Cisco Cyber Vision¶
About¶
Cisco Cyber Vision provides an in-depth view of operational technology (OT) security postures—and easily deployed at scale.
Product Details¶
Vendor URL: Cyber Vision
Product Type: Data Security
Product Tier: Tier II
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: CISCO_CYBER_VISION
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "Cisco" | metadata.vendor_name |
| "Cyber Vision" | metadata.product_name |
| description | metadata.description |
| category | metadata.product_event_type |
| sensor.version | metadata.product_version |
| observer | observer.hostname |
| sensor.id | observer.asset.asset_id |
| flow-id | network.session_id |
| port_scan_details.protocol | network.ip_protocol |
| cmp-a-ip | principal.ip |
| cmp-a-port | principal.port |
| cmp-a-mac | principal.mac |
| user | principal.user.userid |
| flow.cmpA.component.id | principal.asset.asset_id |
| cmp-b-ip | target.ip |
| cmp-b-port | target.port |
| cmp-b-mac | target.mac |
| hostname | target.hostname |
| flow.cmpB.component.id | target.asset.asset_id |
| EventType | security_result.description |
| pe | security_result.description |
| difference.type | security_result.description |
| severity | security_result.severity_details |
| severity | security_result.severity |
| type | security_result.category_details |
| sensor.id | security_result.about.asset.asset_id |
| component-id | security_result.about.asset.asset_id |
| sensor.ip | security_result.about.ip |
| sensor.name | security_result.about.hostname |
| component.name | security_result.about.hostname |
| sensor.action | security_result.summary |
| family | security_result.detection_fields |
| tags | security_result.detection_fields |
| baseline | security_result.detection_fields |
Product Event Types¶
| Product Event | Description | UDM Event |
|---|---|---|
| Control Systems Events | with flow and orientation information | NETWORK_FLOW |
| Security Events | with flow and orientation information | NETWORK_FLOW |
| Security Events | Port Scan | SCAN_NETWORK |
| All | All other events | GENERIC_EVENT |
Log Sample¶
<158>Feb 2 21:28:22 HOSTNAME-01 cybervision[1]: type="Behavioral" severity="Low" category="Security Events" family="PLC Control" description="New REMOTE_ADMIN communication has been detected from 10.10.0.39:49255 to 10.10.127.29:22" flow-id="123-d67b-5816-986b-eb26d3666833" cmp-a-mac="00:00:00:00:00:00" cmp-b-mac="00:00:00:00:00:00" cmp-a-ip="10.10.0.39" cmp-b-ip="10.10.127.29" cmp-a-port="49255" cmp-b-port="22" flow-properties="EventType=\"flow_new\", event_details.orientation=\"A→B\", flow.cmpA.component.id=\"123-b449-5ad5-84a2-8f272f948aee\", flow.cmpA.component.name=\"\", flow.cmpB.component.id=\"123-1db5-5fb2-98ac-c699d1e93b41\", flow.cmpB.component.name=\"\", flow.communication_type=\"REMOTE_ADMIN\", flow.id=\"123-d67b-5816-986b-eb26d3666833\", sensor.id=\"123-a85d-403e-9564-1e4dc3dff232\""
Sample Parsing¶
metadata.event_type = "NETWORK_FLOW"
metadata.vendor_name = "Cisco"
metadata.product_name = "Cyber Vision"
metadata.product_event_type = "Security Events"
metadata.description = "New REMOTE_ADMIN communication has been detected from 10.10.0.39:49255 to 10.10.127.29:22"
principal.ip = "10.10.0.39"
principa.port = 49255
principal.mac = "00:00:00:00:00:00"
target.ip = "10.10.127.29"
target.port = 22
target.mac = "00:00:00:00:00:00"
observer.hostname = "HOSTNAME-01"
security_result.about.asset.asset_id = "cv: 123-a85d-403e-9564-1e4dc3dff232"
security_result.category_details = "Behavioral"
security_result.description = "flow_new"
security_result.detection_fields.key = "family"
security_result.detection_fields.value = "PLC Control"
security_result.severity = LOW
security_result.severity_details = "Low"
network.session_id = "123-d67b-5816-986b-eb26d3666833"