Esta página foi traduzida pela API Cloud Translation.

Coletar registros do Cisco ISE

Compatível com:

Google SecOps SIEM

Neste documento, descrevemos como coletar registros do Cisco Identity Services Engine (ISE) usando um encaminhador do Google Security Operations.

Para mais informações, consulte Ingestão de dados no Google Security Operations.

Um rótulo de ingestão identifica o analisador que normaliza dados de registro brutos para o formato UDM estruturado. As informações neste documento se aplicam ao analisador com o rótulo de ingestão CISCO_ISE.

Configurar o Cisco ISE

Faça login no console do Cisco ISE usando as credenciais de administrador.
No console do Cisco ISE, selecione Administração > Sistema > Registro em log > Destinos de registro em log remoto.
Na janela Destinos de geração de registros remotos, clique em Adicionar. A janela Novo destino de geração de registros será exibida.

Na seção Destino de geração de registros, especifique valores para os seguintes campos:

Campo	Descrição
Nome	Nome do encaminhador do Google Security Operations.
Descrição	Descrição do encaminhador do Google Security Operations.
Tipo	Tipo de destino de registro remoto, como syslog.
Endereço IP	Endereço IP do encaminhador do Google Security Operations.
Tipo de destino	Selecione "Syslog TCP" ou "Syslog UDP".
Porta	Use uma porta alta, como 10514.
Código da unidade	É possível especificar um dos seguintes valores: LOCAL0 (código = 16) LOCAL1 (código = 17) LOCAL2 (código = 18) LOCAL3 (código = 19) LOCAL4 (código = 20) LOCAL5 (código = 21) LOCAL6 (código = 22; padrão) LOCAL7 (código = 23)
Comprimento máximo	O valor recomendado é 1024.

Clique em Enviar. A janela Destinos de registros remotos aparece com a nova configuração de encaminhador do Google Security Operations.
No console do Cisco ISE, selecione Administração > Sistema > Geração de registros > Categorias de geração de registros.
Na janela Categorias de geração de registros, selecione as categorias para as quais você quer definir o destino syslog remoto e adicione o destino syslog remoto.

As categorias de amostra são: auditorias de AAA, diagnósticos de AAA, contabilidade, auditoria administrativa e operacional, auditoria de postura e provisionamento de clientes, diagnósticos de postura e provisionamento de clientes, criador de perfil, diagnósticos do sistema e estatísticas do sistema.

Configurar o encaminhador do Google Security Operations e o syslog para ingerir registros do Cisco Secure ACS

Acesse Configurações do SIEM > Encaminhadores.
Clique em Adicionar novo encaminhador.
No campo Nome do encaminhador, insira um nome exclusivo para ele.
Clique em Enviar. O encaminhador é adicionado, e a janela Adicionar configuração do coletor aparece.
No campo Nome do coletor, digite um nome.
Selecione Cisco ISE como o Tipo de registro.
Selecione Syslog como o Tipo de coletor.
Configure os seguintes parâmetros de entrada obrigatórios:
- Protocolo: especifique o protocolo.
- Endereço: especifique o endereço IP ou o nome do host de destino em que o coletor está localizado e os endereços dos dados do syslog.
- Porta: especifique a porta de destino em que o coletor reside e detecta dados do syslog.
Clique em Enviar.

Para mais informações sobre encaminhadores do Google Security Operations, consulte a documentação sobre encaminhadores do Google Security Operations. Para informações sobre os requisitos de cada tipo de encaminhador, consulte Configuração do encaminhador por tipo. Se você tiver problemas ao criar encaminhadores, entre em contato com o suporte do Google Security Operations.

Referência de mapeamento de campos

Esse analisador extrai registros do Cisco ISE de mensagens syslog, normaliza os dados no formato UDM e enriquece o evento com mais contexto. Ele processa várias categorias de registros do ISE, incluindo sucessos e falhas de autenticação, auditorias administrativas, estatísticas do sistema e muito mais, mapeando campos relevantes para o esquema do UDM e adicionando rótulos específicos para uma análise detalhada.

Tabela de mapeamento do UDM

Campo de registro	Mapeamento do UDM	Observação
`AAA_Event`	`security_result.detection_fields`
`AAA_Security_Result.detection_fields`	`aaa_service`
`ac-user-agent`	`network.http.user_agent`
`Acct-Authentic`	`security_result.detection_fields`
`Acct-Delay-Time`	`security_result.detection_fields`
`Acct-Input-Octets`	`security_result.detection_fields`
`Acct-Input-Packets`	`security_result.detection_fields`
`Acct-Output-Octets`	`security_result.detection_fields`
`Acct-Output-Packets`	`security_result.detection_fields`
`Acct-Session-Id`	`sec_result.detection_fields` `additional.fields`
`Acct-Session-Time`	`security_result.detection_fields`
`Acct-Status-Type`	`security_result.detection_fields`
`Acct-Terminate-Cause`	`security_result.detection_fields`
`AcctReply-Status`	`security_result.detection_fields`
`AcctRequest-Flags`	`security_result.detection_fields`
`ACS_CiscoSecure_Defined_ACL`	`security_result.detection_fields`
`AcsSessionID`	`sec_result.detection_fields` `additional.fields`
`Action`	`security_result.action_details`
`action_details`	`security_result.action_details`
`ActiveSessionCount`	`security_result.detection_fields`
`ad_identifier`	`about.hostname`
`ad_join_point`	`principal.administrative_domain`
`ad_operating_system`	`principal.platform`
`AD-Account-Name`	`principal.user.userid` `target.hostname`
`AD-Domain`	`principal.group.group_display_name`
`AD-Domain-Controller`	`target.administrative_domain`
`AD-Error-Details`	`security_result.description`
`AD-Forest`	`target.resource.attribute.labels`
`AD-Groups-Names`	`principal.user.group_identifiers`
`AD-Host-Candidate-Identities`	`sec_result.detection_fields`
`AD-IP-Address`	`target.ip` `target.asset.ip`
`AD-Log-Id`	`sec_result.detection_fields`
`AD-Site`	`target.location.name`
`AD-Srv-Query`	`security_result.detection_fields`
`AD-Srv-Record`	`security_result.detection_fields`
`AD-User-Candidate-Identities`	`principal.user.attribute.labels`
`AD-User-DNS-Domain`	`network.dns_domain`
`AD-User-Join-Point`	`target.hostname` `target.asset.hostname`
`AD-User-NetBios-Name`	`principal.user.attribute.labels`
`AD-User-Qualified-Name`	`principal.user.email_addresses`
`AD-User-Resolved-DNs`	`principal.user.attribute.labels`
`AD-User-Resolved-Identities`	`sec_result.detection_fields` `principal.user.userid`
`AD-User-Resolved-Identities`
`AD-User-SamAccount-Name`	`principal.user.attribute.labels`
`Admin`	`principal.user.userid`
`AdminInterface`	`principal.user.attribute.labels`
`AdminIPAddress`	`principal.ip`
`AdminName`	`principal.user.userid`
`affected-dn`	`target.resource.nametarget.resource.attribute.labels` `target.resource.resource_type`	`target.resource.resource_type` => `"USER"`
`Airespace-Wlan-Id`	`additional.fields`
`allowEasyWiredSession`	`sec_result.detection_fields` `additional.fields`
`AMInstalled`	`security_result.detection_fields`
`assetDeviceType`	`principal.resource.name`
`assetIncidentScore`	`security_result.detection_fields`
`Audit_session_id`	`sec_result.detection_fields`
`AuditSessionId`	`sec_result.detection_fields`
`Authen-Reply-Status`	`security_result.detection_fields`
`AuthenticationIdentityStore`	`sec_result.detection_fields` `additional.fields`
`AuthenticationMethod`	`security_result.detection_fields`
`AuthenticationResult`	`security_result.action`
`AuthenticationStatus`	`security_result.action` `security_result.action_details`
`Author-Reply-Status`	`additional.fields`
`AuthorizationFailureReason`	`security_result.detection_fields`
`AuthorizationPolicyMatchedRule`	`security_result.rule_name`
`av-pair-severity`	`security_result.detection_fields`
`BYODRegistration`	`sec_result.detection_fields`
`CacheUpdateTime`	`security_result.detection_fields`
`Called-Station-ID`	`security_result.detection_fields` `target.ip` `target.mac`
`Calling-Station-ID`	`security_result.detection_fields` `principal.ip` `principal.mac`
`cdpCacheAddressType`	`security_result.detection_fields`
`cdpCacheVersion`	`security_result.detection_fields`
`cdpUndefined28`	`security_result.detection_fields`
`change-set`	`additional.fields`
`Chargeable-User-Identity`	`principal.user.attribute.labels`
`cisco-av-pair`	`additional.fields` `security_result.detection_fields`
`CiscoIOS`	`security_result.detection_fields`
`Class`	`sec_result.detection_fields`
`client_type`	`additional.fields`
`client-iif-id`	`security_result.detection_fields`
`ClientLatency`	`security_result.detection_fields` `additional.fields`
`CmdSet`	`target.process.command_line`
`coa-push`	`security_result.detection_fields`
`CoAClientInstanceDestinationIPAddress`	`target.ip` `target.asset.ip`
`coaReason`	`security_result.detection_fields`
`coaSourceComponent`	`security_result.detection_fields`
`coaType`	`security_result.detection_fields`
`Component`	`security_result.detection_fields`
`ConfigChangeData`	`security_result.detection_fields`
`ConfigVersionId`	`sec_result.detection_fields` `additional.fields`
`connect-progress`	`security_result.detection_fields`
`ConnectionStatus`	`sec_result.detection_fields`
`ConnectionStatus=Failed`	`security_result.action ="BLOCK"`
`Constructeurs`	`principal.asset.hardware.manufacturer`
`counters_kvp`	`event.idm.read_only_udm.target.asset.attribute.labels`
`CPMSessionID`	`security_result.detection_fields` `additional.fields` `network.session_id`
`CreateTime`	`event.idm.read_only_udm.principal.asset.attribute.creation_time`
`cts_security_group_tag`	`security_result.detection_fields`
`cts-pac-opaque`	`security_result.detection_fields`
`datetime`	`metadata.event_timestamp`
`days_to_expiry`	`security_result.detection_fields`
`DeltaRadiusRequestCount`	`security_result.detection_fields`
`DeltaTacacsRequestCount`	`security_result.detection_fields`
`Description`	`security_result.detection_fields`
`DestinationIPAddress`	`target.ip` `target.asset.ip`
`DestinationIPAddress`	`target.ip` `target.asset.ip`
`DestinationPort`	`target.port`
`DetailedInfo`	`sec_result.description`
`Device_IP_Address`	`principal.ip` `principal.asset.ip`
`device-mac`	`principal.mac`
`device-platform`	`principal.platform`
`device-platform-version`	`principal.platform_version`
`device-public-mac`	`principal.mac`
`device-type`	`principal.asset.hardware.model`
`device-uid`	`principal.resource.product_object_id`
`device-uid-global`	`principal.asset.product_object_id`
`DeviceIPAddress`	`principal.ip` `target.ip` `intermediary.ip`
`DevicePort`	`principal.port` `target.port` `intermediary.port`
`DeviceRegistrationStatus`	`sec_result.detection_fields`
`dhcp-class-identifier`	`security_result.detection_fields`
`dhcp-parameter-request-list`	`additional.fields`
`Domaines`	`additional.fields`
`DoReplicate`	`security_result.detection_fields`
`DTLSSupport`	`security_result.detection_fields`
`EAP-Key-Name`	`additional.fields`
`EapTunnel`	`additional.fields`
`EmailAddress`	`principal.user.email_addresses`
`EnableFlag`	`additional.fields`
`EnableSingleConnect`	`security_result.detection_fields`
`End-of-LLDPDU`	`security_result.detection_fields`
`endpoint_id`	`principal.mac` `principal.asset.mac`
`EndpointCertainityMetric`	`sec_result.detection_fields`
`EndpointIdentityGroup`	`principal.group.group_display_name`
`EndpointIPAddress`	`principal.asset.ip`
`EndPointMACAddress`	`principal.mac` `principal.asset.mac`
`EndPointMatchedProfile`	`security_result.about.labels` `additional.fields`
`EndpointNADAddress`	`sec_result.detection_fields`
`EndpointOUI`	`sec_result.detection_fields`
`EndpointPolicy`	`principal.asset.platform_software.platform_version` `security_result.detection_fields`
`EndPointPolicyID`	`security_result.detection_fields`
`EndPointProfilerServer`	`target.hostname`
`EndpointProperty`	`sec_result.detection_fields`
`EndPointSource`	`target.resource.attribute.labels`
`EndpointSourceEvent`	`sec_result.detection_fields`
`EndpointUserAgent`	`network.http.user_agent`
`EndPointVersion`	`security_result.detection_fields`
`epid`	`security_result.detection_fields`
`Error Message`	`additional.fields`
`event`	`additional.fields`
`extended_key_usage_oid`	`additional.fields`
`external_groups`	`additional.fields`
`FailureFlag`	`security_result.detection_fields`
`FailureReason`	`sec_result.detection_fields` `additional.fields`
`FeedService`	`security_result.detection_fields`
`FirstCollection`	`event.idm.read_only_udm.principal.asset.first_discover_time`
`foreign_ip`	`intermediary.ip`
`FQSubjectName`	`security_result.detection_fields`
`Framed-MTU`	`additional.fields`
`Framed-Protocol`	`sec_result.detection_fields`
`FramedIPAddress`	`security_result.detection_fields`
`group_name`	`principal.group.group_display_name`
`Header-Flags`	`security_result.detection_fields`
`HostIdentityGroup`	`additional.fields`
`IdentityAccessRestricted`	`security_result.detection_fields`
`IdentityGroup`	`principal.group.group_display_name`
`IdentityGroupID`	`principal.group.product_object_id`
`IdentityPolicyMatchedRule`	`sec_result.about.labels` `additional.fields`
`IdentitySelectionMatchedRule`	`sec_result.detection_fields`
`Idle-Timeout`	`security_result.detection_fields`
`idletime`	`security_result.detection_fields`
`IMEI`	`target.asset.product_object_id`
`inacl_rule`	`security_result.detection_fields`
`intermediary_hostname`	`intermediary.hostname`
`ionTimeStamp`	`security_result.detection_fields`
`ios-version`	`principal.asset.software.version`
`ip_inacl_rule`	`security_result.detection_fields`
`ip_source_ip`	`principal.ip` `principal.asset.ip`
`IpAddress`	`principal.ip` `principal.asset.ip`
`IPSEC`	`additional.fields`
`ise_port`	`principal.port` `intermediary.port`
`ISELocalAddress`	`intermediary.ip` `principal.ip`
`ISEModuleName`	`sec_result.detection_fields`
`ISEPolicySetName`	`target.resource.name`
`ISEServiceName`	`sec_result.detection_fields`
`IsMachineAuthentication`	`security_result.detection_fields`
`IsMachineIdentity`	`security_result.detection_fields`
`IsRegistered`	`security_result.detection_fields`
`Issuer`	`about.labels`
`IsThirdPartyDeviceFlow`	`sec_result.detection_fields` `additional.fields`
`key_usage`	`additional.fields`
`LastActivity`	`event.idm.read_only_udm.principal.asset.last_discover_time`
`LastNmapScanTime`	`sec_result.detection_fields`
`LicenseType`	`additional.fields`
`lldpManAddress`	`security_result.detection_fields`
`lldpPortDescription`	`security_result.detection_fields`
`lldpPortId`	`security_result.detection_fields`
`lldpSystemCapabilitiesMap`	`security_result.detection_fields`
`lldpSystemDescription`	`security_result.detection_fields`
`lldpTimeToLive`	`security_result.detection_fields`
`lldpUndefined127`	`security_result.detection_fields`
`localport`	`principal.port`
`Location`	`principal.location.country_or_region` `target.location.country_or_region` `security_result.detection_fields`
`log-id`	`metadata.product_log_id`
`logstash.ingest.host`	`intermediary.hostname`
`logstash.ingest.timestamp`	`metadata.ingested_timestamp`
`logstash.irm_environment`	`additional.fields`
`logstash.irm_region`	`additional.fields`
`logstash.irm_site`	`additional.fields`
`logstash.process.host`	`intermediary.hostname`
`logstash.process.timestamp`	`metadata.collected_timestamp`
`MAC`	`principal.mac`
`mac_UserName`	`principal.mac`
`MacAddress`	`principal.mac`
`MajorVersion`	`security_result.detection_fields`
`Manufacturer`	`target.asset.hardware.manufacturer`
`MatchedPolicy`	`security_result.detection_fields`
`MatchedPolicyID`	`security_result.rule_id`
`MDMFailureReason`	`sec_result.detection_fields`
`MDMServerName`	`metadata.product_name`
`mDNS`	`security_result.detection_fields`
`MESSAGE`	`security_result.description`
`MFCInfoEndpointType`	`principal.asset.asset_type` `principal.asset.attribute.labels`
`MinorVersion`	`security_result.detection_fields`
`MisconfiguredClientFixReason`	`security_result.detection_fields`
`Model`	`target.asset.hardware.model`
`Model_Name`	`principal.asset.attribute.labels`
`msg_class`	`metadata.description`
`msg_sev`	`security_result.severity` `sec_result.severity_details`
`msg_text`	`metadata.description` `security_result.severity` `sec_result.severity_details,security_result.action`
`msg_text`	`security_result.action`
`NAD Address`	`principal.ip`
`NADAddress`	`intermediary.ip`
`Name`	`principal.group.group_identifiers`
`nas_ip_address`	`principal.nat_ip`
`NAS-Identifier`	`principal.labels`
`NAS-IP-Address`	`principal.nat_ip` `principal.ip`
`NAS-Port`	`principal.port` `principal.labels`
`nas-update`	`security_result.detection_fields`
`NASIdentifier`	`security_result.detection_fields` `principal.labels`
`NASPort`	`principal.nat_port if valid else to security_result.detection_fields` `principal.labels`
`NASPortId`	`security_result.detection_fields` `principal.labels`
`NASPortType`	`security_result.detection_fields` `principal.labels`
`Network Device Name`	`target.hostname` `target.asset.hostname`
`network_adapter`	`target.resource.name`
`network_application_protocol_result`	`network.application_protocol`
`NetworkDeviceGroups`	`sec_result.detection_fields`
`NetworkDeviceGroups_IPSEC`	`additional.fields`
`NetworkDeviceProfileId`	`principal.asset.asset_id`
`NetworkDeviceProfileName`	`principal.asset.attribute.labels`
`NmapScanCount`	`security_result.detection_fields`
`ntp_server_1`	`target.ip` `target.asset.ip`
`ntp_server_2`	`target.ip` `target.asset.ip`
`ntp_server_3`	`target.ip` `target.asset.ip`
`ObjectInternalID`	`security_result.detection_fields`
`ObjectName`	`security_result.about.labels`
`ObjectType`	`security_result.labout.abels` `additional.fields`
`operating-system-result`	`target.asset.platform_software.platform_version`	`target.platform` = `WINDOWS`
`OperatingSystem`	`target.asset.platform_software.platform_version`
`OperationMessageText`	`sec_result.detection_fields`
`OperationMessageText`	`about.labels`
`OUI`	`security_result.detection_fields`
`pad`	`security_result.detection_fields`
`PeerAddress`	`target.mac` `target.asset.mac`
`PeerName`	`target.hostname` `target.asset.hostname`
`PhoneNumber`	`principal.user.phone_numbers`
`platform-version`	`principal.platform_version`
`PolicyVersion`	`security_result.detection_fields`
`Port`	`principal.port` `target.port`
`Portal_Name`	`additional.fields`
`PortalName`	`target.url`
`PortalUser`	`principal.user.userid`
`PortalUser_GuestSponsor`	`principal.user.attribute.labels`
`PortalUser_GuestType`	`principal.user.attribute.labels`
`PostureApplicable`	`security_result.detection_fields`
`PostureAssessmentStatus`	`sec_result.detection_fields` `additional.fields`
`PostureExpiry`	`sec_result.detection_fields`
`PostureStatus`	`sec_result.detection_fields`
`principal_hostname`	`principal.hostname`
`principal_ip`	`principal.ip` `principal.asset.ip`
`profile-name`	`security_result.detection_fields`
`ProfilerServer`	`sec_result.detection_fields`
`Protocol`	`security_result.detection_fields`
`r_ip_or_host`	`observer.ip` `observer.hostname` `intermediary.hostname` `intermediary.ip`
`r_seg_num`	`metadata.product_log_id`
`RadiusFlowType`	`security_result.about.labels` `additional.fields`
`RadiusPacketType`	`security_result.detection_fields`
`received_b`	`network.received_bytes`
`RegisterStatus`	`security_result.rule_name`
`RegistrationTimeStamp`	`sec_result.detection_fields`
`RemoteAddress`	`principal.ip` `principal.asset.ip`
`RequestLatency`	`sec_result.detection_fields` `additional.fields`
`RequestResponseTypes`	`security_result.detection_fields`
`ResponseTime`	`sec_result.detection_fields`
`SelectedAccessService`	`sec_result.detection_fields` `additional.fields`
`SelectedAuthenticationIdentityStores`	`security_result.detection_fields`
`SelectedAuthorizationProfiles`	`sec_result.detection_fields` `additional.fields`
`SelectedShellProfile`	`additional.fields`
`sent_b`	`network.sent_bytes`
`sequence_num`	`metadata.product_log_id`
`Sequence-Number`	`security_result.detection_fields`
`serial_number`	`about.labels` `network.tls.server.certificate.serial`
`server_label`	`principal.asset.attribute.labels`
`Service-Type`	`sec_result.detection_fields` `additional.fields`
`session-id`	`network.session_id`
`Session-Timeout`	`network.session_duration`
`shell_role`	`principal.user.attribute.roles.name`
`ShutdownReason`	`security_result.detection_fields`
`SkipProfiling`	`security_result.detection_fields`
`software_version`	`principal.asset.platform_software.platform_version`
`Source`	`principal.ip` `principal.hostname`
`source_ip`	`src.ip`
`source_port`	`src.port`
`SSID`	`additional.fields`
`start_time`	`security_result.first_discovered_time`
`StaticAssignment`	`security_result.detection_fields`
`StaticGroupAssignment`	`sec_result.detection_fields`
`Step`	`additional.fields`
`StepData`	`about.hostname` `additional.fields`
`StepLatency`	`additional.fields`
`stop_time`	`security_result.last_discovered_time`
`Subject`	`about.labels`
`subject_alt_name`	`about.labels`
`subscriber_command`	`security_result.detection_fields`
`syslog_host`	`principal.ip` `principal.asset.ip`
`SysStatsCpuCount`	`target.asset.hardware.cpu_number_cores`
`SysStatsProcessMemoryMB`	`target.asset.hardware.ram`
`SysStatsUtilizationDiskIO`	`target.asset.attribute.labels`
`SysStatsUtilizationDiskSpace`	`target.asset.attribute.labels`
`SysStatsUtilizationLoadAvg`	`target.asset.attribute.labels`
`SystemDomain`	`principal.asset.network_domain`
`SystemName`	`principal.hostname` `principal.hostname`
`SystemUser`	`principal.user.userid`
`SystemUserDomain`	`principal.administrative_domain`
`target_email`	`target.user.email_addresses`
`target_group_identifiers`	`target.user.group_identifiers`
`target_hostname`	`target.hostname`
`target_ip`	`target.ip` `target.asset.ip`
`target_port`	`target.port`
`target_user`	`target.user.userid`
`target.resource.resource_type`		DISPOSITIVO
`task_id`	`additional.fields`
`TaskId`	`security_result.detection_fields`
`Template_Name`	`additional.fields`
`Termination-Action`	`security_result.detection_fields`
`threshold_value`	`additional.fields`
`TimeToProfile`	`sec_result.detection_fields`
`TLSCipher`	`network.tls.cipher`
`TLSVersion`	`network.tls.version`
`total_certainty_factor`	`sec_result.detection_fields`
`TotalAuthenLatency`	`security_result.detection_fields` `additional.fields`
`TotalFailedTime`	`sec_result.detection_fields`
`Tunnel-Client-Endpoint`	`sec_result.detection_fields`
`Type`	`additional.fields`
`undefined-151`	`additional.fields`
`UniqueConnectionIdentifier`	`sec_result.detection_fields`
`UpdateTime`	`sec_result.detection_fields`
`url-redirect`	`target.url`
`url-redirect-acl`	`security_result.detection_fields`
`UseCase`	`sec_result.detection_fields`
`used_space_value`	`additional.fields`
`User`	`principal.user.userid`
`user`	`principal.user.userid`
`user_display_name`	`principal.user.user_display_name`
`User-AD-Last-Fetch-Time`	`principal.user.attribute.labels`
`User-Agent`	`network.http.user_agent` `network.http.parsed_user_agent`
`User-Fetch-Email`	`sec_result.detection_fields`
`User-Fetch-Last-Name`	`principal.user.last_name`
`User-Fetch-LocalityName`	`sec_result.detection_fields`
`User-Fetch-StateOrProvinceName`	`sec_result.detection_fields`
`User-Name`	`target.user.userid`
`UserAccountControl`	`principal.user.attribute.labels`
`UserAgreementStatus`	`security_result.detection_fields`
`UserName`	`target.user.userid`
`UserType`	`principal.user.attribute.labels`
`UseSingleConnect`	`security_result.detection_fields`
`vlan-id`	`security_result.detection_fields`
	`principal.resource.resource_type`	Mapeado estaticamente para `DEVICE`.

Referência delta do mapeamento da UDM

Em 1º de dezembro de 2025, o Google SecOps lançou uma nova versão do analisador do Cisco ISE, que inclui mudanças significativas no mapeamento dos campos de registro do Cisco ISE para os campos do UDM e no mapeamento dos tipos de eventos.

Delta de mapeamento de campo de registro

Globalmente, o carimbo de data/hora que o analisador do Cisco ISE mostra agora é o campo de registro bruto Event-Timestamp. Antes, o carimbo de data/hora mostrado pelo analisador do Cisco ISE era do cabeçalho.

A tabela a seguir lista o delta de mapeamento para campos de registro do Cisco ISE para UDM expostos antes de 1º de dezembro de 2025 e posteriormente (listados nas colunas Mapeamento antigo e Mapeamento atual, respectivamente):

Campo de registro	Mapeamento antigo	Mapeamento atual
`Acct-Input-Gigawords`	`additional.fields`	`network.received_bytes`
`Acct-Input-Packets`	`security_result.detection_fields`	`network.received_packets`
`Acct-Output-Gigawords`	`additional.fields`	`network.sent_bytes`
`Acct-Output-Packets`	`security_result.detection_fields`	`network.sent_packets`
`Acct-Session-Id`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`AcsSessionID`	`security_result.detection_fields` `additional.fields`	`network.session_id` `security_result.detection_fields`
`AD-Log-Id`	`security_result.detection_fields`	`metadata.product_log_id`
`AD-User-SamAccount-Name`	`principal.user.attribute.labels`	`principal.user.user_display_name`
`allowEasyWiredSession`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`AuthenticationIdentityStore`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Calling-Station-ID`	`security_result.detection_fields` `additional.fields` `principal.ip`	`security_result.detection_fields`
`ClientLatency`	`security_result.detection_fields` `additional.fields`	``security_result.detection_fields`
`ConfigVersionId`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`CPMSessionID`	`security_result.detection_fields` `additional.fields` `network.sesson_id`	`network.sesson_id`
`DeviceIPAdresstarget.ip`	`target.ip`	`principal.ip`
`EndPointMatchedProfile`	`security_result.about.labels` `additional.fields`	`security_result.about.resource.attribute.labels`
`HostIdentityGroup`	`additional.fields`	`principal.group.group_display_name`
`IdentityGroup`	`principal.group.group_display_name`	`principal.user.group_identifiers`
`IdentityPolicyMatchedRule`	`security_result.about.labels` `additional.fields`	`security_result.rule_labels`
`IsThirdPartyDeviceFlow`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Issuer`	`about.labels`	`network.tls.server.certificate.issuer`
`Location`	`principal.location.country_or_region` `target.location.country_or_region,security_result.detection_fields`	`principal.location.country_or_region,`
`NAS Identifier`	`principal.labels`	`principal.asset.attribute.labels`
`NAS-IP-Address`	`principal.nat_ip,principal.ip` `intermediary.ip`	`principal.nat_ip,principal.ip,`
`NAS-Port`	`principal.labels`	`principal.resource.attribute.labels`
`NAS-Port-Id`	`security_result.detection_fields` `principal.labels`	`security_result.detection_fields`
`NAS-Port-Type`	`security_result.detection_fields` `principal.labels`	``security_result.detection_fields`
`NASIdentifier`	`principal.resource.attribute.labels,security_result.detection_fields`	`principal.resource.attribute.labels`
`NASIdentifier`	`security_result.detection_fields` `principal.labels`	`security_result.detection_fields`
`NetworkDeviceGroups_Location`	`intermediary.location.country_or_region`	`principal.location.country_or_region,`
`Object Name`	`security_result.about.labels`	`security_result.about.resource.attribute.labels` `principal.mac` se for um MAC
`Object Type`	`security_result.about.labels` `additional.fields`	`security_result.about.resource.attribute.labels`
`PostureAssessmentStatus`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Privilege-Level`	`additional.fields`	`target.user.attribute.permissions.description`
`ProfilerServer`	`principal.hostname` `security_result.detection_fields`	`principal.hostname`
`RadiusFlowType`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`RequestLatency`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`r_msg_id`	`security_result.detection_fields`	`metadata.product_log_id`
`r_seg_num`	`security_result.detection_fields` `additional.fields`	`additional.fields`
`r_total_seg`	`security_result.detection_fields` `additional.fields`	`additional.fields`
`SelectedAccessService`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`SelectedAuthorizationProfiles`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`Sequence-Number`	`metadata.product_log_id`	`security_result.detection_fields` se `AD-Log-Id` não for nulo
`Server`	`principal.asset.attribute.labels`	`principal.hostname` `principal.asset.hostname`
`Service-Type`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`serial_number`	`about.labels`	`about.resource.attribute.labels`
`ShutdownReason`	`security_result.detection_fields`	`security_result.description`
`Subject`	`about.labels`	`about.resource.attribute.labels`
`subject_alt_name`	`about.labels`	`about.resource.attribute.labels`
`subject_alt_name`	`about.labels`	`about.resource.attribute.labels`
`TotalAuthenLatency`	`security_result.detection_fields` `additional.fields`	`security_result.detection_fields`
`total_certainty_factor`	`security_result.detection_fields`	`security_result.confidence_score`
`UniqueSubjectID`	`additional.fields`	`principal.user.userid.product_object_id`
`Update Time`	`security_result.detection_fields`	`principal.asset.attribute.last_update_time`
`User-Fetch-Email`	`security_result.detection_fields`	`principal.user.email_addresses`
`User-Fetch-LocalityName`	`security_result.detection_fields`	`principal.location.name`
`User-Fetch-StateOrProvinceName`	`security_result.detection_fields`	`principal.location.state`
`User Name when [r_cat_name] =~ "CISE_Passed_Authentications"`	`principal.user.userid` `target.user.userid`	`principal.user.userid`
`wlan-profile-name`	`security_result.detection_fields`	`principal.user.userid`

Delta de mapeamento de tipo de evento

Vários eventos que foram classificados de forma genérica agora são classificados corretamente com tipos de eventos significativos.

A tabela a seguir lista o delta para o processamento de tipos de eventos do Cisco ISE antes e depois de 1º de dezembro de 2025 (listados nas colunas Old event_type e Current event-type, respectivamente):

ID do evento do registro e da lógica	Old event_type	event_type atual
(Com base no evento) `[has_resource] == "true"`	`GENERIC_EVENT`	`USER_RESOURCE_ACCESS`
`[Action] == "Login"`	`NETWORK_CONNECTION`	`USER_LOGIN`
`[PRAAction] =~ "logoff"`	`NETWORK_CONNECTION`	`USER_LOGOUT`
`[message] =~ "Administrator-Login"`	`USER_UNCATEGORIZED`	`USER_LOGIN`
`[message] =~ "Change password failed"`	`USER_LOGIN`	`USER_CHANGE_PASSWORD`
`[msg_text] =~ "Login Success"`	`USER_UNCATEGORIZED`	`USER_LOGIN`

Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais do Google SecOps.