Collect Cisco ISE logs
Supported in:
This document describes how you can collect Cisco Identify Services Engine (ISE) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured
UDM format. The information in this document applies to the parser with the
CISCO_ISE ingestion label.
Configure Cisco ISE
- Sign in to Cisco ISE console using administrator credentials.
- In the Cisco ISE console, select Administration > System > Logging > Remote logging targets.
- In the Remote logging targets window, click Add. The New logging target window appears.
In the Logging target section, specify values for the following fields:
Field Description Name Name of the Google Security Operations forwarder. Description Description of the Google Security Operations forwarder. Type Type of the remote log target, such as syslog. IP address IP address of the Google Security Operations forwarder. Target type Select TCP syslog or UDP syslog. Port Use a high port, such as 10514. Facility code You can specify one of the following values: - LOCAL0 (code = 16)
- LOCAL1 (code = 17)
- LOCAL2 (code = 18)
- LOCAL3 (code = 19)
- LOCAL4 (code = 20)
- LOCAL5 (code = 21)
- LOCAL6 (code = 22; default)
- LOCAL7 (code = 23)
Maximum length The recommended value is 1024. Click Submit. The Remote log targets window appears with the new Google Security Operations forwarder configuration.
In the Cisco ISE console, select Administration > System > Logging > Logging categories.
In the Logging categories window, select the categories for which you want to set the remote syslog target and add the remote syslog target.
The following are the sample categories: AAA audits, AAA diagnostics, accounting, administrative and operational audit, posture and client provisioning audit, posture and client provisioning diagnostics, profiler, system diagnostics, and system statistics.
Configure Google Security Operations forwarder and syslog to ingest Cisco Secure ACS logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select Cisco ISE as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
- Protocol: specify the protocol.
- Address: specify the target IP address or hostname where the collector resides and addresses to the syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser extracts Cisco ISE logs from syslog messages, normalizes the data into UDM format, and enriches the event with additional context. It handles various ISE log categories, including authentication successes and failures, administrative audits, system statistics, and more, mapping relevant fields to the UDM schema and adding specific labels for detailed analysis.
UDM mapping table
| Log field | UDM mapping | Remark |
|---|---|---|
AAA_Event |
security_result.detection_fields |
|
AAA_Security_Result.detection_fields |
aaa_service |
|
ac-user-agent |
network.http.user_agent |
|
Acct-Authentic |
security_result.detection_fields |
|
Acct-Delay-Time |
security_result.detection_fields |
|
Acct-Input-Octets |
security_result.detection_fields |
|
Acct-Input-Packets |
security_result.detection_fields |
|
Acct-Output-Octets |
security_result.detection_fields |
|
Acct-Output-Packets |
security_result.detection_fields |
|
Acct-Session-Id |
sec_result.detection_fieldsadditional.fields |
|
Acct-Session-Time |
security_result.detection_fields |
|
Acct-Status-Type |
security_result.detection_fields |
|
Acct-Terminate-Cause |
security_result.detection_fields |
|
AcctReply-Status |
security_result.detection_fields |
|
AcctRequest-Flags |
security_result.detection_fields |
|
ACS_CiscoSecure_Defined_ACL |
security_result.detection_fields |
|
AcsSessionID |
sec_result.detection_fieldsadditional.fields |
|
Action |
security_result.action_details |
|
action_details |
security_result.action_details |
|
ActiveSessionCount |
security_result.detection_fields |
|
ad_identifier |
about.hostname |
|
ad_join_point |
principal.administrative_domain |
|
ad_operating_system |
principal.platform |
|
AD-Account-Name |
principal.user.useridtarget.hostname |
|
AD-Domain |
principal.group.group_display_name |
|
AD-Domain-Controller |
target.administrative_domain |
|
AD-Error-Details |
security_result.description |
|
AD-Forest |
target.resource.attribute.labels |
|
AD-Groups-Names |
principal.user.group_identifiers |
|
AD-Host-Candidate-Identities |
sec_result.detection_fields |
|
AD-IP-Address |
target.iptarget.asset.ip |
|
AD-Log-Id |
sec_result.detection_fields |
|
AD-Site |
target.location.name |
|
AD-Srv-Query |
security_result.detection_fields |
|
AD-Srv-Record |
security_result.detection_fields |
|
AD-User-Candidate-Identities |
principal.user.attribute.labels |
|
AD-User-DNS-Domain |
network.dns_domain |
|
AD-User-Join-Point |
target.hostnametarget.asset.hostname |
|
AD-User-NetBios-Name |
principal.user.attribute.labels |
|
AD-User-Qualified-Name |
principal.user.email_addresses |
|
AD-User-Resolved-DNs |
principal.user.attribute.labels |
|
AD-User-Resolved-Identities |
sec_result.detection_fieldsprincipal.user.userid |
|
AD-User-Resolved-Identities |
||
AD-User-SamAccount-Name |
principal.user.attribute.labels |
|
Admin |
principal.user.userid |
|
AdminInterface |
principal.user.attribute.labels |
|
AdminIPAddress |
principal.ip |
|
AdminName |
principal.user.userid |
|
affected-dn |
target.resource.nametarget.resource.attribute.labelstarget.resource.resource_type |
target.resource.resource_type => "USER" |
Airespace-Wlan-Id |
additional.fields |
|
allowEasyWiredSession |
sec_result.detection_fieldsadditional.fields |
|
AMInstalled |
security_result.detection_fields |
|
assetDeviceType |
principal.resource.name |
|
assetIncidentScore |
security_result.detection_fields |
|
Audit_session_id |
sec_result.detection_fields |
|
AuditSessionId |
sec_result.detection_fields |
|
Authen-Reply-Status |
security_result.detection_fields |
|
AuthenticationIdentityStore |
sec_result.detection_fieldsadditional.fields |
|
AuthenticationMethod |
security_result.detection_fields |
|
AuthenticationResult |
security_result.action |
|
AuthenticationStatus |
security_result.actionsecurity_result.action_details |
|
Author-Reply-Status |
additional.fields |
|
AuthorizationFailureReason |
security_result.detection_fields |
|
AuthorizationPolicyMatchedRule |
security_result.rule_name |
|
av-pair-severity |
security_result.detection_fields |
|
BYODRegistration |
sec_result.detection_fields |
|
CacheUpdateTime |
security_result.detection_fields |
|
Called-Station-ID |
security_result.detection_fieldstarget.iptarget.mac |
|
Calling-Station-ID |
security_result.detection_fieldsprincipal.ipprincipal.mac |
|
cdpCacheAddressType |
security_result.detection_fields |
|
cdpCacheVersion |
security_result.detection_fields |
|
cdpUndefined28 |
security_result.detection_fields |
|
change-set |
additional.fields |
|
Chargeable-User-Identity |
principal.user.attribute.labels |
|
cisco-av-pair |
additional.fieldssecurity_result.detection_fields |
|
CiscoIOS |
security_result.detection_fields |
|
Class |
sec_result.detection_fields |
|
client_type |
additional.fields |
|
client-iif-id |
security_result.detection_fields |
|
ClientLatency |
security_result.detection_fieldsadditional.fields |
|
CmdSet |
target.process.command_line |
|
coa-push |
security_result.detection_fields |
|
CoAClientInstanceDestinationIPAddress |
target.iptarget.asset.ip |
|
coaReason |
security_result.detection_fields |
|
coaSourceComponent |
security_result.detection_fields |
|
coaType |
security_result.detection_fields |
|
Component |
security_result.detection_fields |
|
ConfigChangeData |
security_result.detection_fields |
|
ConfigVersionId |
sec_result.detection_fieldsadditional.fields |
|
connect-progress |
security_result.detection_fields |
|
ConnectionStatus |
sec_result.detection_fields |
|
ConnectionStatus=Failed |
security_result.action ="BLOCK" |
|
Constructeurs |
principal.asset.hardware.manufacturer |
|
counters_kvp |
event.idm.read_only_udm.target.asset.attribute.labels |
|
CPMSessionID |
security_result.detection_fieldsadditional.fieldsnetwork.session_id |
|
CreateTime |
event.idm.read_only_udm.principal.asset.attribute.creation_time |
|
cts_security_group_tag |
security_result.detection_fields |
|
cts-pac-opaque |
security_result.detection_fields |
|
datetime |
metadata.event_timestamp |
|
days_to_expiry |
security_result.detection_fields |
|
DeltaRadiusRequestCount |
security_result.detection_fields |
|
DeltaTacacsRequestCount |
security_result.detection_fields |
|
Description |
security_result.detection_fields |
|
DestinationIPAddress |
target.iptarget.asset.ip |
|
DestinationIPAddress |
target.iptarget.asset.ip |
|
DestinationPort |
target.port |
|
DetailedInfo |
sec_result.description |
|
Device_IP_Address |
principal.ipprincipal.asset.ip |
|
device-mac |
principal.mac |
|
device-platform |
principal.platform |
|
device-platform-version |
principal.platform_version |
|
device-public-mac |
principal.mac |
|
device-type |
principal.asset.hardware.model |
|
device-uid |
principal.resource.product_object_id |
|
device-uid-global |
principal.asset.product_object_id |
|
DeviceIPAddress |
principal.iptarget.ipintermediary.ip |
|
DevicePort |
principal.porttarget.portintermediary.port |
|
DeviceRegistrationStatus |
sec_result.detection_fields |
|
dhcp-class-identifier |
security_result.detection_fields |
|
dhcp-parameter-request-list |
additional.fields |
|
Domaines |
additional.fields |
|
DoReplicate |
security_result.detection_fields |
|
DTLSSupport |
security_result.detection_fields |
|
EAP-Key-Name |
additional.fields |
|
EapTunnel |
additional.fields |
|
EmailAddress |
principal.user.email_addresses |
|
EnableFlag |
additional.fields |
|
EnableSingleConnect |
security_result.detection_fields |
|
End-of-LLDPDU |
security_result.detection_fields |
|
endpoint_id |
principal.macprincipal.asset.mac |
|
EndpointCertainityMetric |
sec_result.detection_fields |
|
EndpointIdentityGroup |
principal.group.group_display_name |
|
EndpointIPAddress |
principal.asset.ip |
|
EndPointMACAddress |
principal.macprincipal.asset.mac |
|
EndPointMatchedProfile |
security_result.about.labelsadditional.fields |
|
EndpointNADAddress |
sec_result.detection_fields |
|
EndpointOUI |
sec_result.detection_fields |
|
EndpointPolicy |
principal.asset.platform_software.platform_versionsecurity_result.detection_fields |
|
EndPointPolicyID |
security_result.detection_fields |
|
EndPointProfilerServer |
target.hostname |
|
EndpointProperty |
sec_result.detection_fields |
|
EndPointSource |
target.resource.attribute.labels |
|
EndpointSourceEvent |
sec_result.detection_fields |
|
EndpointUserAgent |
network.http.user_agent |
|
EndPointVersion |
security_result.detection_fields |
|
epid |
security_result.detection_fields |
|
Error Message |
additional.fields |
|
event |
additional.fields |
|
extended_key_usage_oid |
additional.fields |
|
external_groups |
additional.fields |
|
FailureFlag |
security_result.detection_fields |
|
FailureReason |
sec_result.detection_fieldsadditional.fields |
|
FeedService |
security_result.detection_fields |
|
FirstCollection |
event.idm.read_only_udm.principal.asset.first_discover_time |
|
foreign_ip |
intermediary.ip |
|
FQSubjectName |
security_result.detection_fields |
|
Framed-MTU |
additional.fields |
|
Framed-Protocol |
sec_result.detection_fields |
|
FramedIPAddress |
security_result.detection_fields |
|
group_name |
principal.group.group_display_name |
|
Header-Flags |
security_result.detection_fields |
|
HostIdentityGroup |
additional.fields |
|
IdentityAccessRestricted |
security_result.detection_fields |
|
IdentityGroup |
principal.group.group_display_name |
|
IdentityGroupID |
principal.group.product_object_id |
|
IdentityPolicyMatchedRule |
sec_result.about.labelsadditional.fields |
|
IdentitySelectionMatchedRule |
sec_result.detection_fields |
|
Idle-Timeout |
security_result.detection_fields |
|
idletime |
security_result.detection_fields |
|
IMEI |
target.asset.product_object_id |
|
inacl_rule |
security_result.detection_fields |
|
intermediary_hostname |
intermediary.hostname |
|
ionTimeStamp |
security_result.detection_fields |
|
ios-version |
principal.asset.software.version |
|
ip_inacl_rule |
security_result.detection_fields |
|
ip_source_ip |
principal.ipprincipal.asset.ip |
|
IpAddress |
principal.ipprincipal.asset.ip |
|
IPSEC |
additional.fields |
|
ise_port |
principal.portintermediary.port |
|
ISELocalAddress |
intermediary.ipprincipal.ip |
|
ISEModuleName |
sec_result.detection_fields |
|
ISEPolicySetName |
target.resource.name |
|
ISEServiceName |
sec_result.detection_fields |
|
IsMachineAuthentication |
security_result.detection_fields |
|
IsMachineIdentity |
security_result.detection_fields |
|
IsRegistered |
security_result.detection_fields |
|
Issuer |
about.labels |
|
IsThirdPartyDeviceFlow |
sec_result.detection_fieldsadditional.fields |
|
key_usage |
additional.fields |
|
LastActivity |
event.idm.read_only_udm.principal.asset.last_discover_time |
|
LastNmapScanTime |
sec_result.detection_fields |
|
LicenseType |
additional.fields |
|
lldpManAddress |
security_result.detection_fields |
|
lldpPortDescription |
security_result.detection_fields |
|
lldpPortId |
security_result.detection_fields |
|
lldpSystemCapabilitiesMap |
security_result.detection_fields |
|
lldpSystemDescription |
security_result.detection_fields |
|
lldpTimeToLive |
security_result.detection_fields |
|
lldpUndefined127 |
security_result.detection_fields |
|
localport |
principal.port |
|
Location |
principal.location.country_or_regiontarget.location.country_or_regionsecurity_result.detection_fields |
|
log-id |
metadata.product_log_id |
|
logstash.ingest.host |
intermediary.hostname |
|
logstash.ingest.timestamp |
metadata.ingested_timestamp |
|
logstash.irm_environment |
additional.fields |
|
logstash.irm_region |
additional.fields |
|
logstash.irm_site |
additional.fields |
|
logstash.process.host |
intermediary.hostname |
|
logstash.process.timestamp |
metadata.collected_timestamp |
|
MAC |
principal.mac |
|
mac_UserName |
principal.mac |
|
MacAddress |
principal.mac |
|
MajorVersion |
security_result.detection_fields |
|
Manufacturer |
target.asset.hardware.manufacturer |
|
MatchedPolicy |
security_result.detection_fields |
|
MatchedPolicyID |
security_result.rule_id |
|
MDMFailureReason |
sec_result.detection_fields |
|
MDMServerName |
metadata.product_name |
|
mDNS |
security_result.detection_fields |
|
MESSAGE |
security_result.description |
|
MFCInfoEndpointType |
principal.asset.asset_typeprincipal.asset.attribute.labels |
|
MinorVersion |
security_result.detection_fields |
|
MisconfiguredClientFixReason |
security_result.detection_fields |
|
Model |
target.asset.hardware.model |
|
Model_Name |
principal.asset.attribute.labels |
|
msg_class |
metadata.description |
|
msg_sev |
security_result.severitysec_result.severity_details |
|
msg_text |
metadata.descriptionsecurity_result.severitysec_result.severity_details,security_result.action |
|
msg_text |
security_result.action |
|
NAD Address |
principal.ip |
|
NADAddress |
intermediary.ip |
|
Name |
principal.group.group_identifiers |
|
nas_ip_address |
principal.nat_ip |
|
NAS-Identifier |
principal.labels |
|
NAS-IP-Address |
principal.nat_ipprincipal.ip |
|
NAS-Port |
principal.portprincipal.labels |
|
nas-update |
security_result.detection_fields |
|
NASIdentifier |
security_result.detection_fieldsprincipal.labels |
|
NASPort |
principal.nat_port if valid else to security_result.detection_fieldsprincipal.labels |
|
NASPortId |
security_result.detection_fieldsprincipal.labels |
|
NASPortType |
security_result.detection_fieldsprincipal.labels |
|
Network Device Name |
target.hostnametarget.asset.hostname |
|
network_adapter |
target.resource.name |
|
network_application_protocol_result |
network.application_protocol |
|
NetworkDeviceGroups |
sec_result.detection_fields |
|
NetworkDeviceGroups_IPSEC |
additional.fields |
|
NetworkDeviceProfileId |
principal.asset.asset_id |
|
NetworkDeviceProfileName |
principal.asset.attribute.labels |
|
NmapScanCount |
security_result.detection_fields |
|
ntp_server_1 |
target.iptarget.asset.ip |
|
ntp_server_2 |
target.iptarget.asset.ip |
|
ntp_server_3 |
target.iptarget.asset.ip |
|
ObjectInternalID |
security_result.detection_fields |
|
ObjectName |
security_result.about.labels |
|
ObjectType |
security_result.labout.abelsadditional.fields |
|
operating-system-result |
target.asset.platform_software.platform_version |
target.platform = WINDOWS |
OperatingSystem |
target.asset.platform_software.platform_version |
|
OperationMessageText |
sec_result.detection_fields |
|
OperationMessageText |
about.labels |
|
OUI |
security_result.detection_fields |
|
pad |
security_result.detection_fields |
|
PeerAddress |
target.mactarget.asset.mac |
|
PeerName |
target.hostnametarget.asset.hostname |
|
PhoneNumber |
principal.user.phone_numbers |
|
platform-version |
principal.platform_version |
|
PolicyVersion |
security_result.detection_fields |
|
Port |
principal.porttarget.port |
|
Portal_Name |
additional.fields |
|
PortalName |
target.url |
|
PortalUser |
principal.user.userid |
|
PortalUser_GuestSponsor |
principal.user.attribute.labels |
|
PortalUser_GuestType |
principal.user.attribute.labels |
|
PostureApplicable |
security_result.detection_fields |
|
PostureAssessmentStatus |
sec_result.detection_fieldsadditional.fields |
|
PostureExpiry |
sec_result.detection_fields |
|
PostureStatus |
sec_result.detection_fields |
|
principal_hostname |
principal.hostname |
|
principal_ip |
principal.ipprincipal.asset.ip |
|
profile-name |
security_result.detection_fields |
|
ProfilerServer |
sec_result.detection_fields |
|
Protocol |
security_result.detection_fields |
|
r_ip_or_host |
observer.ipobserver.hostnameintermediary.hostnameintermediary.ip |
|
r_seg_num |
metadata.product_log_id |
|
RadiusFlowType |
security_result.about.labelsadditional.fields |
|
RadiusPacketType |
security_result.detection_fields |
|
received_b |
network.received_bytes |
|
RegisterStatus |
security_result.rule_name |
|
RegistrationTimeStamp |
sec_result.detection_fields |
|
RemoteAddress |
principal.ipprincipal.asset.ip |
|
RequestLatency |
sec_result.detection_fieldsadditional.fields |
|
RequestResponseTypes |
security_result.detection_fields |
|
ResponseTime |
sec_result.detection_fields |
|
SelectedAccessService |
sec_result.detection_fieldsadditional.fields |
|
SelectedAuthenticationIdentityStores |
security_result.detection_fields |
|
SelectedAuthorizationProfiles |
sec_result.detection_fieldsadditional.fields |
|
SelectedShellProfile |
additional.fields |
|
sent_b |
network.sent_bytes |
|
sequence_num |
metadata.product_log_id |
|
Sequence-Number |
security_result.detection_fields |
|
serial_number |
about.labelsnetwork.tls.server.certificate.serial |
|
server_label |
principal.asset.attribute.labels |
|
Service-Type |
sec_result.detection_fieldsadditional.fields |
|
session-id |
network.session_id |
|
Session-Timeout |
network.session_duration |
|
shell_role |
principal.user.attribute.roles.name |
|
ShutdownReason |
security_result.detection_fields |
|
SkipProfiling |
security_result.detection_fields |
|
software_version |
principal.asset.platform_software.platform_version |
|
Source |
principal.ipprincipal.hostname |
|
source_ip |
src.ip |
|
source_port |
src.port |
|
SSID |
additional.fields |
|
start_time |
security_result.first_discovered_time |
|
StaticAssignment |
security_result.detection_fields |
|
StaticGroupAssignment |
sec_result.detection_fields |
|
Step |
additional.fields |
|
StepData |
about.hostnameadditional.fields |
|
StepLatency |
additional.fields |
|
stop_time |
security_result.last_discovered_time |
|
Subject |
about.labels |
|
subject_alt_name |
about.labels |
|
subscriber_command |
security_result.detection_fields |
|
syslog_host |
principal.ipprincipal.asset.ip |
|
SysStatsCpuCount |
target.asset.hardware.cpu_number_cores |
|
SysStatsProcessMemoryMB |
target.asset.hardware.ram |
|
SysStatsUtilizationDiskIO |
target.asset.attribute.labels |
|
SysStatsUtilizationDiskSpace |
target.asset.attribute.labels |
|
SysStatsUtilizationLoadAvg |
target.asset.attribute.labels |
|
SystemDomain |
principal.asset.network_domain |
|
SystemName |
principal.hostnameprincipal.hostname |
|
SystemUser |
principal.user.userid |
|
SystemUserDomain |
principal.administrative_domain |
|
target_email |
target.user.email_addresses |
|
target_group_identifiers |
target.user.group_identifiers |
|
target_hostname |
target.hostname |
|
target_ip |
target.iptarget.asset.ip |
|
target_port |
target.port |
|
target_user |
target.user.userid |
|
target.resource.resource_type |
DEVICE | |
task_id |
additional.fields |
|
TaskId |
security_result.detection_fields |
|
Template_Name |
additional.fields |
|
Termination-Action |
security_result.detection_fields |
|
threshold_value |
additional.fields |
|
TimeToProfile |
sec_result.detection_fields |
|
TLSCipher |
network.tls.cipher |
|
TLSVersion |
network.tls.version |
|
total_certainty_factor |
sec_result.detection_fields |
|
TotalAuthenLatency |
security_result.detection_fieldsadditional.fields |
|
TotalFailedTime |
sec_result.detection_fields |
|
Tunnel-Client-Endpoint |
sec_result.detection_fields |
|
Type |
additional.fields |
|
undefined-151 |
additional.fields |
|
UniqueConnectionIdentifier |
sec_result.detection_fields |
|
UpdateTime |
sec_result.detection_fields |
|
url-redirect |
target.url |
|
url-redirect-acl |
security_result.detection_fields |
|
UseCase |
sec_result.detection_fields |
|
used_space_value |
additional.fields |
|
User |
principal.user.userid |
|
user |
principal.user.userid |
|
user_display_name |
principal.user.user_display_name |
|
User-AD-Last-Fetch-Time |
principal.user.attribute.labels |
|
User-Agent |
network.http.user_agentnetwork.http.parsed_user_agent |
|
User-Fetch-Email |
sec_result.detection_fields |
|
User-Fetch-Last-Name |
principal.user.last_name |
|
User-Fetch-LocalityName |
sec_result.detection_fields |
|
User-Fetch-StateOrProvinceName |
sec_result.detection_fields |
|
User-Name |
target.user.userid |
|
UserAccountControl |
principal.user.attribute.labels |
|
UserAgreementStatus |
security_result.detection_fields |
|
UserName |
target.user.userid |
|
UserType |
principal.user.attribute.labels |
|
UseSingleConnect |
security_result.detection_fields |
|
vlan-id |
security_result.detection_fields |
|
principal.resource.resource_type |
Statically mapped to DEVICE. |
UDM mapping delta reference
On December 1, 2025, Google SecOps released a new version of the Cisco ISE parser, which includes significant changes to the mapping of Cisco ISE log fields to UDM fields and changes to the mapping of event types.
Log-field mapping delta
Globally, the timestamp that the Cisco ISE parser displays now is the raw log field Event-Timestamp. Previously, the timestamp that the Cisco ISE parser displayed was from the header.
The following table lists the mapping delta for Cisco ISE log-to-UDM fields exposed prior to December 1, 2025 and subsequently (listed in the Old mapping and Current mapping columns respectively):
| Log field | Old mapping | Current mapping |
|---|---|---|
Acct-Input-Gigawords |
additional.fields |
network.received_bytes |
Acct-Input-Packets |
security_result.detection_fields |
network.received_packets |
Acct-Output-Gigawords |
additional.fields |
network.sent_bytes |
Acct-Output-Packets |
security_result.detection_fields |
network.sent_packets |
Acct-Session-Id |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
AcsSessionID |
security_result.detection_fieldsadditional.fields |
network.session_idsecurity_result.detection_fields |
AD-Log-Id |
security_result.detection_fields |
metadata.product_log_id |
AD-User-SamAccount-Name |
principal.user.attribute.labels |
principal.user.user_display_name |
allowEasyWiredSession |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
AuthenticationIdentityStore |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Calling-Station-ID |
security_result.detection_fieldsadditional.fieldsprincipal.ip |
security_result.detection_fields |
ClientLatency |
security_result.detection_fieldsadditional.fields |
`security_result.detection_fields |
ConfigVersionId |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
CPMSessionID |
security_result.detection_fieldsadditional.fieldsnetwork.sesson_id |
network.sesson_id |
DeviceIPAdresstarget.ip |
target.ip |
principal.ip |
EndPointMatchedProfile |
security_result.about.labelsadditional.fields |
security_result.about.resource.attribute.labels |
HostIdentityGroup |
additional.fields |
principal.group.group_display_name |
IdentityGroup |
principal.group.group_display_name |
principal.user.group_identifiers |
IdentityPolicyMatchedRule |
security_result.about.labelsadditional.fields |
security_result.rule_labels |
IsThirdPartyDeviceFlow |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Issuer |
about.labels |
network.tls.server.certificate.issuer |
Location |
principal.location.country_or_regiontarget.location.country_or_region,security_result.detection_fields |
principal.location.country_or_region, |
NAS Identifier |
principal.labels |
principal.asset.attribute.labels |
NAS-IP-Address |
principal.nat_ip,principal.ipintermediary.ip |
principal.nat_ip,principal.ip, |
NAS-Port |
principal.labels |
principal.resource.attribute.labels |
NAS-Port-Id |
security_result.detection_fieldsprincipal.labels |
security_result.detection_fields |
NAS-Port-Type |
security_result.detection_fieldsprincipal.labels |
`security_result.detection_fields |
NASIdentifier |
principal.resource.attribute.labels,security_result.detection_fields |
principal.resource.attribute.labels |
NASIdentifier |
security_result.detection_fieldsprincipal.labels |
security_result.detection_fields |
NetworkDeviceGroups_Location |
intermediary.location.country_or_region |
principal.location.country_or_region, |
Object Name |
security_result.about.labels |
security_result.about.resource.attribute.labelsprincipal.mac if it is a MAC |
Object Type |
security_result.about.labelsadditional.fields |
security_result.about.resource.attribute.labels |
PostureAssessmentStatus |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Privilege-Level |
additional.fields |
target.user.attribute.permissions.description |
ProfilerServer |
principal.hostnamesecurity_result.detection_fields |
principal.hostname |
RadiusFlowType |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
RequestLatency |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
r_msg_id |
security_result.detection_fields |
metadata.product_log_id |
r_seg_num |
security_result.detection_fieldsadditional.fields |
additional.fields |
r_total_seg |
security_result.detection_fieldsadditional.fields |
additional.fields |
SelectedAccessService |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
SelectedAuthorizationProfiles |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Sequence-Number |
metadata.product_log_id |
security_result.detection_fields if AD-Log-Id is not null |
Server |
principal.asset.attribute.labels |
principal.hostnameprincipal.asset.hostname |
Service-Type |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
serial_number |
about.labels |
about.resource.attribute.labels |
ShutdownReason |
security_result.detection_fields |
security_result.description |
Subject |
about.labels |
about.resource.attribute.labels |
subject_alt_name |
about.labels |
about.resource.attribute.labels |
subject_alt_name |
about.labels |
about.resource.attribute.labels |
TotalAuthenLatency |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
total_certainty_factor |
security_result.detection_fields |
security_result.confidence_score |
UniqueSubjectID |
additional.fields |
principal.user.userid.product_object_id |
Update Time |
security_result.detection_fields |
principal.asset.attribute.last_update_time |
User-Fetch-Email |
security_result.detection_fields |
principal.user.email_addresses |
User-Fetch-LocalityName |
security_result.detection_fields |
principal.location.name |
User-Fetch-StateOrProvinceName |
security_result.detection_fields |
principal.location.state |
User Name when [r_cat_name] =~ "CISE_Passed_Authentications" |
principal.user.useridtarget.user.userid |
principal.user.userid |
wlan-profile-name |
security_result.detection_fields |
principal.user.userid |
Event-type mapping delta
Multiple events that were classified generically are now properly classified with meaningful event types.
The following table lists the delta for the handling of Cisco ISE event types prior to December 1, 2025 and subsequently (listed in the Old event_type and Current event-type columns respectively):
| Event ID from log and logic | Old event_type | Current event_type |
|---|---|---|
(Based on event) [has_resource] == "true" |
GENERIC_EVENT |
USER_RESOURCE_ACCESS |
[Action] == "Login" |
NETWORK_CONNECTION |
USER_LOGIN |
[PRAAction] =~ "logoff" |
NETWORK_CONNECTION |
USER_LOGOUT |
[message] =~ "Administrator-Login" |
USER_UNCATEGORIZED |
USER_LOGIN |
[message] =~ "Change password failed" |
USER_LOGIN |
USER_CHANGE_PASSWORD |
[msg_text] =~ "Login Success" |
USER_UNCATEGORIZED |
USER_LOGIN |
Need more help? Get answers from Community members and Google SecOps professionals.