Collect Cisco ISE logs

Supported in:

Google secops SIEM

This document describes how you can collect Cisco Identify Services Engine (ISE) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations .

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CISCO_ISE ingestion label.

Configure Cisco ISE

Sign in to Cisco ISE console using administrator credentials.
In the Cisco ISE console, select Administration > System > Logging > Remote logging targets.
In the Remote logging targetswindow, click Add. The New logging targetwindow appears.
In the Logging targetsection, specify values for the following fields:
Field

Description
Name

Name of the Google Security Operations forwarder.

Description

Description of the Google Security Operations forwarder.

Type

Type of the remote log target, such as syslog.

IP address

IP address of the Google Security Operations forwarder.

Target type

Select TCP syslog or UDP syslog.

Port

Use a high port, such as 10514.
Facility code
You can specify one of the following values:

LOCAL0 (code = 16)

LOCAL1 (code = 17)

LOCAL2 (code = 18)

LOCAL3 (code = 19)

LOCAL4 (code = 20)

LOCAL5 (code = 21)

LOCAL6 (code = 22; default)

LOCAL7 (code = 23)
Maximum length

The recommended value is 1024.
Click Submit. The Remote log targetswindow appears with the new Google Security Operations forwarder configuration.
In the Cisco ISE console, select Administration > System > Logging > Logging categories.
In the Logging categorieswindow, select the categories for which you want to set the remote syslog target and add the remote syslog target.

The following are the sample categories: AAA audits, AAA diagnostics, accounting, administrative and operational audit, posture and client provisioning audit, posture and client provisioning diagnostics, profiler, system diagnostics, and system statistics.

Configure Google Security Operations forwarder and syslog to ingest Cisco Secure ACS logs

Go to SIEM Settings > Forwarders.
Click Add new forwarder.
In the Forwarder Namefield, enter a unique name for the forwarder.
Click Submit. The forwarder is added and the Add collector configurationwindow appears.
In the Collector namefield, type a name.
Select Cisco ISEas the Log type.
Select Syslogas the Collector type.
Configure the following mandatory input parameters:
- Protocol: specify the protocol.
- Address: specify the target IP address or hostname where the collector resides and addresses to the syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation . For information about requirements for each forwarder type, see Forwarder configuration by type . If you encounter issues when you create forwarders, contact Google Security Operations support .

Field mapping reference

This parser extracts Cisco ISE logs from syslog messages, normalizes the data into UDM format, and enriches the event with additional context. It handles various ISE log categories, including authentication successes and failures, administrative audits, system statistics, and more, mapping relevant fields to the UDM schema and adding specific labels for detailed analysis.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`Acct-Authentic`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Delay-Time`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Input-Octets`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Input-Packets`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Output-Octets`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Output-Packets`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Session-Id`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Session-Time`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Status-Type`	`sec_result.detection_fields.value`	Directly mapped.
`Acct-Terminate-Cause`	`sec_result.detection_fields.value`	Directly mapped.
`AcsSessionID`	`sec_result.detection_fields.value`	Directly mapped as "Acs SessionID".
`AD-Account-Name`	`principal.user.userid`	Directly mapped.
`AD-Domain`	`principal.group.group_display_name`	Directly mapped.
`AD-Domain-Controller`	`target.administrative_domain`	Directly mapped.
`AD-Error-Details`	`sec_result.description`	Directly mapped.
`AD-Host-Candidate-Identities`	`sec_result.detection_fields.value`	Directly mapped.
`AD-IP-Address`	`target.ip` , `target.asset.ip`	Directly mapped.
`AD-Log-Id`	`sec_result.detection_fields.value`	Directly mapped as "AD-Log-Id".
`AD-Operating-System`	`principal.asset.platform_software.platform_version`	Directly mapped as `ad_operating_system` . If contains "Windows", `principal.platform` is set to "WINDOWS".
`AD-Site`	`target.location.name`	Directly mapped.
`AD-Srv-Query`	`sec_result.detection_fields.value`	Directly mapped as "AD-Srv-Query".
`AD-Srv-Record`	`sec_result.detection_fields.value`	Directly mapped as "AD-Srv-Record".
`AD-User-Resolved-Identities`	`sec_result.detection_fields.value`	Directly mapped.
`AD-User-SamAccount-Name`	`principal.user.attribute.labels.value`	Directly mapped.
`AdminIPAddress`	`principal.ip` , `principal.asset.ip`	Directly mapped.
`AdminInterface`	`principal.user.attribute.labels.value`	Directly mapped as "Admin Interface".
`AdminName`	`principal.user.userid`	Directly mapped. A `user.attribute.roles` with type "ADMINISTRATOR" is also added.
`AuthenticationIdentityStore`	`sec_result.detection_fields.value`	Directly mapped as "Authentication Identity Store".
`AuthenticationStatus`	`sec_result.action_details`	Directly mapped. If value matches "AuthenticationPassed", `sec_result.action` is set to "ALLOW", otherwise "BLOCK".
`AuthorizationPolicyMatchedRule`	`sec_result.rule_name`	Mapped with prefix "AuthorizationPolicyMatchedRule : ".
`BYODRegistration`	`sec_result.detection_fields.value`	Directly mapped.
`Called-Station-ID`	`sec_result.detection_fields.value`	Directly mapped.
`Calling-Station-ID`	`sec_result.detection_fields.value` , `principal.ip` , `principal.asset.ip`	Directly mapped. If it's an IP address, also mapped to `principal.ip` and `principal.asset.ip` .
`cdpCachePlatform`	`principal.asset.hardware.model`	Directly mapped.
`Class`	`sec_result.detection_fields.value`	Directly mapped.
`ClientLatency`	`sec_result.detection_fields.value`	Directly mapped.
`CmdSet`	`target.process.command_line`	Directly mapped after removing surrounding brackets and spaces.
`ConfigVersionId`	`sec_result.detection_fields.value`	Directly mapped as "Config Version Id".
`ConnectionStatus`	`sec_result.detection_fields.value`	Directly mapped as "Connection Status".
`CPMSessionID`	`sec_result.detection_fields.value`	Directly mapped.
`CreateTime`	`principal.asset.attribute.creation_time`	Parsed as UNIX_MS timestamp.
`DetailedInfo`	`sec_result.description`	Directly mapped after removing backslashes.
`DestinationIPAddress`	`target.ip` , `target.asset.ip`	Directly mapped. Sets `has_target` to "true".
`DestinationPort`	`target.port`	Directly mapped if numeric.
`Device IP Address`	`principal.ip` , `principal.asset.ip` , `_intermediary.ip` , `target.ip` , `target.asset.ip`	Mapped as `DeviceIPAddress` . Used in various logic to populate `principal.ip` , `_intermediary.ip` , or `target.ip` depending on the log category and other fields.
`Device Port`	`principal.port` , `_intermediary.port` , `target.port`	Mapped as `DevicePort` . Used in various logic to populate `principal.port` , `_intermediary.port` , or `target.port` depending on the log category and other fields.
`Device Type`	`principal.asset.hardware.model`	Directly mapped as `device-type` .
`DTLSSupport`	`sec_result.detection_fields.value`	Directly mapped.
`EndPointMACAddress`	`principal.asset.mac`	Directly mapped after converting to lowercase and replacing hyphens with colons.
`EndPointMatchedProfile`	`sec_result.about.labels.value`	Directly mapped.
`EndpointCertainityMetric`	`sec_result.detection_fields.value`	Directly mapped as "Endpoint Certainity Metric".
`EndpointIdentityGroup`	`principal.group.group_display_name`	Directly mapped.
`EndpointIPAddress`	`principal.asset.ip`	Directly mapped.
`EndpointNADAddress`	`sec_result.detection_fields.value`	Directly mapped as "Endpoint NAD Address".
`EndpointOUI`	`sec_result.detection_fields.value`	Directly mapped as "Endpoint OUI".
`EndpointPolicy`	`principal.asset.platform_software.platform_version`	Directly mapped.
`EndpointProperty`	`sec_result.detection_fields.value`	Directly mapped as "Endpoint Property".
`EndpointSourceEvent`	`sec_result.detection_fields.value`	Directly mapped.
`EndpointUserAgent`	`network.http.user_agent`	Directly mapped.
`EndPointVersion`	`sec_result.detection_fields.value`	Directly mapped.
`FailureReason`	`sec_result.detection_fields.value` , `sec_result.summary` , `sec_result.description`	Mapped as `FailureReason` . Used to populate `sec_result.detection_fields` as "Failure Reason", `sec_result.summary` , or `sec_result.description` depending on the context.
`FirstCollection`	`principal.asset.first_discover_time`	Parsed as UNIX_MS timestamp.
`Framed-IP-Address`	`sec_result.detection_fields.value`	Directly mapped.
`Framed-IPv6-Address`	`FramedIPAddress`	Directly mapped.
`Framed-Protocol`	`sec_result.detection_fields.value`	Directly mapped.
`IdentityGroup`	`principal.group.group_display_name`	Directly mapped.
`IdentityGroupID`	`principal.group.product_object_id`	Directly mapped.
`IdentityPolicyMatchedRule`	`sec_result.about.labels.value`	Directly mapped.
`IdentitySelectionMatchedRule`	`sec_result.detection_fields.value`	Directly mapped.
`IMEI`	`target.asset.product_object_id`	Directly mapped.
`ISELocalAddress`	`_intermediary.ip` , `principal.ip` , `principal.asset.ip` , `_intermediary.port` , `principal.port` , `sec_result.detection_fields.value`	If in `CISE_Administrative_and_Operational_Audit` , IP and port are extracted and mapped to `_intermediary` and `principal` . Otherwise, mapped directly as "ISE Local Address" to `sec_result.detection_fields` .
`ISEModuleName`	`sec_result.detection_fields.value`	Directly mapped as "ISE Module Name".
`ISEServiceName`	`sec_result.detection_fields.value`	Directly mapped as "ISE Service Name".
`IsThirdPartyDeviceFlow`	`sec_result.detection_fields.value`	Directly mapped.
`Issuer`	`about.labels.value`	Directly mapped.
`LastActivity`	`principal.asset.last_discover_time`	Parsed as UNIX_MS timestamp.
`LastNmapScanTime`	`sec_result.detection_fields.value`	Directly mapped.
`lldpChassisId`	`target.mac`	Directly mapped after parsing as MAC address.
`lldpSystemName`	`target.hostname` , `target.asset.hostname`	Directly mapped.
`Location`	`principal.location.country_or_region` , `target.location.country_or_region`	Directly mapped to either `principal` or `target` location depending on the log category.
`Manufacturer`	`target.asset.hardware.manufacturer`	Directly mapped.
`MessageCode`	`sec_result.detection_fields.value` , `metadata.event_type`	Directly mapped as `msg_code` . Used in logic to determine `metadata.event_type` .
`Model`	`target.asset.hardware.model`	Directly mapped.
`NAS-IP-Address`	`principal.nat_ip`	Directly mapped.
`NAS-Identifier`	`principal.labels.value`	Directly mapped as `nas_identifier` .
`NAS-Port`	`principal.nat_port` , `sec_result.detection_fields.value` , `principal.labels.value`	Mapped as `NASPort` . If numeric and less than 2147483648, mapped to `principal.nat_port` . Otherwise, mapped as string to `sec_result.detection_fields` as "NAS Port" or `principal.labels` as "NAS-Port".
`NAS-Port-Id`	`principal.labels.value` , `sec_result.detection_fields.value`	Mapped as `NASPortId` . Used to populate `principal.labels` as "nas_port_id" or `sec_result.detection_fields` as "nas_port_id".
`NAS-Port-Type`	`principal.labels.value` , `sec_result.detection_fields.value`	Mapped as `NASPortType` . Used to populate `principal.labels` as "nas_port_type" or `sec_result.detection_fields` as "Nas-Port-Type".
`NetworkDeviceGroups`	`sec_result.detection_fields.value`	Directly mapped.
`NetworkDeviceName`	`_intermediary.hostname` , `principal.hostname` , `principal.asset.hostname` , `target.hostname` , `target.asset.hostname`	Mapped as `NetworkDeviceName` . Used in various logic to populate `_intermediary.hostname` , `principal.hostname` , or `target.hostname` depending on the log category and other fields.
`NetworkDeviceProfileId`	`principal.asset.asset_id`	Mapped with prefix "Cisco_ISE:".
`NetworkDeviceProfileName`	`principal.asset.attribute.labels.value`	Directly mapped.
`ObjectName`	`sec_result.about.labels.value`	Directly mapped.
`ObjectType`	`sec_result.about.labels.value`	Directly mapped.
`OperatingSystem`	`target.asset.platform_software.platform_version` , `principal.asset.platform_software.platform_version` , `principal.platform`	Mapped as `OperatingSystem` . Used to populate `target.asset.platform_software.platform_version` or `principal.asset.platform_software.platform_version` . If contains "Win", `principal.platform` is set to "WINDOWS". If contains "lin", `principal.platform` is set to "LINUX". If contains "iOS", `principal.platform` is set to "MAC".
`OperationMessageText`	`sec_result.detection_fields.value` , `about.labels.value` , `sec_result.summary`	Mapped as `OperationMessageText` . Used to populate `sec_result.detection_fields` as "Operation Message Text", `about.labels` as "Operation Message Text", or `sec_result.summary` depending on the context. If it contains connection details, those are extracted and mapped to `src` and `target` .
`OriginalUserName`	`principal.user.userid`	Directly mapped as `User` .
`PeerAddress`	`target.mac`	Directly mapped after converting to lowercase and replacing hyphens with colons.
`PeerName`	`target.hostname` , `target.asset.hostname`	IP and hostname are extracted and mapped to `target.ip` and `target.hostname` .
`PhoneID`	`principal.user.phone_numbers`	Directly mapped as `User-Fetch-Telephone` .
`PhoneNumber`	`principal.user.phone_numbers`	Directly mapped.
`PolicyVersion`	`sec_result.detection_fields.value`	Directly mapped.
`Port`	`_intermediary.port` , `principal.port` , `target.port`	Mapped as `Port` . Used in various logic to populate `_intermediary.port` , `principal.port` , or `target.port` depending on the log category and other fields.
`PostureAssessmentStatus`	`sec_result.detection_fields.value`	Directly mapped.
`PostureExpiry`	`sec_result.detection_fields.value`	Directly mapped.
`PostureStatus`	`sec_result.detection_fields.value`	Directly mapped as "Posture Status".
`ProfilerServer`	`sec_result.detection_fields.value`	Directly mapped.
`Protocol`	`sec_result.detection_fields.value`	Directly mapped.
`r_cat_name`	`metadata.product_event_type`	Directly mapped.
`r_ip_or_host`	`observer.ip` , `observer.hostname` , `principal.ip` , `principal.asset.ip` , `principal.hostname` , `principal.asset.hostname` , `target.ip` , `target.asset.ip` , `target.hostname` , `target.asset.hostname`	If an IP, mapped to `observer.ip` . If a hostname, mapped to `observer.hostname` . Also used in various logic to populate `principal` or `target` IP/hostname depending on the log category and other fields.
`r_msg_id`	`sec_result.detection_fields.value` , `metadata.product_log_id`	Directly mapped as "r_msg_id". Also used as `metadata.product_log_id` if `sequence_num` is not available.
`r_seg_num`	`sec_result.detection_fields.value` , `metadata.product_log_id`	Directly mapped as "r_seg_num". Also used as `metadata.product_log_id` if `sequence_num` is not available.
`r_total_seg`	`sec_result.detection_fields.value`	Directly mapped.
`RadiusFlowType`	`sec_result.detection_fields.value`	Directly mapped.
`RadiusPacketType`	`sec_result.detection_fields.value`	Directly mapped as "Radius Packet Type".
`RegisterStatus`	`sec_result.rule_name`	Directly mapped.
`RequestLatency`	`sec_result.detection_fields.value`	Directly mapped as "Request Latency".
`SelectedAccessService`	`sec_result.detection_fields.value`	Directly mapped as "Selected Access Service".
`SelectedAuthorizationProfiles`	`sec_result.detection_fields.value`	Directly mapped.
`Serial Number`	`network.tls.server.certificate.serial` , `about.labels.value`	Mapped as `serial_number` . Used to populate `network.tls.server.certificate.serial` or `about.labels` as "Serial Number" depending on the context.
`Service-Type`	`sec_result.detection_fields.value`	Directly mapped.
`SessionId`	`network.session_id`	Directly mapped.
`ShutdownReason`	`sec_result.detection_fields.value`	Directly mapped as "ShutdownReason".
`SSID`	`sec_result.detection_fields.value`	Directly mapped.
`StaticGroupAssignment`	`sec_result.detection_fields.value`	Directly mapped.
`Subject`	`about.labels.value`	Directly mapped.
`Subject Alternative Name`	`about.labels.value`	Directly mapped as "Subject Alternative Name".
`SysStatsCpuCount`	`target.asset.hardware.cpu_number_cores`	Directly mapped.
`SysStatsProcessMemoryMB`	`target.asset.hardware.ram`	Directly mapped as `__hardware.ram` .
`SysStatsUtilizationNetwork`	`target.resource.name` , `network.sent_bytes` , `network.received_bytes`	Network adapter name, sent bytes, and received bytes are extracted and mapped. `target.resource.resource_type` is set to "UNSPECIFIED".
`TimeToProfile`	`sec_result.detection_fields.value`	Directly mapped.
`Total Certainty Factor`	`sec_result.detection_fields.value`	Directly mapped.
`TotalFailedTime`	`sec_result.detection_fields.value`	Directly mapped.
`Tunnel-Client-Endpoint`	`sec_result.detection_fields.value`	Directly mapped as "Tunnel Client Endpoint".
`UniqueConnectionIdentifier`	`sec_result.detection_fields.value`	Directly mapped as "Unique Connection Identifier".
`UpdateTime`	`sec_result.detection_fields.value`	Directly mapped.
`User`	`principal.user.userid`	Directly mapped.
`User-Fetch-Email`	`sec_result.detection_fields.value`	Directly mapped.
`User-Fetch-Last-Name`	`principal.user.last_name`	Directly mapped.
`User-Fetch-LocalityName`	`sec_result.detection_fields.value`	Directly mapped.
`User-Fetch-StateOrProvinceName`	`sec_result.detection_fields.value`	Directly mapped.
`User-Fetch-Telephone`	`principal.user.phone_numbers`	Directly mapped as `PhoneID` .
`UserName`	`principal.user.userid`	Directly mapped. If not empty, and not "" or "unknown", it's converted to lowercase, hyphens are replaced with colons, and if it matches a MAC address pattern, it's also mapped to `principal.mac` .
`User-Name`	`principal.user.userid`	Directly mapped.
`UserType`	`principal.user.attribute.labels.value`	Directly mapped.
(Parser Logic) `action`	`sec_result.action`	Set to "ALLOW" if `msg_text` contains success keywords, "BLOCK" if it contains failure keywords, and "UNKNOWN_ACTION" otherwise.
(Parser Logic) `about.hostname`	`about.hostname`	Derived from `StepData=4` or `stepdata` .
(Parser Logic) `event.idm.read_only_udm.about`	`event.idm.read_only_udm.about`	Populated with various fields like `about.hostname` , `about.application` , and `about.process.pid` .
(Parser Logic) `event.idm.read_only_udm.extensions.auth.mechanism`	`event.idm.read_only_udm.extensions.auth.mechanism`	Set to "NETWORK" in certain cases within the `CISE_TACACS_Diagnostics` category.
(Parser Logic) `event.idm.read_only_udm.extensions.auth.type`	`event.idm.read_only_udm.extensions.auth.type`	Set to "MACHINE" for various login/logout events, "TACACS" for certain TACACS events, and "AUTHTYPE_UNSPECIFIED" for other login events.
(Parser Logic) `event.idm.read_only_udm.metadata.collected_timestamp`	`event.idm.read_only_udm.metadata.collected_timestamp`	Parsed from `logstash.process.timestamp` if available.
(Parser Logic) `event.idm.read_only_udm.metadata.description`	`event.idm.read_only_udm.metadata.description`	Constructed from `msg_class` and `msg_text` or just `msg_text` if `msg_class` is not available.
(Parser Logic) `event.idm.read_only_udm.metadata.event_timestamp`	`event.idm.read_only_udm.metadata.event_timestamp`	Parsed from the `datetime` field, which is derived from either `datetime` and `timezone` or `r_datetime` .
(Parser Logic) `event.idm.read_only_udm.metadata.event_type`	`event.idm.read_only_udm.metadata.event_type`	Determined based on `r_cat_name` , `msg_code` , and other fields. Can be GENERIC_EVENT, STATUS_UPDATE, NETWORK_CONNECTION, STATUS_HEARTBEAT, STATUS_STARTUP, STATUS_SHUTDOWN, USER_LOGIN, USER_LOGOUT, USER_RESOURCE_ACCESS, USER_UNCATEGORIZED, RESOURCE_READ, SCAN_NETWORK, STATUS_UNCATEGORIZED, NETWORK_FLOW.
(Parser Logic) `event.idm.read_only_udm.metadata.ingested_timestamp`	`event.idm.read_only_udm.metadata.ingested_timestamp`	Parsed from `logstash.ingest.timestamp` if available.
(Parser Logic) `event.idm.read_only_udm.metadata.log_type`	`event.idm.read_only_udm.metadata.log_type`	Set to "CISCO_ISE".
(Parser Logic) `event.idm.read_only_udm.metadata.product_event_type`	`event.idm.read_only_udm.metadata.product_event_type`	Derived from `r_cat_name` .
(Parser Logic) `event.idm.read_only_udm.metadata.product_log_id`	`event.idm.read_only_udm.metadata.product_log_id`	Derived from `sequence_num` , `r_seg_num` , or `r_msg_id` depending on availability.
(Parser Logic) `event.idm.read_only_udm.metadata.product_name`	`event.idm.read_only_udm.metadata.product_name`	Set to "ISE", or to `MDMServerName` if available.
(Parser Logic) `event.idm.read_only_udm.metadata.vendor_name`	`event.idm.read_only_udm.metadata.vendor_name`	Set to "Cisco".
(Parser Logic) `event.idm.read_only_udm.network.http.user_agent`	`event.idm.read_only_udm.network.http.user_agent`	Derived from `ac-user-agent` or `EndpointUserAgent` .
(Parser Logic) `event.idm.read_only_udm.network.ip_protocol`	`event.idm.read_only_udm.network.ip_protocol`	Set to "TCP" for certain event types.
(Parser Logic) `event.idm.read_only_udm.network.session_id`	`event.idm.read_only_udm.network.session_id`	Derived from `SessionId` .
(Parser Logic) `event.idm.read_only_udm.network.tls.cipher`	`event.idm.read_only_udm.network.tls.cipher`	Derived from `TLSCipher` .
(Parser Logic) `event.idm.read_only_udm.network.tls.server.certificate.serial`	`event.idm.read_only_udm.network.tls.server.certificate.serial`	Derived from `Serial Number` .
(Parser Logic) `event.idm.read_only_udm.network.tls.version`	`event.idm.read_only_udm.network.tls.version`	Derived from `TLSVersion` .
(Parser Logic) `event.idm.read_only_udm.principal.asset.asset_id`	`event.idm.read_only_udm.principal.asset.asset_id`	Derived from `NetworkDeviceProfileId` with prefix "Cisco_ISE:".
(Parser Logic) `event.idm.read_only_udm.principal.asset.hardware`	`event.idm.read_only_udm.principal.asset.hardware`	Populated with fields like `hardware.manufacturer` and `hardware.model` .
(Parser Logic) `event.idm.read_only_udm.principal.asset.ip`	`event.idm.read_only_udm.principal.asset.ip`	Derived from various IP address fields depending on the log category and other fields.
(Parser Logic) `event.idm.read_only_udm.principal.asset.mac`	`event.idm.read_only_udm.principal.asset.mac`	Derived from `EndpointMacAddress` , `parsed_endpoint_mac` , or other MAC address fields after appropriate formatting.
(Parser Logic) `event.idm.read_only_udm.principal.asset.platform_software.platform_version`	`event.idm.read_only_udm.principal.asset.platform_software.platform_version`	Derived from `OperatingSystem` , `EndpointPolicy` , or `ad_operating_system` .
(Parser Logic) `event.idm.read_only_udm.principal.group.group_display_name`	`event.idm.read_only_udm.principal.group.group_display_name`	Derived from `AD-Domain` , `IdentityGroup` , or `EndpointIdentityGroup` .
(Parser Logic) `event.idm.read_only_udm.principal.group.product_object_id`	`event.idm.read_only_udm.principal.group.product_object_id`	Derived from `IdentityGroupID` .
(Parser Logic) `event.idm.read_only_udm.principal.hostname`	`event.idm.read_only_udm.principal.hostname`	Derived from `r_ip_or_host` , `NetworkDeviceName` , or other hostname fields depending on the log category and other fields.
(Parser Logic) `event.idm.read_only_udm.principal.ip`	`event.idm.read_only_udm.principal.ip`	Derived from various IP address fields depending on the log category and other fields.
(Parser Logic) `event.idm.read_only_udm.principal.labels`	`event.idm.read_only_udm.principal.labels`	Populated with fields like `nas_identifier` , `nas_port_type` , and `nas_port_id` .
(Parser Logic) `event.idm.read_only_udm.principal.location.country_or_region`	`event.idm.read_only_udm.principal.location.country_or_region`	Derived from `Location` .
(Parser Logic) `event.idm.read_only_udm.principal.nat_ip`	`event.idm.read_only_udm.principal.nat_ip`	Derived from `NAS-IP-Address` .
(Parser Logic) `event.idm.read_only_udm.principal.nat_port`	`event.idm.read_only_udm.principal.nat_port`	Derived from `NAS-Port` if numeric and less than 2147483648.
(Parser Logic) `event.idm.read_only_udm.principal.platform`	`event.idm.read_only_udm.principal.platform`	Derived from `device-platform` or `OperatingSystem` . Can be WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM.
(Parser Logic) `event.idm.read_only_udm.principal.platform_version`	`event.idm.read_only_udm.principal.platform_version`	Derived from `platform-version` .
(Parser Logic) `event.idm.read_only_udm.principal.port`	`event.idm.read_only_udm.principal.port`	Derived from `Device Port` or `Port` if numeric.
(Parser Logic) `event.idm.read_only_udm.principal.user.attribute.labels`	`event.idm.read_only_udm.principal.user.attribute.labels`	Populated with fields like "Admin Interface", "UserType", and "Chargeable-User-Identity".
(Parser Logic) `event.idm.read_only_udm.principal.user.phone_numbers`	`event.idm.read_only_udm.principal.user.phone_numbers`	Derived from `PhoneID` or `PhoneNumber` .
(Parser Logic) `event.idm.read_only_udm.principal.user.userid`	`event.idm.read_only_udm.principal.user.userid`	Derived from `User` , `UserName` , `User-Name` , `AdminName` , `OriginalUserName` , or other username fields depending on the log category and other fields.
(Parser Logic) `event.idm.read_only_udm.security_result.about.labels`	`event.idm.read_only_udm.security_result.about.labels`	Populated with fields like "IdentityPolicyMatchedRule", "EndPointMatchedProfile", "ObjectType", and "ObjectName".
(Parser Logic) `event.idm.read_only_udm.security_result.action`	`event.idm.read_only_udm.security_result.action`	Derived from `msg_text` or `AuthenticationStatus` . Can be ALLOW, BLOCK, or UNKNOWN_ACTION.
(Parser Logic) `event.idm.read_only_udm.security_result.detection_fields`	`event.idm.read_only_udm.security_result.detection_fields`	Populated with various fields depending on the log category and other fields.
(Parser Logic) `event.idm.read_only_udm.security_result.description`	`event.idm.read_only_udm.security_result.description`	Derived from `AD-Error-Details` or `DetailedInfo` .
(Parser Logic) `event.idm.read_only_udm.security_result.rule_name`	`event.idm.read_only_udm.security_result.rule_name`	Derived from `AuthorizationPolicyMatchedRule` or `RegisterStatus` .
(Parser Logic) `event.idm.read_only_udm.security_result.severity`	`event.idm.read_only_udm.security_result.severity`	Derived from `msg_sev` . Can be CRITICAL, ERROR, HIGH, MEDIUM, or INFORMATIONAL.
(Parser Logic) `event.idm.read_only_udm.security_result.severity_details`	`event.idm.read_only_udm.security_result.severity_details`	Derived from `msg_sev` .
(Parser Logic) `event.idm.read_only_udm.security_result.summary`	`event.idm.read_only_udm.security_result.summary`	Derived from `msg_text` or `FailureReason` .
(Parser Logic) `event.idm.read_only_udm.src.ip`	`event.idm.read_only_udm.src.ip`	Derived from `source_ip` extracted from `OperationMessageText` .
(Parser Logic) `event.idm.read_only_udm.src.port`	`event.idm.read_only_udm.src.port`	Derived from `source_port` extracted from `OperationMessageText` if numeric.
(Parser Logic) `event.idm.read_only_udm.target.administrative_domain`	`event.idm.read_only_udm.target.administrative_domain`	Derived from `AD-Domain-Controller` .
(Parser Logic) `event.idm.read_only_udm.target.asset.hardware`	`event.idm.read_only_udm.target.asset.hardware`	Populated with fields like `_hardware.cpu_number_cores` .
(Parser Logic) `event.idm.read_only_udm.target.asset.hostname`	`

Need more help? Get answers from Community members and Google SecOps professionals.