V 2.0 Guest Event

Vendor Documentation

https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 Guest Event	Base Rule	General Information Log Message	Information
V 2.0 EVID: 86001 Guest User Logged In	Sub Rule	User Logon	Authentication Success
V 2.0 EVID: 86002 Guest Account Suspended	Sub Rule	Access Revoked Activity	Access Revoked
V 2.0 EVID: 86003 Guest Account Enabled	Sub Rule	Account Enabled	Access Granted
V 2.0 EVID: 86004 Password Changed By Guest User	Sub Rule	Password Modified	Account Modified
V 2.0 EVID: 86005 Policy Accepted By Guest User	Sub Rule	Policy Created: User/Password	Policy
V 2.0 EVID: 86006 Guest Account Created	Sub Rule	User Account Created	Account Created
V 2.0 EVID: 86007 Guest Account Updated	Sub Rule	User Account Attribute Modified	Account Modified
V 2.0 EVID: 86008 Guest Account Deleted	Sub Rule	User Account Deleted	Account Deleted
V 2.0 EVID: 86009 Guest Account Not Found	Sub Rule	User Not Found	Error
V 2.0 EVID: 86010 Guest User Auth Failure	Sub Rule	User Logon Failure	Authentication Failure
V 2.0 EVID: 86011 Guest User Not Enabled	Sub Rule	User Logon Failure: Account Disabled	Authentication Failure
V 2.0 EVID: 86012 Access Policy Declined By Guest	Sub Rule	Policy Disabled: User/Password	Policy
V 2.0 EVID: 86013 Portal Not Found	Sub Rule	Default Address Not Found	Error
V 2.0 EVID: 86014 User Account Suspended	Sub Rule	Access Revoked Activity	Access Revoked
V 2.0 EVID: 86015 Invalid Password Change	Sub Rule	Password Modified	Account Modified
V 2.0 EVID: 86016 Guest Timout Exceeded	Sub Rule	User Disconnected Due To Time Out	Information
V 2.0 EVID: 86017 SessionID Missing	Sub Rule	Session Could Not Be Established	Warning
V 2.0 EVID: 86018 Guest CoA Failed	Sub Rule	Authorization Failed	Warning
V 2.0 EVID: 86019 Guest User Restricted	Sub Rule	Access Revoked Activity	Access Revoked
V 2.0 EVID: 86020 Guest Unknown Error	Sub Rule	Unknown Error	Error
V 2.0 EVID: 86021 Entering Device Reg Web Auth	Sub Rule	Device Registered	Information
V 2.0 EVID: 86022 Device Reg Web Auth AUP Accept	Sub Rule	Device Registered	Other Audit Success
V 2.0 EVID: 86023 Device Re Web Auth AUP Declined	Sub Rule	Policy Disabled: Domain	Policy
V 2.0 EVID: 86024 Dev Reg WAP EP Creation Passed	Sub Rule	Device Registered	Other Audit Success
V 2.0 EVID: 86025 Dev Reg WAP EP Creation Failed	Sub Rule	Communication Endpoint Creation Failure	Error
V 2.0 EVID: 86026 Dev Reg WAP CoA Termination Fail	Sub Rule	Process Termination Failed	Error
V 2.0 EVID: 86027 Dev Reg WAP Send CoA Termination	Sub Rule	Registration	Information
V 2.0 EVID: 86028 CoA Termination Success	Sub Rule	User Session Terminated	Information
V 2.0 EVID: 86029 CoA Termination Failed	Sub Rule	Process Termination Failed	Error
V 2.0 EVID: 86030 Policy Accepted By Sponsor User	Sub Rule	User Account Created	Account Created
V 2.0 EVID: 86031 Policy Declined By Sponsor User	Sub Rule	Policy Disabled: User/Password	Policy

Mapping with LogRhythm Schema

Rule Name	Rule Type	Common Event	Classification
pri_num	N/A	N/A	Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The facility code valid options are: LOCAL0 (Code = 16) LOCAL1 (Code = 17) LOCAL2 (Code = 18) LOCAL3 (Code = 19) LOCAL4 (Code = 20) LOCAL5 (Code = 21) LOCAL6 (Code = 22; default) LOCAL7 (Code = 23)
time	N/A	N/A	Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss.
IP address/hostname	N/A	N/A	IP address of the originating Cisco ISE node, or the hostname.
cat_name	<vendorinfo>	Text/String	Logging category name preceded by the CSCOxxx string.
msg_id	N/A	N/A	Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted.
total_seg	N/A	N/A	Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings.
seg_num	N/A	N/A	Segment sequence number within a message. Use this number to determine what segment of the message you are viewing.
timestamp	N/A	N/A	Date of the message generation, according to the local clock of the originating the Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm.
sequence_num	N/A	N/A	Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999.
msg_code	<vmid> <tag1>	Number	Message code as defined in the logging categories.
msg_sev	<severity>	Text/String	Message severity level of a log message.
msg_class	<subject>	Text/String	Message class, which identifies groups of messages with the same context.
msg_text	<action>	Text/String	English language descriptive text message.
ConfigVersionId	N/A	N/A	N/A
UserType	N/A	N/A	N/A
UserName	<account>	Text/String	N/A
Firstname	N/A	N/A	N/A
Lastname	N/A	N/A	N/A
PhoneNumber	N/A	N/A	N/A
MacAddress	<smac>	Text/String	N/A
IpAddress	<sip>	IP Address	N/A
AuthenticationIdentityStore	N/A	N/A	N/A
PortalName	N/A	N/A	N/A
SponsorUser	N/A	N/A	N/A
IdentityGroup	N/A	N/A	N/A
PsnHostName	N/A	N/A	N/A
GuestUser	N/A	N/A	N/A
GuestUserName	N/A	N/A	N/A
GuestFirstname	N/A	N/A	N/A
GuestLastname	N/A	N/A	N/A
GuestEmailAddress	N/A	N/A	N/A
GuestAuthenticationIdentityStore	N/A	N/A	N/A
GuestType	N/A	N/A	N/A
GuestValidDays	N/A	N/A	N/A
GuestLocation	N/A	N/A	N/A
GuestStatus	N/A	N/A	N/A
EPMacAddress	N/A	N/A	N/A
NADAddress	N/A	N/A	N/A
ResponseTime	N/A	N/A	N/A
ETS	N/A	N/A	N/A
Key1	N/A	N/A	N/A
Key2	N/A	N/A	N/A