V 2.0 AD Connector Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 AD Connector Event | Base Rule | General Information Log Message | Information |
| V 2.0 EVID 25000: ISE Server Pwd Update Success | Sub Rule | Performing Password Change | Information |
| V 2.0 EVID 25001: ISE Server Pwd Update Failure | Sub Rule | Password Change Failed | Error |
| V 2.0 EVID 25002: ISE Server TGT Refresh Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25003: Machine TGT Refresh Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25004: AD Connector Start | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 EVID 25005: AD Connector Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 25006: AD Connector Restart | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 25007: Join Point Connector Start | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 25008: Join Point Connector Stop | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 25009: Trusted Domain Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25010: Trusted Domain Discovery Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25011: Domain Join Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25012: Domain Join Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25013: Domain Leave Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25014: Domain Leave Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25015: DNS SRV Query Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25016: DNS SRV Query Failure | Sub Rule | DNS Query Failed | Error |
| V 2.0 EVID 25017: DC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25018: DC Discovery Failure | Sub Rule | Domain Controller Unreachable | Error |
| V 2.0 EVID 25019: KDC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25020: KDC Discovery Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25021: GC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25022: GC Discovery Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25023: LDAP Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25024: LDAP Connect To DC Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25025: LDAP Connect To GC Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25026: LDAP Connect To GC Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25027: RPC Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25028: RPC Connect To DC Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25029: KDC Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25030: KDC Connect To DC Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25031: AD Provider Failed To Start | Sub Rule | Server Failed To Start | Error |
| V 2.0 EVID 25032: Trusted Domain Discovered | Sub Rule | Domain Trust Information | Information |
| V 2.0 EVID 25033: DNS A/AAAA Query Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25034: DNS A/AAAA Query Failure | Sub Rule | DNS Query Failed | Error |
| V 2.0 EVID 25035: Writeable DC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25036: Writeable DC Discovery Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25037: DC Record Cached | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25038: GC Record Cached | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25039: LDAP SASL Bind Failure | Sub Rule | SASLAUTHD Error | Error |
| V 2.0 EVID 25040: RPC SC Establishment Failure | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25041: ISE Server Site Discovered | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25042: ISE Server Not Assigned To AD | Sub Rule | General Active Directory Warning | Warning |
| V 2.0 EVID 25043: No DC Found In ISE Server Site | Sub Rule | Time Service Couldn't Find Domain Controller | Warning |
| V 2.0 EVID 25044: Communication To Domain Failure | Sub Rule | Communications Failed | Error |
| V 2.0 EVID 25045: Configured NameServer Down | Sub Rule | The Server Is Down | Information |
| V 2.0 EVID 25046: Joined Domain Is Unavailable | Sub Rule | RADIUS Domain Unavailable | Error |
| V 2.0 EVID 25047: Auth Domain Is Unavailable | Sub Rule | RADIUS Domain Unavailable | Error |
| V 2.0 EVID 25048: AD Forest Is Unavailable | Sub Rule | General Active Directory Information | Information |
| V 2.0 EVID 25049: Machine Account Not Found | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25050: Machine Account Deleted From AD | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25051: Machine Account Deletion Failed | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25052: Periodic Trusts Discovery Start | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25053: Detected Offline Forest | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25054: Trust Removed By Discovery | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25055: DC Added To Blacklist | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25056: DC Removed From Blacklist | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25057: No Privileges For ISE Mac Acc. | Sub Rule | Insufficient Privileges | Error |
| V 2.0 EVID 25058: ISE Is Not Joined To AD DC | Sub Rule | General Active Directory Error | Error |
| V 2.0 EVID 25100: Connecting To External REST ID | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25101: Successful Connect To Ext REST | Sub Rule | Connection Established | Network Traffic |
| V 2.0 EVID 25102: Connection To Ext REST DB Fail | Sub Rule | General Database Error | Error |
| V 2.0 EVID 25103: Plain Text Pwd Auth In Ext REST | Sub Rule | General Authentication Information | Information |
| V 2.0 EVID 25104: Plain Text Pwd Auth Success | Sub Rule | Authentication Activity | Authentication Success |
| V 2.0 EVID 25105: Plain Text Pwd Auth Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 25106: REST Indicated Pwd Auth Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 25107: REST ID Store Server Respond | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25108: No User Groups Included To REST | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25109: ISE Starts Set User Groups | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25110: User Grp Insert To Session Cache | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25111: Failed To Set User Groups | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25112: REST DB Indicated Pwd Auth Fail | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 25113: Skipping AD Authentication | Sub Rule | General Active Directory Warning | Warning |
| V 2.0 EVID 25114: Low Bad Password For AD Instance | Sub Rule | General Active Directory Error | Error |
| V 2.0 EVID 25115: Fail To Fetch User Attr From AD | Sub Rule | General Active Directory Error | Error |
| V 2.0 EVID 25116: No Bad Pwd Count Attribute In AD | Sub Rule | General Active Directory Error | Error |
| V 2.0 EVID 25117: AD Is Part Of ID Sequence | Sub Rule | General Active Directory Warning | Warning |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The valid facility code options are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
| time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
| IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
| cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
| msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
| total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
| seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
| timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
| sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
| msg_code | <vmid>, <tag1> | Number | Message code as defined in the logging categories. |
| msg_sev | <severity> | Text/String | Message severity level of a log message. |
| msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
| msg_text | <action> | Text/String | English language descriptive text message. |
| ConfigVersionId | N/A | N/A | N/A |
| AD-Domain | <domainorigin> | Text/String | N/A |
| AD-Domain-Controller | N/A | N/A | N/A |
| AD-Hostname | N/A | N/A | N/A |
| AD-IP-Address | <sip> | IP Address | N/A |
| AD-Error-Details | N/A | N/A | N/A |
| AD-Forest | N/A | N/A | N/A |
| AD-IP-Address-Black-Listed | N/A | N/A | N/A |
| AD-Log-Id | N/A | N/A | N/A |
| AD-Trusted-Domain | N/A | N/A | N/A |
| AD-Site | N/A | N/A | N/A |
| AD-Srv-Query | N/A | N/A | N/A |
| AD-Srv-Record | N/A | N/A | N/A |
| AD-Srv-Record | N/A | N/A | N/A |
| AD-Srv-Record | N/A | N/A | N/A |
| AD-Srv-Record | N/A | N/A | N/A |
| Key1 | N/A | N/A | N/A |
| Key2 | N/A | N/A | N/A |