service Engine device that sends UDP Multiline Syslog events to QRadar.
    Listen Port               Type 517 as the port number that QRadar uses to accept incoming UDP Multiline Syslog events. The valid port range is 1 - 65535.

                              Note: UDP Multiline Syslog events can be assigned to any port that is not in use, except for port 514. The default port that is assigned to the UDP Multiline protocol is UDP port 517. For a list of ports that are used by QRadar, see Common ports and servers used by QRadar in the IBM QRadar Administration Guide or in the IBM Knowledge Center (https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_ports_and_servers.html).

                              To edit a saved configuration to use a new port number, complete the following steps:
                              1. In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.
                              2. Click Save.
                              The port update is complete and event collection starts on the new port number.

    Message ID Pattern        Type the following regular expression (regex) to filter the event payload messages:

                              CISE_\S+ (\d{10})

    For a complete list of UDP multiline syslog protocol parameters and their values, see UDP multiline syslog protocol configuration options.


  4. Configure a remote logging target on your Cisco ISE appliance.
  5. Configure the event logging categories on your Cisco ISE appliance.
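
The Message ID Pattern in step 3 is what lets the UDP multiline protocol stitch an ISE event that arrived as several UDP segments back into one record: group 1 of the regex captures the 10-digit message sequence number that appears on every segment of the same event. The following Python script is an added example, not part of this IBM document or of QRadar itself. It applies the page's regex to a few constructed ISE-style payloads, reassembles complete events by sequence number, holds back events whose segments have not all arrived, sets aside payloads with no CISE header, and then pulls the key=value attributes out of the joined text. The segment layout it assumes after the category name (sequence id, total segment count, segment index, then the message body) and the sample lines themselves are constructed for illustration, not copied from a real appliance.

```python
import re
from collections import defaultdict

# Message ID Pattern from Table 2; group 1 is the 10-digit message sequence id.
MESSAGE_ID_PATTERN = re.compile(r"CISE_\S+ (\d{10})")

# Assumed segment header layout (not stated on this page):
# <category> <sequence-id> <total-segments> <segment-index> <body>
SEGMENT_HEADER = re.compile(r"(CISE_\S+) (\d{10}) (\d+) (\d+) (.*)$")

# Constructed sample payloads, not real ISE output. Event 0000012345 is split
# in two segments that arrive out of order; 0000012347 is missing a segment;
# the last line carries no CISE header at all.
SAMPLE_PAYLOADS = [
    "<181>Jan 12 10:15:01 ise01 CISE_Passed_Authentications 0000012345 2 0 "
    "2024-01-12 10:15:01.111 +00:00 0000099999 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=42, Device IP Address=10.0.0.5, UserName=alice,",
    "<181>Jan 12 10:15:01 ise01 CISE_Failed_Attempts 0000012346 1 0 "
    "2024-01-12 10:15:01.222 +00:00 0000100000 5400 NOTICE Failed-Attempt: "
    "Authentication failed, UserName=mallory, Device IP Address=10.0.0.7,",
    "<181>Jan 12 10:15:01 ise01 CISE_Passed_Authentications 0000012345 2 1 "
    "NAS-IP-Address=10.0.0.5, NetworkDeviceName=switch-a, AuthenticationMethod=PEAP,",
    "<181>Jan 12 10:15:02 ise01 CISE_Passed_Authentications 0000012347 2 0 "
    "2024-01-12 10:15:02.333 +00:00 0000100001 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=bob,",
    "<181>Jan 12 10:15:02 ise01 kernel: unrelated line without a CISE header",
]


def extract_message_id(payload):
    """Return the 10-digit sequence id captured by the Message ID Pattern, or None."""
    match = MESSAGE_ID_PATTERN.search(payload)
    return match.group(1) if match else None


def reassemble(payloads):
    """Join segments that share a sequence id.

    Returns (events, pending, unmatched):
      events    - {sequence_id: "<category> <joined body>"} for complete events
      pending   - {sequence_id: number of segments still missing}
      unmatched - payloads the Message ID Pattern did not match
    """
    segments = defaultdict(dict)   # sequence id -> {segment index: body}
    expected = {}                  # sequence id -> total segment count
    category = {}                  # sequence id -> CISE_ category name
    unmatched = []

    for payload in payloads:
        header = SEGMENT_HEADER.search(payload)
        if extract_message_id(payload) is None or header is None:
            unmatched.append(payload)
            continue
        cat, seq_id, total, index, body = header.groups()
        segments[seq_id][int(index)] = body
        expected[seq_id] = int(total)
        category[seq_id] = cat

    events, pending = {}, {}
    for seq_id, parts in segments.items():
        total = expected[seq_id]
        if len(parts) == total:
            # Segments are keyed by index, so out-of-order arrival is harmless.
            body = " ".join(parts[i] for i in range(total))
            events[seq_id] = f"{category[seq_id]} {body}"
        else:
            pending[seq_id] = total - len(parts)
    return events, pending, unmatched


def parse_attributes(event_text):
    """Split a joined ISE body into its comma-separated key=value attributes."""
    attrs = {}
    for field in event_text.split(", "):
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key.strip()] = value.strip().rstrip(",")
    return attrs


if __name__ == "__main__":
    events, pending, unmatched = reassemble(SAMPLE_PAYLOADS)
    for seq_id, text in events.items():
        attrs = parse_attributes(text)
        print(seq_id, text.split(" ", 1)[0], attrs.get("UserName"), attrs.get("Device IP Address"))
    print("pending:", pending)
    print("unmatched:", len(unmatched))
```

When tuning the pattern, check it against a packet capture of real traffic from the appliance rather than against a single sample: if the regex fails to match, each segment of a split event is treated as its own event, and the attributes that landed in later segments (the network device name and authentication method in the sample above) never reach the parsed record.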