Is anyone using Cisco ISE as a data source in SIEM? It says that it is a supported device, but there is only one rule that exists in SIEM for it. So we are able to get the data in, but almost everything shows up as an "unknown event." ISE does a lot of authentications for us and seems valuable to have as a data source that could parse the authentications for correlation. Any thoughts or help would be great.
I recommend that you register the Cisco ISE in ESM and, under the supported Generic Syslogs, log "unknown syslog".
Then make sure you configure the Cisco device to send its syslog logging to the collector, then log it as I told you and you will see "unknown" events. Look at the details of those events, then go to the packets, post those packets here, and I can help you create the rule so that you can understand them.
Go to the Policy Editor and search for this Parser Signature ID: 1029310. Then copy this parser and paste it. After the copy process, open the copy and add some parser strings.
+ Button and
Hope this will help you.
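What the reply's "parser strings" have to do is turn each raw ISE syslog line into fields (user, device, result, failure reason) that a correlation rule can act on. The following is an added example, not code from the thread, McAfee ESM or Cisco ISE, of that parsing step plus one simple correlation (failed-attempt count per user). It assumes the ISE syslog layout `<PRI>BSD-timestamp host CISE_<Category> <seq> <total_segments> <segment_no> <yyyy-mm-dd hh:mm:ss.fff> <tz> <msg_id> <code> <severity> <Text>, Key=Value, ...`, that continuation segments (segment_no greater than 0) carry only the rest of the Key=Value list, and it uses the ISE message codes 5200 (Passed-Authentication) and 5400 (Failed-Attempt). The sample lines are constructed; the hostnames, users, addresses and sequence numbers in them are made up.

```python
"""Parse Cisco ISE syslog into normalized authentication events.

Added example for the thread above, not McAfee ESM or Cisco ISE code. Assumed
layout of one ISE syslog segment:
  <PRI>BSD-timestamp host CISE_<Category> <seq> <total_segments> <segment_no>
  <yyyy-mm-dd hh:mm:ss.fff> <tz> <msg_id> <code> <severity> <Text>, Key=Value, ...
Continuation segments (segment_no > 0) are assumed to carry only the rest of the
Key=Value list. Sample lines below are constructed, not captured traffic.
"""
import re
from collections import defaultdict

SEGMENT_RE = re.compile(
    r"^(?:<\d+>)?"                                        # optional syslog PRI
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+)?"   # optional BSD timestamp
    r"(?P<host>\S+)\s+"
    r"(?P<category>CISE_\w+)\s+"
    r"(?P<seq>\d+)\s+(?P<total>\d+)\s+(?P<index>\d+)\s+"
    r"(?P<payload>.*)$"
)

FIRST_SEGMENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<tz>[+-]\d\d:\d\d)\s+"
    r"(?P<msg_id>\d+)\s+(?P<code>\d+)\s+(?P<severity>\w+)\s+(?P<text>.*)$"
)

PASSED, FAILED = 5200, 5400   # standard ISE message codes


class IseParser:
    """Reassembles multi-segment ISE messages and returns normalized events."""

    def __init__(self):
        self._pending = defaultdict(dict)   # (host, seq) -> {segment_no: payload}

    def feed(self, line):
        """Feed one syslog line; returns an event dict once a message is complete."""
        m = SEGMENT_RE.match(line)
        if not m:
            return None                      # not an ISE line; leave it "unknown"
        key = (m["host"], m["seq"])
        parts = self._pending[key]
        parts[int(m["index"])] = m["payload"]
        if len(parts) < int(m["total"]):
            return None                      # wait for the remaining segments
        del self._pending[key]
        payload = "".join(parts[i] for i in sorted(parts))
        return self._normalize(m["host"], m["category"], payload)

    @staticmethod
    def _normalize(host, category, payload):
        f = FIRST_SEGMENT_RE.match(payload)
        if not f:
            return None
        description, _, kv_text = f["text"].partition(",")
        fields = {}
        # Simple "Key=Value, Key=Value" split; values containing commas would be
        # cut here, so a production parser needs per-field handling for those.
        for item in kv_text.split(","):
            k, sep, v = item.strip().partition("=")
            if sep:
                fields[k.strip()] = v.strip()
        code = int(f["code"])
        return {
            "host": host,
            "category": category,
            "timestamp": f"{f['ts']} {f['tz']}",
            "code": code,
            "severity": f["severity"],
            "description": description.strip(),
            "result": "passed" if code == PASSED else "failed" if code == FAILED else "other",
            "user": fields.get("UserName"),
            "nas_ip": fields.get("NAS-IP-Address") or fields.get("Device IP Address"),
            "device": fields.get("NetworkDeviceName"),
            "mac": fields.get("Calling-Station-ID"),
            "failure_reason": fields.get("FailureReason"),
            "fields": fields,
        }


def parse_lines(lines):
    """Run every line through one parser instance; drop incomplete/non-ISE lines."""
    p = IseParser()
    return [e for e in (p.feed(line) for line in lines) if e]


def failed_logons_by_user(events, threshold=3):
    """Correlation rule: users with at least `threshold` Failed-Attempt events."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "failed" and e["user"]:
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample input (hostnames, users, IPs and sequence numbers are made up).
SAMPLE_LINES = [
    "<182>Mar 10 11:21:56 ise01 CISE_Passed_Authentications 0000000123 1 0 2024-03-10 11:21:56.234 +00:00 0000004567 5200 NOTICE Passed-Authentication: Passed Authentication, ConfigVersionId=85, Device IP Address=10.1.1.5, UserName=alice, NAS-IP-Address=10.1.1.5, Protocol=Radius, NetworkDeviceName=core-sw1, Calling-Station-ID=00-11-22-33-44-55, AuthenticationMethod=PAP_ASCII,",
    # one failed attempt split over two segments (total 2, segment 0 then 1)
    "<180>Mar 10 11:22:03 ise01 CISE_Failed_Attempts 0000000124 2 0 2024-03-10 11:22:03.101 +00:00 0000004568 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=85, Device IP Address=10.1.1.5, UserName=bob,",
    "<180>Mar 10 11:22:03 ise01 CISE_Failed_Attempts 0000000124 2 1  NAS-IP-Address=10.1.1.5, NetworkDeviceName=core-sw1, FailureReason=22040 Wrong password or invalid shared secret,",
    "<13>Mar 10 11:22:10 fw01 kernel: unrelated message that the ISE parser must ignore",
    "<180>Mar 10 11:22:09 ise01 CISE_Failed_Attempts 0000000125 1 0 2024-03-10 11:22:09.410 +00:00 0000004569 5400 NOTICE Failed-Attempt: Authentication failed, UserName=bob, NAS-IP-Address=10.1.1.5, NetworkDeviceName=core-sw1, FailureReason=22040 Wrong password or invalid shared secret,",
    "<180>Mar 10 11:22:15 ise01 CISE_Failed_Attempts 0000000126 1 0 2024-03-10 11:22:15.002 +00:00 0000004570 5400 NOTICE Failed-Attempt: Authentication failed, UserName=bob, NAS-IP-Address=10.1.1.5, NetworkDeviceName=core-sw1, FailureReason=22040 Wrong password or invalid shared secret,",
    "<180>Mar 10 11:22:40 ise01 CISE_Failed_Attempts 0000000127 1 0 2024-03-10 11:22:40.777 +00:00 0000004571 5400 NOTICE Failed-Attempt: Authentication failed, UserName=carol, NAS-IP-Address=10.1.1.7, NetworkDeviceName=edge-sw2, FailureReason=24408 User authentication against Active Directory failed,",
]

if __name__ == "__main__":
    events = parse_lines(SAMPLE_LINES)
    for e in events:
        print(e["timestamp"], e["code"], e["result"], e["user"], e["device"], e["failure_reason"])
    print("users over threshold:", failed_logons_by_user(events))
```

The segment reassembly is the part that a single regex in the parser editor will not do for you: ISE can split one long message over several syslog records that share a sequence number, and a rule that matches only the first record never sees the `FailureReason`. The non-ISE line in the sample is there to show that unrelated syslog stays unparsed rather than being mis-attributed to ISE.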