Collect Cisco ISE logs
This document describes how to collect Cisco Identity Services Engine (ISE) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CISCO_ISE ingestion label.
Configure Cisco ISE
- Sign in to the Cisco ISE console using administrator credentials.
- In the Cisco ISE console, select Administration > System > Logging > Remote logging targets.
- In the Remote logging targets window, click Add. The New logging target window appears.
In the Logging target section, specify values for the following fields:
| Field | Description |
|---|---|
| Name | Name of the Google Security Operations forwarder. |
| Description | Description of the Google Security Operations forwarder. |
| Type | Type of the remote logging target, for example Syslog. |
| IP address | IP address of the Google Security Operations forwarder. |
| Target type | Select TCP syslog or UDP syslog. |
| Port | Use a high port, for example 10514. |
| Facility code | Specify one of the following values: LOCAL0 (code = 16), LOCAL1 (code = 17), LOCAL2 (code = 18), LOCAL3 (code = 19), LOCAL4 (code = 20), LOCAL5 (code = 21), LOCAL6 (code = 22; default), LOCAL7 (code = 23). |
| Maximum length | The recommended value is 1024. |
- Click Submit. The Remote logging targets window appears with the new Google Security Operations forwarder configuration.
- In the Cisco ISE console, select Administration > System > Logging > Logging categories.
- In the Logging categories window, select the category for which you want to set the remote syslog target, and then add the remote syslog target.
Example categories include: AAA audit, AAA diagnostics, Accounting, Administrative and operational audit, Posture and client provisioning audit, Posture and client provisioning diagnostics, Profiler, System diagnostics, and System statistics.
Configure the Google Security Operations forwarder and syslog to ingest Cisco Secure ACS logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, enter a name.
- Select Cisco ISE as the Log type.
- Select Syslog as the Collector type.
- Configure the following required input parameters:
  - Protocol: specify the connection protocol.
  - Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
  - Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see the Google Security Operations forwarder documentation. For information about the requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser extracts Cisco ISE logs from syslog messages, normalizes the data into UDM format, and enriches events with context. It handles various ISE log categories, including authentication successes and failures, administrative audits, and system statistics, mapping the relevant fields to the UDM schema and adding specific labels for detailed analysis.
UDM mapping table
| Log field | UDM mapping | Notes |
|---|---|---|
| AAA_Event | security_result.detection_fields | |
| aaa_service | security_result.detection_fields | |
| ac-user-agent | network.http.user_agent | |
| Acct-Authentic | security_result.detection_fields | |
| Acct-Delay-Time | security_result.detection_fields | |
| Acct-Input-Octets | security_result.detection_fields | |
| Acct-Input-Packets | security_result.detection_fields | |
| Acct-Output-Octets | security_result.detection_fields | |
| Acct-Output-Packets | security_result.detection_fields | |
| Acct-Session-Id | sec_result.detection_fields, additional.fields | |
| Acct-Session-Time | security_result.detection_fields | |
| Acct-Status-Type | security_result.detection_fields | |
| Acct-Terminate-Cause | security_result.detection_fields | |
| AcctReply-Status | security_result.detection_fields | |
| AcctRequest-Flags | security_result.detection_fields | |
| ACS_CiscoSecure_Defined_ACL | security_result.detection_fields | |
| AcsSessionID | sec_result.detection_fields, additional.fields | |
| Action | security_result.action_details | |
| action_details | security_result.action_details | |
| ActiveSessionCount | security_result.detection_fields | |
| ad_identifier | about.hostname | |
| ad_join_point | principal.administrative_domain | |
| ad_operating_system | principal.platform | |
| AD-Account-Name | principal.user.userid, target.hostname | |
| AD-Domain | principal.group.group_display_name | |
| AD-Domain-Controller | target.administrative_domain | |
| AD-Error-Details | security_result.description | |
| AD-Forest | target.resource.attribute.labels | |
| AD-Groups-Names | principal.user.group_identifiers | |
| AD-Host-Candidate-Identities | sec_result.detection_fields | |
| AD-IP-Address | target.ip, target.asset.ip | |
| AD-Log-Id | sec_result.detection_fields | |
| AD-Site | target.location.name | |
| AD-Srv-Query | security_result.detection_fields | |
| AD-Srv-Record | security_result.detection_fields | |
| AD-User-Candidate-Identities | principal.user.attribute.labels | |
| AD-User-DNS-Domain | network.dns_domain | |
| AD-User-Join-Point | target.hostname, target.asset.hostname | |
| AD-User-NetBios-Name | principal.user.attribute.labels | |
| AD-User-Qualified-Name | principal.user.email_addresses | |
| AD-User-Resolved-DNs | principal.user.attribute.labels | |
| AD-User-Resolved-Identities | sec_result.detection_fields, principal.user.userid | |
| AD-User-SamAccount-Name | principal.user.attribute.labels | |
| Admin | principal.user.userid | |
| AdminInterface | principal.user.attribute.labels | |
| AdminIPAddress | principal.ip | |
| AdminName | principal.user.userid | |
| affected-dn | target.resource.name, target.resource.attribute.labels, target.resource.resource_type | target.resource.resource_type => "USER" |
| Airespace-Wlan-Id | additional.fields | |
| allowEasyWiredSession | sec_result.detection_fields, additional.fields | |
| AMInstalled | security_result.detection_fields | |
| assetDeviceType | principal.resource.name | |
| assetIncidentScore | security_result.detection_fields | |
| Audit_session_id | sec_result.detection_fields | |
| AuditSessionId | sec_result.detection_fields | |
| Authen-Reply-Status | security_result.detection_fields | |
| AuthenticationIdentityStore | sec_result.detection_fields, additional.fields | |
| AuthenticationMethod | security_result.detection_fields | |
| AuthenticationResult | security_result.action | |
| AuthenticationStatus | security_result.action, security_result.action_details | |
| Author-Reply-Status | additional.fields | |
| AuthorizationFailureReason | security_result.detection_fields | |
| AuthorizationPolicyMatchedRule | security_result.rule_name | |
| av-pair-severity | security_result.detection_fields | |
| BYODRegistration | sec_result.detection_fields | |
| CacheUpdateTime | security_result.detection_fields | |
| Called-Station-ID | security_result.detection_fields, target.ip, target.mac | |
| Calling-Station-ID | security_result.detection_fields, principal.ip, principal.mac | |
| cdpCacheAddressType | security_result.detection_fields | |
| cdpCacheVersion | security_result.detection_fields | |
| cdpUndefined28 | security_result.detection_fields | |
| change-set | additional.fields | |
| Chargeable-User-Identity | principal.user.attribute.labels | |
| cisco-av-pair | additional.fields, security_result.detection_fields | |
| CiscoIOS | security_result.detection_fields | |
| Class | sec_result.detection_fields | |
| client_type | additional.fields | |
| client-iif-id | security_result.detection_fields | |
| ClientLatency | security_result.detection_fields, additional.fields | |
| CmdSet | target.process.command_line | |
| coa-push | security_result.detection_fields | |
| CoAClientInstanceDestinationIPAddress | target.ip, target.asset.ip | |
| coaReason | security_result.detection_fields | |
| coaSourceComponent | security_result.detection_fields | |
| coaType | security_result.detection_fields | |
| Component | security_result.detection_fields | |
| ConfigChangeData | security_result.detection_fields | |
| ConfigVersionId | sec_result.detection_fields, additional.fields | |
| connect-progress | security_result.detection_fields | |
| ConnectionStatus | sec_result.detection_fields | |
| ConnectionStatus=Failed | security_result.action = "BLOCK" | |
| Constructeurs | principal.asset.hardware.manufacturer | |
| counters_kvp | event.idm.read_only_udm.target.asset.attribute.labels | |
| CPMSessionID | security_result.detection_fields, additional.fields, network.session_id | |
| CreateTime | event.idm.read_only_udm.principal.asset.attribute.creation_time | |
| cts_security_group_tag | security_result.detection_fields | |
| cts-pac-opaque | security_result.detection_fields | |
| datetime | metadata.event_timestamp | |
| days_to_expiry | security_result.detection_fields | |
| DeltaRadiusRequestCount | security_result.detection_fields | |
| DeltaTacacsRequestCount | security_result.detection_fields | |
| Description | security_result.detection_fields | |
| DestinationIPAddress | target.ip, target.asset.ip | |
| DestinationPort | target.port | |
| DetailedInfo | sec_result.description | |
| Device_IP_Address | principal.ip, principal.asset.ip | |
| device-mac | principal.mac | |
| device-platform | principal.platform | |
| device-platform-version | principal.platform_version | |
| device-public-mac | principal.mac | |
| device-type | principal.asset.hardware.model | |
| device-uid | principal.resource.product_object_id | |
| device-uid-global | principal.asset.product_object_id | |
| DeviceIPAddress | principal.ip, target.ip, intermediary.ip | |
| DevicePort | principal.port, target.port, intermediary.port | |
| DeviceRegistrationStatus | sec_result.detection_fields | |
| dhcp-class-identifier | security_result.detection_fields | |
| dhcp-parameter-request-list | additional.fields | |
| Domaines | additional.fields | |
| DoReplicate | security_result.detection_fields | |
| DTLSSupport | security_result.detection_fields | |
| EAP-Key-Name | additional.fields | |
| EapTunnel | additional.fields | |
| EmailAddress | principal.user.email_addresses | |
| EnableFlag | additional.fields | |
| EnableSingleConnect | security_result.detection_fields | |
| End-of-LLDPDU | security_result.detection_fields | |
| endpoint_id | principal.mac, principal.asset.mac | |
| EndpointCertainityMetric | sec_result.detection_fields | |
| EndpointIdentityGroup | principal.group.group_display_name | |
| EndpointIPAddress | principal.asset.ip | |
| EndPointMACAddress | principal.mac, principal.asset.mac | |
| EndPointMatchedProfile | security_result.about.labels, additional.fields | |
| EndpointNADAddress | sec_result.detection_fields | |
| EndpointOUI | sec_result.detection_fields | |
| EndpointPolicy | principal.asset.platform_software.platform_version, security_result.detection_fields | |
| EndPointPolicyID | security_result.detection_fields | |
| EndPointProfilerServer | target.hostname | |
| EndpointProperty | sec_result.detection_fields | |
| EndPointSource | target.resource.attribute.labels | |
| EndpointSourceEvent | sec_result.detection_fields | |
| EndpointUserAgent | network.http.user_agent | |
| EndPointVersion | security_result.detection_fields | |
| epid | security_result.detection_fields | |
| Error Message | additional.fields | |
| event | additional.fields | |
| extended_key_usage_oid | additional.fields | |
| external_groups | additional.fields | |
| FailureFlag | security_result.detection_fields | |
| FailureReason | sec_result.detection_fields, additional.fields | |
| FeedService | security_result.detection_fields | |
| FirstCollection | event.idm.read_only_udm.principal.asset.first_discover_time | |
| foreign_ip | intermediary.ip | |
| FQSubjectName | security_result.detection_fields | |
| Framed-MTU | additional.fields | |
| Framed-Protocol | sec_result.detection_fields | |
| FramedIPAddress | security_result.detection_fields | |
| group_name | principal.group.group_display_name | |
| Header-Flags | security_result.detection_fields | |
| HostIdentityGroup | additional.fields | |
| IdentityAccessRestricted | security_result.detection_fields | |
| IdentityGroup | principal.group.group_display_name | |
| IdentityGroupID | principal.group.product_object_id | |
| IdentityPolicyMatchedRule | sec_result.about.labels, additional.fields | |
| IdentitySelectionMatchedRule | sec_result.detection_fields | |
| Idle-Timeout | security_result.detection_fields | |
| idletime | security_result.detection_fields | |
| IMEI | target.asset.product_object_id | |
| inacl_rule | security_result.detection_fields | |
| intermediary_hostname | intermediary.hostname | |
| ionTimeStamp | security_result.detection_fields | |
| ios-version | principal.asset.software.version | |
| ip_inacl_rule | security_result.detection_fields | |
| ip_source_ip | principal.ip, principal.asset.ip | |
| IpAddress | principal.ip, principal.asset.ip | |
| IPSEC | additional.fields | |
| ise_port | principal.port, intermediary.port | |
| ISELocalAddress | intermediary.ip, principal.ip | |
| ISEModuleName | sec_result.detection_fields | |
| ISEPolicySetName | target.resource.name | |
| ISEServiceName | sec_result.detection_fields | |
| IsMachineAuthentication | security_result.detection_fields | |
| IsMachineIdentity | security_result.detection_fields | |
| IsRegistered | security_result.detection_fields | |
| Issuer | about.labels | |
| IsThirdPartyDeviceFlow | sec_result.detection_fields, additional.fields | |
| key_usage | additional.fields | |
| LastActivity | event.idm.read_only_udm.principal.asset.last_discover_time | |
| LastNmapScanTime | sec_result.detection_fields | |
| LicenseType | additional.fields | |
| lldpManAddress | security_result.detection_fields | |
| lldpPortDescription | security_result.detection_fields | |
| lldpPortId | security_result.detection_fields | |
| lldpSystemCapabilitiesMap | security_result.detection_fields | |
| lldpSystemDescription | security_result.detection_fields | |
| lldpTimeToLive | security_result.detection_fields | |
| lldpUndefined127 | security_result.detection_fields | |
| localport | principal.port | |
| Location | principal.location.country_or_region, target.location.country_or_region, security_result.detection_fields | |
| log-id | metadata.product_log_id | |
| logstash.ingest.host | intermediary.hostname | |
| logstash.ingest.timestamp | metadata.ingested_timestamp | |
| logstash.irm_environment | additional.fields | |
| logstash.irm_region | additional.fields | |
| logstash.irm_site | additional.fields | |
| logstash.process.host | intermediary.hostname | |
| logstash.process.timestamp | metadata.collected_timestamp | |
| MAC | principal.mac | |
| mac_UserName | principal.mac | |
| MacAddress | principal.mac | |
| MajorVersion | security_result.detection_fields | |
| Manufacturer | target.asset.hardware.manufacturer | |
| MatchedPolicy | security_result.detection_fields | |
| MatchedPolicyID | security_result.rule_id | |
| MDMFailureReason | sec_result.detection_fields | |
| MDMServerName | metadata.product_name | |
| mDNS | security_result.detection_fields | |
| MESSAGE | security_result.description | |
| MFCInfoEndpointType | principal.asset.asset_type, principal.asset.attribute.labels | |
| MinorVersion | security_result.detection_fields | |
| MisconfiguredClientFixReason | security_result.detection_fields | |
| Model | target.asset.hardware.model | |
| Model_Name | principal.asset.attribute.labels | |
| msg_class | metadata.description | |
| msg_sev | security_result.severity, sec_result.severity_details | |
| msg_text | metadata.description, security_result.severity, sec_result.severity_details, security_result.action | |
| msg_text | security_result.action | |
| NAD Address | principal.ip | |
| NADAddress | intermediary.ip | |
| Name | principal.group.group_identifiers | |
| nas_ip_address | principal.nat_ip | |
| NAS-Identifier | principal.labels | |
| NAS-IP-Address | principal.nat_ip, principal.ip | |
| NAS-Port | principal.port, principal.labels | |
| nas-update | security_result.detection_fields | |
| NASIdentifier | security_result.detection_fields, principal.labels | |
| NASPort | principal.nat_port, security_result.detection_fields, principal.labels | principal.nat_port if the value is a valid port, otherwise security_result.detection_fields |
| NASPortId | security_result.detection_fields, principal.labels | |
| NASPortType | security_result.detection_fields, principal.labels | |
| Network Device Name | target.hostname, target.asset.hostname | |
| network_adapter | target.resource.name | |
| network_application_protocol_result | network.application_protocol | |
| NetworkDeviceGroups | sec_result.detection_fields | |
| NetworkDeviceGroups_IPSEC | additional.fields | |
| NetworkDeviceProfileId | principal.asset.asset_id | |
| NetworkDeviceProfileName | principal.asset.attribute.labels | |
| NmapScanCount | security_result.detection_fields | |
| ntp_server_1 | target.ip, target.asset.ip | |
| ntp_server_2 | target.ip, target.asset.ip | |
| ntp_server_3 | target.ip, target.asset.ip | |
| ObjectInternalID | security_result.detection_fields | |
| ObjectName | security_result.about.labels | |
| ObjectType | security_result.about.labels, additional.fields | |
| operating-system-result | target.asset.platform_software.platform_version | target.platform = WINDOWS |
| OperatingSystem | target.asset.platform_software.platform_version | |
| OperationMessageText | sec_result.detection_fields | |
| OperationMessageText | about.labels | |
| OUI | security_result.detection_fields | |
| pad | security_result.detection_fields | |
| PeerAddress | target.mac, target.asset.mac | |
| PeerName | target.hostname, target.asset.hostname | |
| PhoneNumber | principal.user.phone_numbers | |
| platform-version | principal.platform_version | |
| PolicyVersion | security_result.detection_fields | |
| Port | principal.port, target.port | |
| Portal_Name | additional.fields | |
| PortalName | target.url | |
| PortalUser | principal.user.userid | |
| PortalUser_GuestSponsor | principal.user.attribute.labels | |
| PortalUser_GuestType | principal.user.attribute.labels | |
| PostureApplicable | security_result.detection_fields | |
| PostureAssessmentStatus | sec_result.detection_fields, additional.fields | |
| PostureExpiry | sec_result.detection_fields | |
| PostureStatus | sec_result.detection_fields | |
| principal_hostname | principal.hostname | |
| principal_ip | principal.ip, principal.asset.ip | |
| profile-name | security_result.detection_fields | |
| ProfilerServer | sec_result.detection_fields | |
| Protocol | security_result.detection_fields | |
| r_ip_or_host | observer.ip, observer.hostname, intermediary.hostname, intermediary.ip | |
| r_seg_num | metadata.product_log_id | |
| RadiusFlowType | security_result.about.labels, additional.fields | |
| RadiusPacketType | security_result.detection_fields | |
| received_b | network.received_bytes | |
| RegisterStatus | security_result.rule_name | |
| RegistrationTimeStamp | sec_result.detection_fields | |
| RemoteAddress | principal.ip, principal.asset.ip | |
| RequestLatency | sec_result.detection_fields, additional.fields | |
| RequestResponseTypes | security_result.detection_fields | |
| ResponseTime | sec_result.detection_fields | |
| SelectedAccessService | sec_result.detection_fields, additional.fields | |
| SelectedAuthenticationIdentityStores | security_result.detection_fields | |
| SelectedAuthorizationProfiles | sec_result.detection_fields, additional.fields | |
| SelectedShellProfile | additional.fields | |
| sent_b | network.sent_bytes | |
| sequence_num | metadata.product_log_id | |
| Sequence-Number | security_result.detection_fields | |
| serial_number | about.labels, network.tls.server.certificate.serial | |
| server_label | principal.asset.attribute.labels | |
| Service-Type | sec_result.detection_fields, additional.fields | |
| session-id | network.session_id | |
| Session-Timeout | network.session_duration | |
| shell_role | principal.user.attribute.roles.name | |
| ShutdownReason | security_result.detection_fields | |
| SkipProfiling | security_result.detection_fields | |
| software_version | principal.asset.platform_software.platform_version | |
| Source | principal.ip, principal.hostname | |
| source_ip | src.ip | |
| source_port | src.port | |
| SSID | additional.fields | |
| start_time | security_result.first_discovered_time | |
| StaticAssignment | security_result.detection_fields | |
| StaticGroupAssignment | sec_result.detection_fields | |
| Step | additional.fields | |
| StepData | about.hostname, additional.fields | |
| StepLatency | additional.fields | |
| stop_time | security_result.last_discovered_time | |
| Subject | about.labels | |
| subject_alt_name | about.labels | |
| subscriber_command | security_result.detection_fields | |
| syslog_host | principal.ip, principal.asset.ip | |
| SysStatsCpuCount | target.asset.hardware.cpu_number_cores | |
| SysStatsProcessMemoryMB | target.asset.hardware.ram | |
| SysStatsUtilizationDiskIO | target.asset.attribute.labels | |
| SysStatsUtilizationDiskSpace | target.asset.attribute.labels | |
| SysStatsUtilizationLoadAvg | target.asset.attribute.labels | |
| SystemDomain | principal.asset.network_domain | |
| SystemName | principal.hostname | |
| SystemUser | principal.user.userid | |
| SystemUserDomain | principal.administrative_domain | |
| target_email | target.user.email_addresses | |
| target_group_identifiers | target.user.group_identifiers | |
| target_hostname | target.hostname | |
| target_ip | target.ip, target.asset.ip | |
| target_port | target.port | |
| target_user | target.user.userid | |
| target.resource.resource_type | DEVICE | |
| task_id | additional.fields | |
| TaskId | security_result.detection_fields | |
| Template_Name | additional.fields | |
| Termination-Action | security_result.detection_fields | |
| threshold_value | additional.fields | |
| TimeToProfile | sec_result.detection_fields | |
| TLSCipher | network.tls.cipher | |
| TLSVersion | network.tls.version | |
| total_certainty_factor | sec_result.detection_fields | |
| TotalAuthenLatency | security_result.detection_fields, additional.fields | |
| TotalFailedTime | sec_result.detection_fields | |
| Tunnel-Client-Endpoint | sec_result.detection_fields | |
| Type | additional.fields | |
| undefined-151 | additional.fields | |
| UniqueConnectionIdentifier | sec_result.detection_fields | |
| UpdateTime | sec_result.detection_fields | |
| url-redirect | target.url | |
| url-redirect-acl | security_result.detection_fields | |
| UseCase | sec_result.detection_fields | |
| used_space_value | additional.fields | |
| User | principal.user.userid | |
| user | principal.user.userid | |
| user_display_name | principal.user.user_display_name | |
| User-AD-Last-Fetch-Time | principal.user.attribute.labels | |
| User-Agent | network.http.user_agent, network.http.parsed_user_agent | |
| User-Fetch-Email | sec_result.detection_fields | |
| User-Fetch-Last-Name | principal.user.last_name | |
| User-Fetch-LocalityName | sec_result.detection_fields | |
| User-Fetch-StateOrProvinceName | sec_result.detection_fields | |
| User-Name | target.user.userid | |
| UserAccountControl | principal.user.attribute.labels | |
| UserAgreementStatus | security_result.detection_fields | |
| UserName | target.user.userid | |
| UserType | principal.user.attribute.labels | |
| UseSingleConnect | security_result.detection_fields | |
| vlan-id | security_result.detection_fields | |
| principal.resource.resource_type | Statically mapped to DEVICE. | |
UDM mapping differences reference
Google SecOps released a new version of the Cisco ISE parser on December 1, 2025. It includes important changes to how Cisco ISE log fields are mapped to UDM fields, as well as changes to event type mapping.
Log field mapping differences
Globally, the Cisco ISE parser now shows the timestamp taken from the original log field Event-Timestamp. Previously, the Cisco ISE parser showed the timestamp taken from the header.
The following table lists the differences in Cisco ISE log to UDM field mapping before and after December 1, 2025 (in the Old mapping and Current mapping columns, respectively):
| Log field | Old mapping | Current mapping |
|---|---|---|
| Acct-Input-Gigawords | additional.fields | network.received_bytes |
| Acct-Input-Packets | security_result.detection_fields | network.received_packets |
| Acct-Output-Gigawords | additional.fields | network.sent_bytes |
| Acct-Output-Packets | security_result.detection_fields | network.sent_packets |
| Acct-Session-Id | security_result.detection_fields, additional.fields | security_result.detection_fields |
| AcsSessionID | security_result.detection_fields, additional.fields | network.session_id, security_result.detection_fields |
| AD-Log-Id | security_result.detection_fields | metadata.product_log_id |
| AD-User-SamAccount-Name | principal.user.attribute.labels | principal.user.user_display_name |
| allowEasyWiredSession | security_result.detection_fields, additional.fields | security_result.detection_fields |
| AuthenticationIdentityStore | security_result.detection_fields, additional.fields | security_result.detection_fields |
| Calling-Station-ID | security_result.detection_fields, additional.fields, principal.ip | security_result.detection_fields |
| ClientLatency | security_result.detection_fields, additional.fields | security_result.detection_fields |
| ConfigVersionId | security_result.detection_fields, additional.fields | security_result.detection_fields |
| CPMSessionID | security_result.detection_fields, additional.fields, network.session_id | network.session_id |
| DeviceIPAddress | target.ip | principal.ip |
| EndPointMatchedProfile | security_result.about.labels, additional.fields | security_result.about.resource.attribute.labels |
| HostIdentityGroup | additional.fields | principal.group.group_display_name |
| IdentityGroup | principal.group.group_display_name | principal.user.group_identifiers |
| IdentityPolicyMatchedRule | security_result.about.labels, additional.fields | security_result.rule_labels |
| IsThirdPartyDeviceFlow | security_result.detection_fields, additional.fields | security_result.detection_fields |
| Issuer | about.labels | network.tls.server.certificate.issuer |
| Location | principal.location.country_or_region, target.location.country_or_region, security_result.detection_fields | principal.location.country_or_region |
| NAS Identifier | principal.labels | principal.asset.attribute.labels |
| NAS-IP-Address | principal.nat_ip, principal.ip, intermediary.ip | principal.nat_ip, principal.ip |
| NAS-Port | principal.labels | principal.resource.attribute.labels |
| NAS-Port-Id | security_result.detection_fields, principal.labels | security_result.detection_fields |
| NAS-Port-Type | security_result.detection_fields, principal.labels | security_result.detection_fields |
| NASIdentifier | principal.resource.attribute.labels, security_result.detection_fields | principal.resource.attribute.labels |
| NASIdentifier | security_result.detection_fields, principal.labels | security_result.detection_fields |
| NetworkDeviceGroups_Location | intermediary.location.country_or_region | principal.location.country_or_region |
| Object Name | security_result.about.labels | security_result.about.resource.attribute.labels, principal.mac (if the value is a MAC address) |
| Object Type | security_result.about.labels, additional.fields | security_result.about.resource.attribute.labels |
| PostureAssessmentStatus | security_result.detection_fields, additional.fields | security_result.detection_fields |
| Privilege-Level | additional.fields | target.user.attribute.permissions.description |
| ProfilerServer | principal.hostname, security_result.detection_fields | principal.hostname |
| RadiusFlowType | security_result.detection_fields, additional.fields | security_result.detection_fields |
| RequestLatency | security_result.detection_fields, additional.fields | security_result.detection_fields |
| r_msg_id | security_result.detection_fields | metadata.product_log_id |
| r_seg_num | security_result.detection_fields, additional.fields | additional.fields |
| r_total_seg | security_result.detection_fields, additional.fields | additional.fields |
| SelectedAccessService | security_result.detection_fields, additional.fields | security_result.detection_fields |
| SelectedAuthorizationProfiles | security_result.detection_fields, additional.fields | security_result.detection_fields |
| Sequence-Number | metadata.product_log_id | security_result.detection_fields (if AD-Log-Id is not empty) |
| Server | principal.asset.attribute.labels | principal.hostname, principal.asset.hostname |
| Service-Type | security_result.detection_fields, additional.fields | security_result.detection_fields |
| serial_number | about.labels | about.resource.attribute.labels |
| ShutdownReason | security_result.detection_fields | security_result.description |
| Subject | about.labels | about.resource.attribute.labels |
| subject_alt_name | about.labels | about.resource.attribute.labels |
| TotalAuthenLatency | security_result.detection_fields, additional.fields | security_result.detection_fields |
| total_certainty_factor | security_result.detection_fields | security_result.confidence_score |
| UniqueSubjectID | additional.fields | principal.user.userid.product_object_id |
| Update Time | security_result.detection_fields | principal.asset.attribute.last_update_time |
| User-Fetch-Email | security_result.detection_fields | principal.user.email_addresses |
| User-Fetch-LocalityName | security_result.detection_fields | principal.location.name |
| User-Fetch-StateOrProvinceName | security_result.detection_fields | principal.location.state |
| User Name when [r_cat_name] =~ "CISE_Passed_Authentications" | principal.user.userid, target.user.userid | principal.user.userid |
| wlan-profile-name | security_result.detection_fields | principal.user.userid |
Event type mapping differences
Several events that were previously classified generically are now correctly classified with meaningful event types.
The following table lists the differences in how Cisco ISE event types are handled before and after December 1, 2025 (in the Old event_type and Current event_type columns, respectively):
| Event ID in the log and logic | Old event_type | Current event_type |
|---|---|---|
| (Per event) [has_resource] == "true" | GENERIC_EVENT | USER_RESOURCE_ACCESS |
| [Action] == "Login" | NETWORK_CONNECTION | USER_LOGIN |
| [PRAAction] =~ "logoff" | NETWORK_CONNECTION | USER_LOGOUT |
| [message] =~ "Administrator-Login" | USER_UNCATEGORIZED | USER_LOGIN |
| [message] =~ "Change password failed" | USER_LOGIN | USER_CHANGE_PASSWORD |
| [msg_text] =~ "Login Success" | USER_UNCATEGORIZED | USER_LOGIN |
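The field mapping and event_type rules above, worked through in code as an added example (this is not the Google SecOps CISCO_ISE parser): it parses a constructed Cisco ISE syslog record, applies a subset of the field-to-UDM table together with the ConnectionStatus=Failed and CISE_Passed_Authentications rules, and derives event_type from the current event_type column. The record header layout (r_cat_name, r_msg_id, r_total_seg, r_seg_num before a comma-separated key=value body) and all sample values are assumptions made for the example.

```python
"""Added example (not Google SecOps parser code): CISCO_ISE mapping and event_type rules."""
import re
from collections import defaultdict

# Subset of the log field -> UDM mapping table; one field may feed several UDM fields.
FIELD_MAP = {
    "UserName": ["target.user.userid"],
    "AdminName": ["principal.user.userid"],
    "AdminIPAddress": ["principal.ip"],
    "Calling-Station-ID": ["security_result.detection_fields", "principal.mac"],
    "NAS-IP-Address": ["principal.nat_ip", "principal.ip"],
    "AcsSessionID": ["sec_result.detection_fields", "additional.fields"],
    "AuthenticationStatus": ["security_result.action", "security_result.action_details"],
    "TLSVersion": ["network.tls.version"],
}

# Assumed record layout (constructed for this example): syslog PRI, timestamp, host,
# then r_cat_name, r_msg_id, r_total_seg, r_seg_num, then free text and key=value pairs.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<r_cat_name>CISE_\w+) (?P<r_msg_id>\d+) (?P<r_total_seg>\d+) "
    r"(?P<r_seg_num>\d+) (?P<body>.*)$"
)

def parse_record(line):
    """Return the header fields plus every key=value attribute of the body."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Cisco ISE syslog record")
    rec = m.groupdict()
    for part in rec.pop("body").split(", "):
        key, sep, value = part.partition("=")
        if sep:
            rec[key.strip()] = value.strip()
        else:  # leading free text: message code, severity and message name
            rec.setdefault("message", part)
    return rec

def classify(rec):
    """event_type per the 'Current event_type' column, checked in table order."""
    if rec.get("has_resource") == "true":
        return "USER_RESOURCE_ACCESS"
    if rec.get("Action") == "Login":
        return "USER_LOGIN"
    if re.search("logoff", rec.get("PRAAction", ""), re.IGNORECASE):
        return "USER_LOGOUT"
    if "Administrator-Login" in rec.get("message", ""):
        return "USER_LOGIN"
    if "Change password failed" in rec.get("message", ""):
        return "USER_CHANGE_PASSWORD"
    if "Login Success" in rec.get("msg_text", ""):
        return "USER_LOGIN"
    return "GENERIC_EVENT"

def to_udm(rec):
    """Build a flat UDM-path -> values dict from a parsed record."""
    udm = defaultdict(list)
    for field, targets in FIELD_MAP.items():
        if field in rec:
            for target in targets:
                udm[target].append(rec[field])
    # Table rule: UserName also feeds principal.user.userid for passed authentications.
    if rec["r_cat_name"].startswith("CISE_Passed_Authentications") and "UserName" in rec:
        udm["principal.user.userid"].append(rec["UserName"])
    # Table rule: ConnectionStatus=Failed sets security_result.action to "BLOCK".
    if rec.get("ConnectionStatus") == "Failed":
        udm["security_result.action"] = ["BLOCK"]
    udm["metadata.product_log_id"].append(rec["r_msg_id"])
    udm["metadata.event_type"] = [classify(rec)]
    return dict(udm)

# Constructed sample records (not real ISE output).
SAMPLE_AUTH = (
    "<182>Jan 10 12:00:01 ise-psn01 CISE_Passed_Authentications 0000012345 1 0 "
    "5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=42, "
    "UserName=jdoe, Calling-Station-ID=00-11-22-33-44-55, NAS-IP-Address=10.20.30.40, "
    "AcsSessionID=ise-psn01/1234/56, AuthenticationStatus=AuthenticationPassed, TLSVersion=TLSv1.2"
)
SAMPLE_ADMIN = (
    "<182>Jan 10 12:00:02 ise-psn01 CISE_Administrative_and_Operational_Audit 0000012346 1 0 "
    "51002 NOTICE Administrator-Login: Administrator authentication failed, "
    "AdminInterface=GUI, AdminIPAddress=192.0.2.10, AdminName=admin, ConnectionStatus=Failed"
)
```

Running `to_udm(parse_record(SAMPLE_ADMIN))` yields security_result.action set to BLOCK and event_type USER_LOGIN, while the passed-authentication sample falls through to GENERIC_EVENT because none of the listed rules match it.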