Webex¶
About¶
Cisco Webex Meetings is a software-as-a-service (SaaS) solution delivered through the Cisco Webex Cloud, a highly secure service-delivery platform with industry-leading performance, integration, flexibility, scalability, and availability. The Cisco Webex Cloud offers ease of deployment and application delivery to lower your total cost of ownership while making possible the highest grade of enterprise security.
Product Details¶
Vendor URL: Webex
Product Type: SaaS
Product Tier: Tier III
Integration Method: Webex Collector
Integration URL: Webex Integration guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: WEBEX_SAAS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| actionText | security_result.summary |
| actorClientName | principal.application |
| actorEmail | principal.email |
| actorEmail | principal.user.userid |
| actorId | principal.user.product_object_id |
| actorIp | principal.ip |
| actorName | principal.hostname |
| actorOauthClient | principal.resource.attribute.labels |
| actorOrgId | principal.asset.product_object_id |
| actorOrgName | principal.user.company_name |
| actorUserAgent | network.http.user_agent |
| authenticationMethod | additional.fields |
| authenticationMethod | extensions.auth.type |
| changedAttributes | security_result.detection_fields |
| changeDetailId | security_result.detection_fields |
| changedGroupMembers | target.group.attribute.labels |
| configKey | additional.fields |
| configValue.previousValue | security_result.detection_fields |
| configValue.value | security_result.detection_fields |
| emailType | additional.fields |
| entitlements.previousValue | security_result.detection_fields |
| entitlements.value | security_result.detection_fields |
| entityType | target.resource.attribute.labels |
| eventCategory | metadata.product_event |
| eventDescription | metadata.description |
| eventStatus | security_result.action |
| failedReason | security_result.detection_fields |
| id | metadata.product_log_id |
| integrationName | target.resource.name |
| locale | principal.location.name |
| locationName | target.location.name |
| logoutMethod | additional.fields |
| logoutMethod | extensions.auth.type |
| onboardMethod | additional.fields |
| operationType | security_result.action_details |
| previousValue | additional.fields |
| roleAdded | target.user.attribute.roles.name |
| settingKey | additional.fields |
| settingName | target.resource.name |
| settingValue | additional.fields |
| targetEmail | target.email |
| targetId | target.user.product_object_id |
| targetName | target.user.userid |
| targetName | target.hostname |
| targetName | target.resource.name |
| targetOrgId | target.asset.product_object_id |
| targetOrgName | target.user.company_name |
| targetType | target.resource.type |
| templateName | target.resource.name |
| templateType | target.resource.attribute.labels |
| trackingId | network.session_id |
| updatedSettings | additional.fields |
| userRoles | target.user.attribute.roles.name |
| userRoles.previousValue | additional.fields |
| userServices | security_result.detection_fields |
| userServices.previousValue | security_result.detection_fields |
| userServices.value | security_result.detection_fields |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| DEVICES - deleted | RESOURCE_DELETION |
| Gneric | GENERIC_EVENT |
| HELPDESK - launched | USER_RESOURCE_ACCESS |
| LOGINS | USER_LOGIN |
| LOGOUT | USER_LOGOUT |
| ORG_SETTINGS - CREATE | SETTING_CREATION |
| ORG_SETTINGS - UPDATE | SETTING_MODIFICATION |
| ORG_TEMPLATES | RESOURCE_CREATION |
| USERS | USER_UNCATEGORIZED |
| USERS - deleted | USER_DELETION |
| USERS - role was updated | USER_CHANGE_PERMISSIONS |
| WEBEX_CALLING - added | RESOURCE_CREATION |
| WEBEX_CALLING - deleted | RESOURCE_DELETION |
| WEBEX_IDENTITY - group member was changed | GROUP_MODIFICATION |
| WEBEX_IDENTITY - user was created | USER_CREATION |
| WEBEX_IDENTITY - user was updated | USER_UNCATEGORIZED |
Log Sample¶
{"actorId":"ABCD1234ABCD1234567","actorOrgId":"XXXXX12345XXXX12345","created":"2024-05-01T21:54:50.115Z","data":{"actionText":"John Doe created user Brown, Jane. The change source is IDaaS Partner SCIM Client. The change detail ID 12345678-123a1234-123a-12a3-123456789.","actorClientId":"C4ca14fe00b0e51efb414ebd45aa88c1858c3bfb949b2405dba10b0ca4bc37402","actorClientName":"IDaaS Partner SCIM Client","actorEmail":"jdoe@naic.org","actorIp":"10.0.0.0","actorName":"John Doe","actorOrgName":"EXAMPLE COMPANY","actorUserAgent":"NoUserAgentAvailableBot/0.1 (+http://www.cisco.com)","changeDetailId":"12345678-123a1234-123a-12a3-123456789","eventCategory":"WEBEX_IDENTITY","eventDescription":"User was created","targetId":"AbCAD134fhdFD14353JfkfbsdfbF","targetName":"Brown, Jane","targetOrgId":"XXXXX12345XXXX12345","targetOrgName":"EXAMPLE COMPANY","targetType":"PERSON","trackingId":"ROUTERGW_12345678-123-1234-12345678"},"id":"MzlhMmQzZDQtOTJiYy00ZTRlLWFhZTQtOGMwMWU4ZDcxYTJl"}
Sample Parsing¶
metadata.product_log_id = "MzlhMmQzZDQtOTJiYy00ZTRlLWFhZTQtOGMwMWU4ZDcxYTJl"
metadata.event_type = "USER_CREATION"
metadata.vendor_name = "Webex"
metadata.product_name = "SAAS"
metadata.product_event_type = "WEBEX_IDENTITY-user"
metadata.description = "User was created"
principal.hostname = "John Doe"
principal.user.product_object_id = "ABCD1234ABCD1234567"
principal.user.userid = "jdoe"
principal.user.company_name = "EXAMPLE COMPANY"
principal.asset.product_object_id = "XXXXX12345XXXX12345"
principal.ip = "10.0.0.0"
principal.administrative_domain = "example.org"
principal.email = "jdoe@example.org"
principal.application = "IDaaS Partner SCIM Client"
target.user.product_object_id = "AbCAD134fhdFD14353JfkfbsdfbF"
target.user.userid = "Brown, Jane"
target.user.company_name = "EXAMPLE COMPANY"
target.asset.product_object_id = "XXXXX12345XXXX12345"
target.resource.type = "PERSON"
target.resource.name = "Brown, Jane"
security_result.detection_fields.key = "changeDetailId"
security_result.detection_fields.value = "12345678-123a1234-123a-12a3-123456789"
security_result.summary = "John Doe created user Brown, Jane. The change source is IDaaS Partner SCIM Client. The change detail ID 12345678-123a1234-123a-12a3-123456789."
network.session_id = "ROUTERGW_12345678-123-1234-12345678"
network.http.user_agent = "NoUserAgentAvailableBot/0.1 (+http://www.cisco.com)"