V 2.0 Passed Authentications Event
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Passed Authentications Event | Base Rule | General Authentication Event | Other Audit |
| V 2.0 EVID 5200 Authentication Success | Sub Rule | Authentication Activity | Authentication Success |
| V 2.0 EVID 5201 Authentication Success | Sub Rule | Authentication Activity | Authentication Success |
| V 2.0 EVID 5202 Command Authorization Succeeded | Sub Rule | Authorization Success | Other Audit Success |
| V 2.0 EVID 5203 Session Authorization Succeeded | Sub Rule | Authorization Success | Other Audit Success |
| V 2.0 EVID 5204 Change Password Success | Sub Rule | Password Modified | Account Modified |
| V 2.0 EVID 5205 Dynamic Authorization Success | Sub Rule | Authorization Success | Other Audit Success |
| V 2.0 EVID 5206 PAC Provisioned | Sub Rule | PAC Provisioned | Information |
| V 2.0 EVID 5231 Guest Authentication Passed | Sub Rule | Authentication Activity | Authentication Success |
| V 2.0 EVID 5232 DACL Download Succeeded | Sub Rule | Configuration File Downloaded | Information |
| V 2.0 EVID 5233 TrustSec Data Download Succeeded | Sub Rule | Configuration File Downloaded | Information |
| V 2.0 EVID 5234 Trust Sec Peer Policy Dwnd Succ | Sub Rule | Configuration File Downloaded | Information |
| V 2.0 EVID 5236 Authorize Only Ended Success | Sub Rule | Authorization Success | Other Audit Success |
| V 2.0 EVID 5237 Device Reg Web Auth Passed | Sub Rule | Device Registered | Other Audit Success |
| V 2.0 EVID 5238 Endpoint Auth Problem Fixed | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 5239 NAS Problem Fixed | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 5240 Rejected EP Released For Auth | Sub Rule | General RADIUS Message | Information |
| V 2.0 EVID 5241 RADIUS DTLS Handshake Succeeded | Sub Rule | Successful Activity | Other Audit Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| pri_num | N/A | N/A | The priority value of the message, is a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The facility code valid options are: LOCAL0 (Code = 16) LOCAL1 (Code = 17) LOCAL2 (Code = 18) LOCAL3 (Code = 19) LOCAL4 (Code = 20) LOCAL5 (Code = 21) LOCAL6 (Code = 22; default) LOCAL7 (Code = 23) |
| time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
| IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
| cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
| msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
| total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note : The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
| seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
| timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format : YYYY-MM-DD hh:mm:ss: xxx +/-zh:zm. |
| sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
| msg_code | <vmid> <tag1> | Number | Message code as defined in the logging categories. |
| msg_sev | <severity> | Text/String | Message severity level of a log message. |
| msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
| msg_text | <action> | Text/String | English language descriptive text message. |
| ConfigVersionId | N/A | N/A | N/A |
| Device IP Address | <sip> | IP Address | N/A |
| DestinationIPAddress | <dip> | IP Address | N/A |
| DestinationPort | <dport> | Number | N/A |
| UserName | <login> | Text/String | N/A |
| CmdSet | <command> | Text/String | N/A |
| Protocol | <protname> | Text/String | N/A |
| MatchedCommandSet | N/A | N/A | N/A |
| RequestLatency | N/A | N/A | N/A |
| NetworkDeviceName | N/A | N/A | N/A |
| User-Name | N/A | N/A | N/A |
| NAS-IP-Address | <sip> | IP Address | N/A |
| NAS-Port | N/A | N/A | N/A |
| NAS-Port-Type | N/A | N/A | N/A |
| Service-Type | N/A | N/A | N/A |
| Framed-IP-Address | <dip> | IP Address | N/A |
| Framed-Protocol | N/A | N/A | N/A |
| Called-Station-ID | N/A | N/A | N/A |
| Calling-Station-ID | N/A | N/A | N/A |
| Acct-Session-Id | <session> | Text/String | N/A |
| NAS-Port-Type | N/A | N/A | N/A |
| Connect-Info | N/A | N/A | N/A |
| Event-Timestamp | N/A | N/A | N/A |
| cisco-av-pair=subscriber:reauthenticate-type | N/A | N/A | N/A |
| cisco-av-pair=subscriber:command | <command> | Text/String | N/A |
| cisco-av-pair=audit-session-id | <session> | Text/String | N/A |
| cisco-av-pair=aaa:service | N/A | N/A | N/A |
| cisco-av-pair=aaa:event | N/A | N/A | N/A |
| cisco-av-pair=coa-push | N/A | N/A | N/A |
| OriginalUserName | N/A | N/A | N/A |
| MisconfiguredClientFixReason | <reason> | Text/String | N/A |
| NetworkDeviceProfileName | N/A | N/A | N/A |
| NetworkDeviceProfileId | N/A | N/A | N/A |
| IsThirdPartyDeviceFlow | N/A | N/A | N/A |
| RadiusFlowType | N/A | N/A | N/A |
| SSID | N/A | N/A | N/A |
| Type | N/A | N/A | N/A |
| Action | <status> | Text/String | N/A |
| Privilege-Level | N/A | N/A | N/A |
| Authen-Type | N/A | N/A | N/A |
| Service | <status> | Text/String | N/A |
| User | N/A | N/A | N/A |
| Port | N/A | N/A | N/A |
| Remote-Address | <dnatip> | IP Address | N/A |
| Authen-Method | N/A | N/A | N/A |
| Service-Argument | N/A | N/A | N/A |
| Protocol-Argument | N/A | N/A | N/A |
| NetworkDeviceProfileId | N/A | N/A | N/A |
| AcsSessionID | <session> | Text/String | N/A |
| UserType | N/A | N/A | N/A |
| Firstname | N/A | N/A | N/A |
| Lastname | N/A | N/A | N/A |
| EmailAddress | <sender> | Text/String | N/A |
| MacAddress | <smac> | Text/String | N/A |
| IpAddress | N/A | N/A | N/A |
| AuthenticationIdentityStore | N/A | N/A | N/A |
| AuthenticationMethod | N/A | N/A | N/A |
| SelectedAccessService | N/A | N/A | N/A |
| SelectedCommandSet | N/A | N/A | N/A |
| SelectedShellProfile | N/A | N/A | N/A |
| PortalName | N/A | N/A | N/A |
| IdentityGroup | <group> | Text/String | N/A |
| PsnHostName | N/A | N/A | N/A |
| GuestUserName | N/A | N/A | N/A |
| EPMacAddress | N/A | N/A | N/A |
| NADAddress | N/A | N/A | N/A |
| AuditSessionId | <session> | Text/String | N/A |
| ResponseTime | N/A | N/A | N/A |
| Step | N/A | N/A | N/A |
| Step | N/A | N/A | N/A |
| Step | N/A | N/A | N/A |
| Step | N/A | N/A | N/A |
| NetworkDeviceGroups | <group> | Text/String | N/A |
| NetworkDeviceGroups | N/A | N/A | N/A |
| NetworkDeviceGroups | N/A | N/A | N/A |
| Key1 | N/A | N/A | N/A |
| Key2 | N/A | N/A | N/A |