CISE Failed Attempts Format 2 (Cisco ISE)
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Header : Severity | <severity> | N/A |
| timestamp | N/A | N/A |
| IP address/hostname | N/A | N/A |
| cat_name | N/A | N/A |
| msg_id | N/A | N/A |
| total_seg | N/A | N/A |
| seg_num | N/A | N/A |
| User-Name | <login> <domain> | N/A |
| NAS-IP-Address | <snatip> | N/A |
| NAS-Port | <snatport> | N/A |
| Calling-Station-ID | <smac> | N/A |
| NAS-Identifier | <policy> | N/A |
| NAS-Port-Type | <objecttype> | N/A |
| CPMSessionID | <session> | N/A |
| ISEPolicySetName | <group> | N/A |
| EndPointMACAddress | <dmac> | N/A |
| AD-User-Candidate-Identities | <login> <domain> | N/A |
| N/A | <login> <domain> | N/A |
| Response | <result> <object> <objectname> | N/A |
| FailureReason | <tag1> <vmid> <reason> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1008020 | CISE Failed Attempts Format 2 | Base Rule | Connection Attempt | Network Traffic |
| Failed Logon | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
| AccessReject Bad Password | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
| SSL/TLS Handshake Failed | Sub Rule | Handshake Failed | Warning | |
| SSL/TLS Handshake Failed | Sub Rule | Handshake Failed | Warning | |
| Host Stopped Responding After PEAP | Sub Rule | Connection Lost | Network Traffic | |
| Host Stopped Responding | Sub Rule | Connection Lost | Network Traffic | |
| Host Stopped Responding | Sub Rule | Connection Lost | Network Traffic | |
| Host Stopped Responding | Sub Rule | Connection Lost | Network Traffic | |
| Connection Rejected | Sub Rule | Connection Rejected | Information | |
| Subject Not Found | Sub Rule | User Record Not Found In Cache | Information | |
| Authentication Failure Wrong Password | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
| New Session Started | Sub Rule | Session Started | Other Audit Success |
LogRhythm Default v2.0
N/A