# Clearpass

## About
IoT and remote workers are changing the way we think about network access control. Reduce your risk by applying consistent policies and granular security controls to both your wired and wireless networks.
## Product Details
Vendor URL: Aruba Clearpass
Product Type: Network Access Control
Product Tier: Tier III
Integration Method: Custom
Integration URL: Clearpass - Integration Guide
Log Guide: Sample Logs by Log Type
## Parser Details
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: CLEARPASS
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| cat | security_result.summary |
| description | metadata.description |
| destinationServiceName | target.application |
| dpriv | security_result.category_details |
| dst | target.ip |
| dsthost | target.hostname |
| dstip | target.ip |
| duser | principal.user.userid |
| duser | target.user.userid |
| dvc | intermediary.ip |
| gid | principal.group.group_display_name |
| group | principal.group.group_display_name |
| group | target.user.userid |
| inter_ip | observer.ip |
| path | target.file.full_path |
| product_event | metadata.product_event_type |
## Product Event Types

For some products only certain event types are supported. These are the supported Clearpass events.
| product_event | UDM Event Classification |
|---|---|
| adding user | USER_CREATION |
| delete | USER_DELETION |
| Failed Authentications | USER_LOGIN |
| Logged in users | USER_LOGIN |
| name | USER_CREATION |
| RADIUS Authentications | USER_LOGIN |
| session opened for user | USER_LOGIN |
## Log Sample

```
<143>May 09 2022 02:32:55 10.10.1.2 CEF:0|Aruba Networks|ClearPass|6.7.8.109113|2001|Failed Authentications|5|cat=Session Logs dvc=10.10.1.2 duser=user1 destinationServiceName=Cisco IOS dpriv=admin, [User Authenticated] cs2=AD:host2 cs2Label=Auth Source requestMethod=PAP cs4=UNKNOWN cs4Label=System Posture Token outcome=ReadWrite src=10.10.1.4 cn1=0 cn1Label=Error Code rt=May 09 2022 02:32:44
```
## Sample Parsing

```
metadata.event_timestamp = "2022-05-09T02:32:55Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "ArubaNetworks"
metadata.product_name = "ClearPass"
metadata.product_version = "6.7.8.109113"
metadata.product_event_type = "2001"
metadata.description = "Failed Authentications"
metadata.ingested_timestamp = "2022-05-09T00:33:23.290461Z"
principal.user.userid = "user1"
principal.ip = "10.10.1.4"
principal.asset.ip = "10.10.1.4"
target.ip = "10.10.1.2"
target.application = "Cisco IOS"
target.asset.ip = "10.10.1.2"
intermediary.ip = "10.10.1.2"
observer.ip = "10.10.1.2"
security_result.category_details = "admin, [User Authenticated]"
security_result.summary = "Session Logs"
security_result.action = "FAIL"
extensions.auth.type = "MACHINE"
```
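The log sample and the sample parsing above show the shape of the work a parser has to do: strip the syslog header, split the seven pipe-delimited CEF header fields (honouring the `\|` and `\\` escapes CEF allows), tokenise the extension into `key=value` pairs whose values may contain spaces, resolve `csNLabel`/`cnNLabel` pairs, and map the result onto UDM paths using the two tables on this page. The following Python is an added example written for this page, not Chronicle's or Aruba's own parser. It embeds a constructed copy of the page's log sample, uses only the field and event-type mappings printed above, and marks as assumptions the two things the sample parse shows that the table does not (`src` to `principal.ip`, and `security_result.action = "FAIL"` for a name beginning with "Failed"). `GENERIC_EVENT` is the UDM fallback classification; everything else comes from the page.

```python
"""Added example: normalize a ClearPass CEF-over-syslog line into UDM field paths.
Not Chronicle's parser; mappings are taken from the tables on this page."""
import re
from datetime import datetime

# Constructed copy of the page's log sample.
SAMPLE_LOG = (
    "<143>May 09 2022 02:32:55 10.10.1.2 CEF:0|Aruba Networks|ClearPass|6.7.8.109113"
    "|2001|Failed Authentications|5|cat=Session Logs dvc=10.10.1.2 duser=user1 "
    "destinationServiceName=Cisco IOS dpriv=admin, [User Authenticated] cs2=AD:host2 "
    "cs2Label=Auth Source requestMethod=PAP cs4=UNKNOWN cs4Label=System Posture Token "
    "outcome=ReadWrite src=10.10.1.4 cn1=0 cn1Label=Error Code rt=May 09 2022 02:32:44"
)

# CEF extension key -> UDM paths, from the page's UDM field table.
# duser and group fan out to two UDM fields each.
FIELD_MAP = {
    "cat": ["security_result.summary"],
    "description": ["metadata.description"],
    "destinationServiceName": ["target.application"],
    "dpriv": ["security_result.category_details"],
    "dst": ["target.ip"],
    "dsthost": ["target.hostname"],
    "dstip": ["target.ip"],
    "duser": ["principal.user.userid", "target.user.userid"],
    "dvc": ["intermediary.ip"],
    "gid": ["principal.group.group_display_name"],
    "group": ["principal.group.group_display_name", "target.user.userid"],
    "inter_ip": ["observer.ip"],
    "path": ["target.file.full_path"],
    "src": ["principal.ip"],  # assumption: the page's sample parse fills principal.ip from src
}

# product_event -> UDM event classification, from the page's event-type table.
EVENT_TYPES = {
    "adding user": "USER_CREATION",
    "delete": "USER_DELETION",
    "Failed Authentications": "USER_LOGIN",
    "Logged in users": "USER_LOGIN",
    "name": "USER_CREATION",
    "RADIUS Authentications": "USER_LOGIN",
    "session opened for user": "USER_LOGIN",
}

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) (CEF:.*)$")
# An extension key is a bare word followed by '=' at the start or after whitespace;
# '\=' inside a value does not match because the backslash breaks the key pattern.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def split_cef_header(cef):
    """Split the 7 pipe-delimited CEF header fields, honouring '\\|' and '\\\\' escapes.
    Returns (fields, extension_string)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped char: keep it literally
            buf.append(cef[i + 1]); i += 2
        elif ch == "|":                           # unescaped pipe: field boundary
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, cef[i:]


def parse_extension(ext):
    """Tokenise 'k=v k2=v v v' into a dict; values run up to the next key.
    Also resolves csNLabel/cnNLabel pairs into a {label: value} dict."""
    raw = {}
    hits = list(KEY_RE.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        value = ext[m.end():end].strip()
        raw[m.group(1)] = value.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    labelled = {v: raw[k[:-5]] for k, v in raw.items() if k.endswith("Label") and k[:-5] in raw}
    return raw, labelled


def classify(name):
    """Exact match against the event-type table first; the table's fragment-style
    entries ('adding user', 'delete', ...) are also tried as substrings (assumption)."""
    if name in EVENT_TYPES:
        return EVENT_TYPES[name]
    for fragment, event_type in EVENT_TYPES.items():
        if fragment.lower() in name.lower():
            return event_type
    return "GENERIC_EVENT"


def normalize(line):
    """Return a flat {udm_path: value} dict for one ClearPass syslog/CEF line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a ClearPass syslog/CEF line")
    _pri, ts, _relay, cef = m.groups()
    header, ext = split_cef_header(cef)
    raw, _labelled = parse_extension(ext)
    _cef_version, vendor, product, prod_ver, sig_id, name, _severity = header
    udm = {
        "metadata.event_timestamp": datetime.strptime(ts, "%b %d %Y %H:%M:%S").strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.vendor_name": vendor.replace(" ", ""),  # page's sample shows "ArubaNetworks"
        "metadata.product_name": product,
        "metadata.product_version": prod_ver,
        "metadata.product_event_type": sig_id,
        "metadata.description": name,
        "metadata.event_type": classify(name),
    }
    for key, value in raw.items():
        for path in FIELD_MAP.get(key, []):
            udm[path] = value
    if name.startswith("Failed"):  # assumption: mirrors security_result.action = "FAIL" in the sample
        udm["security_result.action"] = "FAIL"
    return udm


if __name__ == "__main__":
    for path, value in sorted(normalize(SAMPLE_LOG).items()):
        print(f'{path} = "{value}"')
```

Two details matter for detection quality rather than just field cosmetics. First, the extension tokeniser splits on `key=` boundaries rather than on spaces, so values such as `dpriv=admin, [User Authenticated]` and `rt=May 09 2022 02:32:44` survive intact; a space-split parser would silently truncate `security_result.category_details`, which is exactly the field that tells you whether the failed attempt targeted an admin role. Second, `metadata.event_timestamp` is taken from the syslog header, as the sample parse does, while `rt` (the device's own event time) is left available in the raw extension for anyone who needs to reconcile the two clocks.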
## Parser Alerting

This product currently does not have any parser-based alerting.
## Rules

Coming Soon