Mengumpulkan log Cisco ISE
Didukung di:
Google secops
SIEM
Dokumen ini menjelaskan cara mengumpulkan log Cisco Identity Services Engine (ISE) menggunakan penerusan Google Security Operations.
Untuk mengetahui informasi selengkapnya, lihat Penyerapan data ke Google Security Operations.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser dengan label penyerapan
CISCO_ISE.
Mengonfigurasi Cisco ISE
- Login ke konsol Cisco ISE menggunakan kredensial administrator.
- Di konsol Cisco ISE, pilih Administration > System > Logging > Remote logging targets.
- Di jendela Remote logging targets, klik Add. Jendela New logging target akan muncul.
Di bagian Target logging, tentukan nilai untuk kolom berikut:
Kolom Deskripsi Nama Nama penerusan Google Security Operations. Deskripsi Deskripsi penerusan Google Security Operations. Jenis Jenis target log jarak jauh, seperti syslog. Alamat IP Alamat IP penerusan Google Security Operations. Jenis target Pilih syslog TCP atau syslog UDP. Port Gunakan port tinggi, seperti 10514. Kode fasilitas Anda dapat menentukan salah satu nilai berikut: - LOCAL0 (kode = 16)
- LOCAL1 (kode = 17)
- LOCAL2 (kode = 18)
- LOCAL3 (kode = 19)
- LOCAL4 (kode = 20)
- LOCAL5 (kode = 21)
- LOCAL6 (code = 22; default)
- LOCAL7 (kode = 23)
Panjang maksimum Nilai yang direkomendasikan adalah 1024. Klik Kirim. Jendela Target log jarak jauh akan muncul dengan konfigurasi penerusan Google Security Operations yang baru.
Di konsol Cisco ISE, pilih Administration > System > Logging > Logging categories.
Di jendela Logging categories, pilih kategori yang ingin Anda tetapkan target syslog jarak jauhnya dan tambahkan target syslog jarak jauh.
Berikut adalah contoh kategori: audit AAA, diagnostik AAA, akuntansi, audit administratif dan operasional, audit penyediaan klien dan postur keamanan, diagnostik penyediaan klien dan postur keamanan, profiler, diagnostik sistem, dan statistik sistem.
Mengonfigurasi penerusan dan syslog Google Security Operations untuk menyerap log Cisco Secure ACS
- Buka Setelan SIEM > Pengirim.
- Klik Tambahkan penerusan baru.
- Di kolom Forwarder Name, masukkan nama unik untuk penerusan.
- Klik Kirim. Forwarder ditambahkan dan jendela Add collector configuration akan muncul.
- Di kolom Collector name, ketik nama.
- Pilih Cisco ISE sebagai Jenis log.
- Pilih Syslog sebagai Collector type.
- Konfigurasikan parameter input wajib berikut:
- Protocol: tentukan protokol.
- Alamat: tentukan alamat IP atau nama host target tempat pengumpul berada dan alamat ke data syslog.
- Port: tentukan port target tempat pengumpul berada dan memproses data syslog.
- Klik Kirim.
Untuk mengetahui informasi selengkapnya tentang penerus Google Security Operations, lihat dokumentasi penerus Google Security Operations. Untuk mengetahui informasi tentang persyaratan untuk setiap jenis penerusan, lihat Konfigurasi penerusan menurut jenis. Jika Anda mengalami masalah saat membuat penerusan, hubungi dukungan Operasi Keamanan Google.
Referensi pemetaan kolom
Parser ini mengekstrak log Cisco ISE dari pesan syslog, menormalisasi data ke dalam format UDM, dan melengkapi peristiwa dengan konteks tambahan. Alat ini menangani berbagai kategori log ISE, termasuk keberhasilan dan kegagalan autentikasi, audit administratif, statistik sistem, dan lainnya, memetakan kolom yang relevan ke skema UDM, dan menambahkan label tertentu untuk analisis mendetail.
Tabel pemetaan UDM
| Kolom log | Pemetaan UDM | Keterangan |
|---|---|---|
AAA_Event |
security_result.detection_fields |
|
AAA_Security_Result.detection_fields |
aaa_service |
|
ac-user-agent |
network.http.user_agent |
|
Acct-Authentic |
security_result.detection_fields |
|
Acct-Delay-Time |
security_result.detection_fields |
|
Acct-Input-Octets |
security_result.detection_fields |
|
Acct-Input-Packets |
security_result.detection_fields |
|
Acct-Output-Octets |
security_result.detection_fields |
|
Acct-Output-Packets |
security_result.detection_fields |
|
Acct-Session-Id |
sec_result.detection_fieldsadditional.fields |
|
Acct-Session-Time |
security_result.detection_fields |
|
Acct-Status-Type |
security_result.detection_fields |
|
Acct-Terminate-Cause |
security_result.detection_fields |
|
AcctReply-Status |
security_result.detection_fields |
|
AcctRequest-Flags |
security_result.detection_fields |
|
ACS_CiscoSecure_Defined_ACL |
security_result.detection_fields |
|
AcsSessionID |
sec_result.detection_fieldsadditional.fields |
|
Action |
security_result.action_details |
|
action_details |
security_result.action_details |
|
ActiveSessionCount |
security_result.detection_fields |
|
ad_identifier |
about.hostname |
|
ad_join_point |
principal.administrative_domain |
|
ad_operating_system |
principal.platform |
|
AD-Account-Name |
principal.user.useridtarget.hostname |
|
AD-Domain |
principal.group.group_display_name |
|
AD-Domain-Controller |
target.administrative_domain |
|
AD-Error-Details |
security_result.description |
|
AD-Forest |
target.resource.attribute.labels |
|
AD-Groups-Names |
principal.user.group_identifiers |
|
AD-Host-Candidate-Identities |
sec_result.detection_fields |
|
AD-IP-Address |
target.iptarget.asset.ip |
|
AD-Log-Id |
sec_result.detection_fields |
|
AD-Site |
target.location.name |
|
AD-Srv-Query |
security_result.detection_fields |
|
AD-Srv-Record |
security_result.detection_fields |
|
AD-User-Candidate-Identities |
principal.user.attribute.labels |
|
AD-User-DNS-Domain |
network.dns_domain |
|
AD-User-Join-Point |
target.hostnametarget.asset.hostname |
|
AD-User-NetBios-Name |
principal.user.attribute.labels |
|
AD-User-Qualified-Name |
principal.user.email_addresses |
|
AD-User-Resolved-DNs |
principal.user.attribute.labels |
|
AD-User-Resolved-Identities |
sec_result.detection_fieldsprincipal.user.userid |
|
AD-User-Resolved-Identities |
||
AD-User-SamAccount-Name |
principal.user.attribute.labels |
|
Admin |
principal.user.userid |
|
AdminInterface |
principal.user.attribute.labels |
|
AdminIPAddress |
principal.ip |
|
AdminName |
principal.user.userid |
|
affected-dn |
target.resource.nametarget.resource.attribute.labelstarget.resource.resource_type |
target.resource.resource_type => "USER" |
Airespace-Wlan-Id |
additional.fields |
|
allowEasyWiredSession |
sec_result.detection_fieldsadditional.fields |
|
AMInstalled |
security_result.detection_fields |
|
assetDeviceType |
principal.resource.name |
|
assetIncidentScore |
security_result.detection_fields |
|
Audit_session_id |
sec_result.detection_fields |
|
AuditSessionId |
sec_result.detection_fields |
|
Authen-Reply-Status |
security_result.detection_fields |
|
AuthenticationIdentityStore |
sec_result.detection_fieldsadditional.fields |
|
AuthenticationMethod |
security_result.detection_fields |
|
AuthenticationResult |
security_result.action |
|
AuthenticationStatus |
security_result.actionsecurity_result.action_details |
|
Author-Reply-Status |
additional.fields |
|
AuthorizationFailureReason |
security_result.detection_fields |
|
AuthorizationPolicyMatchedRule |
security_result.rule_name |
|
av-pair-severity |
security_result.detection_fields |
|
BYODRegistration |
sec_result.detection_fields |
|
CacheUpdateTime |
security_result.detection_fields |
|
Called-Station-ID |
security_result.detection_fieldstarget.iptarget.mac |
|
Calling-Station-ID |
security_result.detection_fieldsprincipal.ipprincipal.mac |
|
cdpCacheAddressType |
security_result.detection_fields |
|
cdpCacheVersion |
security_result.detection_fields |
|
cdpUndefined28 |
security_result.detection_fields |
|
change-set |
additional.fields |
|
Chargeable-User-Identity |
principal.user.attribute.labels |
|
cisco-av-pair |
additional.fieldssecurity_result.detection_fields |
|
CiscoIOS |
security_result.detection_fields |
|
Class |
sec_result.detection_fields |
|
client_type |
additional.fields |
|
client-iif-id |
security_result.detection_fields |
|
ClientLatency |
security_result.detection_fieldsadditional.fields |
|
CmdSet |
target.process.command_line |
|
coa-push |
security_result.detection_fields |
|
CoAClientInstanceDestinationIPAddress |
target.iptarget.asset.ip |
|
coaReason |
security_result.detection_fields |
|
coaSourceComponent |
security_result.detection_fields |
|
coaType |
security_result.detection_fields |
|
Component |
security_result.detection_fields |
|
ConfigChangeData |
security_result.detection_fields |
|
ConfigVersionId |
sec_result.detection_fieldsadditional.fields |
|
connect-progress |
security_result.detection_fields |
|
ConnectionStatus |
sec_result.detection_fields |
|
ConnectionStatus=Failed |
security_result.action ="BLOCK" |
|
Constructeurs |
principal.asset.hardware.manufacturer |
|
counters_kvp |
event.idm.read_only_udm.target.asset.attribute.labels |
|
CPMSessionID |
security_result.detection_fieldsadditional.fieldsnetwork.session_id |
|
CreateTime |
event.idm.read_only_udm.principal.asset.attribute.creation_time |
|
cts_security_group_tag |
security_result.detection_fields |
|
cts-pac-opaque |
security_result.detection_fields |
|
datetime |
metadata.event_timestamp |
|
days_to_expiry |
security_result.detection_fields |
|
DeltaRadiusRequestCount |
security_result.detection_fields |
|
DeltaTacacsRequestCount |
security_result.detection_fields |
|
Description |
security_result.detection_fields |
|
DestinationIPAddress |
target.iptarget.asset.ip |
|
DestinationIPAddress |
target.iptarget.asset.ip |
|
DestinationPort |
target.port |
|
DetailedInfo |
sec_result.description |
|
Device_IP_Address |
principal.ipprincipal.asset.ip |
|
device-mac |
principal.mac |
|
device-platform |
principal.platform |
|
device-platform-version |
principal.platform_version |
|
device-public-mac |
principal.mac |
|
device-type |
principal.asset.hardware.model |
|
device-uid |
principal.resource.product_object_id |
|
device-uid-global |
principal.asset.product_object_id |
|
DeviceIPAddress |
principal.iptarget.ipintermediary.ip |
|
DevicePort |
principal.porttarget.portintermediary.port |
|
DeviceRegistrationStatus |
sec_result.detection_fields |
|
dhcp-class-identifier |
security_result.detection_fields |
|
dhcp-parameter-request-list |
additional.fields |
|
Domaines |
additional.fields |
|
DoReplicate |
security_result.detection_fields |
|
DTLSSupport |
security_result.detection_fields |
|
EAP-Key-Name |
additional.fields |
|
EapTunnel |
additional.fields |
|
EmailAddress |
principal.user.email_addresses |
|
EnableFlag |
additional.fields |
|
EnableSingleConnect |
security_result.detection_fields |
|
End-of-LLDPDU |
security_result.detection_fields |
|
endpoint_id |
principal.macprincipal.asset.mac |
|
EndpointCertainityMetric |
sec_result.detection_fields |
|
EndpointIdentityGroup |
principal.group.group_display_name |
|
EndpointIPAddress |
principal.asset.ip |
|
EndPointMACAddress |
principal.macprincipal.asset.mac |
|
EndPointMatchedProfile |
security_result.about.labelsadditional.fields |
|
EndpointNADAddress |
sec_result.detection_fields |
|
EndpointOUI |
sec_result.detection_fields |
|
EndpointPolicy |
principal.asset.platform_software.platform_versionsecurity_result.detection_fields |
|
EndPointPolicyID |
security_result.detection_fields |
|
EndPointProfilerServer |
target.hostname |
|
EndpointProperty |
sec_result.detection_fields |
|
EndPointSource |
target.resource.attribute.labels |
|
EndpointSourceEvent |
sec_result.detection_fields |
|
EndpointUserAgent |
network.http.user_agent |
|
EndPointVersion |
security_result.detection_fields |
|
epid |
security_result.detection_fields |
|
Error Message |
additional.fields |
|
event |
additional.fields |
|
extended_key_usage_oid |
additional.fields |
|
external_groups |
additional.fields |
|
FailureFlag |
security_result.detection_fields |
|
FailureReason |
sec_result.detection_fieldsadditional.fields |
|
FeedService |
security_result.detection_fields |
|
FirstCollection |
event.idm.read_only_udm.principal.asset.first_discover_time |
|
foreign_ip |
intermediary.ip |
|
FQSubjectName |
security_result.detection_fields |
|
Framed-MTU |
additional.fields |
|
Framed-Protocol |
sec_result.detection_fields |
|
FramedIPAddress |
security_result.detection_fields |
|
group_name |
principal.group.group_display_name |
|
Header-Flags |
security_result.detection_fields |
|
HostIdentityGroup |
additional.fields |
|
IdentityAccessRestricted |
security_result.detection_fields |
|
IdentityGroup |
principal.group.group_display_name |
|
IdentityGroupID |
principal.group.product_object_id |
|
IdentityPolicyMatchedRule |
sec_result.about.labelsadditional.fields |
|
IdentitySelectionMatchedRule |
sec_result.detection_fields |
|
Idle-Timeout |
security_result.detection_fields |
|
idletime |
security_result.detection_fields |
|
IMEI |
target.asset.product_object_id |
|
inacl_rule |
security_result.detection_fields |
|
intermediary_hostname |
intermediary.hostname |
|
ionTimeStamp |
security_result.detection_fields |
|
ios-version |
principal.asset.software.version |
|
ip_inacl_rule |
security_result.detection_fields |
|
ip_source_ip |
principal.ipprincipal.asset.ip |
|
IpAddress |
principal.ipprincipal.asset.ip |
|
IPSEC |
additional.fields |
|
ise_port |
principal.portintermediary.port |
|
ISELocalAddress |
intermediary.ipprincipal.ip |
|
ISEModuleName |
sec_result.detection_fields |
|
ISEPolicySetName |
target.resource.name |
|
ISEServiceName |
sec_result.detection_fields |
|
IsMachineAuthentication |
security_result.detection_fields |
|
IsMachineIdentity |
security_result.detection_fields |
|
IsRegistered |
security_result.detection_fields |
|
Issuer |
about.labels |
|
IsThirdPartyDeviceFlow |
sec_result.detection_fieldsadditional.fields |
|
key_usage |
additional.fields |
|
LastActivity |
event.idm.read_only_udm.principal.asset.last_discover_time |
|
LastNmapScanTime |
sec_result.detection_fields |
|
LicenseType |
additional.fields |
|
lldpManAddress |
security_result.detection_fields |
|
lldpPortDescription |
security_result.detection_fields |
|
lldpPortId |
security_result.detection_fields |
|
lldpSystemCapabilitiesMap |
security_result.detection_fields |
|
lldpSystemDescription |
security_result.detection_fields |
|
lldpTimeToLive |
security_result.detection_fields |
|
lldpUndefined127 |
security_result.detection_fields |
|
localport |
principal.port |
|
Location |
principal.location.country_or_regiontarget.location.country_or_regionsecurity_result.detection_fields |
|
log-id |
metadata.product_log_id |
|
logstash.ingest.host |
intermediary.hostname |
|
logstash.ingest.timestamp |
metadata.ingested_timestamp |
|
logstash.irm_environment |
additional.fields |
|
logstash.irm_region |
additional.fields |
|
logstash.irm_site |
additional.fields |
|
logstash.process.host |
intermediary.hostname |
|
logstash.process.timestamp |
metadata.collected_timestamp |
|
MAC |
principal.mac |
|
mac_UserName |
principal.mac |
|
MacAddress |
principal.mac |
|
MajorVersion |
security_result.detection_fields |
|
Manufacturer |
target.asset.hardware.manufacturer |
|
MatchedPolicy |
security_result.detection_fields |
|
MatchedPolicyID |
security_result.rule_id |
|
MDMFailureReason |
sec_result.detection_fields |
|
MDMServerName |
metadata.product_name |
|
mDNS |
security_result.detection_fields |
|
MESSAGE |
security_result.description |
|
MFCInfoEndpointType |
principal.asset.asset_typeprincipal.asset.attribute.labels |
|
MinorVersion |
security_result.detection_fields |
|
MisconfiguredClientFixReason |
security_result.detection_fields |
|
Model |
target.asset.hardware.model |
|
Model_Name |
principal.asset.attribute.labels |
|
msg_class |
metadata.description |
|
msg_sev |
security_result.severitysec_result.severity_details |
|
msg_text |
metadata.descriptionsecurity_result.severitysec_result.severity_details,security_result.action |
|
msg_text |
security_result.action |
|
NAD Address |
principal.ip |
|
NADAddress |
intermediary.ip |
|
Name |
principal.group.group_identifiers |
|
nas_ip_address |
principal.nat_ip |
|
NAS-Identifier |
principal.labels |
|
NAS-IP-Address |
principal.nat_ipprincipal.ip |
|
NAS-Port |
principal.portprincipal.labels |
|
nas-update |
security_result.detection_fields |
|
NASIdentifier |
security_result.detection_fieldsprincipal.labels |
|
NASPort |
principal.nat_port if valid else to security_result.detection_fieldsprincipal.labels |
|
NASPortId |
security_result.detection_fieldsprincipal.labels |
|
NASPortType |
security_result.detection_fieldsprincipal.labels |
|
Network Device Name |
target.hostnametarget.asset.hostname |
|
network_adapter |
target.resource.name |
|
network_application_protocol_result |
network.application_protocol |
|
NetworkDeviceGroups |
sec_result.detection_fields |
|
NetworkDeviceGroups_IPSEC |
additional.fields |
|
NetworkDeviceProfileId |
principal.asset.asset_id |
|
NetworkDeviceProfileName |
principal.asset.attribute.labels |
|
NmapScanCount |
security_result.detection_fields |
|
ntp_server_1 |
target.iptarget.asset.ip |
|
ntp_server_2 |
target.iptarget.asset.ip |
|
ntp_server_3 |
target.iptarget.asset.ip |
|
ObjectInternalID |
security_result.detection_fields |
|
ObjectName |
security_result.about.labels |
|
ObjectType |
security_result.labout.abelsadditional.fields |
|
operating-system-result |
target.asset.platform_software.platform_version |
target.platform = WINDOWS |
OperatingSystem |
target.asset.platform_software.platform_version |
|
OperationMessageText |
sec_result.detection_fields |
|
OperationMessageText |
about.labels |
|
OUI |
security_result.detection_fields |
|
pad |
security_result.detection_fields |
|
PeerAddress |
target.mactarget.asset.mac |
|
PeerName |
target.hostnametarget.asset.hostname |
|
PhoneNumber |
principal.user.phone_numbers |
|
platform-version |
principal.platform_version |
|
PolicyVersion |
security_result.detection_fields |
|
Port |
principal.porttarget.port |
|
Portal_Name |
additional.fields |
|
PortalName |
target.url |
|
PortalUser |
principal.user.userid |
|
PortalUser_GuestSponsor |
principal.user.attribute.labels |
|
PortalUser_GuestType |
principal.user.attribute.labels |
|
PostureApplicable |
security_result.detection_fields |
|
PostureAssessmentStatus |
sec_result.detection_fieldsadditional.fields |
|
PostureExpiry |
sec_result.detection_fields |
|
PostureStatus |
sec_result.detection_fields |
|
principal_hostname |
principal.hostname |
|
principal_ip |
principal.ipprincipal.asset.ip |
|
profile-name |
security_result.detection_fields |
|
ProfilerServer |
sec_result.detection_fields |
|
Protocol |
security_result.detection_fields |
|
r_ip_or_host |
observer.ipobserver.hostnameintermediary.hostnameintermediary.ip |
|
r_seg_num |
metadata.product_log_id |
|
RadiusFlowType |
security_result.about.labelsadditional.fields |
|
RadiusPacketType |
security_result.detection_fields |
|
received_b |
network.received_bytes |
|
RegisterStatus |
security_result.rule_name |
|
RegistrationTimeStamp |
sec_result.detection_fields |
|
RemoteAddress |
principal.ipprincipal.asset.ip |
|
RequestLatency |
sec_result.detection_fieldsadditional.fields |
|
RequestResponseTypes |
security_result.detection_fields |
|
ResponseTime |
sec_result.detection_fields |
|
SelectedAccessService |
sec_result.detection_fieldsadditional.fields |
|
SelectedAuthenticationIdentityStores |
security_result.detection_fields |
|
SelectedAuthorizationProfiles |
sec_result.detection_fieldsadditional.fields |
|
SelectedShellProfile |
additional.fields |
|
sent_b |
network.sent_bytes |
|
sequence_num |
metadata.product_log_id |
|
Sequence-Number |
security_result.detection_fields |
|
serial_number |
about.labelsnetwork.tls.server.certificate.serial |
|
server_label |
principal.asset.attribute.labels |
|
Service-Type |
sec_result.detection_fieldsadditional.fields |
|
session-id |
network.session_id |
|
Session-Timeout |
network.session_duration |
|
shell_role |
principal.user.attribute.roles.name |
|
ShutdownReason |
security_result.detection_fields |
|
SkipProfiling |
security_result.detection_fields |
|
software_version |
principal.asset.platform_software.platform_version |
|
Source |
principal.ipprincipal.hostname |
|
source_ip |
src.ip |
|
source_port |
src.port |
|
SSID |
additional.fields |
|
start_time |
security_result.first_discovered_time |
|
StaticAssignment |
security_result.detection_fields |
|
StaticGroupAssignment |
sec_result.detection_fields |
|
Step |
additional.fields |
|
StepData |
about.hostnameadditional.fields |
|
StepLatency |
additional.fields |
|
stop_time |
security_result.last_discovered_time |
|
Subject |
about.labels |
|
subject_alt_name |
about.labels |
|
subscriber_command |
security_result.detection_fields |
|
syslog_host |
principal.ipprincipal.asset.ip |
|
SysStatsCpuCount |
target.asset.hardware.cpu_number_cores |
|
SysStatsProcessMemoryMB |
target.asset.hardware.ram |
|
SysStatsUtilizationDiskIO |
target.asset.attribute.labels |
|
SysStatsUtilizationDiskSpace |
target.asset.attribute.labels |
|
SysStatsUtilizationLoadAvg |
target.asset.attribute.labels |
|
SystemDomain |
principal.asset.network_domain |
|
SystemName |
principal.hostnameprincipal.hostname |
|
SystemUser |
principal.user.userid |
|
SystemUserDomain |
principal.administrative_domain |
|
target_email |
target.user.email_addresses |
|
target_group_identifiers |
target.user.group_identifiers |
|
target_hostname |
target.hostname |
|
target_ip |
target.iptarget.asset.ip |
|
target_port |
target.port |
|
target_user |
target.user.userid |
|
target.resource.resource_type |
DEVICE | |
task_id |
additional.fields |
|
TaskId |
security_result.detection_fields |
|
Template_Name |
additional.fields |
|
Termination-Action |
security_result.detection_fields |
|
threshold_value |
additional.fields |
|
TimeToProfile |
sec_result.detection_fields |
|
TLSCipher |
network.tls.cipher |
|
TLSVersion |
network.tls.version |
|
total_certainty_factor |
sec_result.detection_fields |
|
TotalAuthenLatency |
security_result.detection_fieldsadditional.fields |
|
TotalFailedTime |
sec_result.detection_fields |
|
Tunnel-Client-Endpoint |
sec_result.detection_fields |
|
Type |
additional.fields |
|
undefined-151 |
additional.fields |
|
UniqueConnectionIdentifier |
sec_result.detection_fields |
|
UpdateTime |
sec_result.detection_fields |
|
url-redirect |
target.url |
|
url-redirect-acl |
security_result.detection_fields |
|
UseCase |
sec_result.detection_fields |
|
used_space_value |
additional.fields |
|
User |
principal.user.userid |
|
user |
principal.user.userid |
|
user_display_name |
principal.user.user_display_name |
|
User-AD-Last-Fetch-Time |
principal.user.attribute.labels |
|
User-Agent |
network.http.user_agentnetwork.http.parsed_user_agent |
|
User-Fetch-Email |
sec_result.detection_fields |
|
User-Fetch-Last-Name |
principal.user.last_name |
|
User-Fetch-LocalityName |
sec_result.detection_fields |
|
User-Fetch-StateOrProvinceName |
sec_result.detection_fields |
|
User-Name |
target.user.userid |
|
UserAccountControl |
principal.user.attribute.labels |
|
UserAgreementStatus |
security_result.detection_fields |
|
UserName |
target.user.userid |
|
UserType |
principal.user.attribute.labels |
|
UseSingleConnect |
security_result.detection_fields |
|
vlan-id |
security_result.detection_fields |
|
principal.resource.resource_type |
Dipetakan secara statis ke DEVICE. |
Referensi delta pemetaan UDM
Pada 1 Desember 2025, Google SecOps merilis parser Cisco ISE versi baru, yang mencakup perubahan signifikan pada pemetaan kolom log Cisco ISE ke kolom UDM dan perubahan pada pemetaan jenis peristiwa.
Delta pemetaan kolom log
Secara global, stempel waktu yang ditampilkan parser Cisco ISE sekarang adalah kolom log mentah Event-Timestamp. Sebelumnya, stempel waktu yang ditampilkan parser Cisco ISE berasal dari header.
Tabel berikut mencantumkan delta pemetaan untuk kolom log Cisco ISE ke UDM yang diekspos sebelum 1 Desember 2025 dan setelahnya (masing-masing tercantum dalam kolom Pemetaan lama dan Pemetaan saat ini):
| Kolom log | Pemetaan lama | Pemetaan saat ini |
|---|---|---|
Acct-Input-Gigawords |
additional.fields |
network.received_bytes |
Acct-Input-Packets |
security_result.detection_fields |
network.received_packets |
Acct-Output-Gigawords |
additional.fields |
network.sent_bytes |
Acct-Output-Packets |
security_result.detection_fields |
network.sent_packets |
Acct-Session-Id |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
AcsSessionID |
security_result.detection_fieldsadditional.fields |
network.session_idsecurity_result.detection_fields |
AD-Log-Id |
security_result.detection_fields |
metadata.product_log_id |
AD-User-SamAccount-Name |
principal.user.attribute.labels |
principal.user.user_display_name |
allowEasyWiredSession |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
AuthenticationIdentityStore |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Calling-Station-ID |
security_result.detection_fieldsadditional.fieldsprincipal.ip |
security_result.detection_fields |
ClientLatency |
security_result.detection_fieldsadditional.fields |
`security_result.detection_fields |
ConfigVersionId |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
CPMSessionID |
security_result.detection_fieldsadditional.fieldsnetwork.sesson_id |
network.sesson_id |
DeviceIPAdresstarget.ip |
target.ip |
principal.ip |
EndPointMatchedProfile |
security_result.about.labelsadditional.fields |
security_result.about.resource.attribute.labels |
HostIdentityGroup |
additional.fields |
principal.group.group_display_name |
IdentityGroup |
principal.group.group_display_name |
principal.user.group_identifiers |
IdentityPolicyMatchedRule |
security_result.about.labelsadditional.fields |
security_result.rule_labels |
IsThirdPartyDeviceFlow |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Issuer |
about.labels |
network.tls.server.certificate.issuer |
Location |
principal.location.country_or_regiontarget.location.country_or_region,security_result.detection_fields |
principal.location.country_or_region, |
NAS Identifier |
principal.labels |
principal.asset.attribute.labels |
NAS-IP-Address |
principal.nat_ip,principal.ipintermediary.ip |
principal.nat_ip,principal.ip, |
NAS-Port |
principal.labels |
principal.resource.attribute.labels |
NAS-Port-Id |
security_result.detection_fieldsprincipal.labels |
security_result.detection_fields |
NAS-Port-Type |
security_result.detection_fieldsprincipal.labels |
`security_result.detection_fields |
NASIdentifier |
principal.resource.attribute.labels,security_result.detection_fields |
principal.resource.attribute.labels |
NASIdentifier |
security_result.detection_fieldsprincipal.labels |
security_result.detection_fields |
NetworkDeviceGroups_Location |
intermediary.location.country_or_region |
principal.location.country_or_region, |
Object Name |
security_result.about.labels |
security_result.about.resource.attribute.labelsprincipal.mac jika itu adalah MAC |
Object Type |
security_result.about.labelsadditional.fields |
security_result.about.resource.attribute.labels |
PostureAssessmentStatus |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Privilege-Level |
additional.fields |
target.user.attribute.permissions.description |
ProfilerServer |
principal.hostnamesecurity_result.detection_fields |
principal.hostname |
RadiusFlowType |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
RequestLatency |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
r_msg_id |
security_result.detection_fields |
metadata.product_log_id |
r_seg_num |
security_result.detection_fieldsadditional.fields |
additional.fields |
r_total_seg |
security_result.detection_fieldsadditional.fields |
additional.fields |
SelectedAccessService |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
SelectedAuthorizationProfiles |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
Sequence-Number |
metadata.product_log_id |
security_result.detection_fields jika AD-Log-Id bukan null |
Server |
principal.asset.attribute.labels |
principal.hostnameprincipal.asset.hostname |
Service-Type |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
serial_number |
about.labels |
about.resource.attribute.labels |
ShutdownReason |
security_result.detection_fields |
security_result.description |
Subject |
about.labels |
about.resource.attribute.labels |
subject_alt_name |
about.labels |
about.resource.attribute.labels |
subject_alt_name |
about.labels |
about.resource.attribute.labels |
TotalAuthenLatency |
security_result.detection_fieldsadditional.fields |
security_result.detection_fields |
total_certainty_factor |
security_result.detection_fields |
security_result.confidence_score |
UniqueSubjectID |
additional.fields |
principal.user.userid.product_object_id |
Update Time |
security_result.detection_fields |
principal.asset.attribute.last_update_time |
User-Fetch-Email |
security_result.detection_fields |
principal.user.email_addresses |
User-Fetch-LocalityName |
security_result.detection_fields |
principal.location.name |
User-Fetch-StateOrProvinceName |
security_result.detection_fields |
principal.location.state |
User Name when [r_cat_name] =~ "CISE_Passed_Authentications" |
principal.user.useridtarget.user.userid |
principal.user.userid |
wlan-profile-name |
security_result.detection_fields |
principal.user.userid |
Delta pemetaan jenis peristiwa
Beberapa peristiwa yang diklasifikasikan secara umum kini diklasifikasikan dengan benar menggunakan jenis peristiwa yang bermakna.
Tabel berikut mencantumkan perbedaan penanganan jenis peristiwa Cisco ISE sebelum 1 Desember 2025 dan setelahnya (masing-masing tercantum dalam kolom Old event_type dan Current event_type):
| ID peristiwa dari log dan logika | event_type lama | event_type saat ini |
|---|---|---|
(Berdasarkan acara) [has_resource] == "true" |
GENERIC_EVENT |
USER_RESOURCE_ACCESS |
[Action] == "Login" |
NETWORK_CONNECTION |
USER_LOGIN |
[PRAAction] =~ "logoff" |
NETWORK_CONNECTION |
USER_LOGOUT |
[message] =~ "Administrator-Login" |
USER_UNCATEGORIZED |
USER_LOGIN |
[message] =~ "Change password failed" |
USER_LOGIN |
USER_CHANGE_PASSWORD |
[msg_text] =~ "Login Success" |
USER_UNCATEGORIZED |
USER_LOGIN |
Perlu bantuan lain? Dapatkan jawaban dari anggota Komunitas dan profesional Google SecOps.