Recolha registos do Cisco ISE

Suportado em:

Este documento descreve como pode recolher registos do Cisco Identify Services Engine (ISE) através de um encaminhador do Google Security Operations.

Para mais informações, consulte o artigo Ingestão de dados no Google Security Operations.

Uma etiqueta de carregamento identifica o analisador que normaliza os dados de registo não processados para o formato UDM estruturado. As informações neste documento aplicam-se ao analisador com a etiqueta de carregamento CISCO_ISE.

Configure o Cisco ISE

  1. Inicie sessão na consola do Cisco ISE com as credenciais de administrador.
  2. Na consola do Cisco ISE, selecione Administration > System > Logging > Remote logging targets.
  3. Na janela Alvos de registo remoto, clique em Adicionar. É apresentada a janela Novo destino de registo.

  4. Na secção Destino de registo, especifique valores para os seguintes campos:

    Campo Descrição
    Nome Nome do encaminhador do Google Security Operations.
    Descrição Descrição do encaminhador do Google Security Operations.
    Tipo Tipo do destino do registo remoto, como syslog.
    Endereço IP Endereço IP do encaminhador do Google Security Operations.
    Tipo de segmentação Selecione TCP syslog ou UDP syslog.
    Porta Use uma porta elevada, como 10514.
    Código da instalação Pode especificar um dos seguintes valores:

    • LOCAL0 (código = 16)
    • LOCAL1 (code = 17)
    • LOCAL2 (code = 18)
    • LOCAL3 (code = 19)
    • LOCAL4 (code = 20)
    • LOCAL5 (code = 21)
    • LOCAL6 (code = 22; predefinição)
    • LOCAL7 (code = 23)
    Comprimento máximo O valor recomendado é 1024.

  5. Clique em Enviar. A janela Alvos de registos remotos é apresentada com a nova configuração do encaminhador do Google Security Operations.

  6. Na consola do Cisco ISE, selecione Administração > Sistema > Registo > Categorias de registo.

  7. Na janela Categorias de registo, selecione as categorias para as quais quer definir o destino syslog remoto e adicione o destino syslog remoto.

    Seguem-se as categorias de exemplo: auditorias AAA, diagnósticos AAA, contabilidade, auditoria administrativa e operacional, auditoria de aprovisionamento de postura e cliente, diagnósticos de aprovisionamento de postura e cliente, criador de perfis, diagnósticos do sistema e estatísticas do sistema.

Configure o encaminhador e o syslog do Google Security Operations para carregar registos do Cisco Secure ACS

  1. Aceda a Definições do SIEM > Encaminhadores.
  2. Clique em Adicionar novo encaminhador.
  3. No campo Nome do encaminhador, introduza um nome exclusivo para o encaminhador.
  4. Clique em Enviar. O encaminhador é adicionado e é apresentada a janela Adicionar configuração do coletor.
  5. No campo Nome do coletor, introduza um nome.
  6. Selecione Cisco ISE como o Tipo de registo.
  7. Selecione Syslog como o tipo de coletor.
  8. Configure os seguintes parâmetros de entrada obrigatórios:
    • Protocolo: especifique o protocolo.
    • Endereço: especifique o endereço IP ou o nome de anfitrião de destino onde o coletor reside e se dirige aos dados do syslog.
    • Porta: especifique a porta de destino onde o coletor reside e ouve os dados de syslog.
  9. Clique em Enviar.

Para mais informações sobre os encaminhadores do Google Security Operations, consulte a documentação dos encaminhadores do Google Security Operations. Para obter informações sobre os requisitos de cada tipo de encaminhador, consulte o artigo Configuração do encaminhador por tipo. Se tiver problemas ao criar encaminhamentos, contacte o apoio técnico das operações de segurança da Google.

Referência de mapeamento de campos

Este analisador extrai registos do Cisco ISE de mensagens syslog, normaliza os dados para o formato UDM e enriquece o evento com contexto adicional. Processa várias categorias de registos de ISE, incluindo sucessos e falhas de autenticação, auditorias administrativas, estatísticas do sistema e muito mais, mapeando campos relevantes para o esquema UDM e adicionando etiquetas específicas para uma análise detalhada.

Tabela de mapeamento da UDM

Campo de registo Mapeamento do UDM Observação
AAA_Event security_result.detection_fields
AAA_Security_Result.detection_fields aaa_service
ac-user-agent network.http.user_agent
Acct-Authentic security_result.detection_fields
Acct-Delay-Time security_result.detection_fields
Acct-Input-Octets security_result.detection_fields
Acct-Input-Packets security_result.detection_fields
Acct-Output-Octets security_result.detection_fields
Acct-Output-Packets security_result.detection_fields
Acct-Session-Id sec_result.detection_fields
additional.fields
Acct-Session-Time security_result.detection_fields
Acct-Status-Type security_result.detection_fields
Acct-Terminate-Cause security_result.detection_fields
AcctReply-Status security_result.detection_fields
AcctRequest-Flags security_result.detection_fields
ACS_CiscoSecure_Defined_ACL security_result.detection_fields
AcsSessionID sec_result.detection_fields
additional.fields
Action security_result.action_details
action_details security_result.action_details
ActiveSessionCount security_result.detection_fields
ad_identifier about.hostname
ad_join_point principal.administrative_domain
ad_operating_system principal.platform
AD-Account-Name principal.user.userid
target.hostname
AD-Domain principal.group.group_display_name
AD-Domain-Controller target.administrative_domain
AD-Error-Details security_result.description
AD-Forest target.resource.attribute.labels
AD-Groups-Names principal.user.group_identifiers
AD-Host-Candidate-Identities sec_result.detection_fields
AD-IP-Address target.ip
target.asset.ip
AD-Log-Id sec_result.detection_fields
AD-Site target.location.name
AD-Srv-Query security_result.detection_fields
AD-Srv-Record security_result.detection_fields
AD-User-Candidate-Identities principal.user.attribute.labels
AD-User-DNS-Domain network.dns_domain
AD-User-Join-Point target.hostname
target.asset.hostname
AD-User-NetBios-Name principal.user.attribute.labels
AD-User-Qualified-Name principal.user.email_addresses
AD-User-Resolved-DNs principal.user.attribute.labels
AD-User-Resolved-Identities sec_result.detection_fields
principal.user.userid
AD-User-Resolved-Identities
AD-User-SamAccount-Name principal.user.attribute.labels
Admin principal.user.userid
AdminInterface principal.user.attribute.labels
AdminIPAddress principal.ip
AdminName principal.user.userid
affected-dn target.resource.nametarget.resource.attribute.labels
target.resource.resource_type		 target.resource.resource_type => "USER"
Airespace-Wlan-Id additional.fields
allowEasyWiredSession sec_result.detection_fields
additional.fields
AMInstalled security_result.detection_fields
assetDeviceType principal.resource.name
assetIncidentScore security_result.detection_fields
Audit_session_id sec_result.detection_fields
AuditSessionId sec_result.detection_fields
Authen-Reply-Status security_result.detection_fields
AuthenticationIdentityStore sec_result.detection_fields
additional.fields
AuthenticationMethod security_result.detection_fields
AuthenticationResult security_result.action
AuthenticationStatus security_result.action
security_result.action_details
Author-Reply-Status additional.fields
AuthorizationFailureReason security_result.detection_fields
AuthorizationPolicyMatchedRule security_result.rule_name
av-pair-severity security_result.detection_fields
BYODRegistration sec_result.detection_fields
CacheUpdateTime security_result.detection_fields
Called-Station-ID security_result.detection_fields
target.ip
target.mac
Calling-Station-ID security_result.detection_fields
principal.ip
principal.mac
cdpCacheAddressType security_result.detection_fields
cdpCacheVersion security_result.detection_fields
cdpUndefined28 security_result.detection_fields
change-set additional.fields
Chargeable-User-Identity principal.user.attribute.labels
cisco-av-pair additional.fields
security_result.detection_fields
CiscoIOS security_result.detection_fields
Class sec_result.detection_fields
client_type additional.fields
client-iif-id security_result.detection_fields
ClientLatency security_result.detection_fields
additional.fields
CmdSet target.process.command_line
coa-push security_result.detection_fields
CoAClientInstanceDestinationIPAddress target.ip
target.asset.ip
coaReason security_result.detection_fields
coaSourceComponent security_result.detection_fields
coaType security_result.detection_fields
Component security_result.detection_fields
ConfigChangeData security_result.detection_fields
ConfigVersionId sec_result.detection_fields
additional.fields
connect-progress security_result.detection_fields
ConnectionStatus sec_result.detection_fields
ConnectionStatus=Failed security_result.action ="BLOCK"
Constructeurs principal.asset.hardware.manufacturer
counters_kvp event.idm.read_only_udm.target.asset.attribute.labels
CPMSessionID security_result.detection_fields
additional.fields
network.session_id
CreateTime event.idm.read_only_udm.principal.asset.attribute.creation_time
cts_security_group_tag security_result.detection_fields
cts-pac-opaque security_result.detection_fields
datetime metadata.event_timestamp
days_to_expiry security_result.detection_fields
DeltaRadiusRequestCount security_result.detection_fields
DeltaTacacsRequestCount security_result.detection_fields
Description security_result.detection_fields
DestinationIPAddress target.ip
target.asset.ip
DestinationIPAddress target.ip
target.asset.ip
DestinationPort target.port
DetailedInfo sec_result.description
Device_IP_Address principal.ip
principal.asset.ip
device-mac principal.mac
device-platform principal.platform
device-platform-version principal.platform_version
device-public-mac principal.mac
device-type principal.asset.hardware.model
device-uid principal.resource.product_object_id
device-uid-global principal.asset.product_object_id
DeviceIPAddress principal.ip
target.ip
intermediary.ip
DevicePort principal.port
target.port
intermediary.port
DeviceRegistrationStatus sec_result.detection_fields
dhcp-class-identifier security_result.detection_fields
dhcp-parameter-request-list additional.fields
Domaines additional.fields
DoReplicate security_result.detection_fields
DTLSSupport security_result.detection_fields
EAP-Key-Name additional.fields
EapTunnel additional.fields
EmailAddress principal.user.email_addresses
EnableFlag additional.fields
EnableSingleConnect security_result.detection_fields
End-of-LLDPDU security_result.detection_fields
endpoint_id principal.mac
principal.asset.mac
EndpointCertainityMetric sec_result.detection_fields
EndpointIdentityGroup principal.group.group_display_name
EndpointIPAddress principal.asset.ip
EndPointMACAddress principal.mac
principal.asset.mac
EndPointMatchedProfile security_result.about.labels
additional.fields
EndpointNADAddress sec_result.detection_fields
EndpointOUI sec_result.detection_fields
EndpointPolicy principal.asset.platform_software.platform_version
security_result.detection_fields
EndPointPolicyID security_result.detection_fields
EndPointProfilerServer target.hostname
EndpointProperty sec_result.detection_fields
EndPointSource target.resource.attribute.labels
EndpointSourceEvent sec_result.detection_fields
EndpointUserAgent network.http.user_agent
EndPointVersion security_result.detection_fields
epid security_result.detection_fields
Error Message additional.fields
event additional.fields
extended_key_usage_oid additional.fields
external_groups additional.fields
FailureFlag security_result.detection_fields
FailureReason sec_result.detection_fields
additional.fields
FeedService security_result.detection_fields
FirstCollection event.idm.read_only_udm.principal.asset.first_discover_time
foreign_ip intermediary.ip
FQSubjectName security_result.detection_fields
Framed-MTU additional.fields
Framed-Protocol sec_result.detection_fields
FramedIPAddress security_result.detection_fields
group_name principal.group.group_display_name
Header-Flags security_result.detection_fields
HostIdentityGroup additional.fields
IdentityAccessRestricted security_result.detection_fields
IdentityGroup principal.group.group_display_name
IdentityGroupID principal.group.product_object_id
IdentityPolicyMatchedRule sec_result.about.labels
additional.fields
IdentitySelectionMatchedRule sec_result.detection_fields
Idle-Timeout security_result.detection_fields
idletime security_result.detection_fields
IMEI target.asset.product_object_id
inacl_rule security_result.detection_fields
intermediary_hostname intermediary.hostname
ionTimeStamp security_result.detection_fields
ios-version principal.asset.software.version
ip_inacl_rule security_result.detection_fields
ip_source_ip principal.ip
principal.asset.ip
IpAddress principal.ip
principal.asset.ip
IPSEC additional.fields
ise_port principal.port
intermediary.port
ISELocalAddress intermediary.ip
principal.ip
ISEModuleName sec_result.detection_fields
ISEPolicySetName target.resource.name
ISEServiceName sec_result.detection_fields
IsMachineAuthentication security_result.detection_fields
IsMachineIdentity security_result.detection_fields
IsRegistered security_result.detection_fields
Issuer about.labels
IsThirdPartyDeviceFlow sec_result.detection_fields
additional.fields
key_usage additional.fields
LastActivity event.idm.read_only_udm.principal.asset.last_discover_time
LastNmapScanTime sec_result.detection_fields
LicenseType additional.fields
lldpManAddress security_result.detection_fields
lldpPortDescription security_result.detection_fields
lldpPortId security_result.detection_fields
lldpSystemCapabilitiesMap security_result.detection_fields
lldpSystemDescription security_result.detection_fields
lldpTimeToLive security_result.detection_fields
lldpUndefined127 security_result.detection_fields
localport principal.port
Location principal.location.country_or_region
target.location.country_or_region
security_result.detection_fields
log-id metadata.product_log_id
logstash.ingest.host intermediary.hostname
logstash.ingest.timestamp metadata.ingested_timestamp
logstash.irm_environment additional.fields
logstash.irm_region additional.fields
logstash.irm_site additional.fields
logstash.process.host intermediary.hostname
logstash.process.timestamp metadata.collected_timestamp
MAC principal.mac
mac_UserName principal.mac
MacAddress principal.mac
MajorVersion security_result.detection_fields
Manufacturer target.asset.hardware.manufacturer
MatchedPolicy security_result.detection_fields
MatchedPolicyID security_result.rule_id
MDMFailureReason sec_result.detection_fields
MDMServerName metadata.product_name
mDNS security_result.detection_fields
MESSAGE security_result.description
MFCInfoEndpointType principal.asset.asset_type
principal.asset.attribute.labels
MinorVersion security_result.detection_fields
MisconfiguredClientFixReason security_result.detection_fields
Model target.asset.hardware.model
Model_Name principal.asset.attribute.labels
msg_class metadata.description
msg_sev security_result.severity
sec_result.severity_details
msg_text metadata.description
security_result.severity
sec_result.severity_details,security_result.action
msg_text security_result.action
NAD Address principal.ip
NADAddress intermediary.ip
Name principal.group.group_identifiers
nas_ip_address principal.nat_ip
NAS-Identifier principal.labels
NAS-IP-Address principal.nat_ip
principal.ip
NAS-Port principal.port
principal.labels
nas-update security_result.detection_fields
NASIdentifier security_result.detection_fields
principal.labels
NASPort principal.nat_port if valid else to security_result.detection_fields
principal.labels
NASPortId security_result.detection_fields
principal.labels
NASPortType security_result.detection_fields
principal.labels
Network Device Name target.hostname
target.asset.hostname
network_adapter target.resource.name
network_application_protocol_result network.application_protocol
NetworkDeviceGroups sec_result.detection_fields
NetworkDeviceGroups_IPSEC additional.fields
NetworkDeviceProfileId principal.asset.asset_id
NetworkDeviceProfileName principal.asset.attribute.labels
NmapScanCount security_result.detection_fields
ntp_server_1 target.ip
target.asset.ip
ntp_server_2 target.ip
target.asset.ip
ntp_server_3 target.ip
target.asset.ip
ObjectInternalID security_result.detection_fields
ObjectName security_result.about.labels
ObjectType security_result.labout.abels
additional.fields
operating-system-result target.asset.platform_software.platform_version target.platform = WINDOWS
OperatingSystem target.asset.platform_software.platform_version
OperationMessageText sec_result.detection_fields
OperationMessageText about.labels
OUI security_result.detection_fields
pad security_result.detection_fields
PeerAddress target.mac
target.asset.mac
PeerName target.hostname
target.asset.hostname
PhoneNumber principal.user.phone_numbers
platform-version principal.platform_version
PolicyVersion security_result.detection_fields
Port principal.port
target.port
Portal_Name additional.fields
PortalName target.url
PortalUser principal.user.userid
PortalUser_GuestSponsor principal.user.attribute.labels
PortalUser_GuestType principal.user.attribute.labels
PostureApplicable security_result.detection_fields
PostureAssessmentStatus sec_result.detection_fields
additional.fields
PostureExpiry sec_result.detection_fields
PostureStatus sec_result.detection_fields
principal_hostname principal.hostname
principal_ip principal.ip
principal.asset.ip
profile-name security_result.detection_fields
ProfilerServer sec_result.detection_fields
Protocol security_result.detection_fields
r_ip_or_host observer.ip
observer.hostname
intermediary.hostname
intermediary.ip
r_seg_num metadata.product_log_id
RadiusFlowType security_result.about.labels
additional.fields
RadiusPacketType security_result.detection_fields
received_b network.received_bytes
RegisterStatus security_result.rule_name
RegistrationTimeStamp sec_result.detection_fields
RemoteAddress principal.ip
principal.asset.ip
RequestLatency sec_result.detection_fields
additional.fields
RequestResponseTypes security_result.detection_fields
ResponseTime sec_result.detection_fields
SelectedAccessService sec_result.detection_fields
additional.fields
SelectedAuthenticationIdentityStores security_result.detection_fields
SelectedAuthorizationProfiles sec_result.detection_fields
additional.fields
SelectedShellProfile additional.fields
sent_b network.sent_bytes
sequence_num metadata.product_log_id
Sequence-Number security_result.detection_fields
serial_number about.labels
network.tls.server.certificate.serial
server_label principal.asset.attribute.labels
Service-Type sec_result.detection_fields
additional.fields
session-id network.session_id
Session-Timeout network.session_duration
shell_role principal.user.attribute.roles.name
ShutdownReason security_result.detection_fields
SkipProfiling security_result.detection_fields
software_version principal.asset.platform_software.platform_version
Source principal.ip
principal.hostname
source_ip src.ip
source_port src.port
SSID additional.fields
start_time security_result.first_discovered_time
StaticAssignment security_result.detection_fields
StaticGroupAssignment sec_result.detection_fields
Step additional.fields
StepData about.hostname
additional.fields
StepLatency additional.fields
stop_time security_result.last_discovered_time
Subject about.labels
subject_alt_name about.labels
subscriber_command security_result.detection_fields
syslog_host principal.ip
principal.asset.ip
SysStatsCpuCount target.asset.hardware.cpu_number_cores
SysStatsProcessMemoryMB target.asset.hardware.ram
SysStatsUtilizationDiskIO target.asset.attribute.labels
SysStatsUtilizationDiskSpace target.asset.attribute.labels
SysStatsUtilizationLoadAvg target.asset.attribute.labels
SystemDomain principal.asset.network_domain
SystemName principal.hostname
principal.hostname
SystemUser principal.user.userid
SystemUserDomain principal.administrative_domain
target_email target.user.email_addresses
target_group_identifiers target.user.group_identifiers
target_hostname target.hostname
target_ip target.ip
target.asset.ip
target_port target.port
target_user target.user.userid
target.resource.resource_type DISPOSITIVO
task_id additional.fields
TaskId security_result.detection_fields
Template_Name additional.fields
Termination-Action security_result.detection_fields
threshold_value additional.fields
TimeToProfile sec_result.detection_fields
TLSCipher network.tls.cipher
TLSVersion network.tls.version
total_certainty_factor sec_result.detection_fields
TotalAuthenLatency security_result.detection_fields
additional.fields
TotalFailedTime sec_result.detection_fields
Tunnel-Client-Endpoint sec_result.detection_fields
Type additional.fields
undefined-151 additional.fields
UniqueConnectionIdentifier sec_result.detection_fields
UpdateTime sec_result.detection_fields
url-redirect target.url
url-redirect-acl security_result.detection_fields
UseCase sec_result.detection_fields
used_space_value additional.fields
User principal.user.userid
user principal.user.userid
user_display_name principal.user.user_display_name
User-AD-Last-Fetch-Time principal.user.attribute.labels
User-Agent network.http.user_agent
network.http.parsed_user_agent
User-Fetch-Email sec_result.detection_fields
User-Fetch-Last-Name principal.user.last_name
User-Fetch-LocalityName sec_result.detection_fields
User-Fetch-StateOrProvinceName sec_result.detection_fields
User-Name target.user.userid
UserAccountControl principal.user.attribute.labels
UserAgreementStatus security_result.detection_fields
UserName target.user.userid
UserType principal.user.attribute.labels
UseSingleConnect security_result.detection_fields
vlan-id security_result.detection_fields
principal.resource.resource_type Mapeado estaticamente para DEVICE.

Referência delta do mapeamento de UDM

A 1 de dezembro de 2025, a Google SecOps lançou uma nova versão do analisador Cisco ISE, que inclui alterações significativas ao mapeamento de campos de registo do Cisco ISE para campos UDM e alterações ao mapeamento de tipos de eventos.

Delta do mapeamento de campos de registo

A nível global, a data/hora apresentada pelo analisador Cisco ISE é agora o campo de registo não processado Event-Timestamp. Anteriormente, a data/hora apresentada pelo analisador Cisco ISE era do cabeçalho.

A tabela seguinte indica a diferença de mapeamento para os campos de registo para UDM do Cisco ISE expostos antes de 1 de dezembro de 2025 e posteriormente (indicados nas colunas Mapeamento antigo e Mapeamento atual, respetivamente):

Campo de registo Mapeamento antigo Mapeamento atual
Acct-Input-Gigawords additional.fields network.received_bytes
Acct-Input-Packets security_result.detection_fields network.received_packets
Acct-Output-Gigawords additional.fields network.sent_bytes
Acct-Output-Packets security_result.detection_fields network.sent_packets
Acct-Session-Id security_result.detection_fields
additional.fields		 security_result.detection_fields
AcsSessionID security_result.detection_fields
additional.fields		 network.session_id
security_result.detection_fields
AD-Log-Id security_result.detection_fields metadata.product_log_id
AD-User-SamAccount-Name principal.user.attribute.labels principal.user.user_display_name
allowEasyWiredSession security_result.detection_fields
additional.fields		 security_result.detection_fields
AuthenticationIdentityStore security_result.detection_fields
additional.fields		 security_result.detection_fields
Calling-Station-ID security_result.detection_fields
additional.fields
principal.ip		 security_result.detection_fields
ClientLatency security_result.detection_fields
additional.fields		 `security_result.detection_fields
ConfigVersionId security_result.detection_fields
additional.fields		 security_result.detection_fields
CPMSessionID security_result.detection_fields
additional.fields
network.sesson_id		 network.sesson_id
DeviceIPAdresstarget.ip target.ip principal.ip
EndPointMatchedProfile security_result.about.labels
additional.fields		 security_result.about.resource.attribute.labels
HostIdentityGroup additional.fields principal.group.group_display_name
IdentityGroup principal.group.group_display_name principal.user.group_identifiers
IdentityPolicyMatchedRule security_result.about.labels
additional.fields		 security_result.rule_labels
IsThirdPartyDeviceFlow security_result.detection_fields
additional.fields		 security_result.detection_fields
Issuer about.labels network.tls.server.certificate.issuer
Location principal.location.country_or_region
target.location.country_or_region,security_result.detection_fields		 principal.location.country_or_region,
NAS Identifier principal.labels principal.asset.attribute.labels
NAS-IP-Address principal.nat_ip,principal.ip
intermediary.ip		 principal.nat_ip,principal.ip,
NAS-Port principal.labels principal.resource.attribute.labels
NAS-Port-Id security_result.detection_fields
principal.labels		 security_result.detection_fields
NAS-Port-Type security_result.detection_fields
principal.labels		 `security_result.detection_fields
NASIdentifier principal.resource.attribute.labels,security_result.detection_fields principal.resource.attribute.labels
NASIdentifier security_result.detection_fields
principal.labels		 security_result.detection_fields
NetworkDeviceGroups_Location intermediary.location.country_or_region principal.location.country_or_region,
Object Name security_result.about.labels security_result.about.resource.attribute.labels
principal.mac se for um MAC
Object Type security_result.about.labels
additional.fields		 security_result.about.resource.attribute.labels
PostureAssessmentStatus security_result.detection_fields
additional.fields		 security_result.detection_fields
Privilege-Level additional.fields target.user.attribute.permissions.description
ProfilerServer principal.hostname
security_result.detection_fields		 principal.hostname
RadiusFlowType security_result.detection_fields
additional.fields		 security_result.detection_fields
RequestLatency security_result.detection_fields
additional.fields		 security_result.detection_fields
r_msg_id security_result.detection_fields metadata.product_log_id
r_seg_num security_result.detection_fields
additional.fields		 additional.fields
r_total_seg security_result.detection_fields
additional.fields		 additional.fields
SelectedAccessService security_result.detection_fields
additional.fields		 security_result.detection_fields
SelectedAuthorizationProfiles security_result.detection_fields
additional.fields		 security_result.detection_fields
Sequence-Number metadata.product_log_id security_result.detection_fields se AD-Log-Id não for nulo
Server principal.asset.attribute.labels principal.hostname
principal.asset.hostname
Service-Type security_result.detection_fields
additional.fields		 security_result.detection_fields
serial_number about.labels about.resource.attribute.labels
ShutdownReason security_result.detection_fields security_result.description
Subject about.labels about.resource.attribute.labels
subject_alt_name about.labels about.resource.attribute.labels
subject_alt_name about.labels about.resource.attribute.labels
TotalAuthenLatency security_result.detection_fields
additional.fields		 security_result.detection_fields
total_certainty_factor security_result.detection_fields security_result.confidence_score
UniqueSubjectID additional.fields principal.user.userid.product_object_id
Update Time security_result.detection_fields principal.asset.attribute.last_update_time
User-Fetch-Email security_result.detection_fields principal.user.email_addresses
User-Fetch-LocalityName security_result.detection_fields principal.location.name
User-Fetch-StateOrProvinceName security_result.detection_fields principal.location.state
User Name when [r_cat_name] =~ "CISE_Passed_Authentications" principal.user.userid
target.user.userid		 principal.user.userid
wlan-profile-name security_result.detection_fields principal.user.userid

Diferença do mapeamento do tipo de evento

Vários eventos que foram classificados genericamente são agora classificados corretamente com tipos de eventos significativos.

A tabela seguinte apresenta a diferença no processamento dos tipos de eventos do Cisco ISE antes de 1 de dezembro de 2025 e posteriormente (indicados nas colunas Old event_type e Current event-type, respetivamente):

ID do evento a partir do registo e da lógica Old event_type Current event_type
(Com base no evento) [has_resource] == "true" GENERIC_EVENT USER_RESOURCE_ACCESS
[Action] == "Login" NETWORK_CONNECTION USER_LOGIN
[PRAAction] =~ "logoff" NETWORK_CONNECTION USER_LOGOUT
[message] =~ "Administrator-Login" USER_UNCATEGORIZED USER_LOGIN
[message] =~ "Change password failed" USER_LOGIN USER_CHANGE_PASSWORD
[msg_text] =~ "Login Success" USER_UNCATEGORIZED USER_LOGIN

Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais da Google SecOps.