Skip to content

SafeConnect NAC

SafeConnect NAC

About

Is an essential network security solution for protecting your critical data and intellectual property, combining the real-time visibility, security and orchestration required to address regulatory compliance and security policy automation.

Product Details

Vendor URL: MetaAccess NAC (formerly Impulse SafeConnect)

Product Type: NAC

Product Tier: Tier III

Integration Method: Syslog

Log Guide: Syslog Overview

Parser Details

Log Format: CEF

Expected Normalization Rate: Near 100%

Data Label: SAFECONNECT_NAC

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
cs2 principal.hostname
cs3 principal.platform_version
principal.platform
cs4 security_result.rule_name
cs9 security_result.action_details
cs10 security_result.rule.type
cs5_2 intermediary.asset.product_object_id
cs5_3 intermediary.resource.name
cs5_4 intermediary.mac
cs5_5 intermediary.port
suser principal.user.userid
smac principal.mac
src principal.ip
record principal.asset.attribute.roles
_cs5 principal.administrative_domain
observer_host observer.hostname
_IPS intermediary.ip

Product Event Types

Description metadata.event_type
Login USER_LOGIN
Logout USER_LOGOUT
Authentication GENERIC_EVENT
complianceChange GENERIC_EVENT

Log Sample

Dec 30 15:46:42 syslog2: CEF:0|ImpulsePoint|IdentityPublisher|1.0.5|clientDelta|clientDelta suid=4
src=10.10.1.1 cs1Label=localIP cs1=null smac=005056ae4b8e cs2Label=machineName cs2=null
cs3Label=hostRefType cs3=PC cs4Label=policyGroup cs4=My Group cs5Label=deviceAttributes
cs5=LDAP:UserDomain:PD suser=tester1 cs6Label=roles cs6=TestUsers cs9Label=complianceState 
cs9=compliant cs10Label=failedPolicy cs10=null cs11Label=eventTyle cs11=logout

Sample Parsing

metadata.event_timestamp = "2022-01-14T19:53:54.526579Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "SAFECONNECT NAC"
principal.user.userid = "user"
principal.ip = "10.10.1.1"
principal.mac = "a6:a8:a3:ae:a3:af"
principal.administrative_domain = "domain"
principal.platform_version = "Apple Mobile"
principal.asset.attribute.roles.name = "role_name"
intermediary.resource.name = "SSID"
intermediary.asset.product_object_id = "AAAABBBBCCCC"
intermediary.ip = "10.10.1.2"
intermediary.port = 3
intermediary.mac = "a8:ae:a8:a4:a3:ab"
observer.hostname = "hostname"
security_result.rule_name = "Mobile Devices"
security_result.action_details = "compliant"

Parser Alerting

This product currently does not have any Parser-based Alerting