
[Cisco ISE] Add geo data to the cisco_ise.log.calling_station.id field in the Cisco ISE integration. #7422

Open rmelt opened 1 year ago

rmelt commented 1 year ago

The client field is enriched with geo data. However, the client field is most likely to be an RFC 1918 address and so has no geo data associated with it. When a user logs in to the VPN, the cisco_ise.log.calling_station.id field contains the user's public IP and can have GeoIP data tied to it.

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

rmelt commented 10 months ago

Can I get an update on this issue? @elastic/security-external-integrations (Team:Security-External Integrations)

efd6 commented 10 months ago

@rmelt Do you have example events that we can look at to work from? The events that we have all have the Calling-Station-ID as a MAC address.

rmelt commented 10 months ago

When a user authenticates from the wireless controller, the Calling-Station-ID will be a MAC address, but when the authentication is from a VPN, the Calling-Station-ID will be the client's external IP. The IP that needs to have GeoIP data added is 174.217.17.154.

  "_index": ".ds-logs-cisco_ise.log-network-2023.12.14-000006",
  "_id": "7_TxgYwBPL5EQdGAjkQ9",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "name": "DU-KIBANA-P1",
      "id": "a7987536-6a34-46e1-b9a5-49379699a04d",
      "type": "filebeat",
      "ephemeral_id": "a1344f29-b9af-44ba-8a31-96375fae84e9",
      "version": "8.11.0"
    },
    "cisco_ise": {
      "log": {
        "allow": {
          "easy": {
            "wired": {
              "session": "false"
            }
          }
        },
        "request": {
          "latency": 39
        },
        "log_details": {
          "ExternalGroups": [
            "S-1-1-24-2139161802-2342954143-1248463453-2750",
            "S-1-1-24-2139161802-2342954143-1248463453-513"
          ],
          "AD-User-Candidate-Identities": "traitmelbu@df.knotmata.com",
          "IsMachineIdentity": "false",
          "HostIdentityGroup": "Endpoint Identity Groups:Profiled:Workstation",
          "IdentityAccessRestricted": "false",
          "AD-User-SamAccount-Name": "traitmelbu",
          "AD-User-Qualified-Name": "traitmelbu@southernute-nsn.gov",
          "Called-Station-ID": "154.221.145.35",
          "CVPN3000/ASA/PIX7x-Client-Type": "2",
          "EndPointMatchedProfile": "Windows10-Workstation",
          "AD-User-Resolved-Identities": "traitmelbu@df.knotmata.com",
          "CVPN3000/ASA/PIX7x-Tunnel-Group-Name": "DoubleAuthenticaiton-Cert-Password",
          "AD-User-Resolved-DNs": "CN=Atcitty\\\\\\",
          "AD-User-NetBios-Name": "df",
          "AD-User-DNS-Domain": "df.knotmata.com",
          "SSID": "154.221.145.35",
          "AD-Groups-Names": [
            "df.knotmata.com/df Department Users and Computers/J&R/beta Admin/Groups beta Admin/J&R VPN Users",
            "df.knotmata.com/Users/Domain Users"
          ],
          "UserAccountControl": "512",
          "IsMachineAuthentication": "false",
          "AD-User-Join-Point": "df.knotmata.COM",
          "Tunnel-Client-Endpoint": "(tag=0) 174.217.17.154"
        },
        "auth": {
          "policy": {
            "matched": {
              "rule": "VPN- beta USERS"
            }
          }
        },
        "calling_station": {
          "id": "174.217.17.154"
        },
        "network": {
          "device": {
            "profile_name": "Cisco",
            "profile_id": "b0699505-3150-4215-a80e-6753d45bf56c",
            "profile": "Cisco",
            "name": "df_VPN",
            "groups": [
              "Location#All Locations#theta-df",
              "Device Type#All Device Types#Firewall",
              "IPSEC#Is IPSEC Device#No"
            ]
          }
        },
        "acs": {
          "session": {
            "id": "DU-ISEPSN-P3/481603622/7297681"
          }
        },
        "total": {
          "authen": {
            "latency": 39
          }
        },
        "identity": {
          "selection": {
            "matched": {
              "rule": "802.1x-PEAP_Access"
            }
          },
          "group": "Endpoint Identity Groups:Profiled:Workstation",
          "policy": {
            "matched": {
              "rule": "802.1x-PEAP_Access"
            }
          }
        },
        "segment": {
          "number": 0,
          "total": 1
        },
        "client": {
          "latency": 0
        },
        "step_data": [
          "4= DEVICE.Device Type",
          "5= DEVICE.Location",
          "6= Radius.Called-Station-ID",
          "8= Network Access.EapAuthentication (2 times)",
          "9= Network Access.Device IP Address",
          "10=AD_df",
          "11=AD_df",
          "12=traitmelbu@southernute-nsn.gov",
          "13=df.knotmata.com",
          "14=knotmata.com",
          "16=traitmelbu@df.knotmata.com",
          "17=AD_df",
          "0=AD_df",
          "1=df.knotmata.com",
          "2=AD_df",
          "26= AD_df.ExternalGroups"
        ],
        "selected": {
          "authorization": {
            "profiles": "VPN_df_Users"
          },
          "access": {
            "service": "theta_AD_802.1x"
          },
          "authentication": {
            "identity_stores": "AD_df"
          }
        },
        "authentication": {
          "method": "PAP_ASCII",
          "identity_store": "AD_df",
          "status": "AuthenticationPassed"
        },
        "cpm": {
          "session": {
            "id": "0a0a013705b9400065818477"
          }
        },
        "nas": {
          "port": {
            "number": 96026624,
            "type": "Virtual"
          },
          "ip": "10.30.14.44"
        },
        "dtls_support": "Unknown",
        "posture": {
          "assessment": {
            "status": "NotApplicable"
          }
        },
        "message": {
          "code": "5200",
          "description": "Passed-Authentication: Authentication succeeded",
          "id": "0009964326"
        },
        "config_version": {
          "id": 192
        },
        "is_third_party_device_flow": false,
        "cisco_av_pair": {
          "AuthenticationIdentityStore": "AD_df",
          "ip:source-ip": "174.217.17.154",
          "mdm-tlv": [
            "device-platform=win",
            "device-platform-version=10.0.19045 ",
            "device-type=Panasonic Corporation FZG2-1",
            "ac-user-agent=AnyConnect Windows 4.10.05085",
          ],
          "FQSubjectName": "42a5cde0-a71e-11e8-bbf5-0242e16b9c1b#traitmelbu@df.knotmata.com",
          "audit-session-id": "0a0a013705b9400065818477",
          "coa-push": true,
          "UniqueSubjectID": "8606b2d5086b6c8d24998b2887799182b07ef973"
        },
        "response": {
          "LicenseTypes": "1",
          "Class": [
            "df_VPN_Users",
            "CACS:0a0a013705b9400065818477:DU-ISEPSN-P3/481603622/7297681"
          ],
          "cisco-av-pair": [
            "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3",
            "profile-name=Windows10-Workstation"
          ]
        },
        "ipsec": "IPSEC#Is IPSEC Device#No",
        "ise": {
          "policy": {
            "set_name": "theta-VPN"
          }
        },
        "location": "Location#All Locations#theta-df",
        "step": [
          "11001",
          "11017",
          "15049",
          "15008",
          "15048",
          "15048",
          "15048",
          "15041",
          "15048",
          "15048",
          "15013",
          "24430",
          "24325",
          "24313",
          "24319",
          "24323",
          "24343",
          "24402",
          "22037",
          "24715",
          "15036",
          "24209",
          "24211",
          "24432",
          "24355",
          "24416",
          "15048",
          "15016",
          "11022",
          "22081",
          "22080",
          "11002"
        ],
        "category": {
          "name": "CISE_Passed_Authentications"
        },
        "device": {
          "type": "Device Type#All Device Types#Firewall"
        }
      }
    },
    "log": {
      "level": "notice",
      "source": {
        "address": "10.40.20.31:36376"
      },
      "syslog": {
        "severity": {
          "name": "notice"
        },
        "priority": 181
      }
    },
    "elastic_agent": {
      "id": "a7987536-6a34-46e1-b9a5-49379699a04d",
      "version": "8.11.0",
      "snapshot": false
    },
    "destination": {
      "port": 1645,
      "ip": "10.40.20.31"
    },
    "message": "2023-12-19 04:59:00.140 -07:00 0232211597 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=192, Device IP Address=10.30.14.44, DestinationIPAddress=10.40.20.31, DestinationPort=1645, UserName=traitmelbu@southernute-nsn.gov, Protocol=Radius, NetworkDeviceName=df_VPN, User-Name=traitmelbu@southernute-nsn.gov, NAS-IP-Address=10.30.14.44, NAS-Port=96026624, Called-Station-ID=154.221.145.35, Calling-Station-ID=174.217.17.154, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 174.217.17.154, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=98-97-b2-58-40-5a, cisco-av-pair=mdm-tlv=device-platform-version=10.0.19045 , cisco-av-pair=mdm-tlv=device-type=Panasonic Corporation FZG2-1, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.10.05085, cisco-av-pair=mdm-tlv=device-uid=894B3BD1EDDB0DC01A37B8439D6DE1DF02209CB2EAB08CEA47C8364E9ED11ACA, cisco-av-pair=audit-session-id=0a0a013705b9400065818477, cisco-av-pair=ip:source-ip=174.217.17.154, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=DoubleAuthenticaiton-Cert-Password, OriginalUserName=traitmelbu@southernute-nsn.gov, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, SSID=154.221.145.35, CVPN3000/ASA/PIX7x-Client-Type=2, AcsSessionID=DU-ISEPSN-P3/481603622/7297681, AuthenticationIdentityStore=AD_df, AuthenticationMethod=PAP_ASCII, SelectedAccessService=theta_AD_802.1x, SelectedAuthorizationProfiles=VPN_df_Users, IsMachineAuthentication=false, RequestLatency=39, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15041, Step=15048, Step=15048, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24402, Step=22037, Step=24715, Step=15036, Step=24209, Step=24211, Step=24432, Step=24355, Step=24416, Step=15048, Step=15016, 
Step=11022, Step=22081, Step=22080, Step=11002, SelectedAuthenticationIdentityStores=AD_df, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#theta-df, NetworkDeviceGroups=Device Type#All Device Types#Firewall, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=802.1x-PEAP_Access, AuthorizationPolicyMatchedRule=VPN- beta USERS, cisco-av-pair=AuthenticationIdentityStore=AD_df, cisco-av-pair=FQSubjectName=42a5cde0-a71e-11e8-bbf5-0242e16b9c1b#traitmelbu@df.knotmata.com, cisco-av-pair=UniqueSubjectID=8606b2d5086b6c8d24998b2887799182b07ef973, CPMSessionID=0a0a013705b9400065818477, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows10-Workstation, ISEPolicySetName=theta-VPN, IdentitySelectionMatchedRule=802.1x-PEAP_Access, AD-User-Resolved-Identities=traitmelbu@df.knotmata.com, AD-User-Candidate-Identities=traitmelbu@df.knotmata.com, AD-User-Join-Point=df.knotmata.COM, StepData=4= DEVICE.Device Type, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=8= Network Access.EapAuthentication (2 times), StepData=9= Network Access.Device IP Address, StepData=10=AD_df, StepData=11=AD_df, StepData=12=traitmelbu@southernute-nsn.gov, StepData=13=df.knotmata.com, StepData=14=knotmata.com, StepData=16=traitmelbu@df.knotmata.com, StepData=17=AD_df, StepData=0=AD_df, StepData=1=df.knotmata.com, StepData=2=AD_df, StepData=26= AD_df.ExternalGroups, TotalAuthenLatency=39, ClientLatency=0, AD-User-Resolved-DNs=CN=Atcitty\\\\\\, Jolita\\,OU=SUPD ToughPad Users\\,OU=Users SUPD\\,OU=SUPD\\,OU=J&R\\,OU=df Department Users and Computers\\,DC=df\\,DC=knotmata\\,DC=com, AD-User-DNS-Domain=df.knotmata.com, AD-Groups-Names=df.knotmata.com/df Department Users and Computers/J&R/beta Admin/Groups beta Admin/J&R VPN Users, AD-Groups-Names=df.knotmata.com/Users/Domain Users, AD-User-NetBios-Name=df, IsMachineIdentity=false, UserAccountControl=512, AD-User-SamAccount-Name=traitmelbu, 
AD-User-Qualified-Name=traitmelbu@southernute-nsn.gov, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, ExternalGroups=S-1-5-21-2139161802-2342954143-1248463453-2750, ExternalGroups=S-1-5-21-2139161802-2342954143-1248463453-513, IdentityAccessRestricted=false, Network Device Profile=Cisco, Location=Location#All Locations#theta-df, Device Type=Device Type#All Device Types#Firewall, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=df_VPN_Users; Class=CACS:0a0a013705b9400065818477:DU-ISEPSN-P3/481603622/7297681; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3; cisco-av-pair=profile-name=Windows10-Workstation; LicenseTypes=1; },",
    "tags": [
      "preserve_original_event",
      "forwarded",
      "cisco_ise-log"
    ],
    "network": {
      "protocol": "radius"
    },
    "input": {
      "type": "udp"
    },
    "@timestamp": "2023-12-19T04:59:00.140-07:00",
    "ecs": {
      "version": "8.11.0"
    },
    "related": {
      "hosts": [
        "DU-ISEPSN-P3"
      ],
      "ip": [
        "10.30.14.44",
        "10.40.20.31"
      ],
      "user": [
        "traitmelbu@southernute-nsn.gov"
      ]
    },
    "data_stream": {
      "namespace": "network",
      "type": "logs",
      "dataset": "cisco_ise.log"
    },
    "host": {
      "hostname": "DU-ISEPSN-P3"
    },
    "client": {
      "ip": "10.30.14.44"
    },
    "event": {
      "agent_id_status": "verified",
      "sequence": 232211597,
      "ingested": "2023-12-19T11:59:00Z",
      "original": "<181>Dec 19 04:59:00 DU-ISEPSN-P3 CISE_Passed_Authentications 0009964326 1 0 2023-12-19 04:59:00.140 -07:00 0232211597 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=192, Device IP Address=10.30.14.44, DestinationIPAddress=10.40.20.31, DestinationPort=1645, UserName=traitmelbu@southernute-nsn.gov, Protocol=Radius, NetworkDeviceName=df_VPN, User-Name=traitmelbu@southernute-nsn.gov, NAS-IP-Address=10.30.14.44, NAS-Port=96026624, Called-Station-ID=154.221.145.35, Calling-Station-ID=174.217.17.154, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 174.217.17.154, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=98-97-b2-58-40-5a, cisco-av-pair=mdm-tlv=device-platform-version=10.0.19045 , cisco-av-pair=mdm-tlv=device-type=Panasonic Corporation FZG2-1, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.10.05085, cisco-av-pair=mdm-tlv=device-uid=894B3BD1EDDB0DC01A37B8439D6DE1DF02209CB2EAB08CEA47C8364E9ED11ACA, cisco-av-pair=audit-session-id=0a0a013705b9400065818477, cisco-av-pair=ip:source-ip=174.217.17.154, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=DoubleAuthenticaiton-Cert-Password, OriginalUserName=traitmelbu@southernute-nsn.gov, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, SSID=154.221.145.35, CVPN3000/ASA/PIX7x-Client-Type=2, AcsSessionID=DU-ISEPSN-P3/481603622/7297681, AuthenticationIdentityStore=AD_df, AuthenticationMethod=PAP_ASCII, SelectedAccessService=theta_AD_802.1x, SelectedAuthorizationProfiles=VPN_df_Users, IsMachineAuthentication=false, RequestLatency=39, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15041, Step=15048, Step=15048, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24402, Step=22037, Step=24715, Step=15036, 
Step=24209, Step=24211, Step=24432, Step=24355, Step=24416, Step=15048, Step=15016, Step=11022, Step=22081, Step=22080, Step=11002, SelectedAuthenticationIdentityStores=AD_df, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#theta-df, NetworkDeviceGroups=Device Type#All Device Types#Firewall, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=802.1x-PEAP_Access, AuthorizationPolicyMatchedRule=VPN- beta USERS, cisco-av-pair=AuthenticationIdentityStore=AD_df, cisco-av-pair=FQSubjectName=42a5cde0-a71e-11e8-bbf5-0242e16b9c1b#traitmelbu@df.knotmata.com, cisco-av-pair=UniqueSubjectID=8606b2d5086b6c8d24998b2887799182b07ef973, CPMSessionID=0a0a013705b9400065818477, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows10-Workstation, ISEPolicySetName=theta-VPN, IdentitySelectionMatchedRule=802.1x-PEAP_Access, AD-User-Resolved-Identities=traitmelbu@df.knotmata.com, AD-User-Candidate-Identities=traitmelbu@df.knotmata.com, AD-User-Join-Point=df.knotmata.COM, StepData=4= DEVICE.Device Type, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=8= Network Access.EapAuthentication (2 times), StepData=9= Network Access.Device IP Address, StepData=10=AD_df, StepData=11=AD_df, StepData=12=traitmelbu@southernute-nsn.gov, StepData=13=df.knotmata.com, StepData=14=knotmata.com, StepData=16=traitmelbu@df.knotmata.com, StepData=17=AD_df, StepData=0=AD_df, StepData=1=df.knotmata.com, StepData=2=AD_df, StepData=26= AD_df.ExternalGroups, TotalAuthenLatency=39, ClientLatency=0, AD-User-Resolved-DNs=CN=Atcitty\\\\\\, Jolita\\,OU=SUPD ToughPad Users\\,OU=Users SUPD\\,OU=SUPD\\,OU=J&R\\,OU=df Department Users and Computers\\,DC=df\\,DC=knotmata\\,DC=com, AD-User-DNS-Domain=df.knotmata.com, AD-Groups-Names=df.knotmata.com/df Department Users and Computers/J&R/beta Admin/Groups beta Admin/J&R VPN Users, AD-Groups-Names=df.knotmata.com/Users/Domain Users, AD-User-NetBios-Name=df, IsMachineIdentity=false, 
UserAccountControl=512, AD-User-SamAccount-Name=traitmelbu, AD-User-Qualified-Name=traitmelbu@southernute-nsn.gov, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, ExternalGroups=S-1-5-21-2139161802-2342954143-1248463453-2750, ExternalGroups=S-1-5-21-2139161802-2342954143-1248463453-513, IdentityAccessRestricted=false, Network Device Profile=Cisco, Location=Location#All Locations#theta-df, Device Type=Device Type#All Device Types#Firewall, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=df_VPN_Users; Class=CACS:0a0a013705b9400065818477:DU-ISEPSN-P3/481603622/7297681; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3; cisco-av-pair=profile-name=Windows10-Workstation; LicenseTypes=1; },",
      "code": "5200",
      "kind": "event",
      "timezone": "-07:00",
      "action": "passed-authentication",
      "category": [
        "authentication"
      ],
      "type": [
        "info"
      ],
      "dataset": "cisco_ise.log"
    },
    "user": {
      "name": [
        "traitmelbu@southernute-nsn.gov"
      ]
    }
  },
  "fields": {
    "elastic_agent.version": [
      "8.11.0"
    ],
    "event.category": [
      "authentication"
    ],
    "cisco_ise.log.dtls_support": [
      "Unknown"
    ],
    "cisco_ise.log.authentication.method": [
      "PAP_ASCII"
    ],
    "cisco_ise.log.step_data": [
      "4= DEVICE.Device Type",
      "5= DEVICE.Location",
      "6= Radius.Called-Station-ID",
      "8= Network Access.EapAuthentication (2 times)",
      "9= Network Access.Device IP Address",
      "10=AD_df",
      "11=AD_df",
      "12=traitmelbu@southernute-nsn.gov",
      "13=df.knotmata.com",
      "14=knotmata.com",
      "16=traitmelbu@df.knotmata.com",
      "17=AD_df",
      "0=AD_df",
      "1=df.knotmata.com",
      "2=AD_df",
      "26= AD_df.ExternalGroups"
    ],
    "cisco_ise.log.category.name": [
      "CISE_Passed_Authentications"
    ],
    "host.hostname": [
      "DU-ISEPSN-P3"
    ],
    "cisco_ise.log.auth.policy.matched.rule": [
      "VPN- beta USERS"
    ],
    "cisco_ise.log.message.description": [
      "Passed-Authentication: Authentication succeeded"
    ],
    "cisco_ise.log.cisco_av_pair.coa-push": [
      true
    ],
    "log.level": [
      "notice"
    ],
    "log.syslog.severity.name": [
      "notice"
    ],
    "agent.name": [
      "DU-KIBANA-P1"
    ],
    "cisco_ise.log.segment.total": [
      1
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "cisco_ise.log.cisco_av_pair.audit-session-id": [
      "0a0a013705b9400065818477"
    ],
    "cisco_ise.log.log_details": [
      {
        "AD-User-Candidate-Identities": "traitmelbu@df.knotmata.com",
        "IsMachineIdentity": "false",
        "HostIdentityGroup": "Endpoint Identity Groups:Profiled:Workstation",
        "IdentityAccessRestricted": "false",
        "AD-User-SamAccount-Name": "traitmelbu",
        "AD-User-Qualified-Name": "traitmelbu@southernute-nsn.gov",
        "Called-Station-ID": "154.221.145.35",
        "CVPN3000/ASA/PIX7x-Client-Type": "2",
        "EndPointMatchedProfile": "Windows10-Workstation",
        "AD-User-Resolved-Identities": "traitmelbu@df.knotmata.com",
        "CVPN3000/ASA/PIX7x-Tunnel-Group-Name": "DoubleAuthenticaiton-Cert-Password",
        "AD-User-NetBios-Name": "df",
        "AD-User-DNS-Domain": "df.knotmata.com",
        "SSID": "154.221.145.35",
        "AD-Groups-Names": [
          "df.knotmata.com/df Department Users and Computers/J&R/beta Admin/Groups beta Admin/J&R VPN Users",
          "df.knotmata.com/Users/Domain Users"
        ],
        "UserAccountControl": "512",
        "IsMachineAuthentication": "false",
        "AD-User-Join-Point": "df.knotmata.COM",
        "Tunnel-Client-Endpoint": "(tag=0) 174.217.17.154"
      }
    ],
    "event.kind": [
      "event"
    ],
    "cisco_ise.log.cisco_av_pair.ip:source-ip": [
      "174.217.17.154"
    ],
    "event.original": [
      "<181>Dec 19 04:59:00 DU-ISEPSN-P3 CISE_Passed_Authentications 0009964326 1 0 2023-12-19 04:59:00.140 -07:00 0232211597 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=192, Device IP Address=10.30.14.44, DestinationIPAddress=10.40.20.31, DestinationPort=1645, UserName=traitmelbu@southernute-nsn.gov, Protocol=Radius, NetworkDeviceName=df_VPN, User-Name=traitmelbu@southernute-nsn.gov, NAS-IP-Address=10.30.14.44, NAS-Port=96026624, Called-Station-ID=154.221.145.35, Calling-Station-ID=174.217.17.154, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 174.217.17.154, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=98-97-b2-58-40-5a, cisco-av-pair=mdm-tlv=device-platform-version=10.0.19045 , cisco-av-pair=mdm-tlv=device-type=Panasonic Corporation FZG2-1, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.10.05085, cisco-av-pair=mdm-tlv=device-uid=894B3BD1EDDB0DC01A37B8439D6DE1DF02209CB2EAB08CEA47C8364E9ED11ACA, cisco-av-pair=audit-session-id=0a0a013705b9400065818477, cisco-av-pair=ip:source-ip=174.217.17.154, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=DoubleAuthenticaiton-Cert-Password, OriginalUserName=traitmelbu@southernute-nsn.gov, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, SSID=154.221.145.35, CVPN3000/ASA/PIX7x-Client-Type=2, AcsSessionID=DU-ISEPSN-P3/481603622/7297681, AuthenticationIdentityStore=AD_df, AuthenticationMethod=PAP_ASCII, SelectedAccessService=theta_AD_802.1x, SelectedAuthorizationProfiles=VPN_df_Users, IsMachineAuthentication=false, RequestLatency=39, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15041, Step=15048, Step=15048, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24402, Step=22037, Step=24715, Step=15036, Step=24209, 
Step=24211, Step=24432, Step=24355, Step=24416, Step=15048, Step=15016, Step=11022, Step=22081, Step=22080, Step=11002, SelectedAuthenticationIdentityStores=AD_df, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#theta-df, NetworkDeviceGroups=Device Type#All Device Types#Firewall, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=802.1x-PEAP_Access, AuthorizationPolicyMatchedRule=VPN- beta USERS, cisco-av-pair=AuthenticationIdentityStore=AD_df, cisco-av-pair=FQSubjectName=42a5cde0-a71e-11e8-bbf5-0242e16b9c1b#traitmelbu@df.knotmata.com, cisco-av-pair=UniqueSubjectID=8606b2d5086b6c8d24998b2887799182b07ef973, CPMSessionID=0a0a013705b9400065818477, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows10-Workstation, ISEPolicySetName=theta-VPN, IdentitySelectionMatchedRule=802.1x-PEAP_Access, AD-User-Resolved-Identities=traitmelbu@df.knotmata.com, AD-User-Candidate-Identities=traitmelbu@df.knotmata.com, AD-User-Join-Point=df.knotmata.COM, StepData=4= DEVICE.Device Type, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=8= Network Access.EapAuthentication (2 times), StepData=9= Network Access.Device IP Address, StepData=10=AD_df, StepData=11=AD_df, StepData=12=traitmelbu@southernute-nsn.gov, StepData=13=df.knotmata.com, StepData=14=knotmata.com, StepData=16=traitmelbu@df.knotmata.com, StepData=17=AD_df, StepData=0=AD_df, StepData=1=df.knotmata.com, StepData=2=AD_df, StepData=26= AD_df.ExternalGroups, TotalAuthenLatency=39, ClientLatency=0, AD-User-Resolved-DNs=CN=Atcitty\\\\\\, Jolita\\,OU=SUPD ToughPad Users\\,OU=Users SUPD\\,OU=SUPD\\,OU=J&R\\,OU=df Department Users and Computers\\,DC=df\\,DC=knotmata\\,DC=com, AD-User-DNS-Domain=df.knotmata.com, AD-Groups-Names=df.knotmata.com/df Department Users and Computers/J&R/beta Admin/Groups beta Admin/J&R VPN Users, AD-Groups-Names=df.knotmata.com/Users/Domain Users, AD-User-NetBios-Name=df, IsMachineIdentity=false, 
UserAccountControl=512, AD-User-SamAccount-Name=traitmelbu, AD-User-Qualified-Name=traitmelbu@southernute-nsn.gov, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, ExternalGroups=S-1-5-21-2139161802-2342954143-1248463453-2750, ExternalGroups=S-1-5-21-2139161802-2342954143-1248463453-513, IdentityAccessRestricted=false, Network Device Profile=Cisco, Location=Location#All Locations#theta-df, Device Type=Device Type#All Device Types#Firewall, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=df_VPN_Users; Class=CACS:0a0a013705b9400065818477:DU-ISEPSN-P3/481603622/7297681; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3; cisco-av-pair=profile-name=Windows10-Workstation; LicenseTypes=1; },"
    ],
    "cisco_ise.log.cisco_av_pair.UniqueSubjectID": [
      "8606b2d5086b6c8d24998b2887799182b07ef973"
    ],
    "cisco_ise.log.cisco_av_pair.mdm-tlv": [
      "device-platform=win",
      "device-mac=98-97-b2-58-40-5a",
      "device-platform-version=10.0.19045 ",
      "device-type=Panasonic Corporation FZG2-1",
      "ac-user-agent=AnyConnect Windows 4.10.05085",
      "device-uid=894B3BD1EDDB0DC01A37B8439D6DE1DF02209CB2EAB08CEA47C8364E9ED11ACA"
    ],
    "input.type": [
      "udp"
    ],
    "client.ip": [
      "10.30.14.44"
    ],
    "cisco_ise.log.client.latency": [
      0
    ],
    "data_stream.type": [
      "logs"
    ],
    "cisco_ise.log.network.device.groups": [
      "Location#All Locations#theta-df",
      "Device Type#All Device Types#Firewall",
      "IPSEC#Is IPSEC Device#No"
    ],
    "related.user": [
      "traitmelbu@southernute-nsn.gov"
    ],
    "tags": [
      "preserve_original_event",
      "forwarded",
      "cisco_ise-log"
    ],
    "cisco_ise.log.location": [
      "Location#All Locations#theta-df"
    ],
    "cisco_ise.log.network.device.profile_name": [
      "Cisco"
    ],
    "event.code": [
      "5200"
    ],
    "agent.id": [
      "a7987536-6a34-46e1-b9a5-49379699a04d"
    ],
    "cisco_ise.log.identity.policy.matched.rule": [
      "802.1x-PEAP_Access"
    ],
    "cisco_ise.log.response": [
      {
        "LicenseTypes": "1",
        "Class": [
          "df_VPN_Users",
          "CACS:0a0a013705b9400065818477:DU-ISEPSN-P3/481603622/7297681"
        ],
        "cisco-av-pair": [
          "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3",
          "profile-name=Windows10-Workstation"
        ]
      }
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "cisco_ise.log.selected.authorization.profiles": [
      "VPN_df_Users"
    ],
    "log.source.address": [
      "10.40.20.31:36376"
    ],
    "agent.version": [
      "8.11.0"
    ],
    "cisco_ise.log.segment.number": [
      0
    ],
    "related.hosts": [
      "DU-ISEPSN-P3"
    ],
    "cisco_ise.log.nas.port.type": [
      "Virtual"
    ],
    "cisco_ise.log.step": [
      "11001",
      "11017",
      "15049",
      "15008",
      "15048",
      "15048",
      "15048",
      "15041",
      "15048",
      "15048",
      "15013",
      "24430",
      "24325",
      "24313",
      "24319",
      "24323",
      "24343",
      "24402",
      "22037",
      "24715",
      "15036",
      "24209",
      "24211",
      "24432",
      "24355",
      "24416",
      "15048",
      "15016",
      "11022",
      "22081",
      "22080",
      "11002"
    ],
    "cisco_ise.log.network.device.profile": [
      "Cisco"
    ],
    "cisco_ise.log.acs.session.id": [
      "DU-ISEPSN-P3/481603622/7297681"
    ],
    "cisco_ise.log.posture.assessment.status": [
      "NotApplicable"
    ],
    "destination.port": [
      1645
    ],
    "cisco_ise.log.total.authen.latency": [
      39
    ],
    "cisco_ise.log.nas.ip": [
      "10.30.14.44"
    ],
    "user.name": [
      "traitmelbu@southernute-nsn.gov"
    ],
    "cisco_ise.log.cisco_av_pair.FQSubjectName": [
      "42a5cde0-a71e-11e8-bbf5-0242e16b9c1b#traitmelbu@df.knotmata.com"
    ],
    "cisco_ise.log.authentication.identity_store": [
      "AD_df"
    ],
    "cisco_ise.log.config_version.id": [
      192
    ],
    "cisco_ise.log.selected.authentication.identity_stores": [
      "AD_df"
    ],
    "cisco_ise.log.allow.easy.wired.session": [
      "false"
    ],
    "event.sequence": [
      232211597
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "cisco_ise"
    ],
    "network.protocol": [
      "radius"
    ],
    "related.ip": [
      "10.30.14.44",
      "10.40.20.31"
    ],
    "cisco_ise.log.selected.access.service": [
      "theta_AD_802.1x"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "log.syslog.priority": [
      181
    ],
    "cisco_ise.log.is_third_party_device_flow": [
      false
    ],
    "event.timezone": [
      "-07:00"
    ],
    "cisco_ise.log.ipsec": [
      "IPSEC#Is IPSEC Device#No"
    ],
    "cisco_ise.log.device.type": [
      "Device Type#All Device Types#Firewall"
    ],
    "cisco_ise.log.cisco_av_pair.AuthenticationIdentityStore": [
      "AD_df"
    ],
    "elastic_agent.id": [
      "a7987536-6a34-46e1-b9a5-49379699a04d"
    ],
    "data_stream.namespace": [
      "network"
    ],
    "cisco_ise.log.ise.policy.set_name": [
      "theta-VPN"
    ],
    "message": [
      "2023-12-19 04:59:00.140 -07:00 0232211597 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=192, Device IP Address=10.30.14.44, DestinationIPAddress=10.40.20.31, DestinationPort=1645, UserName=traitmelbu@southernute-nsn.gov, Protocol=Radius, NetworkDeviceName=df_VPN, User-Name=traitmelbu@southernute-nsn.gov, NAS-IP-Address=10.30.14.44, NAS-Port=96026624, Called-Station-ID=154.221.145.35, Calling-Station-ID=174.217.17.154, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 174.217.17.154, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=device-mac=98-97-b2-58-40-5a, cisco-av-pair=mdm-tlv=device-platform-version=10.0.19045 , cisco-av-pair=mdm-tlv=device-type=Panasonic Corporation FZG2-1, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 4.10.05085, cisco-av-pair=mdm-tlv=device-uid=894B3BD1EDDB0DC01A37B8439D6DE1DF02209CB2EAB08CEA47C8364E9ED11ACA, cisco-av-pair=audit-session-id=0a0a013705b9400065818477, cisco-av-pair=ip:source-ip=174.217.17.154, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=DoubleAuthenticaiton-Cert-Password, OriginalUserName=traitmelbu@southernute-nsn.gov, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, SSID=154.221.145.35, CVPN3000/ASA/PIX7x-Client-Type=2, AcsSessionID=DU-ISEPSN-P3/481603622/7297681, AuthenticationIdentityStore=AD_df, AuthenticationMethod=PAP_ASCII, SelectedAccessService=theta_AD_802.1x, SelectedAuthorizationProfiles=VPN_df_Users, IsMachineAuthentication=false, RequestLatency=39, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15041, Step=15048, Step=15048, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24402, Step=22037, Step=24715, Step=15036, Step=24209, Step=24211, Step=24432, Step=24355, Step=24416, Step=15048, Step=15016, Step=11022, 
Step=22081, Step=22080, Step=11002, SelectedAuthenticationIdentityStores=AD_df, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#theta-df, NetworkDeviceGroups=Device Type#All Device Types#Firewall, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=802.1x-PEAP_Access, AuthorizationPolicyMatchedRule=VPN- beta USERS, cisco-av-pair=AuthenticationIdentityStore=AD_df, cisco-av-pair=FQSubjectName=42a5cde0-a71e-11e8-bbf5-0242e16b9c1b#traitmelbu@df.knotmata.com, cisco-av-pair=UniqueSubjectID=8606b2d5086b6c8d24998b2887799182b07ef973, CPMSessionID=0a0a013705b9400065818477, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows10-Workstation, ISEPolicySetName=theta-VPN, IdentitySelectionMatchedRule=802.1x-PEAP_Access, AD-User-Resolved-Identities=traitmelbu@df.knotmata.com, AD-User-Candidate-Identities=traitmelbu@df.knotmata.com, AD-User-Join-Point=df.knotmata.COM, StepData=4= DEVICE.Device Type, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=8= Network Access.EapAuthentication (2 times), StepData=9= Network Access.Device IP Address, StepData=10=AD_df, StepData=11=AD_df, StepData=12=traitmelbu@southernute-nsn.gov, StepData=13=df.knotmata.com, StepData=14=knotmata.com, StepData=16=traitmelbu@df.knotmata.com, StepData=17=AD_df, StepData=0=AD_df, StepData=1=df.knotmata.com, StepData=2=AD_df, StepData=26= AD_df.ExternalGroups, TotalAuthenLatency=39, ClientLatency=0, AD-User-Resolved-DNs=CN=Atcitty\\\\\\, Jolita\\,OU=SUPD ToughPad Users\\,OU=Users SUPD\\,OU=SUPD\\,OU=J&R\\,OU=df Department Users and Computers\\,DC=df\\,DC=knotmata\\,DC=com, AD-User-DNS-Domain=df.knotmata.com, AD-Groups-Names=df.knotmata.com/df Department Users and Computers/J&R/beta Admin/Groups beta Admin/J&R VPN Users, AD-Groups-Names=df.knotmata.com/Users/Domain Users, AD-User-NetBios-Name=df, IsMachineIdentity=false, UserAccountControl=512, AD-User-SamAccount-Name=traitmelbu, 
AD-User-Qualified-Name=traitmelbu@southernute-nsn.gov, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, ExternalGroups=S-1-5-21-2139161802-2342954143-1248463453-2750, ExternalGroups=S-1-5-21-2139161802-2342954143-1248463453-513, IdentityAccessRestricted=false, Network Device Profile=Cisco, Location=Location#All Locations#theta-df, Device Type=Device Type#All Device Types#Firewall, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=df_VPN_Users; Class=CACS:0a0a013705b9400065818477:DU-ISEPSN-P3/481603622/7297681; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3; cisco-av-pair=profile-name=Windows10-Workstation; LicenseTypes=1; },"
    ],
    "destination.ip": [
      "10.40.20.31"
    ],
    "cisco_ise.log.identity.group": [
      "Endpoint Identity Groups:Profiled:Workstation"
    ],
    "event.action": [
      "passed-authentication"
    ],
    "event.ingested": [
      "2023-12-19T11:59:00.000Z"
    ],
    "@timestamp": [
      "2023-12-19T11:59:00.140Z"
    ],
    "cisco_ise.log.cpm.session.id": [
      "0a0a013705b9400065818477"
    ],
    "cisco_ise.log.identity.selection.matched.rule": [
      "802.1x-PEAP_Access"
    ],
    "cisco_ise.log.calling_station.id": [
      "174.217.17.154"
    ],
    "cisco_ise.log.request.latency": [
      39
    ],
    "data_stream.dataset": [
      "cisco_ise.log"
    ],
    "event.type": [
      "info"
    ],
    "cisco_ise.log.nas.port.number": [
      96026624
    ],
    "agent.ephemeral_id": [
      "a1344f29-b9af-44ba-8a31-96375fae84e9"
    ],
    "cisco_ise.log.network.device.name": [
      "df_VPN"
    ],
    "cisco_ise.log.message.code": [
      "5200"
    ],
    "cisco_ise.log.network.device.profile_id": [
      "b0699505-3150-4215-a80e-6753d45bf56c"
    ],
    "cisco_ise.log.message.id": [
      "0009964326"
    ],
    "event.dataset": [
      "cisco_ise.log"
    ],
    "cisco_ise.log.authentication.status": [
      "AuthenticationPassed"
    ],
    "user.name.text": [
      "traitmelbu@southernute-nsn.gov"
    ]
  }
}
qcorporation commented 3 months ago

To the implementor: the recommended ECS field is `client.nat.ip`, populated conditionally — only when the value of `cisco_ise.log.calling_station.id` parses as a valid IP address. It should not be mapped when `cisco_ise.log.calling_station.id` is not a real IP address (for example, when it holds a MAC address).

cc'ing @taylor-swanson @jamiehynds @cpascale43