Change log for CISCO_ISE
| Date | Changes |
|---|---|
| 2024-09-18 | Enhancement:
- Removed mapping of SYSLOG header "hostname" from "intermediary.hostname". |
| 2024-08-06 | Enhancement:
- Mapped "hostname" from SYSLOG header to "intermediary.hostname". |
| 2024-07-30 | Enhancement:
- Mapped "RadiusFlowType" to "security_result.detection_fields". |
| 2024-05-10 | Enhancement:
- Mapped "ExternalGroups" to "additional.fields". |
| 2024-05-09 | Enhancement:
- Added Grok patterns to parse new formats of "CISE_Profiler". - Mapped some fields for "CISE_Administrative_and_Operational_Audit" and "CISE_Alarm". |
| 2024-04-18 | Enhancement:
- Mapped "msg_sev" to "security_result.severity_details". - Mapped "r_total_seg", "r_seg_num", "msg_code", and "r_msg_id" to "security_result.detection_fields". - Mapped "r_cat_name" to "security_result.category_details". - Mapped "msg_text" and "msg_class" to "metadata.description". - Aligned "target.ip" and "target.asset.ip" mappings. - Aligned "target.hostname" and "target.asset.hostname" mappings. - Aligned "principal.ip" and "principal.asset.ip" mappings. - Aligned "principal.hostname" and "principal.asset.hostname" mappings. - Added a Grok pattern to parse "msg_attrs". |
| 2024-04-10 | Bug-Fix:
- Added Grok patterns to parse new formats of "PeerName". |
| 2023-11-20 | Enhancement:
- Added new Grok patterns to parse failing Syslogs. - Added "msg_code" "5412" to parse logs having the same "msg_code". |
| 2023-09-29 | Enhancement:
- Added support for a new pattern of JSON logs. - Mapped "EndpointSourceEvent", "NASIdentifier", "NAS-Port-Type", "NAS-Port-Id", "ProfilerServer" to "security_result.detection_fields" for 80002 and 80006 logs. - Changed mapping of "Location" from "principal.location" to "target.location" for 80002 and 80006 logs. - Added on_error check to replace and merge functions. - Modified date mapping to parse date with "MEST" and "MESZ" timezones. |
| 2023-08-02 | Enhancement -
- Added KV mapping to parse and map "cisco-av-pair=dhcp-option=host-name" to "target.hostname". - Changed mapping of "security_result.action" from "FAIL" to "BLOCK" when "msg_text" contains "failed|dropped|stop|rejected|down|abandoned|block|blocking|invalid". |
| 2023-07-18 | Enhancement -
- Mapped "cisco-av-pair=dhcp-option=host-name" to "target.hostname". - Changed mapping of "User-Name" from "target.user.userid" to "principal.user.userid". - Changed mapping of "UserName" from "target.user.userid" to "principal.user.userid". - Changed mapping of "User" from "target.user.userid" to "principal.user.userid". - Changed mapping of "PhoneNumber" from "target.user.phone_numbers" to "principal.user.phone_numbers". - Mapped "FramedIPAddress" to "security_result.detection_fields" for Profiler event types 80002, 80006. - Modified date mapping to parse date with "EASTERN" timezone. - Added Grok pattern to match "PeerAddress". |
| 2023-06-07 | Enhancement-
- Added Grok pattern to parse a new log pattern. |
| 2023-05-26 | Enhancement-
- Modified date mapping to parse date with 'BJ' timezone. |
| 2023-04-18 | Enhancement-
- Added a 'json' block to handle JSON logs. - Mapped "logstash.irm_region" to "additional.fields". - Mapped "logstash.irm_environment" to "additional.fields". - Mapped "logstash.irm_site" to "additional.fields". - Mapped "logstash.ingest.timestamp" to "metadata.ingested_timestamp". - Mapped "logstash.process.timestamp" to "metadata.collected_timestamp". |
| 2023-03-01 | Enhancement-
- Whenever 'Calling-Station-ID' is an IP address, then map it to 'principal.ip'. - Added a regular expression condition to validate MAC address for field 'device-mac' before mapping to 'principal.mac'. |
| 2022-12-08 | Enhancement-
-Mapped 'assetDeviceType' to 'principal.resource.name'. -Mapped 'assetIncidentScore' to 'security_result.detection_fields'. -Mapped 'PostureAssessmentStatus' to 'security_result.detection_fields'. -Mapped 'PolicyVersion' to 'security_result.detection_fields'. -Mapped 'EndPointVersion' to 'security_result.detection_fields'. -Mapped 'EndPointPolicyID' to 'security_result.detection_fields'. |
| 2022-10-13 | Enhancement- Corrected the date mapping for SYSLOGTIMESTAMP date formats.
|
| 2022-08-12 | Bug fix -
-Modified mapping for the field 'prinicipal.asset.hostname' to 'intermediary.hostname'. -Modfied event_type from GENERIC_EVENT to STATUS_UPDATE or NETWORK_CONNECTION. |
| 2022-08-10 | Enhancement- Modified mappings for the following fields from 'additional.fields' to 'security_result.detection_fields'.
- 'CPMSessionID', 'NASPort', 'AD-Log-Id', 'AD-Srv-Query', 'AD-Srv-Record', 'Tunnel-Client-Endpoint', 'IsThirdPartyDeviceFlow', 'PostureStatus', 'OperationMessageText', 'AcsSessionID', 'SelectedAccessService', 'RadiusPacketType', 'ISELocalAddress', 'ISEModuleName', 'ISEServiceName', 'ConnectionStatus', 'UniqueConnectionIdentifier', 'Audit_session_id', 'EndpointCertainityMetric', 'EndpointNADAddress', 'EndpointOUI', 'EndpointProperty', 'AuthenticationIdentityStore', 'AD-Host-Candidate-Identities', 'PostureExpiry', 'allowEasyWiredSession', 'ConfigVersionId', 'RequestLatency', 'Service-Type', 'Framed-Protocol', 'Class', 'Called-Station-ID', 'Calling-Station-ID', 'Acct-Status-Type', 'Acct-Delay-Time', 'Acct-Input-Octets', 'Acct-Output-Octets', 'Acct-Session-Id', 'Acct-Authentic', 'Acct-Session-Time', 'Acct-Input-Packets', 'Acct-Output-Packets', 'Acct-Terminate-Cause', 'Protocol'. |
| 2022-07-11 | Bug-fix - Mapped NetworkDeviceName to "event.idm.read_only_udm.principal.hostname" where Product_event_type is 5440 RADIUS.
- Mapped r_ip_or_host to observer.ip or observer.hostname. - Dropped malformed/encoded logs. |
| 2022-05-02 | Bug-fix - Corrected mapping for 'security_result.action' from 'ALLOW' to 'FAIL' where the log_type is 'CISE_Failed_Attempts'.
|
| 2022-04-21 | Enhancement-Parsed the logs with log_type='CISE_Profiler'
-For log_type='CISE_TACACS_Accounting changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED' -Added proper condition for 'NASPort' field and 'Port' field. |
| 2022-04-18 | -Mapped 'foreign_ip' to 'intermediary.ip'
-Parsed the logs with log_type='CISE_TACACS_Accounting' and 'CISE_RADIUS_Accounting' -For log_type='CISE_TACACS_Accounting changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED' -Added proper condition for 'NASPort' field. |
| 2022-04-13 | - Mapped NAS-Port-Id in event: 5200.
- Mapped hostname in events: 60188, 60125, 60116, 60115, 60081, 60080, 51021, 51020, 51003, 51002, 51001, 51000, 52000, 52001, 52002. - Mapped Operation Message text in about.labels in event: 52000. - Mapped Serial Number in additional_fields in event: 5200. |