u/BaconEatingChamp

Any Abnormal.ai Users?

We have Microsoft A5 and have had Cisco's basic inline hosted filter in front of it forever that can't do behavioral detection like MS can. Looking to ditch the inline and add a new API based hotness to catch the odd thing here or there MS may miss.

Anyways, demoing Cisco ETD and there are way too many false positives - it thinks parents e-mailing to pick their children up are bad e-mails.

I'd love to try out Checkpoint Harmony, but no luck there.

We are scheduled to try out Abnormal - looking for feedback on your experience if anyone in this space has tried it.

u/BaconEatingChamp — 8 days ago
▲ 2 r/Cisco

Cisco 9800 WLC + ISE

We are missing most syslog events to scrape user<>IP mappings in our firewall for our TEAP wifi network.

We see a Cisco Live slide showing to enable Interim Accounting on the WLC with a value of 0 under Security > AAA > AAA Advanced, but it will not accept 0 as a value. We do have Interim Accounting enabled per individual policy under Tags & Profiles > Policy.

https://i.imgur.com/wR40AbY.png

Is there a current recommended best practice? WLC v17.15.4b

u/BaconEatingChamp — 14 days ago
▲ 5 r/Cisco

We have ISE 3.4 up and want to scrape syslogs for user <> IP mappings with our TEAP wifi network (9800 WLC with Interim Accounting enabled). Our Palo is currently missing the majority of mappings as well as occasionally grabbing machine names. Anyone have this setup and regex to share?

https://i.imgur.com/qLdtdTd.png

Event Regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)  

Username Regex: UserName=(?![a-fA-F0-9]{12},)([a-zA-Z0-9._%-]+@[a-zA-Z0-9._-]+|[a-zA-Z0-9._]+),  

Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

u/BaconEatingChamp — 21 days ago
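One way to sanity-check how the three patterns above behave before trusting them in the firewall's syslog User-ID parser, as an added example that is not from the post, from Cisco ISE or from Palo Alto: the syslog lines are constructed (field order is illustrative, not a real ISE capture), Python's `re` module stands in for the firewall's parser, and the address pattern is used with its dots escaped so they match a literal "." rather than any character.

```python
import re

# Event, username and address patterns from the post. The negative lookahead in
# the username pattern rejects 12-hex-digit (MAC-address) usernames from MAB.
EVENT_RE = re.compile(
    r"([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)"
    r"|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)"
)
USERNAME_RE = re.compile(
    r"UserName=(?![a-fA-F0-9]{12},)([a-zA-Z0-9._%-]+@[a-zA-Z0-9._-]+|[a-zA-Z0-9._]+),"
)
# Dots escaped: an unescaped "." would also match digits and other characters.
ADDRESS_RE = re.compile(
    r"Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
)

# Constructed sample lines (not real ISE output): a user auth, an interim
# accounting update, a MAB client, a machine account, a failed attempt and an
# accounting stop without a Framed-IP-Address.
SAMPLE_LOG = """\
<181>Jan 01 10:00:01 ise01 CISE_Passed_Authentications 0001 1 0 UserName=jdoe@example.com,Framed-IP-Address=10.20.30.41,Calling-Station-ID=AA-BB-CC-DD-EE-01,
<181>Jan 01 10:00:02 ise01 CISE_RADIUS_Accounting 0002 1 0 UserName=asmith,Framed-IP-Address=10.20.30.42,Acct-Status-Type=Interim-Update,
<181>Jan 01 10:00:03 ise01 CISE_Passed_Authentications 0003 1 0 UserName=aabbccddee02,Framed-IP-Address=10.20.30.43,
<181>Jan 01 10:00:04 ise01 CISE_RADIUS_Accounting 0004 1 0 UserName=host/LAPTOP-7.example.com,Framed-IP-Address=10.20.30.44,
<181>Jan 01 10:00:05 ise01 CISE_Failed_Attempt 0005 1 0 UserName=mallory,Framed-IP-Address=10.20.30.45,
<181>Jan 01 10:00:06 ise01 CISE_RADIUS_Accounting 0006 1 0 UserName=bwayne,Acct-Status-Type=Stop,
"""


def extract_mappings(log_text):
    """Apply event, username and address patterns in turn, as the firewall's
    syslog parser does. Returns ({username: ip}, [(line, reason_skipped)])."""
    mappings, skipped = {}, []
    for line in log_text.splitlines():
        if not EVENT_RE.search(line):
            skipped.append((line, "event filter"))  # wrong message class or no IP
            continue
        user = USERNAME_RE.search(line)
        if not user:
            skipped.append((line, "username"))  # MAC address or host/ machine name
            continue
        addr = ADDRESS_RE.search(line)
        if not addr:
            skipped.append((line, "address"))
            continue
        mappings[user.group(1)] = addr.group(1)
    return mappings, skipped
```

Lines that fall out at the "username" step are exactly the MAB and machine-account cases; if real logs show machine names getting through, that line's UserName value is the one to inspect against the pattern.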