Mengumpulkan log Cisco ISE

Didukung di:

Google SecOps SIEM

Dokumen ini menjelaskan cara menyerap log Cisco ISE ke Google Security Operations menggunakan Bindplane.

Parser mengekstrak kolom dari syslog Cisco ISE dan log berformat CSV. Log ini menggunakan grok dan/atau kv untuk mengurai pesan log, lalu memetakan nilai ini ke Model Data Terpadu (UDM). Selain itu, fungsi ini juga menetapkan nilai metadata default untuk sumber dan jenis peristiwa.

Sebelum memulai

Pastikan Anda memiliki prasyarat berikut:

Instance Google SecOps
Windows Server 2016 atau yang lebih baru, atau host Linux dengan systemd
Jika beroperasi dari balik proxy, pastikan port firewall terbuka sesuai dengan persyaratan agen Bindplane
Akses istimewa ke portal Administrasi Cisco ISE

Mendapatkan file autentikasi penyerapan Google SecOps

Login ke konsol Google SecOps.
Buka Setelan SIEM > Agen Pengumpulan.
Download File Autentikasi Penyerapan. Simpan file dengan aman di sistem tempat BindPlane akan diinstal.

Mendapatkan ID pelanggan Google SecOps

Login ke konsol Google SecOps.
Buka Setelan SIEM > Profil.
Salin dan simpan ID Pelanggan dari bagian Detail Organisasi.

Menginstal agen Bindplane

Instal agen Bindplane di sistem operasi Windows atau Linux Anda sesuai dengan petunjuk berikut.

Penginstalan Windows

Buka Command Prompt atau PowerShell sebagai administrator.

Jalankan perintah berikut:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Tunggu hingga penginstalan selesai.
Verifikasi penginstalan dengan menjalankan:
```
sc query observiq-otel-collector
```

Layanan akan ditampilkan sebagai RUNNING.

Penginstalan Linux

Buka terminal dengan hak istimewa root atau sudo.

Jalankan perintah berikut:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Tunggu hingga penginstalan selesai.

Verifikasi penginstalan dengan menjalankan:

sudo systemctl status observiq-otel-collector

Layanan akan ditampilkan sebagai aktif (berjalan).

Referensi penginstalan tambahan

Untuk opsi penginstalan dan pemecahan masalah tambahan, lihat Panduan penginstalan agen BindPlane.

Mengonfigurasi agen BindPlane untuk menyerap syslog dan mengirimkannya ke Google SecOps

Cari file konfigurasi

Linux:

sudo nano /etc/bindplane-agent/config.yaml

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit file konfigurasi

Ganti seluruh konten config.yaml dengan konfigurasi berikut:

receivers:
    udplog:
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        creds_file_path: '/path/to/ingestion-authentication-file.json'
        customer_id: 'YOUR_CUSTOMER_ID'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: 'CISCO_ISE'
        raw_log_field: body
        ingestion_labels:

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - udplog
            exporters:
                - chronicle/chronicle_w_labels

Parameter konfigurasi

Ganti placeholder berikut:
- Konfigurasi penerima:
  - udplog: Gunakan udplog untuk syslog UDP atau tcplog untuk syslog TCP
  - 0.0.0.0: Alamat IP yang akan didengarkan (0.0.0.0 untuk mendengarkan semua antarmuka)
  - 514: Nomor port yang akan diproses (port syslog standar)
- Konfigurasi eksportir:
  - creds_file_path: Jalur lengkap ke file autentikasi penyerapan:
    - Linux: /etc/bindplane-agent/ingestion-auth.json
    - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
  - YOUR_CUSTOMER_ID: ID Pelanggan dari bagian Dapatkan ID pelanggan
  - endpoint: URL endpoint regional:
    - Amerika Serikat: malachiteingestion-pa.googleapis.com
    - Eropa: europe-malachiteingestion-pa.googleapis.com
    - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
    - Lihat Endpoint Regional untuk mengetahui daftar lengkapnya
  - log_type: Jenis log persis seperti yang muncul di Chronicle (CISCO_ISE)

Simpan file konfigurasi

Setelah mengedit, simpan file:
- Linux: Tekan Ctrl+O, lalu Enter, lalu Ctrl+X
- Windows: Klik File > Save

Mulai ulang agen Bindplane untuk menerapkan perubahan

Untuk memulai ulang agen Bindplane di Linux, jalankan perintah berikut:

sudo systemctl restart observiq-otel-collector

Pastikan layanan sedang berjalan:

  sudo systemctl status observiq-otel-collector

Periksa log untuk mengetahui error:

  sudo journalctl -u observiq-otel-collector -f

Untuk memulai ulang agen Bindplane di Windows, pilih salah satu opsi berikut:
- Command Prompt atau PowerShell sebagai administrator:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```
- Konsol layanan:
  1. Tekan Win+R, ketik services.msc, lalu tekan Enter.
  2. Temukan observIQ OpenTelemetry Collector.
  3. Klik kanan, lalu pilih Mulai Ulang.
  4. Pastikan layanan sedang berjalan:
```
sc query observiq-otel-collector
```
  5. Periksa log untuk mengetahui error:
```
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```

Mengonfigurasi penerusan Syslog di Cisco ISE

Login ke portal Cisco ISE Administration.
Buka Administrasi > Sistem > Logging > Target Logging Jarak Jauh.
Klik Tambahkan untuk membuat target logging jarak jauh baru.
Berikan detail konfigurasi berikut:
- Name: Masukkan nama deskriptif (misalnya, Google-SecOps-Bindplane).
- Deskripsi: Masukkan deskripsi (opsional).
- Alamat IP: Masukkan alamat IP host agen Bindplane.
- Port: Masukkan 514.
- Kode Fasilitas: Pilih LOCAL6 (atau fasilitas pilihan Anda).
- Panjang Maksimum: Masukkan 8192 (atau nilai maksimum yang didukung).
- Sertakan Alarm dalam Pesan Syslog: Centang jika Anda ingin menyertakan alarm.
Klik Simpan.
Buka Administrasi > Sistem > Logging > Kategori Logging.
Pilih setiap kategori logging yang ingin Anda teruskan, lalu klik Edit:
- Audit AAA
- Diagnostik AAA
- Akuntansi
- Audit Administrator
- Audit Postur dan Penyediaan Klien
- Profiler
- Diagnostik Sistem
Di bagian Targets, pindahkan target logging jarak jauh Google-SecOps-Bindplane dari Available ke Selected.
Klik Simpan.
Pastikan pesan syslog dikirim dengan memeriksa log agen Bindplane.

Tabel pemetaan UDM

Kolom log	Pemetaan UDM	Keterangan
`AAA_Event`	`security_result.detection_fields`
`AAA_Security_Result.detection_fields`	`aaa_service`
`ac-user-agent`	`network.http.user_agent`
`Acct-Authentic`	`security_result.detection_fields`
`Acct-Delay-Time`	`security_result.detection_fields`
`Acct-Input-Octets`	`security_result.detection_fields`
`Acct-Input-Packets`	`security_result.detection_fields`
`Acct-Output-Octets`	`security_result.detection_fields`
`Acct-Output-Packets`	`security_result.detection_fields`
`Acct-Session-Id`	`sec_result.detection_fields` `additional.fields`
`Acct-Session-Time`	`security_result.detection_fields`
`Acct-Status-Type`	`security_result.detection_fields`
`Acct-Terminate-Cause`	`security_result.detection_fields`
`AcctReply-Status`	`security_result.detection_fields`
`AcctRequest-Flags`	`security_result.detection_fields`
`ACS_CiscoSecure_Defined_ACL`	`security_result.detection_fields`
`AcsSessionID`	`sec_result.detection_fields` `additional.fields`
`Action`	`security_result.action_details`
`action_details`	`security_result.action_details`
`ActiveSessionCount`	`security_result.detection_fields`
`ad_identifier`	`about.hostname`
`ad_join_point`	`principal.administrative_domain`
`ad_operating_system`	`principal.platform`
`AD-Account-Name`	`principal.user.userid` `target.hostname`
`AD-Domain`	`principal.group.group_display_name`
`AD-Domain-Controller`	`target.administrative_domain`
`AD-Error-Details`	`security_result.description`
`AD-Forest`	`target.resource.attribute.labels`
`AD-Groups-Names`	`principal.user.group_identifiers`
`AD-Host-Candidate-Identities`	`sec_result.detection_fields`
`AD-IP-Address`	`target.ip` `target.asset.ip`
`AD-Log-Id`	`sec_result.detection_fields`
`AD-Site`	`target.location.name`
`AD-Srv-Query`	`security_result.detection_fields`
`AD-Srv-Record`	`security_result.detection_fields`
`AD-User-Candidate-Identities`	`principal.user.attribute.labels`
`AD-User-DNS-Domain`	`network.dns_domain`
`AD-User-Join-Point`	`target.hostname` `target.asset.hostname`
`AD-User-NetBios-Name`	`principal.user.attribute.labels`
`AD-User-Qualified-Name`	`principal.user.email_addresses`
`AD-User-Resolved-DNs`	`principal.user.attribute.labels`
`AD-User-Resolved-Identities`	`sec_result.detection_fields` `principal.user.userid`
`AD-User-Resolved-Identities`
`AD-User-SamAccount-Name`	`principal.user.attribute.labels`
`Admin`	`principal.user.userid`
`AdminInterface`	`principal.user.attribute.labels`
`AdminIPAddress`	`principal.ip`
`AdminName`	`principal.user.userid`
`affected-dn`	`target.resource.nametarget.resource.attribute.labels` `target.resource.resource_type`	`target.resource.resource_type` => `"USER"`
`Airespace-Wlan-Id`	`additional.fields`
`allowEasyWiredSession`	`sec_result.detection_fields` `additional.fields`
`AMInstalled`	`security_result.detection_fields`
`assetDeviceType`	`principal.resource.name`
`assetIncidentScore`	`security_result.detection_fields`
`Audit_session_id`	`sec_result.detection_fields`
`AuditSessionId`	`sec_result.detection_fields`
`Authen-Reply-Status`	`security_result.detection_fields`
`AuthenticationIdentityStore`	`sec_result.detection_fields` `additional.fields`
`AuthenticationMethod`	`security_result.detection_fields`
`AuthenticationResult`	`security_result.action`
`AuthenticationStatus`	`security_result.action` `security_result.action_details`
`Author-Reply-Status`	`additional.fields`
`AuthorizationFailureReason`	`security_result.detection_fields`
`AuthorizationPolicyMatchedRule`	`security_result.rule_name`
`av-pair-severity`	`security_result.detection_fields`
`BYODRegistration`	`sec_result.detection_fields`
`CacheUpdateTime`	`security_result.detection_fields`
`Called-Station-ID`	`security_result.detection_fields` `target.ip` `target.mac`
`Calling-Station-ID`	`security_result.detection_fields` `principal.ip` `principal.mac`
`cdpCacheAddressType`	`security_result.detection_fields`
`cdpCacheVersion`	`security_result.detection_fields`
`cdpUndefined28`	`security_result.detection_fields`
`change-set`	`additional.fields`
`Chargeable-User-Identity`	`principal.user.attribute.labels`
`cisco-av-pair`	`additional.fields` `security_result.detection_fields`
`CiscoIOS`	`security_result.detection_fields`
`Class`	`sec_result.detection_fields`
`client_type`	`additional.fields`
`client-iif-id`	`security_result.detection_fields`
`ClientLatency`	`security_result.detection_fields` `additional.fields`
`CmdSet`	`target.process.command_line`
`coa-push`	`security_result.detection_fields`
`CoAClientInstanceDestinationIPAddress`	`target.ip` `target.asset.ip`
`coaReason`	`security_result.detection_fields`
`coaSourceComponent`	`security_result.detection_fields`
`coaType`	`security_result.detection_fields`
`Component`	`security_result.detection_fields`
`ConfigChangeData`	`security_result.detection_fields`
`ConfigVersionId`	`sec_result.detection_fields` `additional.fields`
`connect-progress`	`security_result.detection_fields`
`ConnectionStatus`	`sec_result.detection_fields`
`ConnectionStatus=Failed`	`security_result.action ="BLOCK"`
`Constructeurs`	`principal.asset.hardware.manufacturer`
`counters_kvp`	`event.idm.read_only_udm.target.asset.attribute.labels`
`CPMSessionID`	`security_result.detection_fields` `additional.fields` `network.session_id`
`CreateTime`	`event.idm.read_only_udm.principal.asset.attribute.creation_time`
`cts_security_group_tag`	`security_result.detection_fields`
`cts-pac-opaque`	`security_result.detection_fields`
`datetime`	`metadata.event_timestamp`
`days_to_expiry`	`security_result.detection_fields`
`DeltaRadiusRequestCount`	`security_result.detection_fields`
`DeltaTacacsRequestCount`	`security_result.detection_fields`
`Description`	`security_result.detection_fields`
`DestinationIPAddress`	`target.ip` `target.asset.ip`
`DestinationIPAddress`	`target.ip` `target.asset.ip`
`DestinationPort`	`target.port`
`DetailedInfo`	`sec_result.description`
`Device_IP_Address`	`principal.ip` `principal.asset.ip`
`device-mac`	`principal.mac`
`device-platform`	`principal.platform`
`device-platform-version`	`principal.platform_version`
`device-public-mac`	`principal.mac`
`device-type`	`principal.asset.hardware.model`
`device-uid`	`principal.resource.product_object_id`
`device-uid-global`	`principal.asset.product_object_id`
`DeviceIPAddress`	`principal.ip` `target.ip` `intermediary.ip`
`DevicePort`	`principal.port` `target.port` `intermediary.port`
`DeviceRegistrationStatus`	`sec_result.detection_fields`
`dhcp-class-identifier`	`security_result.detection_fields`
`dhcp-parameter-request-list`	`additional.fields`
`Domaines`	`additional.fields`
`DoReplicate`	`security_result.detection_fields`
`DTLSSupport`	`security_result.detection_fields`
`EAP-Key-Name`	`additional.fields`
`EapTunnel`	`additional.fields`
`EmailAddress`	`principal.user.email_addresses`
`EnableFlag`	`additional.fields`
`EnableSingleConnect`	`security_result.detection_fields`
`End-of-LLDPDU`	`security_result.detection_fields`
`endpoint_id`	`principal.mac` `principal.asset.mac`
`EndpointCertainityMetric`	`sec_result.detection_fields`
`EndpointIdentityGroup`	`principal.group.group_display_name`
`EndpointIPAddress`	`principal.asset.ip`
`EndPointMACAddress`	`principal.mac` `principal.asset.mac`
`EndPointMatchedProfile`	`security_result.about.labels` `additional.fields`
`EndpointNADAddress`	`sec_result.detection_fields`
`EndpointOUI`	`sec_result.detection_fields`
`EndpointPolicy`	`principal.asset.platform_software.platform_version` `security_result.detection_fields`
`EndPointPolicyID`	`security_result.detection_fields`
`EndPointProfilerServer`	`target.hostname`
`EndpointProperty`	`sec_result.detection_fields`
`EndPointSource`	`target.resource.attribute.labels`
`EndpointSourceEvent`	`sec_result.detection_fields`
`EndpointUserAgent`	`network.http.user_agent`
`EndPointVersion`	`security_result.detection_fields`
`epid`	`security_result.detection_fields`
`Error Message`	`additional.fields`
`event`	`additional.fields`
`extended_key_usage_oid`	`additional.fields`
`external_groups`	`additional.fields`
`FailureFlag`	`security_result.detection_fields`
`FailureReason`	`sec_result.detection_fields` `additional.fields`
`FeedService`	`security_result.detection_fields`
`FirstCollection`	`event.idm.read_only_udm.principal.asset.first_discover_time`
`foreign_ip`	`intermediary.ip`
`FQSubjectName`	`security_result.detection_fields`
`Framed-MTU`	`additional.fields`
`Framed-Protocol`	`sec_result.detection_fields`
`FramedIPAddress`	`security_result.detection_fields`
`group_name`	`principal.group.group_display_name`
`Header-Flags`	`security_result.detection_fields`
`HostIdentityGroup`	`additional.fields`
`IdentityAccessRestricted`	`security_result.detection_fields`
`IdentityGroup`	`principal.group.group_display_name`
`IdentityGroupID`	`principal.group.product_object_id`
`IdentityPolicyMatchedRule`	`sec_result.about.labels` `additional.fields`
`IdentitySelectionMatchedRule`	`sec_result.detection_fields`
`Idle-Timeout`	`security_result.detection_fields`
`idletime`	`security_result.detection_fields`
`IMEI`	`target.asset.product_object_id`
`inacl_rule`	`security_result.detection_fields`
`intermediary_hostname`	`intermediary.hostname`
`ionTimeStamp`	`security_result.detection_fields`
`ios-version`	`principal.asset.software.version`
`ip_inacl_rule`	`security_result.detection_fields`
`ip_source_ip`	`principal.ip` `principal.asset.ip`
`IpAddress`	`principal.ip` `principal.asset.ip`
`IPSEC`	`additional.fields`
`ise_port`	`principal.port` `intermediary.port`
`ISELocalAddress`	`intermediary.ip` `principal.ip`
`ISEModuleName`	`sec_result.detection_fields`
`ISEPolicySetName`	`target.resource.name`
`ISEServiceName`	`sec_result.detection_fields`
`IsMachineAuthentication`	`security_result.detection_fields`
`IsMachineIdentity`	`security_result.detection_fields`
`IsRegistered`	`security_result.detection_fields`
`Issuer`	`about.labels`
`IsThirdPartyDeviceFlow`	`sec_result.detection_fields` `additional.fields`
`key_usage`	`additional.fields`
`LastActivity`	`event.idm.read_only_udm.principal.asset.last_discover_time`
`LastNmapScanTime`	`sec_result.detection_fields`
`LicenseType`	`additional.fields`
`lldpManAddress`	`security_result.detection_fields`
`lldpPortDescription`	`security_result.detection_fields`
`lldpPortId`	`security_result.detection_fields`
`lldpSystemCapabilitiesMap`	`security_result.detection_fields`
`lldpSystemDescription`	`security_result.detection_fields`
`lldpTimeToLive`	`security_result.detection_fields`
`lldpUndefined127`	`security_result.detection_fields`
`localport`	`principal.port`
`Location`	`principal.location.country_or_region` `target.location.country_or_region` `security_result.detection_fields`
`log-id`	`metadata.product_log_id`
`logstash.ingest.host`	`intermediary.hostname`
`logstash.ingest.timestamp`	`metadata.ingested_timestamp`
`logstash.irm_environment`	`additional.fields`
`logstash.irm_region`	`additional.fields`
`logstash.irm_site`	`additional.fields`
`logstash.process.host`	`intermediary.hostname`
`logstash.process.timestamp`	`metadata.collected_timestamp`
`MAC`	`principal.mac`
`mac_UserName`	`principal.mac`
`MacAddress`	`principal.mac`
`MajorVersion`	`security_result.detection_fields`
`Manufacturer`	`target.asset.hardware.manufacturer`
`MatchedPolicy`	`security_result.detection_fields`
`MatchedPolicyID`	`security_result.rule_id`
`MDMFailureReason`	`sec_result.detection_fields`
`MDMServerName`	`metadata.product_name`
`mDNS`	`security_result.detection_fields`
`MESSAGE`	`security_result.description`
`MFCInfoEndpointType`	`principal.asset.asset_type` `principal.asset.attribute.labels`
`MinorVersion`	`security_result.detection_fields`
`MisconfiguredClientFixReason`	`security_result.detection_fields`
`Model`	`target.asset.hardware.model`
`Model_Name`	`principal.asset.attribute.labels`
`msg_class`	`metadata.description`
`msg_sev`	`security_result.severity` `sec_result.severity_details`
`msg_text`	`metadata.description` `security_result.severity` `sec_result.severity_details,security_result.action`
`msg_text`	`security_result.action`
`NAD Address`	`principal.ip`
`NADAddress`	`intermediary.ip`
`Name`	`principal.group.group_identifiers`
`nas_ip_address`	`principal.nat_ip`
`NAS-Identifier`	`principal.labels`
`NAS-IP-Address`	`principal.nat_ip` `principal.ip`
`NAS-Port`	`principal.port` `principal.labels`
`nas-update`	`security_result.detection_fields`
`NASIdentifier`	`security_result.detection_fields` `principal.labels`
`NASPort`	`principal.nat_port if valid else to security_result.detection_fields` `principal.labels`
`NASPortId`	`security_result.detection_fields` `principal.labels`
`NASPortType`	`security_result.detection_fields` `principal.labels`
`Network Device Name`	`target.hostname` `target.asset.hostname`
`network_adapter`	`target.resource.name`
`network_application_protocol_result`	`network.application_protocol`
`NetworkDeviceGroups`	`sec_result.detection_fields`
`NetworkDeviceGroups_IPSEC`	`additional.fields`
`NetworkDeviceProfileId`	`principal.asset.asset_id`
`NetworkDeviceProfileName`	`principal.asset.attribute.labels`
`NmapScanCount`	`security_result.detection_fields`
`ntp_server_1`	`target.ip` `target.asset.ip`
`ntp_server_2`	`target.ip` `target.asset.ip`
`ntp_server_3`	`target.ip` `target.asset.ip`
`ObjectInternalID`	`security_result.detection_fields`
`ObjectName`	`security_result.about.labels`
`ObjectType`	`security_result.labout.abels` `additional.fields`
`operating-system-result`	`target.asset.platform_software.platform_version`	`target.platform` = `WINDOWS`
`OperatingSystem`	`target.asset.platform_software.platform_version`
`OperationMessageText`	`sec_result.detection_fields`
`OperationMessageText`	`about.labels`
`OUI`	`security_result.detection_fields`
`pad`	`security_result.detection_fields`
`PeerAddress`	`target.mac` `target.asset.mac`
`PeerName`	`target.hostname` `target.asset.hostname`
`PhoneNumber`	`principal.user.phone_numbers`
`platform-version`	`principal.platform_version`
`PolicyVersion`	`security_result.detection_fields`
`Port`	`principal.port` `target.port`
`Portal_Name`	`additional.fields`
`PortalName`	`target.url`
`PortalUser`	`principal.user.userid`
`PortalUser_GuestSponsor`	`principal.user.attribute.labels`
`PortalUser_GuestType`	`principal.user.attribute.labels`
`PostureApplicable`	`security_result.detection_fields`
`PostureAssessmentStatus`	`sec_result.detection_fields` `additional.fields`
`PostureExpiry`	`sec_result.detection_fields`
`PostureStatus`	`sec_result.detection_fields`
`principal_hostname`	`principal.hostname`
`principal_ip`	`principal.ip` `principal.asset.ip`
`profile-name`	`security_result.detection_fields`
`ProfilerServer`	`sec_result.detection_fields`
`Protocol`	`security_result.detection_fields`
`r_ip_or_host`	`observer.ip` `observer.hostname` `intermediary.hostname` `intermediary.ip`
`r_seg_num`	`metadata.product_log_id`
`RadiusFlowType`	`security_result.about.labels` `additional.fields`
`RadiusPacketType`	`security_result.detection_fields`
`received_b`	`network.received_bytes`
`RegisterStatus`	`security_result.rule_name`
`RegistrationTimeStamp`	`sec_result.detection_fields`
`RemoteAddress`	`principal.ip` `principal.asset.ip`
`RequestLatency`	`sec_result.detection_fields` `additional.fields`
`RequestResponseTypes`	`security_result.detection_fields`
`ResponseTime`	`sec_result.detection_fields`
`SelectedAccessService`	`sec_result.detection_fields` `additional.fields`
`SelectedAuthenticationIdentityStores`	`security_result.detection_fields`
`SelectedAuthorizationProfiles`	`sec_result.detection_fields` `additional.fields`
`SelectedShellProfile`	`additional.fields`
`sent_b`	`network.sent_bytes`
`sequence_num`	`metadata.product_log_id`
`Sequence-Number`	`security_result.detection_fields`
`serial_number`	`about.labels` `network.tls.server.certificate.serial`
`server_label`	`principal.asset.attribute.labels`
`Service-Type`	`sec_result.detection_fields` `additional.fields`
`session-id`	`network.session_id`
`Session-Timeout`	`network.session_duration`
`shell_role`	`principal.user.attribute.roles.name`
`ShutdownReason`	`security_result.detection_fields`
`SkipProfiling`	`security_result.detection_fields`
`software_version`	`principal.asset.platform_software.platform_version`
`Source`	`principal.ip` `principal.hostname`
`source_ip`	`src.ip`
`source_port`	`src.port`
`SSID`	`additional.fields`
`start_time`	`security_result.first_discovered_time`
`StaticAssignment`	`security_result.detection_fields`
`StaticGroupAssignment`	`sec_result.detection_fields`
`Step`	`additional.fields`
`StepData`	`about.hostname` `additional.fields`
`StepLatency`	`additional.fields`
`stop_time`	`security_result.last_discovered_time`
`Subject`	`about.labels`
`subject_alt_name`	`about.labels`
`subscriber_command`	`security_result.detection_fields`
`syslog_host`	`principal.ip` `principal.asset.ip`
`SysStatsCpuCount`	`target.asset.hardware.cpu_number_cores`
`SysStatsProcessMemoryMB`	`target.asset.hardware.ram`
`SysStatsUtilizationDiskIO`	`target.asset.attribute.labels`
`SysStatsUtilizationDiskSpace`	`target.asset.attribute.labels`
`SysStatsUtilizationLoadAvg`	`target.asset.attribute.labels`
`SystemDomain`	`principal.asset.network_domain`
`SystemName`	`principal.hostname` `principal.hostname`
`SystemUser`	`principal.user.userid`
`SystemUserDomain`	`principal.administrative_domain`
`target_email`	`target.user.email_addresses`
`target_group_identifiers`	`target.user.group_identifiers`
`target_hostname`	`target.hostname`
`target_ip`	`target.ip` `target.asset.ip`
`target_port`	`target.port`
`target_user`	`target.user.userid`
`target.resource.resource_type`		DEVICE
`task_id`	`additional.fields`
`TaskId`	`security_result.detection_fields`
`Template_Name`	`additional.fields`
`Termination-Action`	`security_result.detection_fields`
`threshold_value`	`additional.fields`
`TimeToProfile`	`sec_result.detection_fields`
`TLSCipher`	`network.tls.cipher`
`TLSVersion`	`network.tls.version`
`total_certainty_factor`	`sec_result.detection_fields`
`TotalAuthenLatency`	`security_result.detection_fields` `additional.fields`
`TotalFailedTime`	`sec_result.detection_fields`
`Tunnel-Client-Endpoint`	`sec_result.detection_fields`
`Type`	`additional.fields`
`undefined-151`	`additional.fields`
`UniqueConnectionIdentifier`	`sec_result.detection_fields`
`UpdateTime`	`sec_result.detection_fields`
`url-redirect`	`target.url`
`url-redirect-acl`	`security_result.detection_fields`
`UseCase`	`sec_result.detection_fields`
`used_space_value`	`additional.fields`
`User`	`principal.user.userid`
`user`	`principal.user.userid`
`user_display_name`	`principal.user.user_display_name`
`User-AD-Last-Fetch-Time`	`principal.user.attribute.labels`
`User-Agent`	`network.http.user_agent` `network.http.parsed_user_agent`
`User-Fetch-Email`	`sec_result.detection_fields`
`User-Fetch-Last-Name`	`principal.user.last_name`
`User-Fetch-LocalityName`	`sec_result.detection_fields`
`User-Fetch-StateOrProvinceName`	`sec_result.detection_fields`
`User-Name`	`target.user.userid`
`UserAccountControl`	`principal.user.attribute.labels`
`UserAgreementStatus`	`security_result.detection_fields`
`UserName`	`target.user.userid`
`UserType`	`principal.user.attribute.labels`
`UseSingleConnect`	`security_result.detection_fields`
`vlan-id`	`security_result.detection_fields`
	`principal.resource.resource_type`	Dipetakan secara statis ke `DEVICE`.

Referensi delta pemetaan UDM

Pada 1 Desember 2025, Google SecOps merilis versi baru parser Cisco ISE, yang mencakup perubahan signifikan pada pemetaan kolom log Cisco ISE ke kolom UDM dan perubahan pada pemetaan jenis peristiwa.

Delta pemetaan kolom log

Secara global, stempel waktu yang ditampilkan parser Cisco ISE sekarang adalah kolom log mentah Event-Timestamp. Sebelumnya, stempel waktu yang ditampilkan parser Cisco ISE berasal dari header.

Tabel berikut mencantumkan delta pemetaan untuk kolom log Cisco ISE ke UDM yang diekspos sebelum 1 Desember 2025 dan setelahnya (masing-masing tercantum dalam kolom Pemetaan lama dan Pemetaan saat ini):

Kolom log	Pemetaan lama	Pemetaan saat ini
`Acct-Input-Gigawords`	`additional.fields`	`network.received_bytes`
`Acct-Input-Packets`	`security_result.detection_fields`	`network.received_packets`
`Acct-Output-Gigawords`	`additional.fields`	`network.sent_bytes`
`Acct-Output-Packets`	`security_result.detection_fields`	`network.sent_packets`
`Acct-Session-Id`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`AcsSessionID`	`security_result.detection_fields` `additional.fields`	`network.session_id` `security_result.detection_fields`
`AD-Log-Id`	`security_result.detection_fields`	`metadata.product_log_id`
`AD-User-SamAccount-Name`	`principal.user.attribute.labels`	`principal.user.user_display_name`
`allowEasyWiredSession`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`AuthenticationIdentityStore`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Calling-Station-ID`	`security_result.detection_fields` `additional.fields` `principal.ip`	`security_result.detection_fields`
`ClientLatency`	`security_result.detection_fields` `additional.fields`	``security_result.detection_fields`
`ConfigVersionId`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`CPMSessionID`	`security_result.detection_fields` `additional.fields` `network.sesson_id`	`network.sesson_id`
`DeviceIPAdresstarget.ip`	`target.ip`	`principal.ip`
`EndPointMatchedProfile`	`security_result.about.labels` `additional.fields`	`security_result.about.resource.attribute.labels`
`HostIdentityGroup`	`additional.fields`	`principal.group.group_display_name`
`IdentityGroup`	`principal.group.group_display_name`	`principal.user.group_identifiers`
`IdentityPolicyMatchedRule`	`security_result.about.labels` `additional.fields`	`security_result.rule_labels`
`IsThirdPartyDeviceFlow`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Issuer`	`about.labels`	`network.tls.server.certificate.issuer`
`Location`	`principal.location.country_or_region` `target.location.country_or_region,security_result.detection_fields`	`principal.location.country_or_region,`
`NAS Identifier`	`principal.labels`	`principal.asset.attribute.labels`
`NAS-IP-Address`	`principal.nat_ip,principal.ip` `intermediary.ip`	`principal.nat_ip,principal.ip,`
`NAS-Port`	`principal.labels`	`principal.resource.attribute.labels`
`NAS-Port-Id`	`security_result.detection_fields` `principal.labels`	`security_result.detection_fields`
`NAS-Port-Type`	`security_result.detection_fields` `principal.labels`	``security_result.detection_fields`
`NASIdentifier`	`principal.resource.attribute.labels,security_result.detection_fields`	`principal.resource.attribute.labels`
`NASIdentifier`	`security_result.detection_fields` `principal.labels`	`security_result.detection_fields`
`NetworkDeviceGroups_Location`	`intermediary.location.country_or_region`	`principal.location.country_or_region,`
`Object Name`	`security_result.about.labels`	`security_result.about.resource.attribute.labels` `principal.mac` jika itu adalah MAC
`Object Type`	`security_result.about.labels` `additional.fields`	`security_result.about.resource.attribute.labels`
`PostureAssessmentStatus`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Privilege-Level`	`additional.fields`	`target.user.attribute.permissions.description`
`ProfilerServer`	`principal.hostname` `security_result.detection_fields`	`principal.hostname`
`RadiusFlowType`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`RequestLatency`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`r_msg_id`	`security_result.detection_fields`	`metadata.product_log_id`
`r_seg_num`	`security_result.detection_fields` `additional.fields`	`additional.fields`
`r_total_seg`	`security_result.detection_fields` `additional.fields`	`additional.fields`
`SelectedAccessService`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`SelectedAuthorizationProfiles`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Sequence-Number`	`metadata.product_log_id`	`security_result.detection_fields` jika `AD-Log-Id` bukan null
`Server`	`principal.asset.attribute.labels`	`principal.hostname` `principal.asset.hostname`
`Service-Type`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`serial_number`	`about.labels`	`about.resource.attribute.labels`
`ShutdownReason`	`security_result.detection_fields`	`security_result.description`
`Subject`	`about.labels`	`about.resource.attribute.labels`
`subject_alt_name`	`about.labels`	`about.resource.attribute.labels`
`subject_alt_name`	`about.labels`	`about.resource.attribute.labels`
`TotalAuthenLatency`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`total_certainty_factor`	`security_result.detection_fields`	`security_result.confidence_score`
`UniqueSubjectID`	`additional.fields`	`principal.user.userid.product_object_id`
`Update Time`	`security_result.detection_fields`	`principal.asset.attribute.last_update_time`
`User-Fetch-Email`	`security_result.detection_fields`	`principal.user.email_addresses`
`User-Fetch-LocalityName`	`security_result.detection_fields`	`principal.location.name`
`User-Fetch-StateOrProvinceName`	`security_result.detection_fields`	`principal.location.state`
`User Name when [r_cat_name] =~ "CISE_Passed_Authentications"`	`principal.user.userid` `target.user.userid`	`principal.user.userid`
`wlan-profile-name`	`security_result.detection_fields`	`principal.user.userid`

Delta pemetaan jenis peristiwa

Beberapa peristiwa yang diklasifikasikan secara umum kini diklasifikasikan dengan benar menggunakan jenis peristiwa yang bermakna.

Tabel berikut mencantumkan perbedaan penanganan jenis peristiwa Cisco ISE sebelum 1 Desember 2025 dan setelahnya (masing-masing tercantum di kolom Old event_type dan Current event-type):

ID peristiwa dari log dan logika	event_type lama	event_type saat ini
(Berdasarkan acara) `[has_resource] == "true"`	`GENERIC_EVENT`	`USER_RESOURCE_ACCESS`
`[Action] == "Login"`	`NETWORK_CONNECTION`	`USER_LOGIN`
`[PRAAction] =~ "logoff"`	`NETWORK_CONNECTION`	`USER_LOGOUT`
`[message] =~ "Administrator-Login"`	`USER_UNCATEGORIZED`	`USER_LOGIN`
`[message] =~ "Change password failed"`	`USER_LOGIN`	`USER_CHANGE_PASSWORD`
`[msg_text] =~ "Login Success"`	`USER_UNCATEGORIZED`	`USER_LOGIN`

Perlu bantuan lain? Dapatkan jawaban dari anggota Komunitas dan profesional Google SecOps.