Collect Cisco ISE logs
Supported in:
This document describes how you can collect Cisco Identify Services Engine (ISE) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured
UDM format. The information in this document applies to the parser with the
CISCO_ISE ingestion label.
Configure Cisco ISE
- Sign in to Cisco ISE console using administrator credentials.
- In the Cisco ISE console, select Administration > System > Logging > Remote logging targets.
- In the Remote logging targets window, click Add. The New logging target window appears.
In the Logging target section, specify values for the following fields:
Field Description Name Name of the Google Security Operations forwarder. Description Description of the Google Security Operations forwarder. Type Type of the remote log target, such as syslog. IP address IP address of the Google Security Operations forwarder. Target type Select TCP syslog or UDP syslog. Port Use a high port, such as 10514. Facility code You can specify one of the following values: - LOCAL0 (code = 16)
- LOCAL1 (code = 17)
- LOCAL2 (code = 18)
- LOCAL3 (code = 19)
- LOCAL4 (code = 20)
- LOCAL5 (code = 21)
- LOCAL6 (code = 22; default)
- LOCAL7 (code = 23)
Maximum length The recommended value is 1024. Click Submit. The Remote log targets window appears with the new Google Security Operations forwarder configuration.
In the Cisco ISE console, select Administration > System > Logging > Logging categories.
In the Logging categories window, select the categories for which you want to set the remote syslog target and add the remote syslog target.
The following are the sample categories: AAA audits, AAA diagnostics, accounting, administrative and operational audit, posture and client provisioning audit, posture and client provisioning diagnostics, profiler, system diagnostics, and system statistics.
Configure Google Security Operations forwarder and syslog to ingest Cisco Secure ACS logs
- From the Google Security Operations menu, select Settings, and then click Forwarders.
- Click Add new forwarder.
- In the Forwarder name field, type a name.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select Cisco ISE as the Log type.
- Select Syslog as the Collector type.
- Configure the following input parameters as per the configuration done previously:
- Protocol: specify the protocol.
- Address: specify the target IP address or hostname where the collector resides and addresses to the syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser extracts Cisco ISE logs from syslog messages, normalizes the data into UDM format, and enriches the event with additional context. It handles various ISE log categories, including authentication successes and failures, administrative audits, system statistics, and more, mapping relevant fields to the UDM schema and adding specific labels for detailed analysis.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
Acct-Authentic |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Delay-Time |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Input-Octets |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Input-Packets |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Output-Octets |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Output-Packets |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Session-Id |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Session-Time |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Status-Type |
sec_result.detection_fields.value |
Directly mapped. |
Acct-Terminate-Cause |
sec_result.detection_fields.value |
Directly mapped. |
AcsSessionID |
sec_result.detection_fields.value |
Directly mapped as "Acs SessionID". |
AD-Account-Name |
principal.user.userid |
Directly mapped. |
AD-Domain |
principal.group.group_display_name |
Directly mapped. |
AD-Domain-Controller |
target.administrative_domain |
Directly mapped. |
AD-Error-Details |
sec_result.description |
Directly mapped. |
AD-Host-Candidate-Identities |
sec_result.detection_fields.value |
Directly mapped. |
AD-IP-Address |
target.ip, target.asset.ip |
Directly mapped. |
AD-Log-Id |
sec_result.detection_fields.value |
Directly mapped as "AD-Log-Id". |
AD-Operating-System |
principal.asset.platform_software.platform_version |
Directly mapped as ad_operating_system. If contains "Windows", principal.platform is set to "WINDOWS". |
AD-Site |
target.location.name |
Directly mapped. |
AD-Srv-Query |
sec_result.detection_fields.value |
Directly mapped as "AD-Srv-Query". |
AD-Srv-Record |
sec_result.detection_fields.value |
Directly mapped as "AD-Srv-Record". |
AD-User-Resolved-Identities |
sec_result.detection_fields.value |
Directly mapped. |
AD-User-SamAccount-Name |
principal.user.attribute.labels.value |
Directly mapped. |
AdminIPAddress |
principal.ip, principal.asset.ip |
Directly mapped. |
AdminInterface |
principal.user.attribute.labels.value |
Directly mapped as "Admin Interface". |
AdminName |
principal.user.userid |
Directly mapped. A user.attribute.roles with type "ADMINISTRATOR" is also added. |
AuthenticationIdentityStore |
sec_result.detection_fields.value |
Directly mapped as "Authentication Identity Store". |
AuthenticationStatus |
sec_result.action_details |
Directly mapped. If value matches "AuthenticationPassed", sec_result.action is set to "ALLOW", otherwise "BLOCK". |
AuthorizationPolicyMatchedRule |
sec_result.rule_name |
Mapped with prefix "AuthorizationPolicyMatchedRule : ". |
BYODRegistration |
sec_result.detection_fields.value |
Directly mapped. |
Called-Station-ID |
sec_result.detection_fields.value |
Directly mapped. |
Calling-Station-ID |
sec_result.detection_fields.value, principal.ip, principal.asset.ip |
Directly mapped. If it's an IP address, also mapped to principal.ip and principal.asset.ip. |
cdpCachePlatform |
principal.asset.hardware.model |
Directly mapped. |
Class |
sec_result.detection_fields.value |
Directly mapped. |
ClientLatency |
sec_result.detection_fields.value |
Directly mapped. |
CmdSet |
target.process.command_line |
Directly mapped after removing surrounding brackets and spaces. |
ConfigVersionId |
sec_result.detection_fields.value |
Directly mapped as "Config Version Id". |
ConnectionStatus |
sec_result.detection_fields.value |
Directly mapped as "Connection Status". |
CPMSessionID |
sec_result.detection_fields.value |
Directly mapped. |
CreateTime |
principal.asset.attribute.creation_time |
Parsed as UNIX_MS timestamp. |
DetailedInfo |
sec_result.description |
Directly mapped after removing backslashes. |
DestinationIPAddress |
target.ip, target.asset.ip |
Directly mapped. Sets has_target to "true". |
DestinationPort |
target.port |
Directly mapped if numeric. |
Device IP Address |
principal.ip, principal.asset.ip, _intermediary.ip, target.ip, target.asset.ip |
Mapped as DeviceIPAddress. Used in various logic to populate principal.ip, _intermediary.ip, or target.ip depending on the log category and other fields. |
Device Port |
principal.port, _intermediary.port, target.port |
Mapped as DevicePort. Used in various logic to populate principal.port, _intermediary.port, or target.port depending on the log category and other fields. |
Device Type |
principal.asset.hardware.model |
Directly mapped as device-type. |
DTLSSupport |
sec_result.detection_fields.value |
Directly mapped. |
EndPointMACAddress |
principal.asset.mac |
Directly mapped after converting to lowercase and replacing hyphens with colons. |
EndPointMatchedProfile |
sec_result.about.labels.value |
Directly mapped. |
EndpointCertainityMetric |
sec_result.detection_fields.value |
Directly mapped as "Endpoint Certainity Metric". |
EndpointIdentityGroup |
principal.group.group_display_name |
Directly mapped. |
EndpointIPAddress |
principal.asset.ip |
Directly mapped. |
EndpointNADAddress |
sec_result.detection_fields.value |
Directly mapped as "Endpoint NAD Address". |
EndpointOUI |
sec_result.detection_fields.value |
Directly mapped as "Endpoint OUI". |
EndpointPolicy |
principal.asset.platform_software.platform_version |
Directly mapped. |
EndpointProperty |
sec_result.detection_fields.value |
Directly mapped as "Endpoint Property". |
EndpointSourceEvent |
sec_result.detection_fields.value |
Directly mapped. |
EndpointUserAgent |
network.http.user_agent |
Directly mapped. |
EndPointVersion |
sec_result.detection_fields.value |
Directly mapped. |
FailureReason |
sec_result.detection_fields.value, sec_result.summary, sec_result.description |
Mapped as FailureReason. Used to populate sec_result.detection_fields as "Failure Reason", sec_result.summary, or sec_result.description depending on the context. |
FirstCollection |
principal.asset.first_discover_time |
Parsed as UNIX_MS timestamp. |
Framed-IP-Address |
sec_result.detection_fields.value |
Directly mapped. |
Framed-IPv6-Address |
FramedIPAddress |
Directly mapped. |
Framed-Protocol |
sec_result.detection_fields.value |
Directly mapped. |
IdentityGroup |
principal.group.group_display_name |
Directly mapped. |
IdentityGroupID |
principal.group.product_object_id |
Directly mapped. |
IdentityPolicyMatchedRule |
sec_result.about.labels.value |
Directly mapped. |
IdentitySelectionMatchedRule |
sec_result.detection_fields.value |
Directly mapped. |
IMEI |
target.asset.product_object_id |
Directly mapped. |
ISELocalAddress |
_intermediary.ip, principal.ip, principal.asset.ip, _intermediary.port, principal.port, sec_result.detection_fields.value |
If in CISE_Administrative_and_Operational_Audit, IP and port are extracted and mapped to _intermediary and principal. Otherwise, mapped directly as "ISE Local Address" to sec_result.detection_fields. |
ISEModuleName |
sec_result.detection_fields.value |
Directly mapped as "ISE Module Name". |
ISEServiceName |
sec_result.detection_fields.value |
Directly mapped as "ISE Service Name". |
IsThirdPartyDeviceFlow |
sec_result.detection_fields.value |
Directly mapped. |
Issuer |
about.labels.value |
Directly mapped. |
LastActivity |
principal.asset.last_discover_time |
Parsed as UNIX_MS timestamp. |
LastNmapScanTime |
sec_result.detection_fields.value |
Directly mapped. |
lldpChassisId |
target.mac |
Directly mapped after parsing as MAC address. |
lldpSystemName |
target.hostname, target.asset.hostname |
Directly mapped. |
Location |
principal.location.country_or_region, target.location.country_or_region |
Directly mapped to either principal or target location depending on the log category. |
Manufacturer |
target.asset.hardware.manufacturer |
Directly mapped. |
MessageCode |
sec_result.detection_fields.value, metadata.event_type |
Directly mapped as msg_code. Used in logic to determine metadata.event_type. |
Model |
target.asset.hardware.model |
Directly mapped. |
NAS-IP-Address |
principal.nat_ip |
Directly mapped. |
NAS-Identifier |
principal.labels.value |
Directly mapped as nas_identifier. |
NAS-Port |
principal.nat_port, sec_result.detection_fields.value, principal.labels.value |
Mapped as NASPort. If numeric and less than 2147483648, mapped to principal.nat_port. Otherwise, mapped as string to sec_result.detection_fields as "NAS Port" or principal.labels as "NAS-Port". |
NAS-Port-Id |
principal.labels.value, sec_result.detection_fields.value |
Mapped as NASPortId. Used to populate principal.labels as "nas_port_id" or sec_result.detection_fields as "nas_port_id". |
NAS-Port-Type |
principal.labels.value, sec_result.detection_fields.value |
Mapped as NASPortType. Used to populate principal.labels as "nas_port_type" or sec_result.detection_fields as "Nas-Port-Type". |
NetworkDeviceGroups |
sec_result.detection_fields.value |
Directly mapped. |
NetworkDeviceName |
_intermediary.hostname, principal.hostname, principal.asset.hostname, target.hostname, target.asset.hostname |
Mapped as NetworkDeviceName. Used in various logic to populate _intermediary.hostname, principal.hostname, or target.hostname depending on the log category and other fields. |
NetworkDeviceProfileId |
principal.asset.asset_id |
Mapped with prefix "Cisco_ISE:". |
NetworkDeviceProfileName |
principal.asset.attribute.labels.value |
Directly mapped. |
ObjectName |
sec_result.about.labels.value |
Directly mapped. |
ObjectType |
sec_result.about.labels.value |
Directly mapped. |
OperatingSystem |
target.asset.platform_software.platform_version, principal.asset.platform_software.platform_version, principal.platform |
Mapped as OperatingSystem. Used to populate target.asset.platform_software.platform_version or principal.asset.platform_software.platform_version. If contains "Win", principal.platform is set to "WINDOWS". If contains "lin", principal.platform is set to "LINUX". If contains "iOS", principal.platform is set to "MAC". |
OperationMessageText |
sec_result.detection_fields.value, about.labels.value, sec_result.summary |
Mapped as OperationMessageText. Used to populate sec_result.detection_fields as "Operation Message Text", about.labels as "Operation Message Text", or sec_result.summary depending on the context. If it contains connection details, those are extracted and mapped to src and target. |
OriginalUserName |
principal.user.userid |
Directly mapped as User. |
PeerAddress |
target.mac |
Directly mapped after converting to lowercase and replacing hyphens with colons. |
PeerName |
target.hostname, target.asset.hostname |
IP and hostname are extracted and mapped to target.ip and target.hostname. |
PhoneID |
principal.user.phone_numbers |
Directly mapped as User-Fetch-Telephone. |
PhoneNumber |
principal.user.phone_numbers |
Directly mapped. |
PolicyVersion |
sec_result.detection_fields.value |
Directly mapped. |
Port |
_intermediary.port, principal.port, target.port |
Mapped as Port. Used in various logic to populate _intermediary.port, principal.port, or target.port depending on the log category and other fields. |
PostureAssessmentStatus |
sec_result.detection_fields.value |
Directly mapped. |
PostureExpiry |
sec_result.detection_fields.value |
Directly mapped. |
PostureStatus |
sec_result.detection_fields.value |
Directly mapped as "Posture Status". |
ProfilerServer |
sec_result.detection_fields.value |
Directly mapped. |
Protocol |
sec_result.detection_fields.value |
Directly mapped. |
r_cat_name |
metadata.product_event_type |
Directly mapped. |
r_ip_or_host |
observer.ip, observer.hostname, principal.ip, principal.asset.ip, principal.hostname, principal.asset.hostname, target.ip, target.asset.ip, target.hostname, target.asset.hostname |
If an IP, mapped to observer.ip. If a hostname, mapped to observer.hostname. Also used in various logic to populate principal or target IP/hostname depending on the log category and other fields. |
r_msg_id |
sec_result.detection_fields.value, metadata.product_log_id |
Directly mapped as "r_msg_id". Also used as metadata.product_log_id if sequence_num is not available. |
r_seg_num |
sec_result.detection_fields.value, metadata.product_log_id |
Directly mapped as "r_seg_num". Also used as metadata.product_log_id if sequence_num is not available. |
r_total_seg |
sec_result.detection_fields.value |
Directly mapped. |
RadiusFlowType |
sec_result.detection_fields.value |
Directly mapped. |
RadiusPacketType |
sec_result.detection_fields.value |
Directly mapped as "Radius Packet Type". |
RegisterStatus |
sec_result.rule_name |
Directly mapped. |
RequestLatency |
sec_result.detection_fields.value |
Directly mapped as "Request Latency". |
SelectedAccessService |
sec_result.detection_fields.value |
Directly mapped as "Selected Access Service". |
SelectedAuthorizationProfiles |
sec_result.detection_fields.value |
Directly mapped. |
Serial Number |
network.tls.server.certificate.serial, about.labels.value |
Mapped as serial_number. Used to populate network.tls.server.certificate.serial or about.labels as "Serial Number" depending on the context. |
Service-Type |
sec_result.detection_fields.value |
Directly mapped. |
SessionId |
network.session_id |
Directly mapped. |
ShutdownReason |
sec_result.detection_fields.value |
Directly mapped as "ShutdownReason". |
SSID |
sec_result.detection_fields.value |
Directly mapped. |
StaticGroupAssignment |
sec_result.detection_fields.value |
Directly mapped. |
Subject |
about.labels.value |
Directly mapped. |
Subject Alternative Name |
about.labels.value |
Directly mapped as "Subject Alternative Name". |
SysStatsCpuCount |
target.asset.hardware.cpu_number_cores |
Directly mapped. |
SysStatsProcessMemoryMB |
target.asset.hardware.ram |
Directly mapped as __hardware.ram. |
SysStatsUtilizationNetwork |
target.resource.name, network.sent_bytes, network.received_bytes |
Network adapter name, sent bytes, and received bytes are extracted and mapped. target.resource.resource_type is set to "UNSPECIFIED". |
TimeToProfile |
sec_result.detection_fields.value |
Directly mapped. |
Total Certainty Factor |
sec_result.detection_fields.value |
Directly mapped. |
TotalFailedTime |
sec_result.detection_fields.value |
Directly mapped. |
Tunnel-Client-Endpoint |
sec_result.detection_fields.value |
Directly mapped as "Tunnel Client Endpoint". |
UniqueConnectionIdentifier |
sec_result.detection_fields.value |
Directly mapped as "Unique Connection Identifier". |
UpdateTime |
sec_result.detection_fields.value |
Directly mapped. |
User |
principal.user.userid |
Directly mapped. |
User-Fetch-Email |
sec_result.detection_fields.value |
Directly mapped. |
User-Fetch-Last-Name |
principal.user.last_name |
Directly mapped. |
User-Fetch-LocalityName |
sec_result.detection_fields.value |
Directly mapped. |
User-Fetch-StateOrProvinceName |
sec_result.detection_fields.value |
Directly mapped. |
User-Fetch-Telephone |
principal.user.phone_numbers |
Directly mapped as PhoneID. |
UserName |
principal.user.userid |
Directly mapped. If not empty, and not "" or "unknown", it's converted to lowercase, hyphens are replaced with colons, and if it matches a MAC address pattern, it's also mapped to principal.mac. |
User-Name |
principal.user.userid |
Directly mapped. |
UserType |
principal.user.attribute.labels.value |
Directly mapped. |
(Parser Logic) action |
sec_result.action |
Set to "ALLOW" if msg_text contains success keywords, "BLOCK" if it contains failure keywords, and "UNKNOWN_ACTION" otherwise. |
(Parser Logic) about.hostname |
about.hostname |
Derived from StepData=4 or stepdata. |
(Parser Logic) event.idm.read_only_udm.about |
event.idm.read_only_udm.about |
Populated with various fields like about.hostname, about.application, and about.process.pid. |
(Parser Logic) event.idm.read_only_udm.extensions.auth.mechanism |
event.idm.read_only_udm.extensions.auth.mechanism |
Set to "NETWORK" in certain cases within the CISE_TACACS_Diagnostics category. |
(Parser Logic) event.idm.read_only_udm.extensions.auth.type |
event.idm.read_only_udm.extensions.auth.type |
Set to "MACHINE" for various login/logout events, "TACACS" for certain TACACS events, and "AUTHTYPE_UNSPECIFIED" for other login events. |
(Parser Logic) event.idm.read_only_udm.metadata.collected_timestamp |
event.idm.read_only_udm.metadata.collected_timestamp |
Parsed from logstash.process.timestamp if available. |
(Parser Logic) event.idm.read_only_udm.metadata.description |
event.idm.read_only_udm.metadata.description |
Constructed from msg_class and msg_text or just msg_text if msg_class is not available. |
(Parser Logic) event.idm.read_only_udm.metadata.event_timestamp |
event.idm.read_only_udm.metadata.event_timestamp |
Parsed from the datetime field, which is derived from either datetime and timezone or r_datetime. |
(Parser Logic) event.idm.read_only_udm.metadata.event_type |
event.idm.read_only_udm.metadata.event_type |
Determined based on r_cat_name, msg_code, and other fields. Can be GENERIC_EVENT, STATUS_UPDATE, NETWORK_CONNECTION, STATUS_HEARTBEAT, STATUS_STARTUP, STATUS_SHUTDOWN, USER_LOGIN, USER_LOGOUT, USER_RESOURCE_ACCESS, USER_UNCATEGORIZED, RESOURCE_READ, SCAN_NETWORK, STATUS_UNCATEGORIZED, NETWORK_FLOW. |
(Parser Logic) event.idm.read_only_udm.metadata.ingested_timestamp |
event.idm.read_only_udm.metadata.ingested_timestamp |
Parsed from logstash.ingest.timestamp if available. |
(Parser Logic) event.idm.read_only_udm.metadata.log_type |
event.idm.read_only_udm.metadata.log_type |
Set to "CISCO_ISE". |
(Parser Logic) event.idm.read_only_udm.metadata.product_event_type |
event.idm.read_only_udm.metadata.product_event_type |
Derived from r_cat_name. |
(Parser Logic) event.idm.read_only_udm.metadata.product_log_id |
event.idm.read_only_udm.metadata.product_log_id |
Derived from sequence_num, r_seg_num, or r_msg_id depending on availability. |
(Parser Logic) event.idm.read_only_udm.metadata.product_name |
event.idm.read_only_udm.metadata.product_name |
Set to "ISE", or to MDMServerName if available. |
(Parser Logic) event.idm.read_only_udm.metadata.vendor_name |
event.idm.read_only_udm.metadata.vendor_name |
Set to "Cisco". |
(Parser Logic) event.idm.read_only_udm.network.http.user_agent |
event.idm.read_only_udm.network.http.user_agent |
Derived from ac-user-agent or EndpointUserAgent. |
(Parser Logic) event.idm.read_only_udm.network.ip_protocol |
event.idm.read_only_udm.network.ip_protocol |
Set to "TCP" for certain event types. |
(Parser Logic) event.idm.read_only_udm.network.session_id |
event.idm.read_only_udm.network.session_id |
Derived from SessionId. |
(Parser Logic) event.idm.read_only_udm.network.tls.cipher |
event.idm.read_only_udm.network.tls.cipher |
Derived from TLSCipher. |
(Parser Logic) event.idm.read_only_udm.network.tls.server.certificate.serial |
event.idm.read_only_udm.network.tls.server.certificate.serial |
Derived from Serial Number. |
(Parser Logic) event.idm.read_only_udm.network.tls.version |
event.idm.read_only_udm.network.tls.version |
Derived from TLSVersion. |
(Parser Logic) event.idm.read_only_udm.principal.asset.asset_id |
event.idm.read_only_udm.principal.asset.asset_id |
Derived from NetworkDeviceProfileId with prefix "Cisco_ISE:". |
(Parser Logic) event.idm.read_only_udm.principal.asset.hardware |
event.idm.read_only_udm.principal.asset.hardware |
Populated with fields like hardware.manufacturer and hardware.model. |
(Parser Logic) event.idm.read_only_udm.principal.asset.ip |
event.idm.read_only_udm.principal.asset.ip |
Derived from various IP address fields depending on the log category and other fields. |
(Parser Logic) event.idm.read_only_udm.principal.asset.mac |
event.idm.read_only_udm.principal.asset.mac |
Derived from EndpointMacAddress, parsed_endpoint_mac, or other MAC address fields after appropriate formatting. |
(Parser Logic) event.idm.read_only_udm.principal.asset.platform_software.platform_version |
event.idm.read_only_udm.principal.asset.platform_software.platform_version |
Derived from OperatingSystem, EndpointPolicy, or ad_operating_system. |
(Parser Logic) event.idm.read_only_udm.principal.group.group_display_name |
event.idm.read_only_udm.principal.group.group_display_name |
Derived from AD-Domain, IdentityGroup, or EndpointIdentityGroup. |
(Parser Logic) event.idm.read_only_udm.principal.group.product_object_id |
event.idm.read_only_udm.principal.group.product_object_id |
Derived from IdentityGroupID. |
(Parser Logic) event.idm.read_only_udm.principal.hostname |
event.idm.read_only_udm.principal.hostname |
Derived from r_ip_or_host, NetworkDeviceName, or other hostname fields depending on the log category and other fields. |
(Parser Logic) event.idm.read_only_udm.principal.ip |
event.idm.read_only_udm.principal.ip |
Derived from various IP address fields depending on the log category and other fields. |
(Parser Logic) event.idm.read_only_udm.principal.labels |
event.idm.read_only_udm.principal.labels |
Populated with fields like nas_identifier, nas_port_type, and nas_port_id. |
(Parser Logic) event.idm.read_only_udm.principal.location.country_or_region |
event.idm.read_only_udm.principal.location.country_or_region |
Derived from Location. |
(Parser Logic) event.idm.read_only_udm.principal.nat_ip |
event.idm.read_only_udm.principal.nat_ip |
Derived from NAS-IP-Address. |
(Parser Logic) event.idm.read_only_udm.principal.nat_port |
event.idm.read_only_udm.principal.nat_port |
Derived from NAS-Port if numeric and less than 2147483648. |
(Parser Logic) event.idm.read_only_udm.principal.platform |
event.idm.read_only_udm.principal.platform |
Derived from device-platform or OperatingSystem. Can be WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM. |
(Parser Logic) event.idm.read_only_udm.principal.platform_version |
event.idm.read_only_udm.principal.platform_version |
Derived from platform-version. |
(Parser Logic) event.idm.read_only_udm.principal.port |
event.idm.read_only_udm.principal.port |
Derived from Device Port or Port if numeric. |
(Parser Logic) event.idm.read_only_udm.principal.user.attribute.labels |
event.idm.read_only_udm.principal.user.attribute.labels |
Populated with fields like "Admin Interface", "UserType", and "Chargeable-User-Identity". |
(Parser Logic) event.idm.read_only_udm.principal.user.phone_numbers |
event.idm.read_only_udm.principal.user.phone_numbers |
Derived from PhoneID or PhoneNumber. |
(Parser Logic) event.idm.read_only_udm.principal.user.userid |
event.idm.read_only_udm.principal.user.userid |
Derived from User, UserName, User-Name, AdminName, OriginalUserName, or other username fields depending on the log category and other fields. |
(Parser Logic) event.idm.read_only_udm.security_result.about.labels |
event.idm.read_only_udm.security_result.about.labels |
Populated with fields like "IdentityPolicyMatchedRule", "EndPointMatchedProfile", "ObjectType", and "ObjectName". |
(Parser Logic) event.idm.read_only_udm.security_result.action |
event.idm.read_only_udm.security_result.action |
Derived from msg_text or AuthenticationStatus. Can be ALLOW, BLOCK, or UNKNOWN_ACTION. |
(Parser Logic) event.idm.read_only_udm.security_result.detection_fields |
event.idm.read_only_udm.security_result.detection_fields |
Populated with various fields depending on the log category and other fields. |
(Parser Logic) event.idm.read_only_udm.security_result.description |
event.idm.read_only_udm.security_result.description |
Derived from AD-Error-Details or DetailedInfo. |
(Parser Logic) event.idm.read_only_udm.security_result.rule_name |
event.idm.read_only_udm.security_result.rule_name |
Derived from AuthorizationPolicyMatchedRule or RegisterStatus. |
(Parser Logic) event.idm.read_only_udm.security_result.severity |
event.idm.read_only_udm.security_result.severity |
Derived from msg_sev. Can be CRITICAL, ERROR, HIGH, MEDIUM, or INFORMATIONAL. |
(Parser Logic) event.idm.read_only_udm.security_result.severity_details |
event.idm.read_only_udm.security_result.severity_details |
Derived from msg_sev. |
(Parser Logic) event.idm.read_only_udm.security_result.summary |
event.idm.read_only_udm.security_result.summary |
Derived from msg_text or FailureReason. |
(Parser Logic) event.idm.read_only_udm.src.ip |
event.idm.read_only_udm.src.ip |
Derived from source_ip extracted from OperationMessageText. |
(Parser Logic) event.idm.read_only_udm.src.port |
event.idm.read_only_udm.src.port |
Derived from source_port extracted from OperationMessageText if numeric. |
(Parser Logic) event.idm.read_only_udm.target.administrative_domain |
event.idm.read_only_udm.target.administrative_domain |
Derived from AD-Domain-Controller. |
(Parser Logic) event.idm.read_only_udm.target.asset.hardware |
event.idm.read_only_udm.target.asset.hardware |
Populated with fields like _hardware.cpu_number_cores. |
(Parser Logic) event.idm.read_only_udm.target.asset.hostname |
` |
Changes
2024-05-10
- Mapped "ExternalGroups" to "additional.fields".
2024-05-09
- Added Grok patterns to parse new formats of "CISE_Profiler".
- Mapped some fields for "CISE_Administrative_and_Operational_Audit" and "CISE_Alarm".
2024-04-18
- Mapped "msg_sev" to "security_result.severity_details".
- Mapped "r_total_seg", "r_seg_num", "msg_code", and "r_msg_id" to "security_result.detection_fields".
- Mapped "r_cat_name" to "security_result.category_details".
- Mapped "msg_text" and "msg_class" to "metadata.description".
- Aligned "target.ip" and "target.asset.ip" mappings.
- Aligned "target.hostname" and "target.asset.hostname" mappings.
- Aligned "principal.ip" and "principal.asset.ip" mappings.
- Aligned "principal.hostname" and "principal.asset.hostname" mappings.
- Added a Grok pattern to parse "msg_attrs".
2024-04-10
- Bug-Fix:
- Added Grok patterns to parse new formats of "PeerName".
2023-11-20
- Added new Grok patterns to parse failing Syslogs.
- Added "msg_code" "5412" to parse logs having the same "msg_code".
2023-09-29
- Added support for a new pattern of JSON logs.
- Mapped "EndpointSourceEvent", "NASIdentifier", "NAS-Port-Type", "NAS-Port-Id", "ProfilerServer" to "security_result.detection_fields" for 80002 and 80006 logs.
- Changed mapping of "Location" from "principal.location" to "target.location" for 80002 and 80006 logs.
- Added on_error check to replace and merge functions.
- Modified date mapping to parse date with "MEST" and "MESZ" timezones.
2023-08-02
- Enhancement -
- Added KV mapping to parse and map "cisco-av-pair=dhcp-option=host-name" to "target.hostname".
- Changed mapping of "security_result.action" from "FAIL" to "BLOCK" when "msg_text" contains "failed|dropped|stop|rejected|down|abandoned|block|blocking|invalid".
2023-07-18
- Enhancement -
- Mapped "cisco-av-pair=dhcp-option=host-name" to "target.hostname".
- Changed mapping of "User-Name" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "UserName" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "User" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "PhoneNumber" from "target.user.phone_numbers" to "principal.user.phone_numbers".
- Mapped "FramedIPAddress" to "security_result.detection_fields" for Profiler event types 80002, 80006.
- Modified date mapping to parse date with "EASTERN" timezone.
- Added Grok pattern to match "PeerAddress".
2023-06-07
- Enhancement-
- Added Grok pattern to parse a new log pattern.
2023-05-26
- Enhancement-
- Modified date mapping to parse date with 'BJ' timezone.
2023-04-18
- Enhancement-
- Added a 'json' block to handle JSON logs.
- Mapped "logstash.irm_region" to "additional.fields".
- Mapped "logstash.irm_environment" to "additional.fields".
- Mapped "logstash.irm_site" to "additional.fields".
- Mapped "logstash.ingest.timestamp" to "metadata.ingested_timestamp".
- Mapped "logstash.process.timestamp" to "metadata.collected_timestamp".
2023-03-01
- Enhancement-
- Whenever 'Calling-Station-ID' is an IP address, then map it to 'principal.ip'.
- Added a regular expression condition to validate MAC address for field 'device-mac' before mapping to 'principal.mac'.
2022-12-08
- Enhancement-
- Mapped 'assetDeviceType' to 'principal.resource.name'.
- Mapped 'assetIncidentScore' to 'security_result.detection_fields'.
- Mapped 'PostureAssessmentStatus' to 'security_result.detection_fields'.
- Mapped 'PolicyVersion' to 'security_result.detection_fields'.
- Mapped 'EndPointVersion' to 'security_result.detection_fields'.
- Mapped 'EndPointPolicyID' to 'security_result.detection_fields'.
2022-10-13
- Enhancement- Corrected the date mapping for SYSLOGTIMESTAMP date formats.
2022-08-10
- Enhancement- Modified mappings for the following fields from 'additional.fields' to 'security_result.detection_fields'.
- 'CPMSessionID', 'NASPort', 'AD-Log-Id', 'AD-Srv-Query', 'AD-Srv-Record', 'Tunnel-Client-Endpoint', 'IsThirdPartyDeviceFlow', 'PostureStatus', 'OperationMessageText', 'AcsSessionID', 'SelectedAccessService', 'RadiusPacketType', 'ISELocalAddress', 'ISEModuleName', 'ISEServiceName', 'ConnectionStatus', 'UniqueConnectionIdentifier', 'Audit_session_id', 'EndpointCertainityMetric', 'EndpointNADAddress', 'EndpointOUI', 'EndpointProperty', 'AuthenticationIdentityStore', 'AD-Host-Candidate-Identities', 'PostureExpiry', 'allowEasyWiredSession', 'ConfigVersionId', 'RequestLatency', 'Service-Type', 'Framed-Protocol', 'Class', 'Called-Station-ID', 'Calling-Station-ID', 'Acct-Status-Type', 'Acct-Delay-Time', 'Acct-Input-Octets', 'Acct-Output-Octets', 'Acct-Session-Id', 'Acct-Authentic', 'Acct-Session-Time', 'Acct-Input-Packets', 'Acct-Output-Packets', 'Acct-Terminate-Cause', 'Protocol'.
2022-08-12
- Bug fix -
- Modified mapping for the field 'prinicipal.asset.hostname' to 'intermediary.hostname'.
- Modfied event_type from GENERIC_EVENT to STATUS_UPDATE or NETWORK_CONNECTION.
2022-07-11
- Bug-fix - Mapped NetworkDeviceName to "event.idm.read_only_udm.principal.hostname" where Product_event_type is 5440 RADIUS.
- Mapped r_ip_or_host to observer.ip or observer.hostname.
- Dropped malformed/encoded logs.
2022-05-02
- Bug-fix - Corrected mapping for 'security_result.action' from 'ALLOW' to 'FAIL' where the log_type is 'CISE_Failed_Attempts'.
2022-04-21
- Enhancement-Parsed the logs with log_type='CISE_Profiler'
- For log_type='CISE_TACACS_Accounting changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED'
- Added proper condition for 'NASPort' field and 'Port' field.
2022-04-18
- Mapped 'foreign_ip' to 'intermediary.ip'
- Parsed the logs with log_type='CISE_TACACS_Accounting' and 'CISE_RADIUS_Accounting'
- For log_type='CISE_TACACS_Accounting changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED'
- Added proper condition for 'NASPort' field.
2022-04-13
- Mapped NAS-Port-Id in event: 5200.
- Mapped hostname in events: 60188, 60125, 60116, 60115, 60081, 60080, 51021, 51020, 51003, 51002, 51001, 51000, 52000, 52001, 52002.
- Mapped Operation Message text in about.labels in event: 52000.
- Mapped Serial Number in additional_fields in event: 5200.