Change log for CISCO_ISE

Date Changes
2025-04-17 Enhancement:
- `kv` : Added support for `kv` format.
- `event.idm.read_only_udm.principal.nat_ip`: Newly mapped `NAS-IP-Address` raw log field with `event.idm.read_only_udm.principal.nat_ip` UDM field.
- `event.idm.read_only_udm.target.ip`: Newly mapped `DestinationIPAddress` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM field and set `has_target` to `true`.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `Device_IP_Address` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM field and set `has_principal` to `true`.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `UserName` and `User-Name` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.target.resource.name`: Newly mapped `NetworkDeviceProfileId` raw log field with `event.idm.read_only_udm.principal.asset.asset_id` UDM field.
- `event.idm.read_only_udm.principal.asset.mac` : Newly mapped `EndpointMacAddress` raw log field with `event.idm.read_only_udm.principal.asset.mac` UDM field.
- `event.idm.read_only_udm.principal.ip` : Newly mapped `ISELocalAddress` raw log field with `event.idm.read_only_udm.principal.ip` UDM field and set `has_principal` to `true`.
- `event.idm.read_only_udm.principal.asset.ip` : Newly mapped `ISELocalAddress` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field and set `has_principal` to `true`.
- `event.idm.read_only_udm.principal.asset.asset_id`: Newly mapped `NetworkDeviceProfileName` raw log field with `event.idm.read_only_udm.principal.asset.asset_id` UDM field.
- `event.idm.read_only_udm.metadata.event_type`: Newly mapped the `event.idm.read_only_udm.metadata.event_type` UDM field as `NETWORK_CONNECTION` when both `has_principal` and `has_target` are set.
- `event.idm.read_only_udm.metadata.event_type`: Newly mapped the `event.idm.read_only_udm.metadata.event_type` UDM field as `STATUS_UPDATE` when `has_principal` is set but `has_target` is not.
- `event.idm.read_only_udm.metadata.event_type`: Newly mapped the `event.idm.read_only_udm.metadata.event_type` UDM field as `GENERIC_EVENT` when neither `has_principal` nor `has_target` is set.
- Added multiple Grok patterns to parse logs in syslog+kv format.
- Added a gsub for the `Device Ip Address` raw log field.
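The event_type derivation above (both flags set gives `NETWORK_CONNECTION`, principal only gives `STATUS_UPDATE`, neither gives `GENERIC_EVENT`), together with the syslog+kv field extraction it depends on, worked through in Python as an added example. This is not the parser's own code: the syslog header layout, the three sample lines and the field-to-UDM mapping are constructed for illustration from the raw-log field names listed in this entry. Addresses are checked with `ipaddress` before they count toward `has_principal`/`has_target`, so a non-IP value in `Device IP Address` falls through to `GENERIC_EVENT` instead of producing a malformed principal.

```python
# Added example, not the parser's own code: map constructed Cisco ISE syslog+kv
# lines to UDM and derive metadata.event_type from has_principal / has_target.
import re
from ipaddress import ip_address

# Constructed sample lines (not captured ISE output); attribute names follow the
# raw-log fields named in the change log entry.
SAMPLE_LOGS = [
    # principal (Device IP Address, ISELocalAddress) + target (DestinationIPAddress)
    "<181>Apr 17 10:15:02 ise-psn01 CISE_Passed_Authentications 0000123456 1 0 "
    "2025-04-17 10:15:02.123 +00:00 0987654321 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=alice, User-Name=alice, Device IP Address=10.0.0.1, "
    "NAS-IP-Address=10.0.0.1, DestinationIPAddress=10.0.0.50, "
    "EndpointMacAddress=AA:BB:CC:DD:EE:FF, NetworkDeviceProfileName=Cisco, ISELocalAddress=10.0.0.5",
    # principal only
    "<181>Apr 17 10:16:40 ise-psn01 CISE_System_Statistics 0000123457 1 0 "
    "2025-04-17 10:16:40.004 +00:00 0987654322 70001 INFO System-Stats: ISE Utilization, "
    "ISELocalAddress=10.0.0.5, ISEModuleName=Profiler",
    # neither: a non-IP value must not create a principal
    "<181>Apr 17 10:17:01 ise-psn01 CISE_Alarm 0000123458 1 0 "
    "2025-04-17 10:17:01.500 +00:00 0987654323 60077 WARN Alarm: Health Status Unavailable, "
    "ISEModuleName=Alarm, Device IP Address=not-an-ip",
]

# Assumed header layout: syslog header, ISE category, message id, total/current
# segment, ISE timestamp, sequence, message code, severity, then the kv body.
HEADER = re.compile(
    r"^(?:<\d+>)?(?P<syslog_ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<category>CISE_\w+)\s(?P<msg_id>\d+)\s(?P<total_seg>\d+)\s(?P<seg_num>\d+)\s"
    r"(?P<ise_ts>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+\s[+-]\d{2}:\d{2})\s"
    r"(?P<seq>\d+)\s(?P<msg_code>\d+)\s(?P<severity>\w+)\s(?P<body>.*)$"
)
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def parse_kv(body):
    """Split the kv body into free-text message and an attribute dict.
    Keys containing spaces ('Device IP Address') are normalised to underscores,
    which is the job the gsub in the change log does."""
    text, attrs = [], {}
    for chunk in body.split(", "):
        key, sep, value = chunk.partition("=")
        if not sep or not key.strip():
            text.append(chunk)
            continue
        attrs[key.strip().replace(" ", "_")] = value.strip()
    return ", ".join(text), attrs


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def _append(udm, path, value):
    # Append to a repeated UDM field given as a dotted path, without duplicates.
    node = udm
    *parents, leaf = path.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    values = node.setdefault(leaf, [])
    if value not in values:
        values.append(value)


def to_udm(line):
    """Map one ISE line to a UDM-shaped dict and set metadata.event_type."""
    match = HEADER.match(line)
    if not match:
        raise ValueError("line does not match the assumed ISE syslog header")
    msg_text, attrs = parse_kv(match["body"])
    udm = {"metadata": {"product_event_type": match["msg_code"], "description": msg_text}}
    has_principal = has_target = False
    if _is_ip(attrs.get("NAS-IP-Address", "")):
        _append(udm, "principal.nat_ip", attrs["NAS-IP-Address"])
    if _is_ip(attrs.get("DestinationIPAddress", "")):
        for path in ("target.ip", "target.asset.ip"):
            _append(udm, path, attrs["DestinationIPAddress"])
        has_target = True
    for key in ("Device_IP_Address", "ISELocalAddress"):
        if _is_ip(attrs.get(key, "")):
            for path in ("principal.ip", "principal.asset.ip"):
                _append(udm, path, attrs[key])
            has_principal = True
    userid = attrs.get("UserName") or attrs.get("User-Name")  # either spelling
    if userid:
        udm.setdefault("principal", {}).setdefault("user", {})["userid"] = userid
    mac = attrs.get("EndpointMacAddress", "")
    if MAC_RE.match(mac):  # validate before mapping, as the parser does for device-mac
        _append(udm, "principal.asset.mac", mac.lower())
    if attrs.get("NetworkDeviceProfileName"):
        udm.setdefault("principal", {}).setdefault("asset", {})["asset_id"] = attrs["NetworkDeviceProfileName"]
    udm["metadata"]["event_type"] = (
        "NETWORK_CONNECTION" if has_principal and has_target
        else "STATUS_UPDATE" if has_principal else "GENERIC_EVENT")
    return udm
```

Running `to_udm` over the three sample lines yields `NETWORK_CONNECTION`, `STATUS_UPDATE` and `GENERIC_EVENT` in turn; the third line carries a `Device IP Address` that is not an address, so no principal is created and the event stays generic.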
2025-04-11 Enhancement:
- Added support for the event "CISE_Guest" and its corresponding raw log fields.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `UserName` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field and set `has_principal_user` to `true`.
- `event.idm.read_only_udm.principal.mac`: Newly mapped `MacAddress` raw log field with `event.idm.read_only_udm.principal.mac` and `event.idm.read_only_udm.principal.asset.mac` UDM fields.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `IpAddress` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields and set `has_principal` to `true`.
- `event.idm.read_only_udm.principal.user.attribute.labels`: Newly mapped `UserType` raw log field with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- `event.idm.read_only_udm.target.url`: Newly mapped `PortalName` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- `event.idm.read_only_udm.intermediary.ip`: Newly mapped `NADAddress` raw log field with `event.idm.read_only_udm.intermediary.ip` and `event.idm.read_only_udm.intermediary.asset.ip` UDM fields and set `has_intermediary` to `true`.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `AuditSessionId` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `ResponseTime` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.metadata.event_type`: Removed the condition that mapped `event.idm.read_only_udm.metadata.event_type` to `GENERIC_EVENT` for `CISE_RADIUS_Diagnostics` events, since these logs carry data that maps to more specific event types.
2025-03-17 Enhancement:
- Mapped "EndPointMACAddress" to "principal.asset.mac".
- Mapped "ISEPolicySetName" to "target.resource.name".
- Mapped "CPMSessionID" to "network.session_id".
- Mapped "StepLatency" to "additional.fields".
- Mapped "TotalAuthenLatency" to "security_result.detection_fields".
- Mapped "ClientLatency" to "security_result.detection_fields".
- Mapped "HostIdentityGroup" to "additional.fields".
2025-03-13 Enhancement:
- Added a Grok pattern to parse NTP Server value.
- Mapped "ntp_server_1", "ntp_server_2", and "ntp_server_3" to "target.ip" and "target.asset.ip".
- Added support to parse CSV logs.
- Mapped "column11" to "metadata.description".
- Mapped "column14" to "metadata.product_log_id".
- Mapped "column16" to "principal.hostname" and "principal.asset.hostname".
2025-03-05 Enhancement:
- Added a new Grok pattern to support logs with a new format.
2025-02-19 Enhancement:
- Added support for a new format of logs.
- Mapped "user" to "principal.user.userid".
- Mapped "Source" to "principal.ip" and "principal.asset.ip".
- Mapped "localport" to "principal.port".
2025-01-23 Enhancement:
- Mapped "ntp_server_1", "ntp_server_2", and "ntp_server_3" to "target.ip".
2024-12-19 Enhancement:
- Added a Grok pattern to parse a new log pattern.
- Mapped "dc-protocol-map", "audit-session-id", "vlan-id", "method", "cisco-wlan-ssid", "SelectedAccessService", and "Network_Device_Profile" to "security_result.detection_fields".
2024-11-19 Enhancement:
- Added a Grok pattern to map "UserName" to "principal.user.userid".
2024-11-18 Enhancement:
- Added Grok pattern to parse a new log pattern.
- Added null check to "r_ip_or_host" before mapping it to "observer.hostname".
- Added null check to "r_ip_or_host" before mapping it to "principal.hostname" and "principal.asset.hostname" or merging it with "principal.ip" and "principal.asset.ip".
- Added a new Grok pattern to parse "msg_attrs".
- Mapped "threshold_value" to "additional.fields".
- Mapped "used_space_value" to "additional.fields".
2024-10-30 Enhancement:
- Mapped "Nas-Port-id" to "security_result.detection_fields".
- Mapped "UserName" to "principal.mac".
- Mapped "SSID" to "security_result.detection_fields".
2024-10-29 Enhancement:
- Added a new Grok pattern to parse logs with nested syslog headers.
2024-09-18 Enhancement:
- Removed mapping of SYSLOG header "hostname" from "intermediary.hostname".
2024-08-06 Enhancement:
- Mapped "hostname" from SYSLOG header to "intermediary.hostname".
2024-07-30 Enhancement:
- Mapped "RadiusFlowType" to "security_result.detection_fields".
2024-05-10 Enhancement:
- Mapped "ExternalGroups" to "additional.fields".
2024-05-09 Enhancement:
- Added Grok patterns to parse new formats of "CISE_Profiler".
- Mapped some fields for "CISE_Administrative_and_Operational_Audit" and "CISE_Alarm".
2024-04-18 Enhancement:
- Mapped "msg_sev" to "security_result.severity_details".
- Mapped "r_total_seg", "r_seg_num", "msg_code", and "r_msg_id" to "security_result.detection_fields".
- Mapped "r_cat_name" to "security_result.category_details".
- Mapped "msg_text" and "msg_class" to "metadata.description".
- Aligned "target.ip" and "target.asset.ip" mappings.
- Aligned "target.hostname" and "target.asset.hostname" mappings.
- Aligned "principal.ip" and "principal.asset.ip" mappings.
- Aligned "principal.hostname" and "principal.asset.hostname" mappings.
- Added a Grok pattern to parse "msg_attrs".
2024-04-10 Bug-Fix:
- Added Grok patterns to parse new formats of "PeerName".
2023-11-20 Enhancement:
- Added new Grok patterns to parse failing Syslogs.
- Added "msg_code" "5412" so that logs carrying that code are parsed.
2023-09-29 Enhancement:
- Added support for a new pattern of JSON logs.
- Mapped "EndpointSourceEvent", "NASIdentifier", "NAS-Port-Type", "NAS-Port-Id", "ProfilerServer" to "security_result.detection_fields" for 80002 and 80006 logs.
- Changed mapping of "Location" from "principal.location" to "target.location" for 80002 and 80006 logs.
- Added "on_error" checks to the "replace" and "merge" functions.
- Modified date mapping to parse date with "MEST" and "MESZ" timezones.
2023-08-02 Enhancement:
- Added KV mapping to parse and map "cisco-av-pair=dhcp-option=host-name" to "target.hostname".
- Changed mapping of "security_result.action" from "FAIL" to "BLOCK" when "msg_text" contains "failed|dropped|stop|rejected|down|abandoned|block|blocking|invalid".
2023-07-18 Enhancement:
- Mapped "cisco-av-pair=dhcp-option=host-name" to "target.hostname".
- Changed mapping of "User-Name" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "UserName" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "User" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "PhoneNumber" from "target.user.phone_numbers" to "principal.user.phone_numbers".
- Mapped "FramedIPAddress" to "security_result.detection_fields" for Profiler event types 80002, 80006.
- Modified date mapping to parse date with "EASTERN" timezone.
- Added Grok pattern to match "PeerAddress".
2023-06-07 Enhancement:
- Added Grok pattern to parse a new log pattern.
2023-05-26 Enhancement:
- Modified date mapping to parse date with 'BJ' timezone.
2023-04-18 Enhancement:
- Added a 'json' block to handle JSON logs.
- Mapped "logstash.irm_region" to "additional.fields".
- Mapped "logstash.irm_environment" to "additional.fields".
- Mapped "logstash.irm_site" to "additional.fields".
- Mapped "logstash.ingest.timestamp" to "metadata.ingested_timestamp".
- Mapped "logstash.process.timestamp" to "metadata.collected_timestamp".
2023-03-01 Enhancement:
- Mapped 'Calling-Station-ID' to 'principal.ip' whenever its value is an IP address.
- Added a regular-expression check that validates 'device-mac' as a MAC address before mapping it to 'principal.mac'.
2022-12-08 Enhancement:
- Mapped 'assetDeviceType' to 'principal.resource.name'.
- Mapped 'assetIncidentScore' to 'security_result.detection_fields'.
- Mapped 'PostureAssessmentStatus' to 'security_result.detection_fields'.
- Mapped 'PolicyVersion' to 'security_result.detection_fields'.
- Mapped 'EndPointVersion' to 'security_result.detection_fields'.
- Mapped 'EndPointPolicyID' to 'security_result.detection_fields'.
2022-10-13 Enhancement:
- Corrected the date mapping for SYSLOGTIMESTAMP date formats.
2022-08-12 Bug-Fix:
- Changed the mapping from 'principal.asset.hostname' to 'intermediary.hostname'.
- Modified event_type from GENERIC_EVENT to STATUS_UPDATE or NETWORK_CONNECTION.
2022-08-10 Enhancement:
- Moved the following fields from 'additional.fields' to 'security_result.detection_fields':
- 'CPMSessionID', 'NASPort', 'AD-Log-Id', 'AD-Srv-Query', 'AD-Srv-Record', 'Tunnel-Client-Endpoint', 'IsThirdPartyDeviceFlow', 'PostureStatus', 'OperationMessageText', 'AcsSessionID', 'SelectedAccessService', 'RadiusPacketType', 'ISELocalAddress', 'ISEModuleName', 'ISEServiceName', 'ConnectionStatus', 'UniqueConnectionIdentifier', 'Audit_session_id', 'EndpointCertainityMetric', 'EndpointNADAddress', 'EndpointOUI', 'EndpointProperty', 'AuthenticationIdentityStore', 'AD-Host-Candidate-Identities', 'PostureExpiry', 'allowEasyWiredSession', 'ConfigVersionId', 'RequestLatency', 'Service-Type', 'Framed-Protocol', 'Class', 'Called-Station-ID', 'Calling-Station-ID', 'Acct-Status-Type', 'Acct-Delay-Time', 'Acct-Input-Octets', 'Acct-Output-Octets', 'Acct-Session-Id', 'Acct-Authentic', 'Acct-Session-Time', 'Acct-Input-Packets', 'Acct-Output-Packets', 'Acct-Terminate-Cause', 'Protocol'.
2022-07-11 Bug-Fix:
- Mapped 'NetworkDeviceName' to 'event.idm.read_only_udm.principal.hostname' where the product event type is 5440 (RADIUS).
- Mapped 'r_ip_or_host' to 'observer.ip' or 'observer.hostname'.
- Dropped malformed/encoded logs.
2022-05-02 Bug-Fix:
- Corrected mapping for 'security_result.action' from 'ALLOW' to 'FAIL' where the log_type is 'CISE_Failed_Attempts'.
2022-04-21 Enhancement:
- Parsed the logs with log_type='CISE_Profiler'.
- For log_type='CISE_TACACS_Accounting', changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED'.
- Added proper conditions for the 'NASPort' and 'Port' fields.
2022-04-18
- Mapped 'foreign_ip' to 'intermediary.ip'.
- Parsed the logs with log_type='CISE_TACACS_Accounting' and 'CISE_RADIUS_Accounting'.
- For log_type='CISE_TACACS_Accounting', changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED'.
- Added proper condition for the 'NASPort' field.
2022-04-13
- Mapped 'NAS-Port-Id' for event 5200.
- Mapped 'hostname' for events 60188, 60125, 60116, 60115, 60081, 60080, 51021, 51020, 51003, 51002, 51001, 51000, 52000, 52001, and 52002.
- Mapped 'Operation Message text' to 'about.labels' for event 52000.
- Mapped 'Serial Number' to 'additional.fields' for event 5200.