Cisco ISE
Use the IBM Security QRadar Custom Properties for Cisco ISE content extension to closely monitor your Cisco ISE deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Cisco ISE content extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Cisco ISE content extension 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| AccountID | No | 1 | UserAccountControl=(.*?), |
| Called Station ID | No | 1 | Called-Station-ID=(.*?), |
| Calling Station ID | No | 1 | Calling-Station-ID=(.*?), |
| Classification | No | 1 | Class=(.*?), |
| Device Name | No | 1 | NetworkDeviceName=(.*?), |
| DNS Host Name | No | 1 | AD-Host-DNS-Domain=(.*?), |
| DNS Request Domain | No | 1 | AD-Host-Resolved-DNs=(.*?),+\s |
| Group Name | Yes | 1 | AD-Groups-Names=(.*?), |
| Packets Received | No | 1 | Acct-Output-Packets=(\d+), |
| Packet Sent | No | 1 | Acct-Input-Packets=(\d+), |
| SAM Account Name | No | 1 | AD-Host-SamAccount-Name=(.*?), |
| State | No | 1 | State=(.*?), |
| TLS Cypher | No | 1 | TLSCipher=(.*?), |
| TLS Version | Yes | 1 | TLSVersion=(.*?), |
| Type | No | 1 | Acct-Status-Type=(.*?), |
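
The following is an added example, not part of IBM's content extension: it applies several of the regexes from the table to a constructed key=value payload, using Python's `re` module as a stand-in for QRadar's regex engine. The sample payload and the `extract` helper are assumptions. It shows two consequences of the patterns as written: `(.*?),` stops at the first comma in a value, and a field with no trailing comma is not captured.

```python
import re

# Regexes copied from the table above; capture group 1 holds the value.
PROPERTIES = {
    "Device Name": r"NetworkDeviceName=(.*?),",
    "Calling Station ID": r"Calling-Station-ID=(.*?),",
    "Type": r"Acct-Status-Type=(.*?),",
    "Packet Sent": r"Acct-Input-Packets=(\d+),",
    "Packets Received": r"Acct-Output-Packets=(\d+),",
    "DNS Request Domain": r"AD-Host-Resolved-DNs=(.*?),+\s",
    "Group Name": r"AD-Groups-Names=(.*?),",
    "TLS Version": r"TLSVersion=(.*?),",
}

# Constructed payload for illustration only (not a real ISE capture).
SAMPLE = (
    "NetworkDeviceName=edge-sw-01, Calling-Station-ID=00-11-22-33-44-55, "
    "Acct-Status-Type=Stop, Acct-Input-Packets=120, Acct-Output-Packets=98, "
    "AD-Host-Resolved-DNs=CN=WS01,OU=Lab,DC=example,DC=test, "
    "AD-Groups-Names=example.test/Users/Domain Users,example.test/Users/VPN, "
    "TLSVersion=TLSv1.2"
)


def extract(payload):
    """Return {property name: capture group 1, or None if no match}."""
    result = {}
    for name, pattern in PROPERTIES.items():
        match = re.search(pattern, payload)
        result[name] = match.group(1) if match else None
    return result


if __name__ == "__main__":
    for name, value in extract(SAMPLE).items():
        print(f"{name:20} {value!r}")
```

When validating these properties against your own events, check fields whose values can contain commas and fields that appear last in the payload, since both can produce a truncated or empty property.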