Cisco ISE
Use the IBM Security QRadar Custom Properties for Cisco ISE content extension to closely monitor your Cisco ISE deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Cisco ISE content extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Cisco ISE content extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
AccountID | No | 1 | UserAccountControl=(.*?), |
Called Station ID | No | 1 | Called-Station-ID=(.*?), |
Calling Station ID | No | 1 | Calling-Station-ID=(.*?), |
Classification | No | 1 | Class=(.*?), |
Device Name | No | 1 | NetworkDeviceName=(.*?), |
DNS Host Name | No | 1 | AD-Host-DNS-Domain=(.*?), |
DNS Request Domain | No | 1 | AD-Host-Resolved-DNs=(.*?),+\s |
Group Name | Yes | 1 | AD-Groups-Names=(.*?), |
Packets Received | No | 1 | Acct-Output-Packets=(\d+), |
Packet Sent | No | 1 | Acct-Input-Packets=(\d+), |
SAM Account Name | No | 1 | AD-Host-SamAccount-Name=(.*?), |
State | No | 1 | State=(.*?), |
TLS Cypher | No | 1 | TLSCipher=(.*?), |
TLS Version | Yes | 1 | TLSVersion=(.*?), |
Type | No | 1 | Acct-Status-Type=(.*?), |
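
The following is an added example, not part of the content extension or of the original page. It applies a subset of the regexes from the table to one payload to show how the capture groups behave: a lazy `(.*?),` stops at the first comma, the `,+\s` form keeps a comma-separated DN intact, and an attribute with no trailing comma is not captured. Assumptions: Python's `re` stands in for QRadar's regex engine, and the sample payload and the names `extract`, `unmatched` and `first_comma_dn` are constructed for illustration.

```python
import re

# Regexes copied from the table above; every property uses capture group 1.
PROPERTIES = {
    "Calling Station ID": r"Calling-Station-ID=(.*?),",
    "Device Name": r"NetworkDeviceName=(.*?),",
    "DNS Request Domain": r"AD-Host-Resolved-DNs=(.*?),+\s",
    "Group Name": r"AD-Groups-Names=(.*?),",
    "Packets Received": r"Acct-Output-Packets=(\d+),",
    "Packet Sent": r"Acct-Input-Packets=(\d+),",
    "TLS Cypher": r"TLSCipher=(.*?),",
    "TLS Version": r"TLSVersion=(.*?),",
    "Type": r"Acct-Status-Type=(.*?),",
}

# Constructed payload, not a captured Cisco ISE event. The last attribute
# deliberately has no trailing comma.
SAMPLE = (
    "NetworkDeviceName=sw-access-01, Calling-Station-ID=00-11-22-33-44-55, "
    "AD-Host-Resolved-DNs=CN=PC01,OU=Workstations,DC=example,DC=com, "
    "AD-Groups-Names=example.com/Users/Domain Computers, "
    "TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2, "
    "Acct-Status-Type=Interim-Update, Acct-Input-Packets=120, Acct-Output-Packets=95"
)

def extract(payload):
    """Return {property name: captured value, or None when the regex misses}."""
    out = {}
    for name, pattern in PROPERTIES.items():
        m = re.search(pattern, payload)  # first match wins, as for a single-value property
        out[name] = m.group(1) if m else None
    return out

def unmatched(payload):
    """Properties whose regex found nothing; worth alerting on during tuning."""
    return sorted(n for n, v in extract(payload).items() if v is None)

def first_comma_dn(payload):
    """Comparison only: the generic '(.*?),' form (not the table's regex) on the DN."""
    m = re.search(r"AD-Host-Resolved-DNs=(.*?),", payload)
    return m.group(1) if m else None

if __name__ == "__main__":
    for name, value in extract(SAMPLE).items():
        print(f"{name:20} {value!r}")
    print("unmatched:", unmatched(SAMPLE))
    print("DN with first-comma pattern:", first_comma_dn(SAMPLE))
```
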