Raccogli i log di Cisco ISE
Supportato in:
Google secops
SIEM
Questo documento spiega come importare i log di Cisco ISE in Google Security Operations utilizzando Bindplane.
L'analizzatore sintattico estrae i campi dai log in formato syslog e CSV di Cisco ISE. Utilizza grok e/o kv per analizzare il messaggio di log e quindi mappa questi valori al modello UDM (Unified Data Model). Imposta anche i valori predefiniti dei metadati per l'origine e il tipo di evento.
Prima di iniziare
Assicurati di soddisfare i seguenti prerequisiti:
- Un'istanza Google SecOps
- Windows Server 2016 o versioni successive oppure host Linux con
systemd - Se l'agente viene eseguito dietro un proxy, assicurati che le porte del firewall siano aperte in base ai requisiti dell'agente Bindplane
- Accesso privilegiato al portale di amministrazione di Cisco ISE
Recuperare il file di autenticazione importazione di Google SecOps
- Accedi alla console Google SecOps.
- Vai a Impostazioni SIEM > Agenti di raccolta.
- Scarica il file di autenticazione importazione. Salva il file in modo sicuro sul sistema in cui verrà installato Bindplane.
Recuperare l'ID cliente Google SecOps
- Accedi alla console Google SecOps.
- Vai a Impostazioni SIEM > Profilo.
- Copia e salva l'ID cliente dalla sezione Dettagli dell'organizzazione.
Installa l'agente Bindplane
Installa l'agente Bindplane sul sistema operativo Windows o Linux seguendo le istruzioni riportate di seguito.
Installazione di Windows
- Apri Prompt dei comandi o PowerShell come amministratore.
Esegui questo comando:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quietAttendi il completamento dell'installazione.
Verifica l'installazione eseguendo il comando:
sc query observiq-otel-collector
Il servizio dovrebbe essere visualizzato come IN ESECUZIONE.
Installazione di Linux
- Apri un terminale con privilegi di root o sudo.
Esegui questo comando:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.shAttendi il completamento dell'installazione.
Verifica l'installazione eseguendo il comando:
sudo systemctl status observiq-otel-collector
Il servizio dovrebbe essere visualizzato come attivo (in esecuzione).
Risorse aggiuntive per l'installazione
Per ulteriori opzioni di installazione e risoluzione dei problemi, consulta la Guida all'installazione dell'agente Bindplane.
Configura l'agente Bindplane per importare syslog e inviarli a Google SecOps
Individua il file di configurazione
Linux:
sudo nano /etc/bindplane-agent/config.yamlWindows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Modifica il file di configurazione
Sostituisci l'intero contenuto di
config.yamlcon la seguente configurazione:receivers: udplog: listen_address: "0.0.0.0:514" exporters: chronicle/chronicle_w_labels: compression: gzip creds_file_path: '/path/to/ingestion-authentication-file.json' customer_id: 'YOUR_CUSTOMER_ID' endpoint: malachiteingestion-pa.googleapis.com log_type: 'CISCO_ISE' raw_log_field: body ingestion_labels: service: pipelines: logs/source0__chronicle_w_labels-0: receivers: - udplog exporters: - chronicle/chronicle_w_labels
Parametri di configurazione
Sostituisci i seguenti segnaposto:
Configurazione del ricevitore:
udplog: utilizzaudplogper syslog UDP otcplogper syslog TCP0.0.0.0: indirizzo IP su cui ascoltare (0.0.0.0per ascoltare su tutte le interfacce)514: Numero di porta su cui ascoltare (porta syslog standard)
Configurazione dell'esportatore:
creds_file_path: percorso completo del file di autenticazione importazione:- Linux:
/etc/bindplane-agent/ingestion-auth.json - Windows:
C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- Linux:
YOUR_CUSTOMER_ID: l'ID cliente della sezione Recupera ID clienteendpoint: URL endpoint regionale:- Stati Uniti:
malachiteingestion-pa.googleapis.com - Europa:
europe-malachiteingestion-pa.googleapis.com - Asia:
asia-southeast1-malachiteingestion-pa.googleapis.com - Per l'elenco completo, vedi Endpoint regionali.
- Stati Uniti:
log_type: Tipo di log esattamente come appare in Chronicle (CISCO_ISE)
Salvare il file di configurazione
- Dopo la modifica, salva il file:
- Linux: premi
Ctrl+O, poiEntere infineCtrl+X. - Windows: fai clic su File > Salva.
- Linux: premi
Riavvia l'agente Bindplane per applicare le modifiche
Per riavviare l'agente Bindplane in Linux, esegui questo comando:
sudo systemctl restart observiq-otel-collectorVerifica che il servizio sia in esecuzione:
sudo systemctl status observiq-otel-collectorControlla i log per individuare eventuali errori:
sudo journalctl -u observiq-otel-collector -f
Per riavviare l'agente Bindplane in Windows, scegli una delle seguenti opzioni:
Prompt dei comandi o PowerShell come amministratore:
net stop observiq-otel-collector && net start observiq-otel-collectorConsole dei servizi:
- Premi
Win+R, digitaservices.msce premi Invio. - Individua observIQ OpenTelemetry Collector.
Fai clic con il tasto destro del mouse e seleziona Riavvia.
Verifica che il servizio sia in esecuzione:
sc query observiq-otel-collectorControlla i log per individuare eventuali errori:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
- Premi
Configura l'inoltro di Syslog su Cisco ISE
- Accedi al portale Cisco ISE Administration.
- Vai ad Amministrazione > Sistema > Logging > Destinazioni di logging remoto.
- Fai clic su Aggiungi per creare una nuova destinazione di logging remoto.
- Fornisci i seguenti dettagli di configurazione:
- Nome: inserisci un nome descrittivo (ad esempio,
Google-SecOps-Bindplane). - Descrizione: (facoltativo) inserisci una descrizione.
- Indirizzo IP: inserisci l'indirizzo IP dell'host dell'agente Bindplane.
- Porta: inserisci
514. - Codice struttura: seleziona LOCAL6 (o la struttura che preferisci).
- Lunghezza massima: inserisci
8192(o il valore massimo supportato). - Includi allarmi nei messaggi Syslog: seleziona questa opzione se vuoi includere gli allarmi.
- Nome: inserisci un nome descrittivo (ad esempio,
- Fai clic su Salva.
- Vai a Amministrazione > Sistema > Logging > Categorie di logging.
- Seleziona ogni categoria di logging che vuoi inoltrare e fai clic su Modifica:
- AAA Audit
- Diagnostica AAA
- Contabilità
- Controllo amministratore
- Controllo della postura e del provisioning del client
- Profiler
- Diagnostica del sistema
- Nella sezione Destinazioni, sposta la destinazione di logging remoto
Google-SecOps-Bindplaneda Disponibile a Selezionata. - Fai clic su Salva.
- Verifica che i messaggi syslog vengano inviati controllando i log dell'agente Bindplane.
Tabella di mappatura UDM
| Campo log | Mappatura UDM | Remark |
|---|---|---|
| AAA_Event | security_result.detection_fields | |
| AAA_Security_Result.detection_fields | aaa_service | |
| ac-user-agent | network.http.user_agent | |
| Acct-Authentic | security_result.detection_fields | |
| Acct-Delay-Time | security_result.detection_fields | |
| Acct-Input-Octets | security_result.detection_fields | |
| Acct-Input-Packets | security_result.detection_fields | |
| Acct-Output-Octets | security_result.detection_fields | |
| Acct-Output-Packets | security_result.detection_fields | |
| Acct-Session-Id | sec_result.detection_fields, additional.fields | |
| Acct-Session-Time | security_result.detection_fields | |
| Acct-Status-Type | security_result.detection_fields | |
| Acct-Terminate-Cause | security_result.detection_fields | |
| AcctReply-Status | security_result.detection_fields | |
| AcctRequest-Flags | security_result.detection_fields | |
| ACS_CiscoSecure_Defined_ACL | security_result.detection_fields | |
| AcsSessionID | sec_result.detection_fields, additional.fields | |
| Azione | security_result.action_details | |
| action_details | security_result.action_details | |
| ActiveSessionCount | security_result.detection_fields | |
| ad_identifier | about.hostname | |
| ad_join_point | principal.administrative_domain | |
| ad_operating_system | principal.platform | |
| AD-Account-Name | principal.user.userid, target.hostname | |
| AD-Domain | principal.group.group_display_name | |
| AD-Domain-Controller | target.administrative_domain | |
| AD-Error-Details | security_result.description | |
| AD-Forest | target.resource.attribute.labels | |
| AD-Groups-Names | principal.user.group_identifiers | |
| AD-Host-Candidate-Identities | sec_result.detection_fields | |
| AD-IP-Address | target.ip, target.asset.ip | |
| AD-Log-Id | sec_result.detection_fields | |
| AD-Site | target.location.name | |
| AD-Srv-Query | security_result.detection_fields | |
| AD-Srv-Record | security_result.detection_fields | |
| AD-User-Candidate-Identities | principal.user.attribute.labels | |
| AD-User-DNS-Domain | network.dns_domain | |
| AD-User-Join-Point | target.hostname, target.asset.hostname | |
| AD-User-NetBios-Name | principal.user.attribute.labels | |
| AD-User-Qualified-Name | principal.user.email_addresses | |
| AD-User-Resolved-DNs | principal.user.attribute.labels | |
| AD-User-Resolved-Identities | sec_result.detection_fields, principal.user.userid | |
| AD-User-Resolved-Identities | ||
| AD-User-SamAccount-Name | principal.user.attribute.labels | |
| Amministratore | principal.user.userid | |
| AdminInterface | principal.user.attribute.labels | |
| AdminIPAddress | principal.ip | |
| AdminName | principal.user.userid | |
| affected-dn | target.resource.nametarget.resource.attribute.labels, target.resource.resource_type | target.resource.resource_type => "USER" |
| Airespace-Wlan-Id | additional.fields | |
| allowEasyWiredSession | sec_result.detection_fields, additional.fields | |
| AMInstalled | security_result.detection_fields | |
| assetDeviceType | principal.resource.name | |
| assetIncidentScore | security_result.detection_fields | |
| Audit_session_id | sec_result.detection_fields | |
| AuditSessionId | sec_result.detection_fields | |
| Authen-Reply-Status | security_result.detection_fields | |
| AuthenticationIdentityStore | sec_result.detection_fields, additional.fields | |
| AuthenticationMethod | security_result.detection_fields | |
| AuthenticationResult | security_result.action | |
| AuthenticationStatus | security_result.action, security_result.action_details | |
| Author-Reply-Status | additional.fields | |
| AuthorizationFailureReason | security_result.detection_fields | |
| AuthorizationPolicyMatchedRule | security_result.rule_name | |
| av-pair-severity | security_result.detection_fields | |
| BYODRegistration | sec_result.detection_fields | |
| CacheUpdateTime | security_result.detection_fields | |
| Called-Station-ID | security_result.detection_fields, target.ip, target.mac | |
| Calling-Station-ID | security_result.detection_fields, principal.ip, principal.mac | |
| cdpCacheAddressType | security_result.detection_fields | |
| cdpCacheVersion | security_result.detection_fields | |
| cdpUndefined28 | security_result.detection_fields | |
| change-set | additional.fields | |
| Chargeable-User-Identity | principal.user.attribute.labels | |
| cisco-av-pair | additional.fields, security_result.detection_fields | |
| CiscoIOS | security_result.detection_fields | |
| Classe | sec_result.detection_fields | |
| client_type | additional.fields | |
| client-iif-id | security_result.detection_fields | |
| ClientLatency | security_result.detection_fields, additional.fields | |
| CmdSet | target.process.command_line | |
| coa-push | security_result.detection_fields | |
| CoAClientInstanceDestinationIPAddress | target.ip, target.asset.ip | |
| coaReason | security_result.detection_fields | |
| coaSourceComponent | security_result.detection_fields | |
| coaType | security_result.detection_fields | |
| Componente | security_result.detection_fields | |
| ConfigChangeData | security_result.detection_fields | |
| ConfigVersionId | sec_result.detection_fields, additional.fields | |
| connettiti-avanza | security_result.detection_fields | |
| ConnectionStatus | sec_result.detection_fields | |
| ConnectionStatus=Failed | security_result.action ="BLOCK" | |
| Constructeurs | principal.asset.hardware.manufacturer | |
| counters_kvp | event.idm.read_only_udm.target.asset.attribute.labels | |
| CPMSessionID | security_result.detection_fields, additional.fields, network.session_id | |
| CreateTime | event.idm.read_only_udm.principal.asset.attribute.creation_time | |
| cts_security_group_tag | security_result.detection_fields | |
| cts-pac-opaque | security_result.detection_fields | |
| dataora | metadata.event_timestamp | |
| days_to_expiry | security_result.detection_fields | |
| DeltaRadiusRequestCount | security_result.detection_fields | |
| DeltaTacacsRequestCount | security_result.detection_fields | |
| Descrizione | security_result.detection_fields | |
| DestinationIPAddress | target.ip, target.asset.ip | |
| DestinationIPAddress | target.ip, target.asset.ip | |
| DestinationPort | target.port | |
| DetailedInfo | sec_result.description | |
| Device_IP_Address | principal.ip, principal.asset.ip | |
| device-mac | principal.mac | |
| device-platform | principal.platform | |
| device-platform-version | principal.platform_version | |
| device-public-mac | principal.mac | |
| device-type | principal.asset.hardware.model | |
| device-uid | principal.resource.product_object_id | |
| device-uid-global | principal.asset.product_object_id | |
| DeviceIPAddress | principal.ip, target.ip, intermediary.ip | |
| DevicePort | principal.port, target.port, intermediary.port | |
| DeviceRegistrationStatus | sec_result.detection_fields | |
| dhcp-class-identifier | security_result.detection_fields | |
| dhcp-parameter-request-list | additional.fields | |
| Domaines | additional.fields | |
| DoReplicate | security_result.detection_fields | |
| DTLSSupport | security_result.detection_fields | |
| EAP-Key-Name | additional.fields | |
| EapTunnel | additional.fields | |
| EmailAddress | principal.user.email_addresses | |
| EnableFlag | additional.fields | |
| EnableSingleConnect | security_result.detection_fields | |
| End-of-LLDPDU | security_result.detection_fields | |
| endpoint_id (ID endpoint) | principal.mac, principal.asset.mac | |
| EndpointCertainityMetric | sec_result.detection_fields | |
| EndpointIdentityGroup | principal.group.group_display_name | |
| EndpointIPAddress | principal.asset.ip | |
| EndPointMACAddress | principal.mac, principal.asset.mac | |
| EndPointMatchedProfile | security_result.about.labels, additional.fields | |
| EndpointNADAddress | sec_result.detection_fields | |
| EndpointOUI | sec_result.detection_fields | |
| EndpointPolicy | principal.asset.platform_software.platform_version, security_result.detection_fields | |
| EndPointPolicyID | security_result.detection_fields | |
| EndPointProfilerServer | target.hostname | |
| EndpointProperty | sec_result.detection_fields | |
| EndPointSource | target.resource.attribute.labels | |
| EndpointSourceEvent | sec_result.detection_fields | |
| EndpointUserAgent | network.http.user_agent | |
| EndPointVersion | security_result.detection_fields | |
| epid | security_result.detection_fields | |
| Messaggio di errore | additional.fields | |
| evento | additional.fields | |
| extended_key_usage_oid | additional.fields | |
| external_groups | additional.fields | |
| FailureFlag | security_result.detection_fields | |
| FailureReason | sec_result.detection_fields, additional.fields | |
| FeedService | security_result.detection_fields | |
| FirstCollection | event.idm.read_only_udm.principal.asset.first_discover_time | |
| foreign_ip | intermediary.ip | |
| FQSubjectName | security_result.detection_fields | |
| Framed-MTU | additional.fields | |
| Framed-Protocol | sec_result.detection_fields | |
| FramedIPAddress | security_result.detection_fields | |
| group_name | principal.group.group_display_name | |
| Header-Flags | security_result.detection_fields | |
| HostIdentityGroup | additional.fields | |
| IdentityAccessRestricted | security_result.detection_fields | |
| IdentityGroup | principal.group.group_display_name | |
| IdentityGroupID | principal.group.product_object_id | |
| IdentityPolicyMatchedRule | sec_result.about.labels, additional.fields | |
| IdentitySelectionMatchedRule | sec_result.detection_fields | |
| Idle-Timeout | security_result.detection_fields | |
| idletime | security_result.detection_fields | |
| IMEI | target.asset.product_object_id | |
| inacl_rule | security_result.detection_fields | |
| intermediary_hostname | intermediary.hostname | |
| ionTimeStamp | security_result.detection_fields | |
| ios-version | principal.asset.software.version | |
| ip_inacl_rule | security_result.detection_fields | |
| ip_source_ip | principal.ip, principal.asset.ip | |
| IpAddress | principal.ip, principal.asset.ip | |
| IPSEC | additional.fields | |
| ise_port | principal.port, intermediary.port | |
| ISELocalAddress | intermediary.ip, principal.ip | |
| ISEModuleName | sec_result.detection_fields | |
| ISEPolicySetName | target.resource.name | |
| ISEServiceName | sec_result.detection_fields | |
| IsMachineAuthentication | security_result.detection_fields | |
| IsMachineIdentity | security_result.detection_fields | |
| IsRegistered | security_result.detection_fields | |
| Emittente | about.labels | |
| IsThirdPartyDeviceFlow | sec_result.detection_fields, additional.fields | |
| key_usage | additional.fields | |
| LastActivity | event.idm.read_only_udm.principal.asset.last_discover_time | |
| LastNmapScanTime | sec_result.detection_fields | |
| LicenseType | additional.fields | |
| lldpManAddress | security_result.detection_fields | |
| lldpPortDescription | security_result.detection_fields | |
| lldpPortId | security_result.detection_fields | |
| lldpSystemCapabilitiesMap | security_result.detection_fields | |
| lldpSystemDescription | security_result.detection_fields | |
| lldpTimeToLive | security_result.detection_fields | |
| lldpUndefined127 | security_result.detection_fields | |
| localport | principal.port | |
| Località | principal.location.country_or_region, target.location.country_or_region, security_result.detection_fields | |
| log-id | metadata.product_log_id | |
| logstash.ingest.host | intermediary.hostname | |
| logstash.ingest.timestamp | metadata.ingested_timestamp | |
| logstash.irm_environment | additional.fields | |
| logstash.irm_region | additional.fields | |
| logstash.irm_site | additional.fields | |
| logstash.process.host | intermediary.hostname | |
| logstash.process.timestamp | metadata.collected_timestamp | |
| MAC | principal.mac | |
| mac_UserName | principal.mac | |
| MacAddress | principal.mac | |
| MajorVersion | security_result.detection_fields | |
| Produttore | target.asset.hardware.manufacturer | |
| MatchedPolicy | security_result.detection_fields | |
| MatchedPolicyID | security_result.rule_id | |
| MDMFailureReason | sec_result.detection_fields | |
| MDMServerName | metadata.product_name | |
| mDNS | security_result.detection_fields | |
| MESSAGE | security_result.description | |
| MFCInfoEndpointType | principal.asset.asset_type, principal.asset.attribute.labels | |
| MinorVersion | security_result.detection_fields | |
| MisconfiguredClientFixReason | security_result.detection_fields | |
| Modello | target.asset.hardware.model | |
| Model_Name | principal.asset.attribute.labels | |
| msg_class | metadata.description | |
| msg_sev | security_result.severity, sec_result.severity_details | |
| msg_text | metadata.description, security_result.severity, sec_result.severity_details,security_result.action | |
| msg_text | security_result.action | |
| Indirizzo NAD | principal.ip | |
| NADAddress | intermediary.ip | |
| Nome | principal.group.group_identifiers | |
| nas_ip_address | principal.nat_ip | |
| NAS-Identifier | principal.labels | |
| NAS-IP-Address | principal.nat_ip, principal.ip | |
| NAS-Port | principal.port, principal.labels | |
| nas-update | security_result.detection_fields | |
| NASIdentifier | security_result.detection_fields, principal.labels | |
| NASPort | principal.nat_port if valid else to security_result.detection_fields, principal.labels | |
| NASPortId | security_result.detection_fields, principal.labels | |
| NASPortType | security_result.detection_fields, principal.labels | |
| Nome del dispositivo di rete | target.hostname, target.asset.hostname | |
| network_adapter | target.resource.name | |
| network_application_protocol_result | network.application_protocol | |
| NetworkDeviceGroups | sec_result.detection_fields | |
| NetworkDeviceGroups_IPSEC | additional.fields | |
| NetworkDeviceProfileId | principal.asset.asset_id | |
| NetworkDeviceProfileName | principal.asset.attribute.labels | |
| NmapScanCount | security_result.detection_fields | |
| ntp_server_1 | target.ip, target.asset.ip | |
| ntp_server_2 | target.ip, target.asset.ip | |
| ntp_server_3 | target.ip, target.asset.ip | |
| ObjectInternalID | security_result.detection_fields | |
| ObjectName | security_result.about.labels | |
| ObjectType | security_result.labout.abels, additional.fields | |
| operating-system-result | target.asset.platform_software.platform_version | target.platform = WINDOWS |
| OperatingSystem | target.asset.platform_software.platform_version | |
| OperationMessageText | sec_result.detection_fields | |
| OperationMessageText | about.labels | |
| OUI | security_result.detection_fields | |
| pad | security_result.detection_fields | |
| PeerAddress | target.mac, target.asset.mac | |
| PeerName | target.hostname, target.asset.hostname | |
| PhoneNumber | principal.user.phone_numbers | |
| platform-version | principal.platform_version | |
| PolicyVersion | security_result.detection_fields | |
| Porta | principal.port, target.port | |
| Portal_Name | additional.fields | |
| PortalName | target.url | |
| PortalUser | principal.user.userid | |
| PortalUser_GuestSponsor | principal.user.attribute.labels | |
| PortalUser_GuestType | principal.user.attribute.labels | |
| PostureApplicable | security_result.detection_fields | |
| PostureAssessmentStatus | sec_result.detection_fields, additional.fields | |
| PostureExpiry | sec_result.detection_fields | |
| PostureStatus | sec_result.detection_fields | |
| principal_hostname | principal.hostname | |
| principal_ip | principal.ip, principal.asset.ip | |
| profile-name | security_result.detection_fields | |
| ProfilerServer | sec_result.detection_fields | |
| Protocollo | security_result.detection_fields | |
| r_ip_or_host | observer.ip, observer.hostname, intermediary.hostname, intermediary.ip | |
| r_seg_num | metadata.product_log_id | |
| RadiusFlowType | security_result.about.labels, additional.fields | |
| RadiusPacketType | security_result.detection_fields | |
| received_b | network.received_bytes | |
| RegisterStatus | security_result.rule_name | |
| RegistrationTimeStamp | sec_result.detection_fields | |
| RemoteAddress | principal.ip, principal.asset.ip | |
| RequestLatency | sec_result.detection_fields, additional.fields | |
| RequestResponseTypes | security_result.detection_fields | |
| ResponseTime | sec_result.detection_fields | |
| SelectedAccessService | sec_result.detection_fields, additional.fields | |
| SelectedAuthenticationIdentityStores | security_result.detection_fields | |
| SelectedAuthorizationProfiles | sec_result.detection_fields, additional.fields | |
| SelectedShellProfile | additional.fields | |
| sent_b | network.sent_bytes | |
| sequence_num | metadata.product_log_id | |
| Sequence-Number | security_result.detection_fields | |
| serial_number | about.labels, network.tls.server.certificate.serial | |
| server_label | principal.asset.attribute.labels | |
| Service-Type | sec_result.detection_fields, additional.fields | |
| session-id | network.session_id | |
| Session-Timeout | network.session_duration | |
| shell_role | principal.user.attribute.roles.name | |
| ShutdownReason | security_result.detection_fields | |
| SkipProfiling | security_result.detection_fields | |
| software_version | principal.asset.platform_software.platform_version | |
| Origine | principal.ip, principal.hostname | |
| source_ip | src.ip | |
| source_port | src.port | |
| SSID | additional.fields | |
| start_time | security_result.first_discovered_time | |
| StaticAssignment | security_result.detection_fields | |
| StaticGroupAssignment | sec_result.detection_fields | |
| Passaggio | additional.fields | |
| StepData | about.hostname, additional.fields | |
| StepLatency | additional.fields | |
| stop_time | security_result.last_discovered_time | |
| Oggetto | about.labels | |
| subject_alt_name | about.labels | |
| subscriber_command | security_result.detection_fields | |
| syslog_host | principal.ip, principal.asset.ip | |
| SysStatsCpuCount | target.asset.hardware.cpu_number_cores | |
| SysStatsProcessMemoryMB | target.asset.hardware.ram | |
| SysStatsUtilizationDiskIO | target.asset.attribute.labels | |
| SysStatsUtilizationDiskSpace | target.asset.attribute.labels | |
| SysStatsUtilizationLoadAvg | target.asset.attribute.labels | |
| SystemDomain | principal.asset.network_domain | |
| SystemName | principal.hostname, principal.hostname | |
| SystemUser | principal.user.userid | |
| SystemUserDomain | principal.administrative_domain | |
| target_email | target.user.email_addresses | |
| target_group_identifiers | target.user.group_identifiers | |
| target_hostname | target.hostname | |
| target_ip | target.ip, target.asset.ip | |
| target_port | target.port | |
| target_user | target.user.userid | |
| target.resource.resource_type | DISPOSITIVO | |
| task_id | additional.fields | |
| TaskId | security_result.detection_fields | |
| Template_Name | additional.fields | |
| Termination-Action | security_result.detection_fields | |
| threshold_value | additional.fields | |
| TimeToProfile | sec_result.detection_fields | |
| TLSCipher | network.tls.cipher | |
| TLSVersion | network.tls.version | |
| total_certainty_factor | sec_result.detection_fields | |
| TotalAuthenLatency | security_result.detection_fields, additional.fields | |
| TotalFailedTime | sec_result.detection_fields | |
| Tunnel-Client-Endpoint | sec_result.detection_fields | |
| Tipo | additional.fields | |
| undefined-151 | additional.fields | |
| UniqueConnectionIdentifier | sec_result.detection_fields | |
| UpdateTime | sec_result.detection_fields | |
| url-redirect | target.url | |
| url-redirect-acl | security_result.detection_fields | |
| UseCase | sec_result.detection_fields | |
| used_space_value | additional.fields | |
| Utente | principal.user.userid | |
| utente | principal.user.userid | |
| user_display_name | principal.user.user_display_name | |
| User-AD-Last-Fetch-Time | principal.user.attribute.labels | |
| User-Agent | network.http.user_agent, network.http.parsed_user_agent | |
| User-Fetch-Email | sec_result.detection_fields | |
| User-Fetch-Last-Name | principal.user.last_name | |
| User-Fetch-LocalityName | sec_result.detection_fields | |
| User-Fetch-StateOrProvinceName | sec_result.detection_fields | |
| User-Name | target.user.userid | |
| UserAccountControl | principal.user.attribute.labels | |
| UserAgreementStatus | security_result.detection_fields | |
| Nome utente | target.user.userid | |
| UserType | principal.user.attribute.labels | |
| UseSingleConnect | security_result.detection_fields | |
| vlan-id | security_result.detection_fields | |
| principal.resource.resource_type | Mappato staticamente su DEVICE. |
Hai bisogno di ulteriore assistenza? Ricevi risposte dai membri della community e dai professionisti di Google SecOps.