Passed Authentications

Vendor Documentation

https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
pri_num	N/A	N/A
time	N/A	N/A
IP address/hostname	N/A	N/A
cat_name	N/A	<vendorinfo>
msg_id	N/A	N/A
total_seg	N/A	N/A
seg_num	N/A	N/A
timestamp	N/A	N/A
timestamp	N/A	N/A
sequence_num	N/A	N/A
msg_code	N/A	<vmid> <tag1>
msg_sev	N/A	<severity>
msg_class	<process>	<subject>
msg_text	<status> <tag1>	<action>
ConfigVersionId	<version>	<version>
Device IP Address	<dip>	<sip>
DestinationIPAddress	N/A	<dip>
DestinationPort	<dport>	<dport>
UserName	<login>	<login>
CmdSet	<command>	<command>
Protocol	<protname>	<protname>
MatchedCommandSet	N/A	N/A
RequestLatency	N/A	N/A
NetworkDeviceName	<dname>	<sname>
User-Name	N/A	N/A
NAS-IP-Address	N/A	<sip><snatip>
NAS-Port	N/A	<snatport>
NAS-Port-Type	N/A	N/A
Service-Type	N/A	N/A
Framed-IP-Address	<snatip>	<dip>
Framed-Protocol	N/A	N/A
Framed-MTU	<packets>	N/A
Called-Station-ID	<dmac>	<dmac>
Calling-Station-ID	<smac>	<smac>
Acct-Session-Id	N/A	<session>
NAS-Port-Type	N/A	N/A
Tunnel-Client-Endpoint	<sip>	N/A
Connect-Info	N/A	N/A
Event-Timestamp	N/A	N/A
cisco-av-pair=subscriber:reauthenticate-type	N/A	N/A
cisco-av-pair=subscriber:command	N/A	<command>
cisco-av-pair=audit-session-id	N/A	<session>
cisco-av-pair=aaa:service	N/A	N/A
cisco-av-pair=aaa:event	N/A	N/A
cisco-av-pair=coa-push	N/A	N/A
Tunnel-Group-Name	<objectname>	N/A
OriginalUserName	N/A	N/A
MisconfiguredClientFixReason	N/A	<reason>
NetworkDeviceProfileName	N/A	N/A
NetworkDeviceProfileId	N/A	N/A
IsThirdPartyDeviceFlow	N/A	N/A
RadiusFlowType	N/A	N/A
SSID	N/A	N/A
Type	<objecttype>	N/A
Action	<action>	<status>
Privilege-Level	N/A	N/A
Authen-Type	N/A	N/A
Service	N/A	<status>
User	N/A	N/A
Port	N/A	N/A
Remote-Address	<sip>	<dnatip>
Authen-Method	N/A	N/A
Service-Argument	N/A	N/A
Protocol-Argument	N/A	N/A
NetworkDeviceProfileId	N/A	N/A
AcsSessionID	<session>	<session>
CPMSessionID	<session>	N/A
UserType	N/A	N/A
Firstname	N/A	N/A
Lastname	N/A	N/A
EmailAddress	N/A	<sender>
MacAddress	N/A	<smac>
IpAddress	N/A	N/A
AuthenticationIdentityStore	N/A	N/A
AuthenticationMethod	N/A	N/A
SelectedAccessService	N/A	N/A
SelectedCommandSet	N/A	N/A
SelectedShellProfile	N/A	N/A
SelectedAuthorizationProfiles	<object>	N/A
PortalName	N/A	N/A
IdentityGroup	N/A	<group>
PsnHostName	N/A	N/A
GuestUserName	N/A	N/A
EPMacAddress	N/A	N/A
NADAddress	N/A	N/A
ISEPolicySetName	<policy>	N/A
AuditSessionId	N/A	<session>
ResponseTime	N/A	N/A
Step	N/A	N/A
Step	N/A	N/A
Step	N/A	N/A
Step	N/A	N/A
NetworkDeviceGroups	N/A	<group>
NetworkDeviceGroups	N/A	N/A
NetworkDeviceGroups	N/A	N/A
Key1	N/A	N/A
Key2	N/A	N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Event	Classification
1010147	Passed Authentications	Base Rule	Authentication Activity	Authentication Success
	Authentication Succeeded	Sub Rule	Authentication Activity	Authentication Success
	Authorize-Only Succeeded	Sub Rule	Authentication Activity	Authentication Success
	Command Authorization Succeeded	Sub Rule	Authentication Activity	Authentication Success
	DACL Download Succeeded	Sub Rule	Object Downloaded	Access Success
	Dynamic Authorization Succeeded	Sub Rule	Authorization Success	Other Audit Success
	Session Authorization Succeeded	Sub Rule	Authorization Success	Other Audit Success

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Event	Classification
1012737	V 2.0 Passed Authentications Event	Base Rule	General Authentication Event	Other Audit
	V 2.0 EVID 5200 Authentication Success	Sub Rule	Authentication Activity	Authentication Success
	V 2.0 EVID 5201 Authentication Success	Sub Rule	Authentication Activity	Authentication Success
	V 2.0 EVID 5202 Command Authorization Succeeded	Sub Rule	Authorization Success	Other Audit Success
	V 2.0 EVID 5203 Session Authorization Succeeded	Sub Rule	Authorization Success	Other Audit Success
	V 2.0 EVID 5204 Change Password Success	Sub Rule	Password Modified	Account Modified
	V 2.0 EVID 5205 Dynamic Authorization Success	Sub Rule	Authorization Success	Other Audit Success
	V 2.0 EVID 5206 PAC Provisioned	Sub Rule	PAC Provisioned	Information
	V 2.0 EVID 5231 Guest Authentication Passed	Sub Rule	Authentication Activity	Authentication Success
	V 2.0 EVID 5232 DACL Download Succeeded	Sub Rule	Configuration File Downloaded	Information
	V 2.0 EVID 5233 TrustSec Data Download Succeeded	Sub Rule	Configuration File Downloaded	Information
	V 2.0 EVID 5234 Trust Sec Peer Policy Dwnd Succ	Sub Rule	Configuration File Downloaded	Information
	V 2.0 EVID 5236 Authorize Only Ended Success	Sub Rule	Authorization Success	Other Audit Success
	V 2.0 EVID 5237 Device Reg Web Auth Passed	Sub Rule	Device Registered	Other Audit Success
	V 2.0 EVID 5238 Endpoint Auth Problem Fixed	Sub Rule	Successful Activity	Other Audit Success
	V 2.0 EVID 5239 NAS Problem Fixed	Sub Rule	Successful Activity	Other Audit Success
	V 2.0 EVID 5240 Rejected EP Released For Auth	Sub Rule	General RADIUS Message	Information
	V 2.0 EVID 5241 RADIUS DTLS Handshake Succeeded	Sub Rule	Successful Activity	Other Audit Success