Collect Cisco ISE logs

This document describes how to collect Cisco Identity Services Engine (ISE) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CISCO_ISE ingestion label.

Configure Cisco ISE

  1. Sign in to Cisco ISE console using administrator credentials.
  2. In the Cisco ISE console, select Administration > System > Logging > Remote logging targets.
  3. In the Remote logging targets window, click Add. The New logging target window appears.
  4. In the Logging target section, specify values for the following fields:

    Field | Description
    ----- | -----------
    Name | Name of the Google Security Operations forwarder.
    Description | Description of the Google Security Operations forwarder.
    Type | Type of the remote log target, such as syslog.
    IP address | IP address of the Google Security Operations forwarder.
    Target type | Select TCP syslog or UDP syslog. Prefer TCP where the network allows it: UDP gives no delivery guarantee, so a dropped datagram silently loses a record (or one segment of a multi-segment message).
    Port | Use a high port, such as 10514.
    Facility code | One of LOCAL0 (code = 16), LOCAL1 (code = 17), LOCAL2 (code = 18), LOCAL3 (code = 19), LOCAL4 (code = 20), LOCAL5 (code = 21), LOCAL6 (code = 22; default), LOCAL7 (code = 23).
    Maximum length | The recommended value is 1024. Messages longer than this are sent as several numbered segments, which the parser reassembles.
  5. Click Submit. The Remote log targets window appears with the new Google Security Operations forwarder configuration.

  6. In the Cisco ISE console, select Administration > System > Logging > Logging categories.

  7. In the Logging categories window, select each category you want to forward and add the new remote syslog target to it. Only categories that list the target are sent to it.

    Categories include: AAA audits, AAA diagnostics, accounting, administrative and operational audit, posture and client provisioning audit, posture and client provisioning diagnostics, profiler, system diagnostics, and system statistics.

Configure Google Security Operations forwarder and syslog to ingest Cisco ISE logs

  1. From the Google Security Operations menu, select Settings, and then click Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder name field, type a name.
  4. Click Submit. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a name.
  6. Select Cisco ISE as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following input parameters to match the remote logging target you created in Cisco ISE:
    • Protocol: TCP or UDP, matching the Target type selected in ISE.
    • Address: the IP address or hostname on which the collector listens for syslog data (the IP address entered in the ISE logging target).
    • Port: the port on which the collector listens for syslog data (10514 in the example above).
  9. Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts Cisco ISE logs from syslog messages, normalizes the data into UDM format, and enriches the event with additional context. It handles various ISE log categories, including authentication successes and failures, administrative audits, system statistics, and more, mapping relevant fields to the UDM schema and adding specific labels for detailed analysis.

UDM Mapping Table

Log Field | UDM Mapping | Logic
--- | --- | ---
Acct-Authentic | sec_result.detection_fields.value | Directly mapped.
Acct-Delay-Time | sec_result.detection_fields.value | Directly mapped.
Acct-Input-Octets | sec_result.detection_fields.value | Directly mapped.
Acct-Input-Packets | sec_result.detection_fields.value | Directly mapped.
Acct-Output-Octets | sec_result.detection_fields.value | Directly mapped.
Acct-Output-Packets | sec_result.detection_fields.value | Directly mapped.
Acct-Session-Id | sec_result.detection_fields.value | Directly mapped.
Acct-Session-Time | sec_result.detection_fields.value | Directly mapped.
Acct-Status-Type | sec_result.detection_fields.value | Directly mapped.
Acct-Terminate-Cause | sec_result.detection_fields.value | Directly mapped.
AcsSessionID | sec_result.detection_fields.value | Directly mapped as "Acs SessionID".
AD-Account-Name | principal.user.userid | Directly mapped.
AD-Domain | principal.group.group_display_name | Directly mapped.
AD-Domain-Controller | target.administrative_domain | Directly mapped.
AD-Error-Details | sec_result.description | Directly mapped.
AD-Host-Candidate-Identities | sec_result.detection_fields.value | Directly mapped.
AD-IP-Address | target.ip, target.asset.ip | Directly mapped.
AD-Log-Id | sec_result.detection_fields.value | Directly mapped as "AD-Log-Id".
AD-Operating-System | principal.asset.platform_software.platform_version | Directly mapped as ad_operating_system. If it contains "Windows", principal.platform is set to "WINDOWS".
AD-Site | target.location.name | Directly mapped.
AD-Srv-Query | sec_result.detection_fields.value | Directly mapped as "AD-Srv-Query".
AD-Srv-Record | sec_result.detection_fields.value | Directly mapped as "AD-Srv-Record".
AD-User-Resolved-Identities | sec_result.detection_fields.value | Directly mapped.
AD-User-SamAccount-Name | principal.user.attribute.labels.value | Directly mapped.
AdminIPAddress | principal.ip, principal.asset.ip | Directly mapped.
AdminInterface | principal.user.attribute.labels.value | Directly mapped as "Admin Interface".
AdminName | principal.user.userid | Directly mapped. A user.attribute.roles entry with type "ADMINISTRATOR" is also added.
AuthenticationIdentityStore | sec_result.detection_fields.value | Directly mapped as "Authentication Identity Store".
AuthenticationStatus | sec_result.action_details | Directly mapped. If the value is "AuthenticationPassed", sec_result.action is set to "ALLOW"; otherwise it is set to "BLOCK".
AuthorizationPolicyMatchedRule | sec_result.rule_name | Mapped with the prefix "AuthorizationPolicyMatchedRule : ".
BYODRegistration | sec_result.detection_fields.value | Directly mapped.
Called-Station-ID | sec_result.detection_fields.value | Directly mapped.
Calling-Station-ID | sec_result.detection_fields.value, principal.ip, principal.asset.ip | Directly mapped. If the value is an IP address, it is also mapped to principal.ip and principal.asset.ip.
cdpCachePlatform | principal.asset.hardware.model | Directly mapped.
Class | sec_result.detection_fields.value | Directly mapped.
ClientLatency | sec_result.detection_fields.value | Directly mapped.
CmdSet | target.process.command_line | Directly mapped after removing the surrounding brackets and spaces.
ConfigVersionId | sec_result.detection_fields.value | Directly mapped as "Config Version Id".
ConnectionStatus | sec_result.detection_fields.value | Directly mapped as "Connection Status".
CPMSessionID | sec_result.detection_fields.value | Directly mapped.
CreateTime | principal.asset.attribute.creation_time | Parsed as a UNIX_MS timestamp.
DetailedInfo | sec_result.description | Directly mapped after removing backslashes.
DestinationIPAddress | target.ip, target.asset.ip | Directly mapped. Sets has_target to "true".
DestinationPort | target.port | Directly mapped if numeric.
Device IP Address | principal.ip, principal.asset.ip, _intermediary.ip, target.ip, target.asset.ip | Mapped as DeviceIPAddress. Populates principal.ip, _intermediary.ip, or target.ip depending on the log category and other fields.
Device Port | principal.port, _intermediary.port, target.port | Mapped as DevicePort. Populates principal.port, _intermediary.port, or target.port depending on the log category and other fields.
Device Type | principal.asset.hardware.model | Directly mapped as device-type.
DTLSSupport | sec_result.detection_fields.value | Directly mapped.
EndPointMACAddress | principal.asset.mac | Directly mapped after converting to lowercase and replacing hyphens with colons.
EndPointMatchedProfile | sec_result.about.labels.value | Directly mapped.
EndpointCertainityMetric | sec_result.detection_fields.value | Directly mapped as "Endpoint Certainity Metric".
EndpointIdentityGroup | principal.group.group_display_name | Directly mapped.
EndpointIPAddress | principal.asset.ip | Directly mapped.
EndpointNADAddress | sec_result.detection_fields.value | Directly mapped as "Endpoint NAD Address".
EndpointOUI | sec_result.detection_fields.value | Directly mapped as "Endpoint OUI".
EndpointPolicy | principal.asset.platform_software.platform_version | Directly mapped.
EndpointProperty | sec_result.detection_fields.value | Directly mapped as "Endpoint Property".
EndpointSourceEvent | sec_result.detection_fields.value | Directly mapped.
EndpointUserAgent | network.http.user_agent | Directly mapped.
EndPointVersion | sec_result.detection_fields.value | Directly mapped.
FailureReason | sec_result.detection_fields.value, sec_result.summary, sec_result.description | Mapped as FailureReason. Populates sec_result.detection_fields as "Failure Reason", sec_result.summary, or sec_result.description depending on the context.
FirstCollection | principal.asset.first_discover_time | Parsed as a UNIX_MS timestamp.
Framed-IP-Address | sec_result.detection_fields.value | Directly mapped.
Framed-IPv6-Address | FramedIPAddress | Directly mapped.
Framed-Protocol | sec_result.detection_fields.value | Directly mapped.
IdentityGroup | principal.group.group_display_name | Directly mapped.
IdentityGroupID | principal.group.product_object_id | Directly mapped.
IdentityPolicyMatchedRule | sec_result.about.labels.value | Directly mapped.
IdentitySelectionMatchedRule | sec_result.detection_fields.value | Directly mapped.
IMEI | target.asset.product_object_id | Directly mapped.
ISELocalAddress | _intermediary.ip, principal.ip, principal.asset.ip, _intermediary.port, principal.port, sec_result.detection_fields.value | In CISE_Administrative_and_Operational_Audit, the IP and port are extracted and mapped to _intermediary and principal. Otherwise, mapped directly as "ISE Local Address" to sec_result.detection_fields.
ISEModuleName | sec_result.detection_fields.value | Directly mapped as "ISE Module Name".
ISEServiceName | sec_result.detection_fields.value | Directly mapped as "ISE Service Name".
IsThirdPartyDeviceFlow | sec_result.detection_fields.value | Directly mapped.
Issuer | about.labels.value | Directly mapped.
LastActivity | principal.asset.last_discover_time | Parsed as a UNIX_MS timestamp.
LastNmapScanTime | sec_result.detection_fields.value | Directly mapped.
lldpChassisId | target.mac | Directly mapped after parsing as a MAC address.
lldpSystemName | target.hostname, target.asset.hostname | Directly mapped.
Location | principal.location.country_or_region, target.location.country_or_region | Directly mapped to either the principal or the target location depending on the log category.
Manufacturer | target.asset.hardware.manufacturer | Directly mapped.
MessageCode | sec_result.detection_fields.value, metadata.event_type | Directly mapped as msg_code. Also used to determine metadata.event_type.
Model | target.asset.hardware.model | Directly mapped.
NAS-IP-Address | principal.nat_ip | Directly mapped.
NAS-Identifier | principal.labels.value | Directly mapped as nas_identifier.
NAS-Port | principal.nat_port, sec_result.detection_fields.value, principal.labels.value | Mapped as NASPort. If numeric and less than 2147483648, mapped to principal.nat_port. Otherwise, mapped as a string to sec_result.detection_fields as "NAS Port" or to principal.labels as "NAS-Port".
NAS-Port-Id | principal.labels.value, sec_result.detection_fields.value | Mapped as NASPortId. Populates principal.labels as "nas_port_id" or sec_result.detection_fields as "nas_port_id".
NAS-Port-Type | principal.labels.value, sec_result.detection_fields.value | Mapped as NASPortType. Populates principal.labels as "nas_port_type" or sec_result.detection_fields as "Nas-Port-Type".
NetworkDeviceGroups | sec_result.detection_fields.value | Directly mapped.
NetworkDeviceName | _intermediary.hostname, principal.hostname, principal.asset.hostname, target.hostname, target.asset.hostname | Mapped as NetworkDeviceName. Populates _intermediary.hostname, principal.hostname, or target.hostname depending on the log category and other fields.
NetworkDeviceProfileId | principal.asset.asset_id | Mapped with the prefix "Cisco_ISE:".
NetworkDeviceProfileName | principal.asset.attribute.labels.value | Directly mapped.
ObjectName | sec_result.about.labels.value | Directly mapped.
ObjectType | sec_result.about.labels.value | Directly mapped.
OperatingSystem | target.asset.platform_software.platform_version, principal.asset.platform_software.platform_version, principal.platform | Mapped as OperatingSystem. Populates target.asset.platform_software.platform_version or principal.asset.platform_software.platform_version. If it contains "Win", principal.platform is set to "WINDOWS"; if it contains "lin", to "LINUX"; if it contains "iOS", to "MAC".
OperationMessageText | sec_result.detection_fields.value, about.labels.value, sec_result.summary | Mapped as OperationMessageText. Populates sec_result.detection_fields as "Operation Message Text", about.labels as "Operation Message Text", or sec_result.summary depending on the context. If it contains connection details, those are extracted and mapped to src and target.
OriginalUserName | principal.user.userid | Directly mapped as User.
PeerAddress | target.mac | Directly mapped after converting to lowercase and replacing hyphens with colons.
PeerName | target.ip, target.hostname, target.asset.hostname | The IP and hostname are extracted and mapped to target.ip and target.hostname.
PhoneID | principal.user.phone_numbers | Directly mapped as User-Fetch-Telephone.
PhoneNumber | principal.user.phone_numbers | Directly mapped.
PolicyVersion | sec_result.detection_fields.value | Directly mapped.
Port | _intermediary.port, principal.port, target.port | Mapped as Port. Populates _intermediary.port, principal.port, or target.port depending on the log category and other fields.
PostureAssessmentStatus | sec_result.detection_fields.value | Directly mapped.
PostureExpiry | sec_result.detection_fields.value | Directly mapped.
PostureStatus | sec_result.detection_fields.value | Directly mapped as "Posture Status".
ProfilerServer | sec_result.detection_fields.value | Directly mapped.
Protocol | sec_result.detection_fields.value | Directly mapped.
r_cat_name | metadata.product_event_type | Directly mapped.
r_ip_or_host | observer.ip, observer.hostname, principal.ip, principal.asset.ip, principal.hostname, principal.asset.hostname, target.ip, target.asset.ip, target.hostname, target.asset.hostname | If an IP, mapped to observer.ip; if a hostname, mapped to observer.hostname. Also used to populate the principal or target IP/hostname depending on the log category and other fields.
r_msg_id | sec_result.detection_fields.value, metadata.product_log_id | Directly mapped as "r_msg_id". Also used as metadata.product_log_id if sequence_num is not available.
r_seg_num | sec_result.detection_fields.value, metadata.product_log_id | Directly mapped as "r_seg_num". Also used as metadata.product_log_id if sequence_num is not available.
r_total_seg | sec_result.detection_fields.value | Directly mapped.
RadiusFlowType | sec_result.detection_fields.value | Directly mapped.
RadiusPacketType | sec_result.detection_fields.value | Directly mapped as "Radius Packet Type".
RegisterStatus | sec_result.rule_name | Directly mapped.
RequestLatency | sec_result.detection_fields.value | Directly mapped as "Request Latency".
SelectedAccessService | sec_result.detection_fields.value | Directly mapped as "Selected Access Service".
SelectedAuthorizationProfiles | sec_result.detection_fields.value | Directly mapped.
Serial Number | network.tls.server.certificate.serial, about.labels.value | Mapped as serial_number. Populates network.tls.server.certificate.serial or about.labels as "Serial Number" depending on the context.
Service-Type | sec_result.detection_fields.value | Directly mapped.
SessionId | network.session_id | Directly mapped.
ShutdownReason | sec_result.detection_fields.value | Directly mapped as "ShutdownReason".
SSID | sec_result.detection_fields.value | Directly mapped.
StaticGroupAssignment | sec_result.detection_fields.value | Directly mapped.
Subject | about.labels.value | Directly mapped.
Subject Alternative Name | about.labels.value | Directly mapped as "Subject Alternative Name".
SysStatsCpuCount | target.asset.hardware.cpu_number_cores | Directly mapped.
SysStatsProcessMemoryMB | target.asset.hardware.ram | Directly mapped as __hardware.ram.
SysStatsUtilizationNetwork | target.resource.name, network.sent_bytes, network.received_bytes | The network adapter name, sent bytes, and received bytes are extracted and mapped. target.resource.resource_type is set to "UNSPECIFIED".
TimeToProfile | sec_result.detection_fields.value | Directly mapped.
Total Certainty Factor | sec_result.detection_fields.value | Directly mapped.
TotalFailedTime | sec_result.detection_fields.value | Directly mapped.
Tunnel-Client-Endpoint | sec_result.detection_fields.value | Directly mapped as "Tunnel Client Endpoint".
UniqueConnectionIdentifier | sec_result.detection_fields.value | Directly mapped as "Unique Connection Identifier".
UpdateTime | sec_result.detection_fields.value | Directly mapped.
User | principal.user.userid | Directly mapped.
User-Fetch-Email | sec_result.detection_fields.value | Directly mapped.
User-Fetch-Last-Name | principal.user.last_name | Directly mapped.
User-Fetch-LocalityName | sec_result.detection_fields.value | Directly mapped.
User-Fetch-StateOrProvinceName | sec_result.detection_fields.value | Directly mapped.
User-Fetch-Telephone | principal.user.phone_numbers | Directly mapped as PhoneID.
UserName | principal.user.userid, principal.mac | Directly mapped. If not empty and not "unknown", the value is converted to lowercase with hyphens replaced by colons; if the result matches a MAC address pattern, it is also mapped to principal.mac.
User-Name | principal.user.userid | Directly mapped.
UserType | principal.user.attribute.labels.value | Directly mapped.
(Parser Logic) | sec_result.action | Set to "ALLOW" if msg_text contains success keywords, "BLOCK" if it contains failure keywords, and "UNKNOWN_ACTION" otherwise.
(Parser Logic) | about.hostname | Derived from StepData=4 or stepdata.
(Parser Logic) | event.idm.read_only_udm.about | Populated with fields such as about.hostname, about.application, and about.process.pid.
(Parser Logic) | event.idm.read_only_udm.extensions.auth.mechanism | Set to "NETWORK" in certain cases within the CISE_TACACS_Diagnostics category.
(Parser Logic) | event.idm.read_only_udm.extensions.auth.type | Set to "MACHINE" for various login/logout events, "TACACS" for certain TACACS events, and "AUTHTYPE_UNSPECIFIED" for other login events.
(Parser Logic) | event.idm.read_only_udm.metadata.collected_timestamp | Parsed from logstash.process.timestamp if available.
(Parser Logic) | event.idm.read_only_udm.metadata.description | Constructed from msg_class and msg_text, or from msg_text alone if msg_class is not available.
(Parser Logic) | event.idm.read_only_udm.metadata.event_timestamp | Parsed from the datetime field, which is derived from either datetime and timezone or r_datetime.
(Parser Logic) | event.idm.read_only_udm.metadata.event_type | Determined from r_cat_name, msg_code, and other fields. Can be GENERIC_EVENT, STATUS_UPDATE, NETWORK_CONNECTION, STATUS_HEARTBEAT, STATUS_STARTUP, STATUS_SHUTDOWN, USER_LOGIN, USER_LOGOUT, USER_RESOURCE_ACCESS, USER_UNCATEGORIZED, RESOURCE_READ, SCAN_NETWORK, STATUS_UNCATEGORIZED, or NETWORK_FLOW.
(Parser Logic) | event.idm.read_only_udm.metadata.ingested_timestamp | Parsed from logstash.ingest.timestamp if available.
(Parser Logic) | event.idm.read_only_udm.metadata.log_type | Set to "CISCO_ISE".
(Parser Logic) | event.idm.read_only_udm.metadata.product_event_type | Derived from r_cat_name.
(Parser Logic) | event.idm.read_only_udm.metadata.product_log_id | Derived from sequence_num, r_seg_num, or r_msg_id depending on availability.
(Parser Logic) | event.idm.read_only_udm.metadata.product_name | Set to "ISE", or to MDMServerName if available.
(Parser Logic) | event.idm.read_only_udm.metadata.vendor_name | Set to "Cisco".
(Parser Logic) | event.idm.read_only_udm.network.http.user_agent | Derived from ac-user-agent or EndpointUserAgent.
(Parser Logic) | event.idm.read_only_udm.network.ip_protocol | Set to "TCP" for certain event types.
(Parser Logic) | event.idm.read_only_udm.network.session_id | Derived from SessionId.
(Parser Logic) | event.idm.read_only_udm.network.tls.cipher | Derived from TLSCipher.
(Parser Logic) | event.idm.read_only_udm.network.tls.server.certificate.serial | Derived from Serial Number.
(Parser Logic) | event.idm.read_only_udm.network.tls.version | Derived from TLSVersion.
(Parser Logic) | event.idm.read_only_udm.principal.asset.asset_id | Derived from NetworkDeviceProfileId with the prefix "Cisco_ISE:".
(Parser Logic) | event.idm.read_only_udm.principal.asset.hardware | Populated with fields such as hardware.manufacturer and hardware.model.
(Parser Logic) | event.idm.read_only_udm.principal.asset.ip | Derived from various IP address fields depending on the log category and other fields.
(Parser Logic) | event.idm.read_only_udm.principal.asset.mac | Derived from EndpointMacAddress, parsed_endpoint_mac, or other MAC address fields after appropriate formatting.
(Parser Logic) | event.idm.read_only_udm.principal.asset.platform_software.platform_version | Derived from OperatingSystem, EndpointPolicy, or ad_operating_system.
(Parser Logic) | event.idm.read_only_udm.principal.group.group_display_name | Derived from AD-Domain, IdentityGroup, or EndpointIdentityGroup.
(Parser Logic) | event.idm.read_only_udm.principal.group.product_object_id | Derived from IdentityGroupID.
(Parser Logic) | event.idm.read_only_udm.principal.hostname | Derived from r_ip_or_host, NetworkDeviceName, or other hostname fields depending on the log category and other fields.
(Parser Logic) | event.idm.read_only_udm.principal.ip | Derived from various IP address fields depending on the log category and other fields.
(Parser Logic) | event.idm.read_only_udm.principal.labels | Populated with fields such as nas_identifier, nas_port_type, and nas_port_id.
(Parser Logic) | event.idm.read_only_udm.principal.location.country_or_region | Derived from Location.
(Parser Logic) | event.idm.read_only_udm.principal.nat_ip | Derived from NAS-IP-Address.
(Parser Logic) | event.idm.read_only_udm.principal.nat_port | Derived from NAS-Port if numeric and less than 2147483648.
(Parser Logic) | event.idm.read_only_udm.principal.platform | Derived from device-platform or OperatingSystem. Can be WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM.
(Parser Logic) | event.idm.read_only_udm.principal.platform_version | Derived from platform-version.
(Parser Logic) | event.idm.read_only_udm.principal.port | Derived from Device Port or Port if numeric.
(Parser Logic) | event.idm.read_only_udm.principal.user.attribute.labels | Populated with fields such as "Admin Interface", "UserType", and "Chargeable-User-Identity".
(Parser Logic) | event.idm.read_only_udm.principal.user.phone_numbers | Derived from PhoneID or PhoneNumber.
(Parser Logic) | event.idm.read_only_udm.principal.user.userid | Derived from User, UserName, User-Name, AdminName, OriginalUserName, or other username fields depending on the log category and other fields.
(Parser Logic) | event.idm.read_only_udm.security_result.about.labels | Populated with fields such as "IdentityPolicyMatchedRule", "EndPointMatchedProfile", "ObjectType", and "ObjectName".
(Parser Logic) | event.idm.read_only_udm.security_result.action | Derived from msg_text or AuthenticationStatus. Can be ALLOW, BLOCK, or UNKNOWN_ACTION.
(Parser Logic) | event.idm.read_only_udm.security_result.detection_fields | Populated with various fields depending on the log category and other fields.
(Parser Logic) | event.idm.read_only_udm.security_result.description | Derived from AD-Error-Details or DetailedInfo.
(Parser Logic) | event.idm.read_only_udm.security_result.rule_name | Derived from AuthorizationPolicyMatchedRule or RegisterStatus.
(Parser Logic) | event.idm.read_only_udm.security_result.severity | Derived from msg_sev. Can be CRITICAL, ERROR, HIGH, MEDIUM, or INFORMATIONAL.
(Parser Logic) | event.idm.read_only_udm.security_result.severity_details | Derived from msg_sev.
(Parser Logic) | event.idm.read_only_udm.security_result.summary | Derived from msg_text or FailureReason.
(Parser Logic) | event.idm.read_only_udm.src.ip | Derived from source_ip extracted from OperationMessageText.
(Parser Logic) | event.idm.read_only_udm.src.port | Derived from source_port extracted from OperationMessageText if numeric.
(Parser Logic) | event.idm.read_only_udm.target.administrative_domain | Derived from AD-Domain-Controller.
(Parser Logic) | event.idm.read_only_udm.target.asset.hardware | Populated with fields such as _hardware.cpu_number_cores.
(Parser Logic) | event.idm.read_only_udm.target.asset.hostname |
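The following is an added example, not code from this page or from the CISCO_ISE parser itself. It shows what the header fields in the table above (r_cat_name, r_msg_id, r_total_seg, r_seg_num, sequence_num, msg_code, msg_sev, msg_class, msg_text) look like on the wire, how a message that exceeded the logging target's Maximum length is reassembled from its numbered segments, and how a handful of the documented rules (AuthenticationStatus to ALLOW/BLOCK, MAC-shaped UserName to principal.mac, Calling-Station-ID to principal.ip when it is an IP, the "Cisco_ISE:" asset_id prefix, CmdSet bracket stripping) turn attributes into UDM. The header layout is an assumption based on ISE's remote-syslog format (category, message id, total segments, segment number, then on the first segment only the ISE datetime, sequence number, message code, severity, message class, text and comma-separated Attr=Value pairs); all sample lines are constructed.

```python
# Added example (not the page's or the parser's code). ISE header layout is an assumption
# from ISE's remote-syslog format; every line in SAMPLE below is constructed, not real output.
import ipaddress
import re

# <pri>syslog-ts host CISE_<category> <msg id> <total segs> <seg num> <body>
HEADER = re.compile(
    r"^(?:<\d+>)?(?P<syslog_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<r_cat_name>CISE_\w+) (?P<r_msg_id>\d+) (?P<r_total_seg>\d+) (?P<r_seg_num>\d+) "
    r"(?P<body>.*)$"
)
# Only segment 0 carries the ISE datetime, sequence number, code, severity and class.
FIRST_SEG = re.compile(
    r"^(?P<datetime>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) (?P<sequence_num>\d+) "
    r"(?P<msg_code>\d+) (?P<msg_sev>\w+) (?P<msg_class>[\w-]+): (?P<rest>.*)$"
)
ATTR_SPLIT = re.compile(r", (?=[A-Za-z][\w .-]*=)")  # split only in front of "Key=" tokens
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def reassemble(lines):
    """Group segments by (host, r_msg_id); keep a message only when all r_total_seg segments
    arrived, so one dropped UDP datagram loses the whole record. Bodies are joined without a
    separator (assumption: ISE cuts the text at a byte offset when it exceeds Maximum length)."""
    segs = {}
    for line in lines:
        m = HEADER.match(line.strip())
        if m:
            h = m.groupdict()
            segs.setdefault((h["host"], h["r_msg_id"]), {})[int(h["r_seg_num"])] = h
    complete = []
    for parts in segs.values():
        first = parts.get(0)
        if first and len(parts) == int(first["r_total_seg"]):
            complete.append((first, "".join(parts[i]["body"] for i in range(len(parts)))))
    return complete

def parse_message(header, body):
    """Split a reassembled body into msg_text and a dict of ISE Attr=Value pairs."""
    m = FIRST_SEG.match(body)
    if not m:
        return None
    msg = {k: v for k, v in header.items() if k != "body"}
    msg.update({k: v for k, v in m.groupdict().items() if k != "rest"})
    chunks = ATTR_SPLIT.split(m.group("rest").rstrip(", "))
    msg["msg_text"] = chunks[0]
    msg["attrs"] = dict(c.partition("=")[::2] for c in chunks[1:])
    return msg

def normalize_mac(value):
    """Lowercase, hyphens to colons; None unless the result is a MAC (the table's rule)."""
    v = value.lower().replace("-", ":")
    return v if MAC_RE.match(v) else None

def to_udm(msg):
    """Apply a subset of the table's rules; the real parser covers many more fields."""
    a = msg["attrs"]
    pr, sr = {}, {"detection_fields": {}, "severity_details": msg["msg_sev"]}
    udm = {"metadata": {"vendor_name": "Cisco", "product_name": "ISE", "log_type": "CISCO_ISE",
                        "product_event_type": msg["r_cat_name"], "product_log_id": msg["sequence_num"]},
           "principal": pr, "security_result": sr}
    if "AuthenticationStatus" in a:  # AuthenticationPassed -> ALLOW, anything else -> BLOCK
        sr["action_details"] = a["AuthenticationStatus"]
        sr["action"] = "ALLOW" if a["AuthenticationStatus"] == "AuthenticationPassed" else "BLOCK"
    if "FailureReason" in a:
        sr["detection_fields"]["Failure Reason"] = a["FailureReason"]
    user = a.get("UserName") or a.get("User-Name") or a.get("User")
    if user and user.lower() != "unknown":
        pr["user"] = {"userid": user}
        if normalize_mac(user):  # MAC-shaped usernames (MAB) also populate principal.mac
            pr["mac"] = normalize_mac(user)
    if csid := a.get("Calling-Station-ID"):  # kept as detection field; an IP value also -> principal.ip
        sr["detection_fields"]["Calling-Station-ID"] = csid
        try:
            pr["ip"] = str(ipaddress.ip_address(csid))
        except ValueError:
            pass
    if "NetworkDeviceProfileId" in a:
        pr.setdefault("asset", {})["asset_id"] = "Cisco_ISE:" + a["NetworkDeviceProfileId"]
    if "CmdSet" in a:  # "[ CmdAV=... ]" -> target.process.command_line without the brackets
        udm["target"] = {"process": {"command_line": a["CmdSet"].strip("[] ")}}
    return udm

def parse_all(lines):
    return [m for m in (parse_message(h, b) for h, b in reassemble(lines)) if m]

# Constructed sample: a passed authentication, a failed attempt split into two segments, and a
# TACACS+ command accounting record. <181> is LOCAL6 (22*8) plus severity NOTICE (5).
SAMPLE = [
    "<181>May 10 10:15:42 ise-psn-1 CISE_Passed_Authentications 0000000123 1 0 2024-05-10 10:15:42.101 "
    "+00:00 0000004567 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=91, "
    "Device IP Address=10.20.0.5, UserName=AA-BB-CC-11-22-33, Calling-Station-ID=AA-BB-CC-11-22-33, "
    "AuthenticationStatus=AuthenticationPassed, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c,",
    "<181>May 10 10:16:03 ise-psn-1 CISE_Failed_Attempts 0000000124 2 0 2024-05-10 10:16:03.455 +00:00 "
    "0000004570 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=91, Device IP Address="
    "10.20.0.5, UserName=jdoe, Calling-Station-ID=10.20.40.17, FailureReason=22040 Wrong password or invalid shared secr",
    "<181>May 10 10:16:03 ise-psn-1 CISE_Failed_Attempts 0000000124 2 1 et, AuthenticationStatus=AuthenticationFailed,",
    "<181>May 10 10:17:11 ise-psn-1 CISE_TACACS_Accounting 0000000125 1 0 2024-05-10 10:17:11.009 +00:00 "
    "0000004575 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=91, "
    "Device IP Address=10.20.0.5, User=netadmin, Port=tty1, CmdSet=[ CmdAV=show CmdArgAV=running-config <cr> ],",
]
```

Run `to_udm(m)` over `parse_all(SAMPLE)` to see the three UDM skeletons; feeding only the first two lines (`parse_all(SAMPLE[:2])`) yields a single event, because the second segment of the failed attempt never arrived. That is the practical reason the Maximum length setting and a TCP target matter: with UDP, a lost segment discards the whole failed-login record rather than truncating it.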

Changes

2024-05-10

  • Mapped "ExternalGroups" to "additional.fields".

2024-05-09

  • Added Grok patterns to parse new formats of "CISE_Profiler".
  • Mapped some fields for "CISE_Administrative_and_Operational_Audit" and "CISE_Alarm".

2024-04-18

  • Mapped "msg_sev" to "security_result.severity_details".
  • Mapped "r_total_seg", "r_seg_num", "msg_code", and "r_msg_id" to "security_result.detection_fields".
  • Mapped "r_cat_name" to "security_result.category_details".
  • Mapped "msg_text" and "msg_class" to "metadata.description".
  • Aligned "target.ip" and "target.asset.ip" mappings.
  • Aligned "target.hostname" and "target.asset.hostname" mappings.
  • Aligned "principal.ip" and "principal.asset.ip" mappings.
  • Aligned "principal.hostname" and "principal.asset.hostname" mappings.
  • Added a Grok pattern to parse "msg_attrs".

2024-04-10

  • Bug-Fix:
  • Added Grok patterns to parse new formats of "PeerName".

2023-11-20

  • Added new Grok patterns to parse failing Syslogs.
  • Added "msg_code" "5412" to parse logs having the same "msg_code".

2023-09-29

  • Added support for a new pattern of JSON logs.
  • Mapped "EndpointSourceEvent", "NASIdentifier", "NAS-Port-Type", "NAS-Port-Id", "ProfilerServer" to "security_result.detection_fields" for 80002 and 80006 logs.
  • Changed mapping of "Location" from "principal.location" to "target.location" for 80002 and 80006 logs.
  • Added on_error check to replace and merge functions.
  • Modified date mapping to parse date with "MEST" and "MESZ" timezones.

2023-08-02

  • Enhancement -
  • Added KV mapping to parse and map "cisco-av-pair=dhcp-option=host-name" to "target.hostname".
  • Changed mapping of "security_result.action" from "FAIL" to "BLOCK" when "msg_text" contains "failed|dropped|stop|rejected|down|abandoned|block|blocking|invalid".

2023-07-18

  • Enhancement -
  • Mapped "cisco-av-pair=dhcp-option=host-name" to "target.hostname".
  • Changed mapping of "User-Name" from "target.user.userid" to "principal.user.userid".
  • Changed mapping of "UserName" from "target.user.userid" to "principal.user.userid".
  • Changed mapping of "User" from "target.user.userid" to "principal.user.userid".
  • Changed mapping of "PhoneNumber" from "target.user.phone_numbers" to "principal.user.phone_numbers".
  • Mapped "FramedIPAddress" to "security_result.detection_fields" for Profiler event types 80002, 80006.
  • Modified date mapping to parse date with "EASTERN" timezone.
  • Added Grok pattern to match "PeerAddress".

2023-06-07

  • Enhancement-
  • Added Grok pattern to parse a new log pattern.

2023-05-26

  • Enhancement-
  • Modified date mapping to parse date with 'BJ' timezone.

2023-04-18

  • Enhancement-
  • Added a 'json' block to handle JSON logs.
  • Mapped "logstash.irm_region" to "additional.fields".
  • Mapped "logstash.irm_environment" to "additional.fields".
  • Mapped "logstash.irm_site" to "additional.fields".
  • Mapped "logstash.ingest.timestamp" to "metadata.ingested_timestamp".
  • Mapped "logstash.process.timestamp" to "metadata.collected_timestamp".

2023-03-01

  • Enhancement-
  • Whenever 'Calling-Station-ID' is an IP address, then map it to 'principal.ip'.
  • Added a regular expression condition to validate MAC address for field 'device-mac' before mapping to 'principal.mac'.

2022-12-08

  • Enhancement-
  • Mapped 'assetDeviceType' to 'principal.resource.name'.
  • Mapped 'assetIncidentScore' to 'security_result.detection_fields'.
  • Mapped 'PostureAssessmentStatus' to 'security_result.detection_fields'.
  • Mapped 'PolicyVersion' to 'security_result.detection_fields'.
  • Mapped 'EndPointVersion' to 'security_result.detection_fields'.
  • Mapped 'EndPointPolicyID' to 'security_result.detection_fields'.

2022-10-13

  • Enhancement- Corrected the date mapping for SYSLOGTIMESTAMP date formats.

2022-08-12

  • Bug fix -
  • Modified mapping for the field 'principal.asset.hostname' to 'intermediary.hostname'.
  • Modified event_type from GENERIC_EVENT to STATUS_UPDATE or NETWORK_CONNECTION.

2022-08-10

  • Enhancement- Modified mappings for the following fields from 'additional.fields' to 'security_result.detection_fields'.
  • 'CPMSessionID', 'NASPort', 'AD-Log-Id', 'AD-Srv-Query', 'AD-Srv-Record', 'Tunnel-Client-Endpoint', 'IsThirdPartyDeviceFlow', 'PostureStatus', 'OperationMessageText', 'AcsSessionID', 'SelectedAccessService', 'RadiusPacketType', 'ISELocalAddress', 'ISEModuleName', 'ISEServiceName', 'ConnectionStatus', 'UniqueConnectionIdentifier', 'Audit_session_id', 'EndpointCertainityMetric', 'EndpointNADAddress', 'EndpointOUI', 'EndpointProperty', 'AuthenticationIdentityStore', 'AD-Host-Candidate-Identities', 'PostureExpiry', 'allowEasyWiredSession', 'ConfigVersionId', 'RequestLatency', 'Service-Type', 'Framed-Protocol', 'Class', 'Called-Station-ID', 'Calling-Station-ID', 'Acct-Status-Type', 'Acct-Delay-Time', 'Acct-Input-Octets', 'Acct-Output-Octets', 'Acct-Session-Id', 'Acct-Authentic', 'Acct-Session-Time', 'Acct-Input-Packets', 'Acct-Output-Packets', 'Acct-Terminate-Cause', 'Protocol'.

2022-07-11

  • Bug-fix - Mapped NetworkDeviceName to "event.idm.read_only_udm.principal.hostname" where Product_event_type is 5440 RADIUS.
  • Mapped r_ip_or_host to observer.ip or observer.hostname.
  • Dropped malformed/encoded logs.

2022-05-02

  • Bug-fix - Corrected mapping for 'security_result.action' from 'ALLOW' to 'FAIL' where the log_type is 'CISE_Failed_Attempts'.

2022-04-21

  • Enhancement- Parsed the logs with log_type='CISE_Profiler'.
  • For log_type='CISE_TACACS_Accounting', changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED'.
  • Added proper conditions for the 'NASPort' and 'Port' fields.

2022-04-18

  • Mapped 'foreign_ip' to 'intermediary.ip'.
  • Parsed the logs with log_type='CISE_TACACS_Accounting' and 'CISE_RADIUS_Accounting'.
  • For log_type='CISE_TACACS_Accounting', changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED'.
  • Added a proper condition for the 'NASPort' field.

2022-04-13

  • Mapped NAS-Port-Id in event: 5200.
  • Mapped hostname in events: 60188, 60125, 60116, 60115, 60081, 60080, 51021, 51020, 51003, 51002, 51001, 51000, 52000, 52001, 52002.
  • Mapped Operation Message text in about.labels in event: 52000.
  • Mapped Serial Number in additional_fields in event: 5200.