Cisco ISE 로그 수집
다음에서 지원:
Google secops
SIEM
이 문서에서는 Google Security Operations 전달자를 사용하여 Cisco Identify Services Engine (ISE) 로그를 수집하는 방법을 설명합니다.
자세한 내용은 Google Security Operations에 데이터 수집을 참조하세요.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 CISCO_ISE 수집 라벨이 있는 파서에 적용됩니다.
Cisco ISE 구성
- 관리자 사용자 인증 정보를 사용하여 Cisco ISE 콘솔에 로그인합니다.
- Cisco ISE 콘솔에서 Administration > System > Logging > Remote logging targets를 선택합니다.
- 원격 로깅 타겟 창에서 추가를 클릭합니다. 새 로깅 타겟 창이 표시됩니다.
로깅 타겟 섹션에서 다음 필드의 값을 지정합니다.
필드 설명 이름 Google Security Operations 전달자의 이름입니다. 설명 Google Security Operations 전달자에 대한 설명입니다. 유형 syslog와 같은 원격 로그 대상의 유형입니다. IP 주소 Google Security Operations 전달자의 IP 주소입니다. 대상 유형 TCP syslog 또는 UDP syslog를 선택합니다. 포트 10514와 같은 높은 포트를 사용합니다. 시설 코드 다음 값 중 하나를 지정할 수 있습니다. - LOCAL0 (코드 = 16)
- LOCAL1 (코드 = 17)
- LOCAL2 (코드 = 18)
- LOCAL3 (코드 = 19)
- LOCAL4 (코드 = 20)
- LOCAL5 (코드 = 21)
- LOCAL6 (코드 = 22, 기본값)
- LOCAL7 (코드 = 23)
최대 길이 권장값은 1024입니다. 제출을 클릭합니다. 새 Google Security Operations 전달자 구성이 포함된 원격 로그 타겟 창이 표시됩니다.
Cisco ISE 콘솔에서 Administration(관리) > System(시스템) > Logging(로깅) > Logging categories(로깅 카테고리)를 선택합니다.
로깅 카테고리 창에서 원격 syslog 타겟을 설정할 카테고리를 선택하고 원격 syslog 타겟을 추가합니다.
샘플 카테고리는 AAA 감사, AAA 진단, 회계, 관리 및 운영 감사, 자세 및 클라이언트 프로비저닝 감사, 자세 및 클라이언트 프로비저닝 진단, 프로파일러, 시스템 진단, 시스템 통계입니다.
Cisco Secure ACS 로그를 수집하도록 Google Security Operations 전달자 및 syslog 구성
- SIEM 설정 > 포워더로 이동합니다.
- 새 전달자 추가를 클릭합니다.
- 전달자 이름 필드에 전달자의 고유한 이름을 입력합니다.
- 제출을 클릭합니다. 전달자가 추가되고 수집기 구성 추가 창이 표시됩니다.
- 수집기 이름 필드에 이름을 입력합니다.
- 로그 유형으로 Cisco ISE를 선택합니다.
- 수집기 유형으로 Syslog를 선택합니다.
- 다음 필수 입력 매개변수를 구성합니다.
- 프로토콜: 프로토콜을 지정합니다.
- 주소: 수집기가 상주하고 syslog 데이터를 처리하는 대상 IP 주소 또는 호스트 이름을 지정합니다.
- 포트: 수집기가 상주하고 syslog 데이터를 수신 대기하는 대상 포트를 지정합니다.
- 제출을 클릭합니다.
Google Security Operations 전달자에 대한 자세한 내용은 Google Security Operations 전달자 문서를 참고하세요. 각 전달자 유형의 요구사항은 유형별 전달자 구성을 참고하세요. 포워더를 만들 때 문제가 발생하면 Google Security Operations 지원팀에 문의하세요.
필드 매핑 참조
이 파서는 syslog 메시지에서 Cisco ISE 로그를 추출하고, 데이터를 UDM 형식으로 정규화하고, 추가 컨텍스트로 이벤트를 보강합니다. 인증 성공 및 실패, 관리 감사, 시스템 통계 등 다양한 ISE 로그 카테고리를 처리하여 관련 필드를 UDM 스키마에 매핑하고 세부 분석을 위한 특정 라벨을 추가합니다.
UDM 매핑 테이블
| 로그 필드 | UDM 매핑 | 설명 |
|---|---|---|
AAA_Event |
security_result.detection_fields |
|
AAA_Security_Result.detection_fields |
aaa_service |
|
ac-user-agent |
network.http.user_agent |
|
Acct-Authentic |
security_result.detection_fields |
|
Acct-Delay-Time |
security_result.detection_fields |
|
Acct-Input-Octets |
security_result.detection_fields |
|
Acct-Input-Packets |
security_result.detection_fields |
|
Acct-Output-Octets |
security_result.detection_fields |
|
Acct-Output-Packets |
security_result.detection_fields |
|
Acct-Session-Id |
sec_result.detection_fieldsadditional.fields |
|
Acct-Session-Time |
security_result.detection_fields |
|
Acct-Status-Type |
security_result.detection_fields |
|
Acct-Terminate-Cause |
security_result.detection_fields |
|
AcctReply-Status |
security_result.detection_fields |
|
AcctRequest-Flags |
security_result.detection_fields |
|
ACS_CiscoSecure_Defined_ACL |
security_result.detection_fields |
|
AcsSessionID |
sec_result.detection_fieldsadditional.fields |
|
Action |
security_result.action_details |
|
action_details |
security_result.action_details |
|
ActiveSessionCount |
security_result.detection_fields |
|
ad_identifier |
about.hostname |
|
ad_join_point |
principal.administrative_domain |
|
ad_operating_system |
principal.platform |
|
AD-Account-Name |
principal.user.useridtarget.hostname |
|
AD-Domain |
principal.group.group_display_name |
|
AD-Domain-Controller |
target.administrative_domain |
|
AD-Error-Details |
security_result.description |
|
AD-Forest |
target.resource.attribute.labels |
|
AD-Groups-Names |
principal.user.group_identifiers |
|
AD-Host-Candidate-Identities |
sec_result.detection_fields |
|
AD-IP-Address |
target.iptarget.asset.ip |
|
AD-Log-Id |
sec_result.detection_fields |
|
AD-Site |
target.location.name |
|
AD-Srv-Query |
security_result.detection_fields |
|
AD-Srv-Record |
security_result.detection_fields |
|
AD-User-Candidate-Identities |
principal.user.attribute.labels |
|
AD-User-DNS-Domain |
network.dns_domain |
|
AD-User-Join-Point |
target.hostnametarget.asset.hostname |
|
AD-User-NetBios-Name |
principal.user.attribute.labels |
|
AD-User-Qualified-Name |
principal.user.email_addresses |
|
AD-User-Resolved-DNs |
principal.user.attribute.labels |
|
AD-User-Resolved-Identities |
sec_result.detection_fieldsprincipal.user.userid |
|
AD-User-Resolved-Identities |
||
AD-User-SamAccount-Name |
principal.user.attribute.labels |
|
Admin |
principal.user.userid |
|
AdminInterface |
principal.user.attribute.labels |
|
AdminIPAddress |
principal.ip |
|
AdminName |
principal.user.userid |
|
affected-dn |
target.resource.nametarget.resource.attribute.labelstarget.resource.resource_type |
target.resource.resource_type => "USER" |
Airespace-Wlan-Id |
additional.fields |
|
allowEasyWiredSession |
sec_result.detection_fieldsadditional.fields |
|
AMInstalled |
security_result.detection_fields |
|
assetDeviceType |
principal.resource.name |
|
assetIncidentScore |
security_result.detection_fields |
|
Audit_session_id |
sec_result.detection_fields |
|
AuditSessionId |
sec_result.detection_fields |
|
Authen-Reply-Status |
security_result.detection_fields |
|
AuthenticationIdentityStore |
sec_result.detection_fieldsadditional.fields |
|
AuthenticationMethod |
security_result.detection_fields |
|
AuthenticationResult |
security_result.action |
|
AuthenticationStatus |
security_result.actionsecurity_result.action_details |
|
Author-Reply-Status |
additional.fields |
|
AuthorizationFailureReason |
security_result.detection_fields |
|
AuthorizationPolicyMatchedRule |
security_result.rule_name |
|
av-pair-severity |
security_result.detection_fields |
|
BYODRegistration |
sec_result.detection_fields |
|
CacheUpdateTime |
security_result.detection_fields |
|
Called-Station-ID |
security_result.detection_fieldstarget.iptarget.mac |
|
Calling-Station-ID |
security_result.detection_fieldsprincipal.ipprincipal.mac |
|
cdpCacheAddressType |
security_result.detection_fields |
|
cdpCacheVersion |
security_result.detection_fields |
|
cdpUndefined28 |
security_result.detection_fields |
|
change-set |
additional.fields |
|
Chargeable-User-Identity |
principal.user.attribute.labels |
|
cisco-av-pair |
additional.fieldssecurity_result.detection_fields |
|
CiscoIOS |
security_result.detection_fields |
|
Class |
sec_result.detection_fields |
|
client_type |
additional.fields |
|
client-iif-id |
security_result.detection_fields |
|
ClientLatency |
security_result.detection_fieldsadditional.fields |
|
CmdSet |
target.process.command_line |
|
coa-push |
security_result.detection_fields |
|
CoAClientInstanceDestinationIPAddress |
target.iptarget.asset.ip |
|
coaReason |
security_result.detection_fields |
|
coaSourceComponent |
security_result.detection_fields |
|
coaType |
security_result.detection_fields |
|
Component |
security_result.detection_fields |
|
ConfigChangeData |
security_result.detection_fields |
|
ConfigVersionId |
sec_result.detection_fieldsadditional.fields |
|
connect-progress |
security_result.detection_fields |
|
ConnectionStatus |
sec_result.detection_fields |
|
ConnectionStatus=Failed |
security_result.action ="BLOCK" |
|
Constructeurs |
principal.asset.hardware.manufacturer |
|
counters_kvp |
event.idm.read_only_udm.target.asset.attribute.labels |
|
CPMSessionID |
security_result.detection_fieldsadditional.fieldsnetwork.session_id |
|
CreateTime |
event.idm.read_only_udm.principal.asset.attribute.creation_time |
|
cts_security_group_tag |
security_result.detection_fields |
|
cts-pac-opaque |
security_result.detection_fields |
|
datetime |
metadata.event_timestamp |
|
days_to_expiry |
security_result.detection_fields |
|
DeltaRadiusRequestCount |
security_result.detection_fields |
|
DeltaTacacsRequestCount |
security_result.detection_fields |
|
Description |
security_result.detection_fields |
|
DestinationIPAddress |
target.iptarget.asset.ip |
|
DestinationIPAddress |
target.iptarget.asset.ip |
|
DestinationPort |
target.port |
|
DetailedInfo |
sec_result.description |
|
Device_IP_Address |
principal.ipprincipal.asset.ip |
|
device-mac |
principal.mac |
|
device-platform |
principal.platform |
|
device-platform-version |
principal.platform_version |
|
device-public-mac |
principal.mac |
|
device-type |
principal.asset.hardware.model |
|
device-uid |
principal.resource.product_object_id |
|
device-uid-global |
principal.asset.product_object_id |
|
DeviceIPAddress |
principal.iptarget.ipintermediary.ip |
|
DevicePort |
principal.porttarget.portintermediary.port |
|
DeviceRegistrationStatus |
sec_result.detection_fields |
|
dhcp-class-identifier |
security_result.detection_fields |
|
dhcp-parameter-request-list |
additional.fields |
|
Domaines |
additional.fields |
|
DoReplicate |
security_result.detection_fields |
|
DTLSSupport |
security_result.detection_fields |
|
EAP-Key-Name |
additional.fields |
|
EapTunnel |
additional.fields |
|
EmailAddress |
principal.user.email_addresses |
|
EnableFlag |
additional.fields |
|
EnableSingleConnect |
security_result.detection_fields |
|
End-of-LLDPDU |
security_result.detection_fields |
|
endpoint_id |
principal.macprincipal.asset.mac |
|
EndpointCertainityMetric |
sec_result.detection_fields |
|
EndpointIdentityGroup |
principal.group.group_display_name |
|
EndpointIPAddress |
principal.asset.ip |
|
EndPointMACAddress |
principal.macprincipal.asset.mac |
|
EndPointMatchedProfile |
security_result.about.labelsadditional.fields |
|
EndpointNADAddress |
sec_result.detection_fields |
|
EndpointOUI |
sec_result.detection_fields |
|
EndpointPolicy |
principal.asset.platform_software.platform_versionsecurity_result.detection_fields |
|
EndPointPolicyID |
security_result.detection_fields |
|
EndPointProfilerServer |
target.hostname |
|
EndpointProperty |
sec_result.detection_fields |
|
EndPointSource |
target.resource.attribute.labels |
|
EndpointSourceEvent |
sec_result.detection_fields |
|
EndpointUserAgent |
network.http.user_agent |
|
EndPointVersion |
security_result.detection_fields |
|
epid |
security_result.detection_fields |
|
Error Message |
additional.fields |
|
event |
additional.fields |
|
extended_key_usage_oid |
additional.fields |
|
external_groups |
additional.fields |
|
FailureFlag |
security_result.detection_fields |
|
FailureReason |
sec_result.detection_fieldsadditional.fields |
|
FeedService |
security_result.detection_fields |
|
FirstCollection |
event.idm.read_only_udm.principal.asset.first_discover_time |
|
foreign_ip |
intermediary.ip |
|
FQSubjectName |
security_result.detection_fields |
|
Framed-MTU |
additional.fields |
|
Framed-Protocol |
sec_result.detection_fields |
|
FramedIPAddress |
security_result.detection_fields |
|
group_name |
principal.group.group_display_name |
|
Header-Flags |
security_result.detection_fields |
|
HostIdentityGroup |
additional.fields |
|
IdentityAccessRestricted |
security_result.detection_fields |
|
IdentityGroup |
principal.group.group_display_name |
|
IdentityGroupID |
principal.group.product_object_id |
|
IdentityPolicyMatchedRule |
sec_result.about.labelsadditional.fields |
|
IdentitySelectionMatchedRule |
sec_result.detection_fields |
|
Idle-Timeout |
security_result.detection_fields |
|
idletime |
security_result.detection_fields |
|
IMEI |
target.asset.product_object_id |
|
inacl_rule |
security_result.detection_fields |
|
intermediary_hostname |
intermediary.hostname |
|
ionTimeStamp |
security_result.detection_fields |
|
ios-version |
principal.asset.software.version |
|
ip_inacl_rule |
security_result.detection_fields |
|
ip_source_ip |
principal.ipprincipal.asset.ip |
|
IpAddress |
principal.ipprincipal.asset.ip |
|
IPSEC |
additional.fields |
|
ise_port |
principal.portintermediary.port |
|
ISELocalAddress |
intermediary.ipprincipal.ip |
|
ISEModuleName |
sec_result.detection_fields |
|
ISEPolicySetName |
target.resource.name |
|
ISEServiceName |
sec_result.detection_fields |
|
IsMachineAuthentication |
security_result.detection_fields |
|
IsMachineIdentity |
security_result.detection_fields |
|
IsRegistered |
security_result.detection_fields |
|
Issuer |
about.labels |
|
IsThirdPartyDeviceFlow |
sec_result.detection_fieldsadditional.fields |
|
key_usage |
additional.fields |
|
LastActivity |
event.idm.read_only_udm.principal.asset.last_discover_time |
|
LastNmapScanTime |
sec_result.detection_fields |
|
LicenseType |
additional.fields |
|
lldpManAddress |
security_result.detection_fields |
|
lldpPortDescription |
security_result.detection_fields |
|
lldpPortId |
security_result.detection_fields |
|
lldpSystemCapabilitiesMap |
security_result.detection_fields |
|
lldpSystemDescription |
security_result.detection_fields |
|
lldpTimeToLive |
security_result.detection_fields |
|
lldpUndefined127 |
security_result.detection_fields |
|
localport |
principal.port |
|
Location |
principal.location.country_or_regiontarget.location.country_or_regionsecurity_result.detection_fields |
|
log-id |
metadata.product_log_id |
|
logstash.ingest.host |
intermediary.hostname |
|
logstash.ingest.timestamp |
metadata.ingested_timestamp |
|
logstash.irm_environment |
additional.fields |
|
logstash.irm_region |
additional.fields |
|
logstash.irm_site |
additional.fields |
|
logstash.process.host |
intermediary.hostname |
|
logstash.process.timestamp |
metadata.collected_timestamp |
|
MAC |
principal.mac |
|
mac_UserName |
principal.mac |
|
MacAddress |
principal.mac |
|
MajorVersion |
security_result.detection_fields |
|
Manufacturer |
target.asset.hardware.manufacturer |
|
MatchedPolicy |
security_result.detection_fields |
|
MatchedPolicyID |
security_result.rule_id |
|
MDMFailureReason |
sec_result.detection_fields |
|
MDMServerName |
metadata.product_name |
|
mDNS |
security_result.detection_fields |
|
MESSAGE |
security_result.description |
|
MFCInfoEndpointType |
principal.asset.asset_typeprincipal.asset.attribute.labels |
|
MinorVersion |
security_result.detection_fields |
|
MisconfiguredClientFixReason |
security_result.detection_fields |
|
Model |
target.asset.hardware.model |
|
Model_Name |
principal.asset.attribute.labels |
|
msg_class |
metadata.description |
|
msg_sev |
security_result.severitysec_result.severity_details |
|
msg_text |
metadata.descriptionsecurity_result.severitysec_result.severity_details,security_result.action |
|
msg_text |
security_result.action |
|
NAD Address |
principal.ip |
|
NADAddress |
intermediary.ip |
|
Name |
principal.group.group_identifiers |
|
nas_ip_address |
principal.nat_ip |
|
NAS-Identifier |
principal.labels |
|
NAS-IP-Address |
principal.nat_ipprincipal.ip |
|
NAS-Port |
principal.portprincipal.labels |
|
nas-update |
security_result.detection_fields |
|
NASIdentifier |
security_result.detection_fieldsprincipal.labels |
|
NASPort |
principal.nat_port if valid else to security_result.detection_fieldsprincipal.labels |
|
NASPortId |
security_result.detection_fieldsprincipal.labels |
|
NASPortType |
security_result.detection_fieldsprincipal.labels |
|
Network Device Name |
target.hostnametarget.asset.hostname |
|
network_adapter |
target.resource.name |
|
network_application_protocol_result |
network.application_protocol |
|
NetworkDeviceGroups |
sec_result.detection_fields |
|
NetworkDeviceGroups_IPSEC |
additional.fields |
|
NetworkDeviceProfileId |
principal.asset.asset_id |
|
NetworkDeviceProfileName |
principal.asset.attribute.labels |
|
NmapScanCount |
security_result.detection_fields |
|
ntp_server_1 |
target.iptarget.asset.ip |
|
ntp_server_2 |
target.iptarget.asset.ip |
|
ntp_server_3 |
target.iptarget.asset.ip |
|
ObjectInternalID |
security_result.detection_fields |
|
ObjectName |
security_result.about.labels |
|
ObjectType |
security_result.labout.abelsadditional.fields |
|
operating-system-result |
target.asset.platform_software.platform_version |
target.platform = WINDOWS |
OperatingSystem |
target.asset.platform_software.platform_version |
|
OperationMessageText |
sec_result.detection_fields |
|
OperationMessageText |
about.labels |
|
OUI |
security_result.detection_fields |
|
pad |
security_result.detection_fields |
|
PeerAddress |
target.mactarget.asset.mac |
|
PeerName |
target.hostnametarget.asset.hostname |
|
PhoneNumber |
principal.user.phone_numbers |
|
platform-version |
principal.platform_version |
|
PolicyVersion |
security_result.detection_fields |
|
Port |
principal.porttarget.port |
|
Portal_Name |
additional.fields |
|
PortalName |
target.url |
|
PortalUser |
principal.user.userid |
|
PortalUser_GuestSponsor |
principal.user.attribute.labels |
|
PortalUser_GuestType |
principal.user.attribute.labels |
|
PostureApplicable |
security_result.detection_fields |
|
PostureAssessmentStatus |
sec_result.detection_fieldsadditional.fields |
|
PostureExpiry |
sec_result.detection_fields |
|
PostureStatus |
sec_result.detection_fields |
|
principal_hostname |
principal.hostname |
|
principal_ip |
principal.ipprincipal.asset.ip |
|
profile-name |
security_result.detection_fields |
|
ProfilerServer |
sec_result.detection_fields |
|
Protocol |
security_result.detection_fields |
|
r_ip_or_host |
observer.ipobserver.hostnameintermediary.hostnameintermediary.ip |
|
r_seg_num |
metadata.product_log_id |
|
RadiusFlowType |
security_result.about.labelsadditional.fields |
|
RadiusPacketType |
security_result.detection_fields |
|
received_b |
network.received_bytes |
|
RegisterStatus |
security_result.rule_name |
|
RegistrationTimeStamp |
sec_result.detection_fields |
|
RemoteAddress |
principal.ipprincipal.asset.ip |
|
RequestLatency |
sec_result.detection_fieldsadditional.fields |
|
RequestResponseTypes |
security_result.detection_fields |
|
ResponseTime |
sec_result.detection_fields |
|
SelectedAccessService |
sec_result.detection_fieldsadditional.fields |
|
SelectedAuthenticationIdentityStores |
security_result.detection_fields |
|
SelectedAuthorizationProfiles |
sec_result.detection_fieldsadditional.fields |
|
SelectedShellProfile |
additional.fields |
|
sent_b |
network.sent_bytes |
|
sequence_num |
metadata.product_log_id |
|
Sequence-Number |
security_result.detection_fields |
|
serial_number |
about.labelsnetwork.tls.server.certificate.serial |
|
server_label |
principal.asset.attribute.labels |
|
Service-Type |
sec_result.detection_fieldsadditional.fields |
|
session-id |
network.session_id |
|
Session-Timeout |
network.session_duration |
|
shell_role |
principal.user.attribute.roles.name |
|
ShutdownReason |
security_result.detection_fields |
|
SkipProfiling |
security_result.detection_fields |
|
software_version |
principal.asset.platform_software.platform_version |
|
Source |
principal.ipprincipal.hostname |
|
source_ip |
src.ip |
|
source_port |
src.port |
|
SSID |
additional.fields |
|
start_time |
security_result.first_discovered_time |
|
StaticAssignment |
security_result.detection_fields |
|
StaticGroupAssignment |
sec_result.detection_fields |
|
Step |
additional.fields |
|
StepData |
about.hostnameadditional.fields |
|
StepLatency |
additional.fields |
|
stop_time |
security_result.last_discovered_time |
|
Subject |
about.labels |
|
subject_alt_name |
about.labels |
|
subscriber_command |
security_result.detection_fields |
|
syslog_host |
principal.ipprincipal.asset.ip |
|
SysStatsCpuCount |
target.asset.hardware.cpu_number_cores |
|
SysStatsProcessMemoryMB |
target.asset.hardware.ram |
|
SysStatsUtilizationDiskIO |
target.asset.attribute.labels |
|
SysStatsUtilizationDiskSpace |
target.asset.attribute.labels |
|
SysStatsUtilizationLoadAvg |
target.asset.attribute.labels |
|
SystemDomain |
principal.asset.network_domain |
|
SystemName |
principal.hostnameprincipal.hostname |
|
SystemUser |
principal.user.userid |
|
SystemUserDomain |
principal.administrative_domain |
|
target_email |
target.user.email_addresses |
|
target_group_identifiers |
target.user.group_identifiers |
|
target_hostname |
target.hostname |
|
target_ip |
target.iptarget.asset.ip |
|
target_port |
target.port |
|
target_user |
target.user.userid |
|
target.resource.resource_type |
DEVICE | |
task_id |
additional.fields |
|
TaskId |
security_result.detection_fields |
|
Template_Name |
additional.fields |
|
Termination-Action |
security_result.detection_fields |
|
threshold_value |
additional.fields |
|
TimeToProfile |
sec_result.detection_fields |
|
TLSCipher |
network.tls.cipher |
|
TLSVersion |
network.tls.version |
|
total_certainty_factor |
sec_result.detection_fields |
|
TotalAuthenLatency |
security_result.detection_fieldsadditional.fields |
|
TotalFailedTime |
sec_result.detection_fields |
|
Tunnel-Client-Endpoint |
sec_result.detection_fields |
|
Type |
additional.fields |
|
undefined-151 |
additional.fields |
|
UniqueConnectionIdentifier |
sec_result.detection_fields |
|
UpdateTime |
sec_result.detection_fields |
|
url-redirect |
target.url |
|
url-redirect-acl |
security_result.detection_fields |
|
UseCase |
sec_result.detection_fields |
|
used_space_value |
additional.fields |
|
User |
principal.user.userid |
|
user |
principal.user.userid |
|
user_display_name |
principal.user.user_display_name |
|
User-AD-Last-Fetch-Time |
principal.user.attribute.labels |
|
User-Agent |
network.http.user_agentnetwork.http.parsed_user_agent |
|
User-Fetch-Email |
sec_result.detection_fields |
|
User-Fetch-Last-Name |
principal.user.last_name |
|
User-Fetch-LocalityName |
sec_result.detection_fields |
|
User-Fetch-StateOrProvinceName |
sec_result.detection_fields |
|
User-Name |
target.user.userid |
|
UserAccountControl |
principal.user.attribute.labels |
|
UserAgreementStatus |
security_result.detection_fields |
|
UserName |
target.user.userid |
|
UserType |
principal.user.attribute.labels |
|
UseSingleConnect |
security_result.detection_fields |
|
vlan-id |
security_result.detection_fields |
|
principal.resource.resource_type |
DEVICE에 정적으로 매핑됩니다. |
UDM 매핑 델타 참조
2025년 12월 1일에 Google SecOps에서 Cisco ISE 로그 필드를 UDM 필드에 매핑하는 방식과 이벤트 유형 매핑에 상당한 변경사항이 포함된 새로운 버전의 Cisco ISE 파서를 출시했습니다.
로그 필드 매핑 델타
이제 전역적으로 Cisco ISE 파서에 표시되는 타임스탬프는 원시 로그 필드 Event-Timestamp입니다. 이전에는 Cisco ISE 파서에 헤더의 타임스탬프가 표시되었습니다.
다음 표에는 2025년 12월 1일 이전에 노출된 Cisco ISE 로그-UDM 필드와 그 이후의 매핑 델타가 나와 있습니다 (각각 이전 매핑 및 현재 매핑 열에 나열됨).
| 로그 필드 | 이전 매핑 | 현재 매핑 |
|---|---|---|
Acct-Input-Gigawords |
additional.fields |
network.received_bytes |
Acct-Input-Packets |
security_result.detection_fields |
network.received_packets |
Acct-Output-Gigawords |
additional.fields |
network.sent_bytes |
Acct-Output-Packets |
security_result.detection_fields |
network.sent_packets |
Acct-Session-Id |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
AcsSessionID |
security_result.detection_fieldsadditional.fields |
network.session_idsecurity_result.detection_fields |
AD-Log-Id |
security_result.detection_fields |
metadata.product_log_id |
AD-User-SamAccount-Name |
principal.user.attribute.labels |
principal.user.user_display_name |
allowEasyWiredSession |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
AuthenticationIdentityStore |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Calling-Station-ID |
security_result.detection_fieldsadditional.fieldsprincipal.ip |
security_result.detection_fields |
ClientLatency |
security_result.detection_fieldsadditional.fields |
`security_result.detection_fields |
ConfigVersionId |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
CPMSessionID |
security_result.detection_fieldsadditional.fieldsnetwork.sesson_id |
network.sesson_id |
DeviceIPAdresstarget.ip |
target.ip |
principal.ip |
EndPointMatchedProfile |
security_result.about.labelsadditional.fields |
security_result.about.resource.attribute.labels |
HostIdentityGroup |
additional.fields |
principal.group.group_display_name |
IdentityGroup |
principal.group.group_display_name |
principal.user.group_identifiers |
IdentityPolicyMatchedRule |
security_result.about.labelsadditional.fields |
security_result.rule_labels |
IsThirdPartyDeviceFlow |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Issuer |
about.labels |
network.tls.server.certificate.issuer |
Location |
principal.location.country_or_regiontarget.location.country_or_region,security_result.detection_fields |
principal.location.country_or_region, |
NAS Identifier |
principal.labels |
principal.asset.attribute.labels |
NAS-IP-Address |
principal.nat_ip,principal.ipintermediary.ip |
principal.nat_ip,principal.ip, |
NAS-Port |
principal.labels |
principal.resource.attribute.labels |
NAS-Port-Id |
security_result.detection_fieldsprincipal.labels |
security_result.detection_fields |
NAS-Port-Type |
security_result.detection_fieldsprincipal.labels |
`security_result.detection_fields |
NASIdentifier |
principal.resource.attribute.labels,security_result.detection_fields |
principal.resource.attribute.labels |
NASIdentifier |
security_result.detection_fieldsprincipal.labels |
security_result.detection_fields |
NetworkDeviceGroups_Location |
intermediary.location.country_or_region |
principal.location.country_or_region, |
Object Name |
security_result.about.labels |
security_result.about.resource.attribute.labelsprincipal.mac(MAC인 경우) |
Object Type |
security_result.about.labelsadditional.fields |
security_result.about.resource.attribute.labels |
PostureAssessmentStatus |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Privilege-Level |
additional.fields |
target.user.attribute.permissions.description |
ProfilerServer |
principal.hostnamesecurity_result.detection_fields |
principal.hostname |
RadiusFlowType |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
RequestLatency |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
r_msg_id |
security_result.detection_fields |
metadata.product_log_id |
r_seg_num |
security_result.detection_fieldsadditional.fields |
additional.fields |
r_total_seg |
security_result.detection_fieldsadditional.fields |
additional.fields |
SelectedAccessService |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
SelectedAuthorizationProfiles |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Sequence-Number |
metadata.product_log_id |
security_result.detection_fields(AD-Log-Id이 null이 아닌 경우) |
Server |
principal.asset.attribute.labels |
principal.hostnameprincipal.asset.hostname |
Service-Type |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
serial_number |
about.labels |
about.resource.attribute.labels |
ShutdownReason |
security_result.detection_fields |
security_result.description |
Subject |
about.labels |
about.resource.attribute.labels |
subject_alt_name |
about.labels |
about.resource.attribute.labels |
subject_alt_name |
about.labels |
about.resource.attribute.labels |
TotalAuthenLatency |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
total_certainty_factor |
security_result.detection_fields |
security_result.confidence_score |
UniqueSubjectID |
additional.fields |
principal.user.userid.product_object_id |
Update Time |
security_result.detection_fields |
principal.asset.attribute.last_update_time |
User-Fetch-Email |
security_result.detection_fields |
principal.user.email_addresses |
User-Fetch-LocalityName |
security_result.detection_fields |
principal.location.name |
User-Fetch-StateOrProvinceName |
security_result.detection_fields |
principal.location.state |
User Name when [r_cat_name] =~ "CISE_Passed_Authentications" |
principal.user.useridtarget.user.userid |
principal.user.userid |
wlan-profile-name |
security_result.detection_fields |
principal.user.userid |
이벤트 유형 매핑 델타
일반적으로 분류된 여러 이벤트가 이제 의미 있는 이벤트 유형으로 올바르게 분류됩니다.
다음 표에는 2025년 12월 1일 이전과 이후의 Cisco ISE 이벤트 유형 처리의 차이가 나와 있습니다 (각각 이전 event_type 및 현재 event_type 열에 나열됨).
| 로그 및 로직의 이벤트 ID | 이전 event_type | 현재 event_type |
|---|---|---|
(이벤트 기반) [has_resource] == "true" |
GENERIC_EVENT |
USER_RESOURCE_ACCESS |
[Action] == "Login" |
NETWORK_CONNECTION |
USER_LOGIN |
[PRAAction] =~ "logoff" |
NETWORK_CONNECTION |
USER_LOGOUT |
[message] =~ "Administrator-Login" |
USER_UNCATEGORIZED |
USER_LOGIN |
[message] =~ "Change password failed" |
USER_LOGIN |
USER_CHANGE_PASSWORD |
[msg_text] =~ "Login Success" |
USER_UNCATEGORIZED |
USER_LOGIN |
도움이 더 필요하신가요? 커뮤니티 회원 및 Google SecOps 전문가에게 문의하여 답변을 받으세요.