V 2.0 Admin Authentication And Authorization Event

Vendor Documentation

https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 Admin Authentication And Authorization Event	Base Rule	General Authentication Event	Other Audit
V 2.0 EVID 10000: Handle Incoming Admin Auth Req	Sub Rule	Administrator Authentication Request	Information
V 2.0 EVID 10001: Incorrect Configuration Version	Sub Rule	Incorrect Configuration Version	Error
V 2.0 EVID 10002: Failure To Load Appropriate Svc	Sub Rule	General Failed Activity	Failed Activity
V 2.0 EVID 10003: Admin Auth Rcvd Blank Admin Name	Sub Rule	Authentication Failure Activity	Authentication Failure
V 2.0 EVID 10004: Admin Auth Rcvd Blank Admin Pwd	Sub Rule	Authentication Failure Activity	Authentication Failure
V 2.0 EVID 10005: Admin Authenticated Successfull	Sub Rule	Authentication Activity	Authentication Success
V 2.0 EVID 10006: Admin Authentication Failed	Sub Rule	Authentication Failure Activity	Authentication Failure
V 2.0 EVID 10007: Admin Auth Failed DB Error	Sub Rule	Authentication Failure Activity	Authentication Failure
V 2.0 EVID 10008: Received Valid Admin Auth Req	Sub Rule	Administrator Authentication Request	Information
V 2.0 EVID 10009: Received Admin Auth Request	Sub Rule	Administrator Authentication Request	Information
V 2.0 EVID 10010: Admin Password Change Reminder	Sub Rule	Password Change Requested	Information
V 2.0 EVID 10011: Pwd Expired Admin Pwd Change Req	Sub Rule	Password Change Required	Information
V 2.0 EVID 10012: A/C Inactivity Admin Pwd Change	Sub Rule	Password Change Required	Information
V 2.0 EVID 10013: Admin A/C Set As Never Disabled	Sub Rule	General Admin Information	Information
V 2.0 EVID 10014: Admin Account Set To Change Pwd	Sub Rule	Password Change Required	Information

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
pri_num	N/A	N/A	Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The facility code valid options are: LOCAL0 (Code = 16) LOCAL1 (Code = 17) LOCAL2 (Code = 18) LOCAL3 (Code = 19) LOCAL4 (Code = 20) LOCAL5 (Code = 21) LOCAL6 (Code = 22; default) LOCAL7 (Code = 23)
time	N/A	N/A	Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss.
IP address/hostname	N/A	N/A	IP address of the originating Cisco ISE node, or the hostname.
cat_name	<vendorinfo>	Text/String	Logging category name preceded by the CSCOxxx string.
msg_id	N/A	N/A	Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted.
total_seg	N/A	N/A	Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings.
seg_num	N/A	N/A	Segment sequence number within a message. Use this number to determine what segment of the message you are viewing.
timestamp	N/A	N/A	Date of the message generation, according to the local clock of the originating the Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm.
sequence_num	N/A	N/A	Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999.
msg_code	<vmid> <tag1>	Number	Message code as defined in the logging categories.
msg_sev	<severity>	Text/String	Message severity level of a log message.
msg_class	<subject>	Text/String	Message class, which identifies groups of messages with the same context.
msg_text	<action>	Text/String	English language descriptive text message.
Key1	N/A	N/A	N/A
Key2	N/A	N/A	N/A