Esta página se ha traducido con Cloud Translation API.

Recoger registros de Cisco ISE

Disponible en:

SecOps de Google SIEM

En este documento se describe cómo puede recoger registros de Cisco Identity Services Engine (ISE) mediante un reenviador de Google Security Operations.

Para obtener más información, consulta Ingestión de datos en Google Security Operations.

Una etiqueta de ingestión identifica el analizador que normaliza los datos de registro sin procesar en formato UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de ingestión CISCO_ISE.

Configurar Cisco ISE

Inicia sesión en la consola de Cisco ISE con las credenciales de administrador.
En la consola de Cisco ISE, selecciona Administración > Sistema > Registro > Destinos de registro remoto.
En la ventana Destinos de registro remoto, haz clic en Añadir. Se abrirá la ventana Nuevo destino de registro.

En la sección Destino de registro, especifique los valores de los siguientes campos:

Campo	Descripción
Nombre	Nombre del reenviador de Google Security Operations.
Descripción	Descripción del reenviador de Google Security Operations.
Tipo	Tipo de destino del registro remoto, como syslog.
Dirección IP	Dirección IP del reenviador de Google Security Operations.
Tipo de destino	Selecciona Syslog TCP o Syslog UDP.
Puerto	Usa un puerto alto, como 10514.
Código de centro	Puedes especificar uno de los siguientes valores: LOCAL0 (código = 16) LOCAL1 (código = 17) LOCAL2 (código = 18) LOCAL3 (código = 19) LOCAL4 (código = 20) LOCAL5 (código = 21) LOCAL6 (código = 22; predeterminado) LOCAL7 (código = 23)
Longitud máxima	El valor recomendado es 1024.

Haz clic en Enviar. Aparecerá la ventana Destinos de registro remotos con la nueva configuración del reenviador de Google Security Operations.
En la consola de Cisco ISE, selecciona Administración > Sistema > Registro > Categorías de registro.
En la ventana Categorías de registro, seleccione las categorías para las que quiera definir el destino syslog remoto y añádalo.

Estas son las categorías de ejemplo: auditorías AAA, diagnósticos AAA, contabilidad, auditoría administrativa y operativa, auditoría de aprovisionamiento de postura y cliente, diagnósticos de aprovisionamiento de postura y cliente, creación de perfiles, diagnósticos del sistema y estadísticas del sistema.

Configurar el reenviador de Google Security Operations y syslog para ingerir registros de Cisco Secure ACS

Ve a Configuración de SIEM > Reenviadores.
Haz clic en Añadir nuevo remitente.
En el campo Nombre del reenviador, introduce un nombre único para el reenviador.
Haz clic en Enviar. Se añade el reenviador y se muestra la ventana Añadir configuración de recopilador.
En el campo Nombre del recolector, escribe un nombre.
Selecciona Cisco ISE como Tipo de registro.
Seleccione Syslog como Tipo de recolector.
Configure los siguientes parámetros de entrada obligatorios:
- Protocolo: especifica el protocolo.
- Dirección: especifica la dirección IP o el nombre de host de destino donde reside el recolector y las direcciones de los datos de syslog.
- Puerto: especifica el puerto de destino en el que reside el recopilador y en el que escucha los datos de syslog.
Haz clic en Enviar.

Para obtener más información sobre los reenviadores de Google Security Operations, consulta la documentación de los reenviadores de Google Security Operations. Para obtener información sobre los requisitos de cada tipo de reenviador, consulta Configuración de reenviadores por tipo. Si tienes problemas al crear reenviadores, ponte en contacto con el equipo de Asistencia de Operaciones de Seguridad de Google.

Referencia de asignación de campos

Este analizador extrae los registros de Cisco ISE de los mensajes syslog, normaliza los datos en formato UDM y enriquece el evento con contexto adicional. Gestiona varias categorías de registros de ISE, como los éxitos y los fallos de autenticación, las auditorías administrativas y las estadísticas del sistema, entre otras. Asigna los campos relevantes al esquema de UDM y añade etiquetas específicas para realizar análisis detallados.

Tabla de asignación de UDM

Campo de registro	Asignación de UDM	Observación
`AAA_Event`	`security_result.detection_fields`
`AAA_Security_Result.detection_fields`	`aaa_service`
`ac-user-agent`	`network.http.user_agent`
`Acct-Authentic`	`security_result.detection_fields`
`Acct-Delay-Time`	`security_result.detection_fields`
`Acct-Input-Octets`	`security_result.detection_fields`
`Acct-Input-Packets`	`security_result.detection_fields`
`Acct-Output-Octets`	`security_result.detection_fields`
`Acct-Output-Packets`	`security_result.detection_fields`
`Acct-Session-Id`	`sec_result.detection_fields` `additional.fields`
`Acct-Session-Time`	`security_result.detection_fields`
`Acct-Status-Type`	`security_result.detection_fields`
`Acct-Terminate-Cause`	`security_result.detection_fields`
`AcctReply-Status`	`security_result.detection_fields`
`AcctRequest-Flags`	`security_result.detection_fields`
`ACS_CiscoSecure_Defined_ACL`	`security_result.detection_fields`
`AcsSessionID`	`sec_result.detection_fields` `additional.fields`
`Action`	`security_result.action_details`
`action_details`	`security_result.action_details`
`ActiveSessionCount`	`security_result.detection_fields`
`ad_identifier`	`about.hostname`
`ad_join_point`	`principal.administrative_domain`
`ad_operating_system`	`principal.platform`
`AD-Account-Name`	`principal.user.userid` `target.hostname`
`AD-Domain`	`principal.group.group_display_name`
`AD-Domain-Controller`	`target.administrative_domain`
`AD-Error-Details`	`security_result.description`
`AD-Forest`	`target.resource.attribute.labels`
`AD-Groups-Names`	`principal.user.group_identifiers`
`AD-Host-Candidate-Identities`	`sec_result.detection_fields`
`AD-IP-Address`	`target.ip` `target.asset.ip`
`AD-Log-Id`	`sec_result.detection_fields`
`AD-Site`	`target.location.name`
`AD-Srv-Query`	`security_result.detection_fields`
`AD-Srv-Record`	`security_result.detection_fields`
`AD-User-Candidate-Identities`	`principal.user.attribute.labels`
`AD-User-DNS-Domain`	`network.dns_domain`
`AD-User-Join-Point`	`target.hostname` `target.asset.hostname`
`AD-User-NetBios-Name`	`principal.user.attribute.labels`
`AD-User-Qualified-Name`	`principal.user.email_addresses`
`AD-User-Resolved-DNs`	`principal.user.attribute.labels`
`AD-User-Resolved-Identities`	`sec_result.detection_fields` `principal.user.userid`
`AD-User-Resolved-Identities`
`AD-User-SamAccount-Name`	`principal.user.attribute.labels`
`Admin`	`principal.user.userid`
`AdminInterface`	`principal.user.attribute.labels`
`AdminIPAddress`	`principal.ip`
`AdminName`	`principal.user.userid`
`affected-dn`	`target.resource.nametarget.resource.attribute.labels` `target.resource.resource_type`	`target.resource.resource_type` => `"USER"`
`Airespace-Wlan-Id`	`additional.fields`
`allowEasyWiredSession`	`sec_result.detection_fields` `additional.fields`
`AMInstalled`	`security_result.detection_fields`
`assetDeviceType`	`principal.resource.name`
`assetIncidentScore`	`security_result.detection_fields`
`Audit_session_id`	`sec_result.detection_fields`
`AuditSessionId`	`sec_result.detection_fields`
`Authen-Reply-Status`	`security_result.detection_fields`
`AuthenticationIdentityStore`	`sec_result.detection_fields` `additional.fields`
`AuthenticationMethod`	`security_result.detection_fields`
`AuthenticationResult`	`security_result.action`
`AuthenticationStatus`	`security_result.action` `security_result.action_details`
`Author-Reply-Status`	`additional.fields`
`AuthorizationFailureReason`	`security_result.detection_fields`
`AuthorizationPolicyMatchedRule`	`security_result.rule_name`
`av-pair-severity`	`security_result.detection_fields`
`BYODRegistration`	`sec_result.detection_fields`
`CacheUpdateTime`	`security_result.detection_fields`
`Called-Station-ID`	`security_result.detection_fields` `target.ip` `target.mac`
`Calling-Station-ID`	`security_result.detection_fields` `principal.ip` `principal.mac`
`cdpCacheAddressType`	`security_result.detection_fields`
`cdpCacheVersion`	`security_result.detection_fields`
`cdpUndefined28`	`security_result.detection_fields`
`change-set`	`additional.fields`
`Chargeable-User-Identity`	`principal.user.attribute.labels`
`cisco-av-pair`	`additional.fields` `security_result.detection_fields`
`CiscoIOS`	`security_result.detection_fields`
`Class`	`sec_result.detection_fields`
`client_type`	`additional.fields`
`client-iif-id`	`security_result.detection_fields`
`ClientLatency`	`security_result.detection_fields` `additional.fields`
`CmdSet`	`target.process.command_line`
`coa-push`	`security_result.detection_fields`
`CoAClientInstanceDestinationIPAddress`	`target.ip` `target.asset.ip`
`coaReason`	`security_result.detection_fields`
`coaSourceComponent`	`security_result.detection_fields`
`coaType`	`security_result.detection_fields`
`Component`	`security_result.detection_fields`
`ConfigChangeData`	`security_result.detection_fields`
`ConfigVersionId`	`sec_result.detection_fields` `additional.fields`
`connect-progress`	`security_result.detection_fields`
`ConnectionStatus`	`sec_result.detection_fields`
`ConnectionStatus=Failed`	`security_result.action ="BLOCK"`
`Constructeurs`	`principal.asset.hardware.manufacturer`
`counters_kvp`	`event.idm.read_only_udm.target.asset.attribute.labels`
`CPMSessionID`	`security_result.detection_fields` `additional.fields` `network.session_id`
`CreateTime`	`event.idm.read_only_udm.principal.asset.attribute.creation_time`
`cts_security_group_tag`	`security_result.detection_fields`
`cts-pac-opaque`	`security_result.detection_fields`
`datetime`	`metadata.event_timestamp`
`days_to_expiry`	`security_result.detection_fields`
`DeltaRadiusRequestCount`	`security_result.detection_fields`
`DeltaTacacsRequestCount`	`security_result.detection_fields`
`Description`	`security_result.detection_fields`
`DestinationIPAddress`	`target.ip` `target.asset.ip`
`DestinationIPAddress`	`target.ip` `target.asset.ip`
`DestinationPort`	`target.port`
`DetailedInfo`	`sec_result.description`
`Device_IP_Address`	`principal.ip` `principal.asset.ip`
`device-mac`	`principal.mac`
`device-platform`	`principal.platform`
`device-platform-version`	`principal.platform_version`
`device-public-mac`	`principal.mac`
`device-type`	`principal.asset.hardware.model`
`device-uid`	`principal.resource.product_object_id`
`device-uid-global`	`principal.asset.product_object_id`
`DeviceIPAddress`	`principal.ip` `target.ip` `intermediary.ip`
`DevicePort`	`principal.port` `target.port` `intermediary.port`
`DeviceRegistrationStatus`	`sec_result.detection_fields`
`dhcp-class-identifier`	`security_result.detection_fields`
`dhcp-parameter-request-list`	`additional.fields`
`Domaines`	`additional.fields`
`DoReplicate`	`security_result.detection_fields`
`DTLSSupport`	`security_result.detection_fields`
`EAP-Key-Name`	`additional.fields`
`EapTunnel`	`additional.fields`
`EmailAddress`	`principal.user.email_addresses`
`EnableFlag`	`additional.fields`
`EnableSingleConnect`	`security_result.detection_fields`
`End-of-LLDPDU`	`security_result.detection_fields`
`endpoint_id`	`principal.mac` `principal.asset.mac`
`EndpointCertainityMetric`	`sec_result.detection_fields`
`EndpointIdentityGroup`	`principal.group.group_display_name`
`EndpointIPAddress`	`principal.asset.ip`
`EndPointMACAddress`	`principal.mac` `principal.asset.mac`
`EndPointMatchedProfile`	`security_result.about.labels` `additional.fields`
`EndpointNADAddress`	`sec_result.detection_fields`
`EndpointOUI`	`sec_result.detection_fields`
`EndpointPolicy`	`principal.asset.platform_software.platform_version` `security_result.detection_fields`
`EndPointPolicyID`	`security_result.detection_fields`
`EndPointProfilerServer`	`target.hostname`
`EndpointProperty`	`sec_result.detection_fields`
`EndPointSource`	`target.resource.attribute.labels`
`EndpointSourceEvent`	`sec_result.detection_fields`
`EndpointUserAgent`	`network.http.user_agent`
`EndPointVersion`	`security_result.detection_fields`
`epid`	`security_result.detection_fields`
`Error Message`	`additional.fields`
`event`	`additional.fields`
`extended_key_usage_oid`	`additional.fields`
`external_groups`	`additional.fields`
`FailureFlag`	`security_result.detection_fields`
`FailureReason`	`sec_result.detection_fields` `additional.fields`
`FeedService`	`security_result.detection_fields`
`FirstCollection`	`event.idm.read_only_udm.principal.asset.first_discover_time`
`foreign_ip`	`intermediary.ip`
`FQSubjectName`	`security_result.detection_fields`
`Framed-MTU`	`additional.fields`
`Framed-Protocol`	`sec_result.detection_fields`
`FramedIPAddress`	`security_result.detection_fields`
`group_name`	`principal.group.group_display_name`
`Header-Flags`	`security_result.detection_fields`
`HostIdentityGroup`	`additional.fields`
`IdentityAccessRestricted`	`security_result.detection_fields`
`IdentityGroup`	`principal.group.group_display_name`
`IdentityGroupID`	`principal.group.product_object_id`
`IdentityPolicyMatchedRule`	`sec_result.about.labels` `additional.fields`
`IdentitySelectionMatchedRule`	`sec_result.detection_fields`
`Idle-Timeout`	`security_result.detection_fields`
`idletime`	`security_result.detection_fields`
`IMEI`	`target.asset.product_object_id`
`inacl_rule`	`security_result.detection_fields`
`intermediary_hostname`	`intermediary.hostname`
`ionTimeStamp`	`security_result.detection_fields`
`ios-version`	`principal.asset.software.version`
`ip_inacl_rule`	`security_result.detection_fields`
`ip_source_ip`	`principal.ip` `principal.asset.ip`
`IpAddress`	`principal.ip` `principal.asset.ip`
`IPSEC`	`additional.fields`
`ise_port`	`principal.port` `intermediary.port`
`ISELocalAddress`	`intermediary.ip` `principal.ip`
`ISEModuleName`	`sec_result.detection_fields`
`ISEPolicySetName`	`target.resource.name`
`ISEServiceName`	`sec_result.detection_fields`
`IsMachineAuthentication`	`security_result.detection_fields`
`IsMachineIdentity`	`security_result.detection_fields`
`IsRegistered`	`security_result.detection_fields`
`Issuer`	`about.labels`
`IsThirdPartyDeviceFlow`	`sec_result.detection_fields` `additional.fields`
`key_usage`	`additional.fields`
`LastActivity`	`event.idm.read_only_udm.principal.asset.last_discover_time`
`LastNmapScanTime`	`sec_result.detection_fields`
`LicenseType`	`additional.fields`
`lldpManAddress`	`security_result.detection_fields`
`lldpPortDescription`	`security_result.detection_fields`
`lldpPortId`	`security_result.detection_fields`
`lldpSystemCapabilitiesMap`	`security_result.detection_fields`
`lldpSystemDescription`	`security_result.detection_fields`
`lldpTimeToLive`	`security_result.detection_fields`
`lldpUndefined127`	`security_result.detection_fields`
`localport`	`principal.port`
`Location`	`principal.location.country_or_region` `target.location.country_or_region` `security_result.detection_fields`
`log-id`	`metadata.product_log_id`
`logstash.ingest.host`	`intermediary.hostname`
`logstash.ingest.timestamp`	`metadata.ingested_timestamp`
`logstash.irm_environment`	`additional.fields`
`logstash.irm_region`	`additional.fields`
`logstash.irm_site`	`additional.fields`
`logstash.process.host`	`intermediary.hostname`
`logstash.process.timestamp`	`metadata.collected_timestamp`
`MAC`	`principal.mac`
`mac_UserName`	`principal.mac`
`MacAddress`	`principal.mac`
`MajorVersion`	`security_result.detection_fields`
`Manufacturer`	`target.asset.hardware.manufacturer`
`MatchedPolicy`	`security_result.detection_fields`
`MatchedPolicyID`	`security_result.rule_id`
`MDMFailureReason`	`sec_result.detection_fields`
`MDMServerName`	`metadata.product_name`
`mDNS`	`security_result.detection_fields`
`MESSAGE`	`security_result.description`
`MFCInfoEndpointType`	`principal.asset.asset_type` `principal.asset.attribute.labels`
`MinorVersion`	`security_result.detection_fields`
`MisconfiguredClientFixReason`	`security_result.detection_fields`
`Model`	`target.asset.hardware.model`
`Model_Name`	`principal.asset.attribute.labels`
`msg_class`	`metadata.description`
`msg_sev`	`security_result.severity` `sec_result.severity_details`
`msg_text`	`metadata.description` `security_result.severity` `sec_result.severity_details,security_result.action`
`msg_text`	`security_result.action`
`NAD Address`	`principal.ip`
`NADAddress`	`intermediary.ip`
`Name`	`principal.group.group_identifiers`
`nas_ip_address`	`principal.nat_ip`
`NAS-Identifier`	`principal.labels`
`NAS-IP-Address`	`principal.nat_ip` `principal.ip`
`NAS-Port`	`principal.port` `principal.labels`
`nas-update`	`security_result.detection_fields`
`NASIdentifier`	`security_result.detection_fields` `principal.labels`
`NASPort`	`principal.nat_port if valid else to security_result.detection_fields` `principal.labels`
`NASPortId`	`security_result.detection_fields` `principal.labels`
`NASPortType`	`security_result.detection_fields` `principal.labels`
`Network Device Name`	`target.hostname` `target.asset.hostname`
`network_adapter`	`target.resource.name`
`network_application_protocol_result`	`network.application_protocol`
`NetworkDeviceGroups`	`sec_result.detection_fields`
`NetworkDeviceGroups_IPSEC`	`additional.fields`
`NetworkDeviceProfileId`	`principal.asset.asset_id`
`NetworkDeviceProfileName`	`principal.asset.attribute.labels`
`NmapScanCount`	`security_result.detection_fields`
`ntp_server_1`	`target.ip` `target.asset.ip`
`ntp_server_2`	`target.ip` `target.asset.ip`
`ntp_server_3`	`target.ip` `target.asset.ip`
`ObjectInternalID`	`security_result.detection_fields`
`ObjectName`	`security_result.about.labels`
`ObjectType`	`security_result.labout.abels` `additional.fields`
`operating-system-result`	`target.asset.platform_software.platform_version`	`target.platform` = `WINDOWS`
`OperatingSystem`	`target.asset.platform_software.platform_version`
`OperationMessageText`	`sec_result.detection_fields`
`OperationMessageText`	`about.labels`
`OUI`	`security_result.detection_fields`
`pad`	`security_result.detection_fields`
`PeerAddress`	`target.mac` `target.asset.mac`
`PeerName`	`target.hostname` `target.asset.hostname`
`PhoneNumber`	`principal.user.phone_numbers`
`platform-version`	`principal.platform_version`
`PolicyVersion`	`security_result.detection_fields`
`Port`	`principal.port` `target.port`
`Portal_Name`	`additional.fields`
`PortalName`	`target.url`
`PortalUser`	`principal.user.userid`
`PortalUser_GuestSponsor`	`principal.user.attribute.labels`
`PortalUser_GuestType`	`principal.user.attribute.labels`
`PostureApplicable`	`security_result.detection_fields`
`PostureAssessmentStatus`	`sec_result.detection_fields` `additional.fields`
`PostureExpiry`	`sec_result.detection_fields`
`PostureStatus`	`sec_result.detection_fields`
`principal_hostname`	`principal.hostname`
`principal_ip`	`principal.ip` `principal.asset.ip`
`profile-name`	`security_result.detection_fields`
`ProfilerServer`	`sec_result.detection_fields`
`Protocol`	`security_result.detection_fields`
`r_ip_or_host`	`observer.ip` `observer.hostname` `intermediary.hostname` `intermediary.ip`
`r_seg_num`	`metadata.product_log_id`
`RadiusFlowType`	`security_result.about.labels` `additional.fields`
`RadiusPacketType`	`security_result.detection_fields`
`received_b`	`network.received_bytes`
`RegisterStatus`	`security_result.rule_name`
`RegistrationTimeStamp`	`sec_result.detection_fields`
`RemoteAddress`	`principal.ip` `principal.asset.ip`
`RequestLatency`	`sec_result.detection_fields` `additional.fields`
`RequestResponseTypes`	`security_result.detection_fields`
`ResponseTime`	`sec_result.detection_fields`
`SelectedAccessService`	`sec_result.detection_fields` `additional.fields`
`SelectedAuthenticationIdentityStores`	`security_result.detection_fields`
`SelectedAuthorizationProfiles`	`sec_result.detection_fields` `additional.fields`
`SelectedShellProfile`	`additional.fields`
`sent_b`	`network.sent_bytes`
`sequence_num`	`metadata.product_log_id`
`Sequence-Number`	`security_result.detection_fields`
`serial_number`	`about.labels` `network.tls.server.certificate.serial`
`server_label`	`principal.asset.attribute.labels`
`Service-Type`	`sec_result.detection_fields` `additional.fields`
`session-id`	`network.session_id`
`Session-Timeout`	`network.session_duration`
`shell_role`	`principal.user.attribute.roles.name`
`ShutdownReason`	`security_result.detection_fields`
`SkipProfiling`	`security_result.detection_fields`
`software_version`	`principal.asset.platform_software.platform_version`
`Source`	`principal.ip` `principal.hostname`
`source_ip`	`src.ip`
`source_port`	`src.port`
`SSID`	`additional.fields`
`start_time`	`security_result.first_discovered_time`
`StaticAssignment`	`security_result.detection_fields`
`StaticGroupAssignment`	`sec_result.detection_fields`
`Step`	`additional.fields`
`StepData`	`about.hostname` `additional.fields`
`StepLatency`	`additional.fields`
`stop_time`	`security_result.last_discovered_time`
`Subject`	`about.labels`
`subject_alt_name`	`about.labels`
`subscriber_command`	`security_result.detection_fields`
`syslog_host`	`principal.ip` `principal.asset.ip`
`SysStatsCpuCount`	`target.asset.hardware.cpu_number_cores`
`SysStatsProcessMemoryMB`	`target.asset.hardware.ram`
`SysStatsUtilizationDiskIO`	`target.asset.attribute.labels`
`SysStatsUtilizationDiskSpace`	`target.asset.attribute.labels`
`SysStatsUtilizationLoadAvg`	`target.asset.attribute.labels`
`SystemDomain`	`principal.asset.network_domain`
`SystemName`	`principal.hostname` `principal.hostname`
`SystemUser`	`principal.user.userid`
`SystemUserDomain`	`principal.administrative_domain`
`target_email`	`target.user.email_addresses`
`target_group_identifiers`	`target.user.group_identifiers`
`target_hostname`	`target.hostname`
`target_ip`	`target.ip` `target.asset.ip`
`target_port`	`target.port`
`target_user`	`target.user.userid`
`target.resource.resource_type`		DISPOSITIVO
`task_id`	`additional.fields`
`TaskId`	`security_result.detection_fields`
`Template_Name`	`additional.fields`
`Termination-Action`	`security_result.detection_fields`
`threshold_value`	`additional.fields`
`TimeToProfile`	`sec_result.detection_fields`
`TLSCipher`	`network.tls.cipher`
`TLSVersion`	`network.tls.version`
`total_certainty_factor`	`sec_result.detection_fields`
`TotalAuthenLatency`	`security_result.detection_fields` `additional.fields`
`TotalFailedTime`	`sec_result.detection_fields`
`Tunnel-Client-Endpoint`	`sec_result.detection_fields`
`Type`	`additional.fields`
`undefined-151`	`additional.fields`
`UniqueConnectionIdentifier`	`sec_result.detection_fields`
`UpdateTime`	`sec_result.detection_fields`
`url-redirect`	`target.url`
`url-redirect-acl`	`security_result.detection_fields`
`UseCase`	`sec_result.detection_fields`
`used_space_value`	`additional.fields`
`User`	`principal.user.userid`
`user`	`principal.user.userid`
`user_display_name`	`principal.user.user_display_name`
`User-AD-Last-Fetch-Time`	`principal.user.attribute.labels`
`User-Agent`	`network.http.user_agent` `network.http.parsed_user_agent`
`User-Fetch-Email`	`sec_result.detection_fields`
`User-Fetch-Last-Name`	`principal.user.last_name`
`User-Fetch-LocalityName`	`sec_result.detection_fields`
`User-Fetch-StateOrProvinceName`	`sec_result.detection_fields`
`User-Name`	`target.user.userid`
`UserAccountControl`	`principal.user.attribute.labels`
`UserAgreementStatus`	`security_result.detection_fields`
`UserName`	`target.user.userid`
`UserType`	`principal.user.attribute.labels`
`UseSingleConnect`	`security_result.detection_fields`
`vlan-id`	`security_result.detection_fields`
	`principal.resource.resource_type`	Se asigna de forma estática a `DEVICE`.

Referencia de delta de asignación de UDM

El 1 de diciembre del 2025, Google SecOps lanzó una nueva versión del analizador de Cisco ISE, que incluye cambios significativos en la asignación de campos de registro de Cisco ISE a campos de UDM y en la asignación de tipos de eventos.

Delta de asignación de campos de registro

A nivel mundial, la marca de tiempo que muestra el analizador de Cisco ISE ahora es el campo de registro sin procesar Event-Timestamp. Anteriormente, la marca de tiempo que mostraba el analizador de Cisco ISE procedía del encabezado.

En la siguiente tabla se muestra la diferencia de asignación entre los campos de registro de Cisco ISE y UDM expuestos antes del 1 de diciembre del 2025 y posteriormente (se indican en las columnas Asignación antigua y Asignación actual, respectivamente):

Campo de registro	Asignación antigua	Asignación actual
`Acct-Input-Gigawords`	`additional.fields`	`network.received_bytes`
`Acct-Input-Packets`	`security_result.detection_fields`	`network.received_packets`
`Acct-Output-Gigawords`	`additional.fields`	`network.sent_bytes`
`Acct-Output-Packets`	`security_result.detection_fields`	`network.sent_packets`
`Acct-Session-Id`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`AcsSessionID`	`security_result.detection_fields` `additional.fields`	`network.session_id` `security_result.detection_fields`
`AD-Log-Id`	`security_result.detection_fields`	`metadata.product_log_id`
`AD-User-SamAccount-Name`	`principal.user.attribute.labels`	`principal.user.user_display_name`
`allowEasyWiredSession`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`AuthenticationIdentityStore`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Calling-Station-ID`	`security_result.detection_fields` `additional.fields` `principal.ip`	`security_result.detection_fields`
`ClientLatency`	`security_result.detection_fields` `additional.fields`	``security_result.detection_fields`
`ConfigVersionId`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`CPMSessionID`	`security_result.detection_fields` `additional.fields` `network.sesson_id`	`network.sesson_id`
`DeviceIPAdresstarget.ip`	`target.ip`	`principal.ip`
`EndPointMatchedProfile`	`security_result.about.labels` `additional.fields`	`security_result.about.resource.attribute.labels`
`HostIdentityGroup`	`additional.fields`	`principal.group.group_display_name`
`IdentityGroup`	`principal.group.group_display_name`	`principal.user.group_identifiers`
`IdentityPolicyMatchedRule`	`security_result.about.labels` `additional.fields`	`security_result.rule_labels`
`IsThirdPartyDeviceFlow`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Issuer`	`about.labels`	`network.tls.server.certificate.issuer`
`Location`	`principal.location.country_or_region` `target.location.country_or_region,security_result.detection_fields`	`principal.location.country_or_region,`
`NAS Identifier`	`principal.labels`	`principal.asset.attribute.labels`
`NAS-IP-Address`	`principal.nat_ip,principal.ip` `intermediary.ip`	`principal.nat_ip,principal.ip,`
`NAS-Port`	`principal.labels`	`principal.resource.attribute.labels`
`NAS-Port-Id`	`security_result.detection_fields` `principal.labels`	`security_result.detection_fields`
`NAS-Port-Type`	`security_result.detection_fields` `principal.labels`	``security_result.detection_fields`
`NASIdentifier`	`principal.resource.attribute.labels,security_result.detection_fields`	`principal.resource.attribute.labels`
`NASIdentifier`	`security_result.detection_fields` `principal.labels`	`security_result.detection_fields`
`NetworkDeviceGroups_Location`	`intermediary.location.country_or_region`	`principal.location.country_or_region,`
`Object Name`	`security_result.about.labels`	`security_result.about.resource.attribute.labels` `principal.mac` si es un MAC
`Object Type`	`security_result.about.labels` `additional.fields`	`security_result.about.resource.attribute.labels`
`PostureAssessmentStatus`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Privilege-Level`	`additional.fields`	`target.user.attribute.permissions.description`
`ProfilerServer`	`principal.hostname` `security_result.detection_fields`	`principal.hostname`
`RadiusFlowType`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`RequestLatency`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`r_msg_id`	`security_result.detection_fields`	`metadata.product_log_id`
`r_seg_num`	`security_result.detection_fields` `additional.fields`	`additional.fields`
`r_total_seg`	`security_result.detection_fields` `additional.fields`	`additional.fields`
`SelectedAccessService`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`SelectedAuthorizationProfiles`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Sequence-Number`	`metadata.product_log_id`	`security_result.detection_fields` si `AD-Log-Id` no es nulo
`Server`	`principal.asset.attribute.labels`	`principal.hostname` `principal.asset.hostname`
`Service-Type`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`serial_number`	`about.labels`	`about.resource.attribute.labels`
`ShutdownReason`	`security_result.detection_fields`	`security_result.description`
`Subject`	`about.labels`	`about.resource.attribute.labels`
`subject_alt_name`	`about.labels`	`about.resource.attribute.labels`
`subject_alt_name`	`about.labels`	`about.resource.attribute.labels`
`TotalAuthenLatency`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`total_certainty_factor`	`security_result.detection_fields`	`security_result.confidence_score`
`UniqueSubjectID`	`additional.fields`	`principal.user.userid.product_object_id`
`Update Time`	`security_result.detection_fields`	`principal.asset.attribute.last_update_time`
`User-Fetch-Email`	`security_result.detection_fields`	`principal.user.email_addresses`
`User-Fetch-LocalityName`	`security_result.detection_fields`	`principal.location.name`
`User-Fetch-StateOrProvinceName`	`security_result.detection_fields`	`principal.location.state`
`User Name when [r_cat_name] =~ "CISE_Passed_Authentications"`	`principal.user.userid` `target.user.userid`	`principal.user.userid`
`wlan-profile-name`	`security_result.detection_fields`	`principal.user.userid`

Delta de asignación de tipos de eventos

Varios eventos que se habían clasificado de forma genérica ahora se clasifican correctamente con tipos de eventos significativos.

En la siguiente tabla se muestra la diferencia en la gestión de los tipos de eventos de Cisco ISE antes del 1 de diciembre del 2025 y después (se indican en las columnas Old event_type y Current event-type, respectivamente):

ID de evento del registro y la lógica	Old event_type	Current event_type
(Según el evento) `[has_resource] == "true"`	`GENERIC_EVENT`	`USER_RESOURCE_ACCESS`
`[Action] == "Login"`	`NETWORK_CONNECTION`	`USER_LOGIN`
`[PRAAction] =~ "logoff"`	`NETWORK_CONNECTION`	`USER_LOGOUT`
`[message] =~ "Administrator-Login"`	`USER_UNCATEGORIZED`	`USER_LOGIN`
`[message] =~ "Change password failed"`	`USER_LOGIN`	`USER_CHANGE_PASSWORD`
`[msg_text] =~ "Login Success"`	`USER_UNCATEGORIZED`	`USER_LOGIN`

¿Necesitas más ayuda? Recibe respuestas de los miembros de la comunidad y de los profesionales de Google SecOps.