Raccogliere i log di Cisco ISE

Supportato in:

Questo documento descrive come raccogliere i log di Cisco Identity Services Engine (ISE) utilizzando un forwarder di Google Security Operations.

Per saperne di più, consulta Importazione dei dati in Google Security Operations.

Un'etichetta di importazione identifica il parser che normalizza i dati di log non elaborati in formato UDM strutturato. Le informazioni contenute in questo documento si applicano al parser con l'etichetta di importazione CISCO_ISE.

Configura Cisco ISE

  1. Accedi alla console Cisco ISE utilizzando le credenziali di amministratore.
  2. Nella console Cisco ISE, seleziona Administration > System > Logging > Remote logging targets (Destinazioni di logging remoto).
  3. Nella finestra Destinazioni di logging remoto, fai clic su Aggiungi. Viene visualizzata la finestra Nuova destinazione di logging.

  4. Nella sezione Destinazione logging, specifica i valori per i seguenti campi:

    Campo Descrizione
    Nome Nome del programma di inoltro di Google Security Operations.
    Descrizione Descrizione del programma di inoltro di Google Security Operations.
    Tipo Tipo di destinazione del log remoto, ad esempio syslog.
    Indirizzo IP Indirizzo IP del forwarder di Google Security Operations.
    Tipo target Seleziona Syslog TCP o Syslog UDP.
    Porta Utilizza una porta alta, ad esempio 10514.
    Codice struttura Puoi specificare uno dei seguenti valori:

    • LOCAL0 (code = 16)
    • LOCAL1 (code = 17)
    • LOCAL2 (code = 18)
    • LOCAL3 (code = 19)
    • LOCAL4 (code = 20)
    • LOCAL5 (codice = 21)
    • LOCAL6 (codice = 22; predefinito)
    • LOCAL7 (code = 23)
    Lunghezza massima Il valore consigliato è 1024.

  5. Fai clic su Invia. Viene visualizzata la finestra Destinazioni log remoti con la nuova configurazione del programma di inoltro di Google Security Operations.

  6. Nella console Cisco ISE, seleziona Administration > System > Logging > Logging categories.

  7. Nella finestra Categorie di logging, seleziona le categorie per le quali vuoi impostare la destinazione syslog remota e aggiungi la destinazione syslog remota.

    Di seguito sono riportate le categorie di esempio: controlli AAA, diagnostica AAA, contabilità, controllo amministrativo e operativo, controllo del provisioning di postura e client, diagnostica del provisioning di postura e client, profiler, diagnostica di sistema e statistiche di sistema.

Configura il forwarder e syslog di Google Security Operations per importare i log di Cisco Secure ACS

  1. Vai a Impostazioni SIEM > Forwarder.
  2. Fai clic su Aggiungi nuovo inoltro.
  3. Nel campo Nome forwarder, inserisci un nome univoco per il forwarder.
  4. Fai clic su Invia. Il forwarder viene aggiunto e viene visualizzata la finestra Aggiungi configurazione del raccoglitore.
  5. Nel campo Nome del raccoglitore, digita un nome.
  6. Seleziona Cisco ISE come Tipo di log.
  7. Seleziona Syslog come Tipo di raccoglitore.
  8. Configura i seguenti parametri di input obbligatori:
    • Protocollo: specifica il protocollo.
    • Indirizzo: specifica l'indirizzo IP o il nome host di destinazione in cui si trova il raccoglitore e gli indirizzi dei dati syslog.
    • Porta: specifica la porta di destinazione in cui si trova il raccoglitore e in cui ascolta i dati syslog.
  9. Fai clic su Invia.

Per ulteriori informazioni sui forwarder di Google Security Operations, consulta la documentazione sui forwarder di Google Security Operations. Per informazioni sui requisiti per ciascun tipo di inoltro, vedi Configurazione dell'inoltro per tipo. Se riscontri problemi durante la creazione degli inoltri, contatta l'assistenza di Google Security Operations.

Riferimento alla mappatura dei campi

Questo parser estrae i log Cisco ISE dai messaggi syslog, normalizza i dati in formato UDM e arricchisce l'evento con un contesto aggiuntivo. Gestisce varie categorie di log ISE, tra cui autenticazioni riuscite e non riuscite, audit amministrativi, statistiche di sistema e altro ancora, mappando i campi pertinenti allo schema UDM e aggiungendo etichette specifiche per un'analisi dettagliata.

Tabella di mappatura UDM

Campo log Mappatura UDM Remark
AAA_Event security_result.detection_fields
AAA_Security_Result.detection_fields aaa_service
ac-user-agent network.http.user_agent
Acct-Authentic security_result.detection_fields
Acct-Delay-Time security_result.detection_fields
Acct-Input-Octets security_result.detection_fields
Acct-Input-Packets security_result.detection_fields
Acct-Output-Octets security_result.detection_fields
Acct-Output-Packets security_result.detection_fields
Acct-Session-Id sec_result.detection_fields
additional.fields
Acct-Session-Time security_result.detection_fields
Acct-Status-Type security_result.detection_fields
Acct-Terminate-Cause security_result.detection_fields
AcctReply-Status security_result.detection_fields
AcctRequest-Flags security_result.detection_fields
ACS_CiscoSecure_Defined_ACL security_result.detection_fields
AcsSessionID sec_result.detection_fields
additional.fields
Action security_result.action_details
action_details security_result.action_details
ActiveSessionCount security_result.detection_fields
ad_identifier about.hostname
ad_join_point principal.administrative_domain
ad_operating_system principal.platform
AD-Account-Name principal.user.userid
target.hostname
AD-Domain principal.group.group_display_name
AD-Domain-Controller target.administrative_domain
AD-Error-Details security_result.description
AD-Forest target.resource.attribute.labels
AD-Groups-Names principal.user.group_identifiers
AD-Host-Candidate-Identities sec_result.detection_fields
AD-IP-Address target.ip
target.asset.ip
AD-Log-Id sec_result.detection_fields
AD-Site target.location.name
AD-Srv-Query security_result.detection_fields
AD-Srv-Record security_result.detection_fields
AD-User-Candidate-Identities principal.user.attribute.labels
AD-User-DNS-Domain network.dns_domain
AD-User-Join-Point target.hostname
target.asset.hostname
AD-User-NetBios-Name principal.user.attribute.labels
AD-User-Qualified-Name principal.user.email_addresses
AD-User-Resolved-DNs principal.user.attribute.labels
AD-User-Resolved-Identities sec_result.detection_fields
principal.user.userid
AD-User-Resolved-Identities
AD-User-SamAccount-Name principal.user.attribute.labels
Admin principal.user.userid
AdminInterface principal.user.attribute.labels
AdminIPAddress principal.ip
AdminName principal.user.userid
affected-dn target.resource.nametarget.resource.attribute.labels
target.resource.resource_type		 target.resource.resource_type => "USER"
Airespace-Wlan-Id additional.fields
allowEasyWiredSession sec_result.detection_fields
additional.fields
AMInstalled security_result.detection_fields
assetDeviceType principal.resource.name
assetIncidentScore security_result.detection_fields
Audit_session_id sec_result.detection_fields
AuditSessionId sec_result.detection_fields
Authen-Reply-Status security_result.detection_fields
AuthenticationIdentityStore sec_result.detection_fields
additional.fields
AuthenticationMethod security_result.detection_fields
AuthenticationResult security_result.action
AuthenticationStatus security_result.action
security_result.action_details
Author-Reply-Status additional.fields
AuthorizationFailureReason security_result.detection_fields
AuthorizationPolicyMatchedRule security_result.rule_name
av-pair-severity security_result.detection_fields
BYODRegistration sec_result.detection_fields
CacheUpdateTime security_result.detection_fields
Called-Station-ID security_result.detection_fields
target.ip
target.mac
Calling-Station-ID security_result.detection_fields
principal.ip
principal.mac
cdpCacheAddressType security_result.detection_fields
cdpCacheVersion security_result.detection_fields
cdpUndefined28 security_result.detection_fields
change-set additional.fields
Chargeable-User-Identity principal.user.attribute.labels
cisco-av-pair additional.fields
security_result.detection_fields
CiscoIOS security_result.detection_fields
Class sec_result.detection_fields
client_type additional.fields
client-iif-id security_result.detection_fields
ClientLatency security_result.detection_fields
additional.fields
CmdSet target.process.command_line
coa-push security_result.detection_fields
CoAClientInstanceDestinationIPAddress target.ip
target.asset.ip
coaReason security_result.detection_fields
coaSourceComponent security_result.detection_fields
coaType security_result.detection_fields
Component security_result.detection_fields
ConfigChangeData security_result.detection_fields
ConfigVersionId sec_result.detection_fields
additional.fields
connect-progress security_result.detection_fields
ConnectionStatus sec_result.detection_fields
ConnectionStatus=Failed security_result.action ="BLOCK"
Constructeurs principal.asset.hardware.manufacturer
counters_kvp event.idm.read_only_udm.target.asset.attribute.labels
CPMSessionID security_result.detection_fields
additional.fields
network.session_id
CreateTime event.idm.read_only_udm.principal.asset.attribute.creation_time
cts_security_group_tag security_result.detection_fields
cts-pac-opaque security_result.detection_fields
datetime metadata.event_timestamp
days_to_expiry security_result.detection_fields
DeltaRadiusRequestCount security_result.detection_fields
DeltaTacacsRequestCount security_result.detection_fields
Description security_result.detection_fields
DestinationIPAddress target.ip
target.asset.ip
DestinationIPAddress target.ip
target.asset.ip
DestinationPort target.port
DetailedInfo sec_result.description
Device_IP_Address principal.ip
principal.asset.ip
device-mac principal.mac
device-platform principal.platform
device-platform-version principal.platform_version
device-public-mac principal.mac
device-type principal.asset.hardware.model
device-uid principal.resource.product_object_id
device-uid-global principal.asset.product_object_id
DeviceIPAddress principal.ip
target.ip
intermediary.ip
DevicePort principal.port
target.port
intermediary.port
DeviceRegistrationStatus sec_result.detection_fields
dhcp-class-identifier security_result.detection_fields
dhcp-parameter-request-list additional.fields
Domaines additional.fields
DoReplicate security_result.detection_fields
DTLSSupport security_result.detection_fields
EAP-Key-Name additional.fields
EapTunnel additional.fields
EmailAddress principal.user.email_addresses
EnableFlag additional.fields
EnableSingleConnect security_result.detection_fields
End-of-LLDPDU security_result.detection_fields
endpoint_id principal.mac
principal.asset.mac
EndpointCertainityMetric sec_result.detection_fields
EndpointIdentityGroup principal.group.group_display_name
EndpointIPAddress principal.asset.ip
EndPointMACAddress principal.mac
principal.asset.mac
EndPointMatchedProfile security_result.about.labels
additional.fields
EndpointNADAddress sec_result.detection_fields
EndpointOUI sec_result.detection_fields
EndpointPolicy principal.asset.platform_software.platform_version
security_result.detection_fields
EndPointPolicyID security_result.detection_fields
EndPointProfilerServer target.hostname
EndpointProperty sec_result.detection_fields
EndPointSource target.resource.attribute.labels
EndpointSourceEvent sec_result.detection_fields
EndpointUserAgent network.http.user_agent
EndPointVersion security_result.detection_fields
epid security_result.detection_fields
Error Message additional.fields
event additional.fields
extended_key_usage_oid additional.fields
external_groups additional.fields
FailureFlag security_result.detection_fields
FailureReason sec_result.detection_fields
additional.fields
FeedService security_result.detection_fields
FirstCollection event.idm.read_only_udm.principal.asset.first_discover_time
foreign_ip intermediary.ip
FQSubjectName security_result.detection_fields
Framed-MTU additional.fields
Framed-Protocol sec_result.detection_fields
FramedIPAddress security_result.detection_fields
group_name principal.group.group_display_name
Header-Flags security_result.detection_fields
HostIdentityGroup additional.fields
IdentityAccessRestricted security_result.detection_fields
IdentityGroup principal.group.group_display_name
IdentityGroupID principal.group.product_object_id
IdentityPolicyMatchedRule sec_result.about.labels
additional.fields
IdentitySelectionMatchedRule sec_result.detection_fields
Idle-Timeout security_result.detection_fields
idletime security_result.detection_fields
IMEI target.asset.product_object_id
inacl_rule security_result.detection_fields
intermediary_hostname intermediary.hostname
ionTimeStamp security_result.detection_fields
ios-version principal.asset.software.version
ip_inacl_rule security_result.detection_fields
ip_source_ip principal.ip
principal.asset.ip
IpAddress principal.ip
principal.asset.ip
IPSEC additional.fields
ise_port principal.port
intermediary.port
ISELocalAddress intermediary.ip
principal.ip
ISEModuleName sec_result.detection_fields
ISEPolicySetName target.resource.name
ISEServiceName sec_result.detection_fields
IsMachineAuthentication security_result.detection_fields
IsMachineIdentity security_result.detection_fields
IsRegistered security_result.detection_fields
Issuer about.labels
IsThirdPartyDeviceFlow sec_result.detection_fields
additional.fields
key_usage additional.fields
LastActivity event.idm.read_only_udm.principal.asset.last_discover_time
LastNmapScanTime sec_result.detection_fields
LicenseType additional.fields
lldpManAddress security_result.detection_fields
lldpPortDescription security_result.detection_fields
lldpPortId security_result.detection_fields
lldpSystemCapabilitiesMap security_result.detection_fields
lldpSystemDescription security_result.detection_fields
lldpTimeToLive security_result.detection_fields
lldpUndefined127 security_result.detection_fields
localport principal.port
Location principal.location.country_or_region
target.location.country_or_region
security_result.detection_fields
log-id metadata.product_log_id
logstash.ingest.host intermediary.hostname
logstash.ingest.timestamp metadata.ingested_timestamp
logstash.irm_environment additional.fields
logstash.irm_region additional.fields
logstash.irm_site additional.fields
logstash.process.host intermediary.hostname
logstash.process.timestamp metadata.collected_timestamp
MAC principal.mac
mac_UserName principal.mac
MacAddress principal.mac
MajorVersion security_result.detection_fields
Manufacturer target.asset.hardware.manufacturer
MatchedPolicy security_result.detection_fields
MatchedPolicyID security_result.rule_id
MDMFailureReason sec_result.detection_fields
MDMServerName metadata.product_name
mDNS security_result.detection_fields
MESSAGE security_result.description
MFCInfoEndpointType principal.asset.asset_type
principal.asset.attribute.labels
MinorVersion security_result.detection_fields
MisconfiguredClientFixReason security_result.detection_fields
Model target.asset.hardware.model
Model_Name principal.asset.attribute.labels
msg_class metadata.description
msg_sev security_result.severity
sec_result.severity_details
msg_text metadata.description
security_result.severity
sec_result.severity_details,security_result.action
msg_text security_result.action
NAD Address principal.ip
NADAddress intermediary.ip
Name principal.group.group_identifiers
nas_ip_address principal.nat_ip
NAS-Identifier principal.labels
NAS-IP-Address principal.nat_ip
principal.ip
NAS-Port principal.port
principal.labels
nas-update security_result.detection_fields
NASIdentifier security_result.detection_fields
principal.labels
NASPort principal.nat_port if valid else to security_result.detection_fields
principal.labels
NASPortId security_result.detection_fields
principal.labels
NASPortType security_result.detection_fields
principal.labels
Network Device Name target.hostname
target.asset.hostname
network_adapter target.resource.name
network_application_protocol_result network.application_protocol
NetworkDeviceGroups sec_result.detection_fields
NetworkDeviceGroups_IPSEC additional.fields
NetworkDeviceProfileId principal.asset.asset_id
NetworkDeviceProfileName principal.asset.attribute.labels
NmapScanCount security_result.detection_fields
ntp_server_1 target.ip
target.asset.ip
ntp_server_2 target.ip
target.asset.ip
ntp_server_3 target.ip
target.asset.ip
ObjectInternalID security_result.detection_fields
ObjectName security_result.about.labels
ObjectType security_result.labout.abels
additional.fields
operating-system-result target.asset.platform_software.platform_version target.platform = WINDOWS
OperatingSystem target.asset.platform_software.platform_version
OperationMessageText sec_result.detection_fields
OperationMessageText about.labels
OUI security_result.detection_fields
pad security_result.detection_fields
PeerAddress target.mac
target.asset.mac
PeerName target.hostname
target.asset.hostname
PhoneNumber principal.user.phone_numbers
platform-version principal.platform_version
PolicyVersion security_result.detection_fields
Port principal.port
target.port
Portal_Name additional.fields
PortalName target.url
PortalUser principal.user.userid
PortalUser_GuestSponsor principal.user.attribute.labels
PortalUser_GuestType principal.user.attribute.labels
PostureApplicable security_result.detection_fields
PostureAssessmentStatus sec_result.detection_fields
additional.fields
PostureExpiry sec_result.detection_fields
PostureStatus sec_result.detection_fields
principal_hostname principal.hostname
principal_ip principal.ip
principal.asset.ip
profile-name security_result.detection_fields
ProfilerServer sec_result.detection_fields
Protocol security_result.detection_fields
r_ip_or_host observer.ip
observer.hostname
intermediary.hostname
intermediary.ip
r_seg_num metadata.product_log_id
RadiusFlowType security_result.about.labels
additional.fields
RadiusPacketType security_result.detection_fields
received_b network.received_bytes
RegisterStatus security_result.rule_name
RegistrationTimeStamp sec_result.detection_fields
RemoteAddress principal.ip
principal.asset.ip
RequestLatency sec_result.detection_fields
additional.fields
RequestResponseTypes security_result.detection_fields
ResponseTime sec_result.detection_fields
SelectedAccessService sec_result.detection_fields
additional.fields
SelectedAuthenticationIdentityStores security_result.detection_fields
SelectedAuthorizationProfiles sec_result.detection_fields
additional.fields
SelectedShellProfile additional.fields
sent_b network.sent_bytes
sequence_num metadata.product_log_id
Sequence-Number security_result.detection_fields
serial_number about.labels
network.tls.server.certificate.serial
server_label principal.asset.attribute.labels
Service-Type sec_result.detection_fields
additional.fields
session-id network.session_id
Session-Timeout network.session_duration
shell_role principal.user.attribute.roles.name
ShutdownReason security_result.detection_fields
SkipProfiling security_result.detection_fields
software_version principal.asset.platform_software.platform_version
Source principal.ip
principal.hostname
source_ip src.ip
source_port src.port
SSID additional.fields
start_time security_result.first_discovered_time
StaticAssignment security_result.detection_fields
StaticGroupAssignment sec_result.detection_fields
Step additional.fields
StepData about.hostname
additional.fields
StepLatency additional.fields
stop_time security_result.last_discovered_time
Subject about.labels
subject_alt_name about.labels
subscriber_command security_result.detection_fields
syslog_host principal.ip
principal.asset.ip
SysStatsCpuCount target.asset.hardware.cpu_number_cores
SysStatsProcessMemoryMB target.asset.hardware.ram
SysStatsUtilizationDiskIO target.asset.attribute.labels
SysStatsUtilizationDiskSpace target.asset.attribute.labels
SysStatsUtilizationLoadAvg target.asset.attribute.labels
SystemDomain principal.asset.network_domain
SystemName principal.hostname
principal.hostname
SystemUser principal.user.userid
SystemUserDomain principal.administrative_domain
target_email target.user.email_addresses
target_group_identifiers target.user.group_identifiers
target_hostname target.hostname
target_ip target.ip
target.asset.ip
target_port target.port
target_user target.user.userid
target.resource.resource_type DISPOSITIVO
task_id additional.fields
TaskId security_result.detection_fields
Template_Name additional.fields
Termination-Action security_result.detection_fields
threshold_value additional.fields
TimeToProfile sec_result.detection_fields
TLSCipher network.tls.cipher
TLSVersion network.tls.version
total_certainty_factor sec_result.detection_fields
TotalAuthenLatency security_result.detection_fields
additional.fields
TotalFailedTime sec_result.detection_fields
Tunnel-Client-Endpoint sec_result.detection_fields
Type additional.fields
undefined-151 additional.fields
UniqueConnectionIdentifier sec_result.detection_fields
UpdateTime sec_result.detection_fields
url-redirect target.url
url-redirect-acl security_result.detection_fields
UseCase sec_result.detection_fields
used_space_value additional.fields
User principal.user.userid
user principal.user.userid
user_display_name principal.user.user_display_name
User-AD-Last-Fetch-Time principal.user.attribute.labels
User-Agent network.http.user_agent
network.http.parsed_user_agent
User-Fetch-Email sec_result.detection_fields
User-Fetch-Last-Name principal.user.last_name
User-Fetch-LocalityName sec_result.detection_fields
User-Fetch-StateOrProvinceName sec_result.detection_fields
User-Name target.user.userid
UserAccountControl principal.user.attribute.labels
UserAgreementStatus security_result.detection_fields
UserName target.user.userid
UserType principal.user.attribute.labels
UseSingleConnect security_result.detection_fields
vlan-id security_result.detection_fields
principal.resource.resource_type Mappato in modo statico a DEVICE.

Riferimento del delta di mappatura UDM

Il 1° dicembre 2025, Google SecOps ha rilasciato una nuova versione del parser Cisco ISE, che include modifiche significative al mapping dei campi di log Cisco ISE ai campi UDM e modifiche al mapping dei tipi di eventi.

Delta della mappatura dei campi di log

A livello globale, il timestamp visualizzato ora dal parser Cisco ISE è il campo log grezzo Event-Timestamp. In precedenza, il timestamp visualizzato dal parser Cisco ISE proveniva dall'intestazione.

La tabella seguente elenca il delta di mappatura per i campi di log-to-UDM di Cisco ISE esposti prima del 1° dicembre 2025 e successivamente (elencati rispettivamente nelle colonne Mappatura precedente e Mappatura attuale):

Campo log Mappatura precedente Mappatura attuale
Acct-Input-Gigawords additional.fields network.received_bytes
Acct-Input-Packets security_result.detection_fields network.received_packets
Acct-Output-Gigawords additional.fields network.sent_bytes
Acct-Output-Packets security_result.detection_fields network.sent_packets
Acct-Session-Id security_result.detection_fields
additional.fields		 security_result.detection_fields
AcsSessionID security_result.detection_fields
additional.fields		 network.session_id
security_result.detection_fields
AD-Log-Id security_result.detection_fields metadata.product_log_id
AD-User-SamAccount-Name principal.user.attribute.labels principal.user.user_display_name
allowEasyWiredSession security_result.detection_fields
additional.fields		 security_result.detection_fields
AuthenticationIdentityStore security_result.detection_fields
additional.fields		 security_result.detection_fields
Calling-Station-ID security_result.detection_fields
additional.fields
principal.ip		 security_result.detection_fields
ClientLatency security_result.detection_fields
additional.fields		 `security_result.detection_fields
ConfigVersionId security_result.detection_fields
additional.fields		 security_result.detection_fields
CPMSessionID security_result.detection_fields
additional.fields
network.sesson_id		 network.sesson_id
DeviceIPAdresstarget.ip target.ip principal.ip
EndPointMatchedProfile security_result.about.labels
additional.fields		 security_result.about.resource.attribute.labels
HostIdentityGroup additional.fields principal.group.group_display_name
IdentityGroup principal.group.group_display_name principal.user.group_identifiers
IdentityPolicyMatchedRule security_result.about.labels
additional.fields		 security_result.rule_labels
IsThirdPartyDeviceFlow security_result.detection_fields
additional.fields		 security_result.detection_fields
Issuer about.labels network.tls.server.certificate.issuer
Location principal.location.country_or_region
target.location.country_or_region,security_result.detection_fields		 principal.location.country_or_region,
NAS Identifier principal.labels principal.asset.attribute.labels
NAS-IP-Address principal.nat_ip,principal.ip
intermediary.ip		 principal.nat_ip,principal.ip,
NAS-Port principal.labels principal.resource.attribute.labels
NAS-Port-Id security_result.detection_fields
principal.labels		 security_result.detection_fields
NAS-Port-Type security_result.detection_fields
principal.labels		 `security_result.detection_fields
NASIdentifier principal.resource.attribute.labels,security_result.detection_fields principal.resource.attribute.labels
NASIdentifier security_result.detection_fields
principal.labels		 security_result.detection_fields
NetworkDeviceGroups_Location intermediary.location.country_or_region principal.location.country_or_region,
Object Name security_result.about.labels security_result.about.resource.attribute.labels
principal.mac se si tratta di un MAC
Object Type security_result.about.labels
additional.fields		 security_result.about.resource.attribute.labels
PostureAssessmentStatus security_result.detection_fields
additional.fields		 security_result.detection_fields
Privilege-Level additional.fields target.user.attribute.permissions.description
ProfilerServer principal.hostname
security_result.detection_fields		 principal.hostname
RadiusFlowType security_result.detection_fields
additional.fields		 security_result.detection_fields
RequestLatency security_result.detection_fields
additional.fields		 security_result.detection_fields
r_msg_id security_result.detection_fields metadata.product_log_id
r_seg_num security_result.detection_fields
additional.fields		 additional.fields
r_total_seg security_result.detection_fields
additional.fields		 additional.fields
SelectedAccessService security_result.detection_fields
additional.fields		 security_result.detection_fields
SelectedAuthorizationProfiles security_result.detection_fields
additional.fields		 security_result.detection_fields
Sequence-Number metadata.product_log_id security_result.detection_fields se AD-Log-Id non è null
Server principal.asset.attribute.labels principal.hostname
principal.asset.hostname
Service-Type security_result.detection_fields
additional.fields		 security_result.detection_fields
serial_number about.labels about.resource.attribute.labels
ShutdownReason security_result.detection_fields security_result.description
Subject about.labels about.resource.attribute.labels
subject_alt_name about.labels about.resource.attribute.labels
subject_alt_name about.labels about.resource.attribute.labels
TotalAuthenLatency security_result.detection_fields
additional.fields		 security_result.detection_fields
total_certainty_factor security_result.detection_fields security_result.confidence_score
UniqueSubjectID additional.fields principal.user.userid.product_object_id
Update Time security_result.detection_fields principal.asset.attribute.last_update_time
User-Fetch-Email security_result.detection_fields principal.user.email_addresses
User-Fetch-LocalityName security_result.detection_fields principal.location.name
User-Fetch-StateOrProvinceName security_result.detection_fields principal.location.state
User Name when [r_cat_name] =~ "CISE_Passed_Authentications" principal.user.userid
target.user.userid		 principal.user.userid
wlan-profile-name security_result.detection_fields principal.user.userid

Delta della mappatura dei tipi di eventi

Più eventi classificati in modo generico ora sono classificati correttamente con tipi di eventi significativi.

La seguente tabella elenca la differenza per la gestione dei tipi di eventi Cisco ISE prima del 1° dicembre 2025 e successivamente (elencati rispettivamente nelle colonne Old event_type e Current event-type):

ID evento da log e logica Old event_type Current event_type
(In base all'evento) [has_resource] == "true" GENERIC_EVENT USER_RESOURCE_ACCESS
[Action] == "Login" NETWORK_CONNECTION USER_LOGIN
[PRAAction] =~ "logoff" NETWORK_CONNECTION USER_LOGOUT
[message] =~ "Administrator-Login" USER_UNCATEGORIZED USER_LOGIN
[message] =~ "Change password failed" USER_LOGIN USER_CHANGE_PASSWORD
[msg_text] =~ "Login Success" USER_UNCATEGORIZED USER_LOGIN

Hai bisogno di ulteriore assistenza? Ricevi risposte dai membri della community e dai professionisti di Google SecOps.