V 2.0 Posture And Client Provisioning Audit Event

Vendor Documentation

Classification

Rule Name | Rule Type | Common Event | Classification
--- | --- | --- | ---
V 2.0 Posture And Client Provisioning Audit Event | Base Rule | Audit Message | Other Audit
V 2.0 EVID 87000 Endpoint Posture Report Received | Sub Rule | General Endpoint Message | Information
V 2.0 EVID 87001 EP Reassessment Report Receive | Sub Rule | General Endpoint Message | Information
V 2.0 EVID 87002 Endpoint Session Termination | Sub Rule | General Endpoint Message | Information
V 2.0 EVID 87004 EP USB-Check Report Received | Sub Rule | General Information Log Message | Information
V 2.0 EVID 87500 Client Provisioning Success | Sub Rule | Successful Activity | Other Audit Success
V 2.0 EVID 87501 Client Provisioning Fail Event | Sub Rule | Provisioning Failed | Warning
V 2.0 EVID 87600 Supplicant Provisioning Success | Sub Rule | Successful Activity | Other Audit Success
V 2.0 EVID 87601 Supplicant Provisioning Fail | Sub Rule | Provisioning Failed | Warning
V 2.0 EVID 87602 Supplicant Provision Inprogress | Sub Rule | General Information Log Message | Information
V 2.0 EVID 87603 Supplicant Provisioning Disable | Sub Rule | General Information Log Message | Information
V 2.0 EVID 87604 CA Server Down | Sub Rule | The Server Is Down | Information
V 2.0 EVID 87605 CA Server Up | Sub Rule | Server Is Up | Information
V 2.0 EVID 87606 Certificate Request Forwarding | Sub Rule | Certificate Verification Failure | Error
V 2.0 EVID 87607 OCSP Transactions High Volume | Sub Rule | General Information Log Message | Information
V 2.0 EVID 87608 EST Service Down | Sub Rule | General Information Log Message | Information
V 2.0 EVID 87609 EST Service Up | Sub Rule | General Information Log Message | Information
V 2.0 EVID 87750 EP Protection Svc Perform Op. | Sub Rule | General Endpoint Message | Information
V 2.0 EVID 87751 EP Protection Svc Operation Res | Sub Rule | General Endpoint Message | Information
V 2.0 EVID 87752 Provisioning Portal -Req Submit | Sub Rule | Certificate Request | Activity
V 2.0 EVID 87753 Provisioning Portal-Status Update | Sub Rule | Certificate Update Request | Activity
V 2.0 EVID 87754 Provisioning Portal -User Login | Sub Rule | General Information Log Message | Information
V 2.0 EVID 87901 EP Scripts Provisioned New Job | Sub Rule | General Endpoint Message | Information
V 2.0 EVID 87921 EndPoint Scripts Execution Res | Sub Rule | General Endpoint Message | Information
V 2.0 EVID 87005 PSN Posture Compliant State | Sub Rule | General Information Log Message | Information
V 2.0 EVID 87006 Posture Queries For MNT Session | Sub Rule | General Information Log Message | Information

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description
--- | --- | --- | ---
pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value: priority value = (facility value * 8) + severity value. Valid facility codes: LOCAL0 (16), LOCAL1 (17), LOCAL2 (18), LOCAL3 (19), LOCAL4 (20), LOCAL5 (21), LOCAL6 (22, default), LOCAL7 (23).
time | N/A | N/A | Date and time of message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss.
IP address/hostname | N/A | N/A | IP address or hostname of the originating Cisco ISE node.
cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string.
msg_id | N/A | N/A | Unique message ID, 1 to 4294967295. The message ID increases by 1 with each new message and restarts at 1 each time the application is restarted.
total_seg | N/A | N/A | Total number of segments in a log message; long messages are divided into more than one segment. Note: total_seg depends on the Maximum Length setting on the remote logging targets page (see Remote Logging Target Settings).
seg_num | N/A | N/A | Segment sequence number within a message; use it to determine which segment of the message you are viewing.
timestamp | N/A | N/A | Date and time of message generation, according to the local clock of the originating Cisco ISE node, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm.
sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999.
msg_code | <vmid>, <tag1> | Number | Message code as defined in the logging categories.
msg_sev | <severity> | Text/String | Message severity level of a log message.
msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context.
msg_text | <action> | Text/String | English-language descriptive text message.
ConfigVersionId | N/A | N/A | N/A
NetworkDeviceGroups | N/A | N/A | N/A
RequestTime | N/A | N/A | N/A
ResponseTime | N/A | N/A | N/A
FailureReason | <reason> | Text/String | N/A
MacAddress | <dmac> | Text/String | N/A
OperatingSystem | N/A | N/A | N/A
PostureAgentVersion | N/A | N/A | N/A
PosturePolicyMatched | N/A | N/A | N/A
UserName | <account> | Text/String | N/A
SessionId | <session> | Text/String | N/A
IpAddress | <dip> | IP Address | N/A
SupplicantProfile | N/A | N/A | N/A
AntiVirusInstalled | N/A | N/A | N/A
AntiSpywareInstalled | N/A | N/A | N/A
FeedUrl | <url> | Text/String | N/A
NumOfUpdates | N/A | N/A | N/A
Key1 | N/A | N/A | N/A
Key2 | N/A | N/A | N/A
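The following is an added worked example, not LogRhythm's or Cisco's own parsing code. It shows how the header fields in the mapping table above (pri_num through msg_text, then the comma-separated Key=Value pairs) are pulled out of a Cisco ISE syslog line, how a message split across several segments is reassembled by msg_id and seg_num before the key/value pairs are read, how the device keys are renamed to the LogRhythm schema fields, and how the msg_code is matched to the sub rules in the classification table above. The sample lines are constructed for this example; the assumptions that every segment repeats the full header, that the logging category name starts with "CISE_", and that msg_text ends at the first ", Key=" are ours and should be checked against the output of your own ISE remote logging target.

```python
"""Parse Cisco ISE posture / client-provisioning syslog into LogRhythm schema fields.

Added example; header layout follows the mapping table on this page. Sample
lines are constructed, and the segment layout (each segment carries the full
header, bodies concatenate in seg_num order) is an assumption to verify.
"""
import re
from collections import defaultdict

FACILITY_NAMES = {16 + i: f"LOCAL{i}" for i in range(8)}   # LOCAL0..LOCAL7 = 16..23
SEVERITY_NAMES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

HEADER_RE = re.compile(
    r"^<(?P<pri_num>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<cat_name>CISE_\S+) "          # CISE_ prefix is an assumption
    r"(?P<msg_id>\d+) (?P<total_seg>\d+) (?P<seg_num>\d+) "
    r"(?P<timestamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[.:]\d{3} [+-]\d\d:\d\d) "
    r"(?P<sequence_num>\d+) (?P<msg_code>\d+) (?P<msg_sev>\S+) "
    r"(?P<msg_class>[^:]+): (?P<body>.*)$"
)

# Device key -> LogRhythm schema field, taken from the mapping table above.
LR_SCHEMA = {
    "cat_name": "vendorinfo", "msg_code": "vmid", "msg_sev": "severity",
    "msg_class": "subject", "msg_text": "action", "FailureReason": "reason",
    "MacAddress": "dmac", "UserName": "account", "SessionId": "session",
    "IpAddress": "dip", "FeedUrl": "url",
}

# msg_code -> (common event, classification), a subset of the classification table above.
SUB_RULES = {
    87000: ("General Endpoint Message", "Information"),
    87001: ("General Endpoint Message", "Information"),
    87002: ("General Endpoint Message", "Information"),
    87500: ("Successful Activity", "Other Audit Success"),
    87501: ("Provisioning Failed", "Warning"),
    87600: ("Successful Activity", "Other Audit Success"),
    87601: ("Provisioning Failed", "Warning"),
    87604: ("The Server Is Down", "Information"),
    87606: ("Certificate Verification Failure", "Error"),
}

def parse_header(line):
    """Split one syslog line into the header fields and decode pri_num."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an ISE syslog header: {line[:60]!r}")
    h = m.groupdict()
    pri = int(h["pri_num"])
    h["facility"] = FACILITY_NAMES.get(pri // 8, str(pri // 8))   # priority = facility*8 + severity
    h["pri_severity"] = SEVERITY_NAMES[pri % 8]
    return h

def split_body(body):
    """msg_text comes first; Key=Value pairs follow. Split only before a token that
    looks like Key=, so values that themselves contain ', ' are kept intact."""
    parts = re.split(r", (?=[A-Za-z][\w.-]*=)", body)
    fields = {}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value.rstrip(", ")          # ISE lines end with a trailing comma
    return parts[0].rstrip(", "), fields

def to_logrhythm(msg):
    """Rename device keys to LogRhythm schema names and attach the matching sub rule."""
    out = {LR_SCHEMA[k]: v for k, v in msg.items() if k in LR_SCHEMA}
    out["tag1"] = msg["msg_code"]               # msg_code is mapped to both vmid and tag1
    out["facility"] = msg["facility"]
    out["rule"] = SUB_RULES.get(int(msg["msg_code"]), ("Audit Message", "Other Audit"))
    return out

def parse_stream(lines):
    """Reassemble segmented messages (keyed by host + msg_id) and map the complete ones."""
    pending = defaultdict(dict)
    results = []
    for line in lines:
        h = parse_header(line)
        key = (h["host"], h["msg_id"])
        pending[key][int(h["seg_num"])] = h     # duplicates simply overwrite
        if set(pending[key]) != set(range(int(h["total_seg"]))):
            continue                             # wait until every segment has arrived
        segs = pending.pop(key)
        body = "".join(segs[i]["body"] for i in sorted(segs))   # concatenate in seg_num order
        msg_text, fields = split_body(body)
        msg = {**segs[0], "msg_text": msg_text, **fields}
        msg.pop("body")
        results.append(to_logrhythm(msg))
    return results

SAMPLE_LINES = [   # constructed for this example, not captured from a real deployment
    "<181>Jun 12 10:15:31 ise-psn01 CISE_Posture 0000001234 1 0 "
    "2024-06-12 10:15:31.123 +00:00 0000054321 87000 NOTICE Posture: "
    "Endpoint posture report received, ConfigVersionId=97, UserName=jdoe, "
    "MacAddress=00-11-22-33-44-55, IpAddress=10.0.0.25, "
    "SessionId=0A00001900000055A1B2C3D4, PosturePolicyMatched=Win10-AV, AntiVirusInstalled=Yes,",
    # a two-segment 87501 message delivered out of order, split mid-value
    "<180>Jun 12 10:16:02 ise-psn01 CISE_Client_Provisioning 0000001235 2 1 "
    "2024-06-12 10:16:02.004 +00:00 0000054323 87501 WARN Client-Provisioning: "
    "ed out, SessionId=0A00001900000056A1B2C3D5,",
    "<180>Jun 12 10:16:02 ise-psn01 CISE_Client_Provisioning 0000001235 2 0 "
    "2024-06-12 10:16:02.004 +00:00 0000054322 87501 WARN Client-Provisioning: "
    "Client provisioning failed, ConfigVersionId=97, UserName=asmith, "
    "MacAddress=AA-BB-CC-DD-EE-FF, IpAddress=10.0.0.31, FailureReason=Agent download tim",
]

if __name__ == "__main__":
    for rec in parse_stream(SAMPLE_LINES):
        print(rec["vmid"], rec["rule"], rec.get("account"), rec.get("reason"))
```

Two practical points follow from the table: msg_id restarts at 1 whenever the ISE application restarts, so a reassembly buffer keyed only on host and msg_id can join segments from before and after a restart if they arrive close together (adding the timestamp to the key avoids that), and since total_seg is governed by the Maximum Length setting of the remote logging target, raising that limit reduces how often segments need to be joined at all.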