SafeConnect NAC¶
About¶
SafeConnect NAC is a network access control solution for protecting critical data and intellectual property. It combines real-time device visibility, policy enforcement and orchestration to support regulatory compliance and security policy automation.
Product Details¶
Vendor URL: MetaAccess NAC (formerly Impulse SafeConnect)
Product Type: NAC
Product Tier: Tier III
Integration Method: Syslog
Log Guide: Syslog Overview
Parser Details¶
Log Format: CEF
Expected Normalization Rate: Near 100%
Data Label: SAFECONNECT_NAC
UDM Fields (all UDM fields the parser populates):
Log File Field | UDM Field |
---|---|
cs2 | principal.hostname |
cs3 | principal.platform_version |
(no source field listed) | principal.platform |
cs4 | security_result.rule_name |
cs9 | security_result.action_details |
cs10 | security_result.rule.type |
cs5_2 | intermediary.asset.product_object_id |
cs5_3 | intermediary.resource.name |
cs5_4 | intermediary.mac |
cs5_5 | intermediary.port |
suser | principal.user.userid |
smac | principal.mac |
src | principal.ip |
record | principal.asset.attribute.roles |
_cs5 | principal.administrative_domain |
observer_host | observer.hostname |
_IPS | intermediary.ip |
Entries in the left column that are not CEF extension keys (`cs5_2` to `cs5_5`, `record`, `_cs5`, `observer_host`, `_IPS`) are parser-internal names for values the parser builds from the event, not keys that appear verbatim in the log line.
Product Event Types¶
Description | metadata.event_type |
---|---|
Login | USER_LOGIN |
Logout | USER_LOGOUT |
Authentication | GENERIC_EVENT |
complianceChange | GENERIC_EVENT |
Log Sample¶
One event, wrapped here for display:
```
Dec 30 15:46:42 syslog2: CEF:0|ImpulsePoint|IdentityPublisher|1.0.5|clientDelta|clientDelta suid=4
src=10.10.1.1 cs1Label=localIP cs1=null smac=005056ae4b8e cs2Label=machineName cs2=null
cs3Label=hostRefType cs3=PC cs4Label=policyGroup cs4=My Group cs5Label=deviceAttributes
cs5=LDAP:UserDomain:PD suser=tester1 cs6Label=roles cs6=TestUsers cs9Label=complianceState
cs9=compliant cs10Label=failedPolicy cs10=null cs11Label=eventTyle cs11=logout
```
Note two things a practitioner will hit when testing against this sample: the CEF header carries only six pipe-delimited fields (there is no severity field between the event name `clientDelta` and the `suid=4` extension), so a strict parser that expects seven header fields must tolerate the short form; and extension values can contain spaces (`cs4=My Group`), so the extension must be split on a space followed by the next `key=` token, not on every space. Values of `null` (`cs1`, `cs2`, `cs10` here) are unset, not the literal string.
Sample Parsing¶
The values below are placeholders from a separate, redacted event; they do not correspond to the log sample above (for example, `principal.user.userid` is `user` rather than `tester1`, and the event type is `GENERIC_EVENT` even though the sample's `cs11` is `logout`, which maps to `USER_LOGOUT`).
```
metadata.event_timestamp = "2022-01-14T19:53:54.526579Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "SAFECONNECT NAC"
principal.user.userid = "user"
principal.ip = "10.10.1.1"
principal.mac = "a6:a8:a3:ae:a3:af"
principal.administrative_domain = "domain"
principal.platform_version = "Apple Mobile"
principal.asset.attribute.roles.name = "role_name"
intermediary.resource.name = "SSID"
intermediary.asset.product_object_id = "AAAABBBBCCCC"
intermediary.ip = "10.10.1.2"
intermediary.port = 3
intermediary.mac = "a8:ae:a8:a4:a3:ab"
observer.hostname = "hostname"
security_result.rule_name = "Mobile Devices"
security_result.action_details = "compliant"
```
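The following is an added example, not the vendor's or the SIEM's parser code: a small CEF-to-UDM mapper that applies the UDM Fields table and the Product Event Types table to the log sample on this page. It handles the two quirks of the sample (a header with no severity field, and an extension value containing a space), drops `null` values, and normalises the MAC into the colon-separated form shown in Sample Parsing. Mappings the page does not spell out are marked as assumptions in the code: that the table's `record` row is the role built from `cs6`, that `cs5` is colon-separated with the domain in its second piece, and that `observer_host` is the hostname in the syslog header. The sample line is the page's own, re-joined onto one line.

```python
"""Added example: map a SafeConnect CEF event onto the UDM field names used by
the parser table on this page. Not the vendor's or SIEM's own parser code."""
import re

# Constructed input: the page's log sample, re-joined onto a single syslog line.
SAMPLE = (
    "Dec 30 15:46:42 syslog2: CEF:0|ImpulsePoint|IdentityPublisher|1.0.5|clientDelta|"
    "clientDelta suid=4 src=10.10.1.1 cs1Label=localIP cs1=null smac=005056ae4b8e "
    "cs2Label=machineName cs2=null cs3Label=hostRefType cs3=PC cs4Label=policyGroup "
    "cs4=My Group cs5Label=deviceAttributes cs5=LDAP:UserDomain:PD suser=tester1 "
    "cs6Label=roles cs6=TestUsers cs9Label=complianceState cs9=compliant "
    "cs10Label=failedPolicy cs10=null cs11Label=eventTyle cs11=logout"
)

HEADER_KEYS = ["version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity"]

# metadata.event_type, from the Product Event Types table (keyed on cs11).
EVENT_TYPES = {"login": "USER_LOGIN", "logout": "USER_LOGOUT",
               "authentication": "GENERIC_EVENT", "compliancechange": "GENERIC_EVENT"}

# One-to-one mappings from the UDM Fields table.
DIRECT = {"cs2": "principal.hostname", "cs3": "principal.platform_version",
          "cs4": "security_result.rule_name", "cs9": "security_result.action_details",
          "cs10": "security_result.rule.type", "suser": "principal.user.userid",
          "src": "principal.ip"}


def parse_cef(line):
    """Split a syslog-wrapped CEF line into (syslog_host, header dict, extension dict)."""
    if "CEF:" not in line:
        raise ValueError("not a CEF line")
    prefix, body = line.split("CEF:", 1)
    syslog_host = prefix.split()[-1].rstrip(":") if prefix.split() else None
    # Header fields are '|' separated; a literal pipe inside a header field is '\|'.
    fields = re.split(r"(?<!\\)\|", "CEF:" + body, maxsplit=7)
    if len(fields) == 8:
        header_vals, extension = fields[:7], fields[7]
    else:
        # The vendor sample has no severity field (six header fields, not seven),
        # so the last piece is "name key=value ...": split the name off at the
        # first key= token instead of rejecting the event.
        m = re.match(r"(.*?)\s+(\w+=.*)$", fields[-1])
        header_vals, extension = fields[:-1] + [m.group(1)], m.group(2)
    header = dict(zip(HEADER_KEYS, header_vals))
    # Extension values may contain spaces (cs4=My Group), so split only on a
    # space that is immediately followed by the next key=.
    ext = dict(kv.split("=", 1) for kv in re.split(r" (?=\w+=)", extension))
    return syslog_host, header, ext


def normalize_mac(raw):
    """005056ae4b8e or 00-50-56-AE-4B-8E -> 00:50:56:ae:4b:8e; None if not 12 hex digits."""
    hexd = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexd) != 12:
        return None
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2))


def to_udm(line):
    """Map one event onto the UDM field names from the parser table above."""
    syslog_host, header, ext = parse_cef(line)
    present = {k: v for k, v in ext.items() if v not in ("", "null")}  # 'null' means unset
    udm = {"metadata.product_name": "SAFECONNECT NAC",
           "metadata.event_type": EVENT_TYPES.get(present.get("cs11", "").lower(),
                                                  "GENERIC_EVENT")}
    for key, udm_field in DIRECT.items():
        if key in present:
            udm[udm_field] = present[key]
    if "smac" in present and normalize_mac(present["smac"]):
        udm["principal.mac"] = normalize_mac(present["smac"])
    if "cs6" in present:   # ASSUMPTION: the table's 'record' row is the role built from cs6
        udm["principal.asset.attribute.roles.name"] = present["cs6"]
    if "cs5" in present:   # ASSUMPTION: cs5 is ':'-separated and its second piece is the domain
        parts = present["cs5"].split(":")
        if len(parts) > 1:
            udm["principal.administrative_domain"] = parts[1]
    if syslog_host:        # ASSUMPTION: the syslog header host is the table's observer_host
        udm["observer.hostname"] = syslog_host
    return udm


if __name__ == "__main__":
    for k, v in sorted(to_udm(SAMPLE).items()):
        print(f"{k} = {v!r}")
```

Running it on the sample yields `metadata.event_type = 'USER_LOGOUT'`, `principal.mac = '00:50:56:ae:4b:8e'` and `security_result.rule_name = 'My Group'`, with no `principal.hostname` or `security_result.rule.type` because `cs2` and `cs10` are `null`. The positional `cs5_2` to `cs5_5` intermediary fields are deliberately left out, since the page does not define the layout of `deviceAttributes`.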
Parser Alerting¶
This product currently does not have any parser-based alerting.