Change log for CISCO_ISE

Date Changes
2024-11-19 Enhancement:
- Added a Grok pattern to map "UserName" to "principal.user.userid".
2024-11-18 Enhancement:
- Added Grok pattern to parse a new log pattern.
- Added null check to "r_ip_or_host" before mapping it to "observer.hostname".
- Added null check to "r_ip_or_host" before mapping it to "principal.hostname" and "principal.asset.hostname" or merging it with "principal.ip" and "principal.asset.ip".
- Added a new Grok pattern to parse "msg_attrs".
- Mapped "threshold_value" to "additional.fields".
- Mapped "used_space_value" to "additional.fields".
2024-10-30 Enhancement:
- Mapped "Nas-Port-id" to "security_result.detection_fields".
- Mapped "UserName" to "principal.mac".
- Mapped "SSID" to "security_result.detection_fields".
2024-10-29 Enhancement:
- Added a new Grok pattern to parse logs with nested syslog headers.
2024-09-18 Enhancement:
- Removed mapping of SYSLOG header "hostname" from "intermediary.hostname".
2024-08-06 Enhancement:
- Mapped "hostname" from SYSLOG header to "intermediary.hostname".
2024-07-30 Enhancement:
- Mapped "RadiusFlowType" to "security_result.detection_fields".
2024-05-10 Enhancement:
- Mapped "ExternalGroups" to "additional.fields".
2024-05-09 Enhancement:
- Added Grok patterns to parse new formats of "CISE_Profiler".
- Mapped some fields for "CISE_Administrative_and_Operational_Audit" and "CISE_Alarm".
2024-04-18 Enhancement:
- Mapped "msg_sev" to "security_result.severity_details".
- Mapped "r_total_seg", "r_seg_num", "msg_code", and "r_msg_id" to "security_result.detection_fields".
- Mapped "r_cat_name" to "security_result.category_details".
- Mapped "msg_text" and "msg_class" to "metadata.description".
- Aligned "target.ip" and "target.asset.ip" mappings.
- Aligned "target.hostname" and "target.asset.hostname" mappings.
- Aligned "principal.ip" and "principal.asset.ip" mappings.
- Aligned "principal.hostname" and "principal.asset.hostname" mappings.
- Added a Grok pattern to parse "msg_attrs".
2024-04-10 Bug-Fix:
- Added Grok patterns to parse new formats of "PeerName".
2023-11-20 Enhancement:
- Added new Grok patterns to parse syslog lines that previously failed to parse.
- Added support for "msg_code" "5412" so that logs carrying that code are parsed.
2023-09-29 Enhancement:
- Added support for a new pattern of JSON logs.
- Mapped "EndpointSourceEvent", "NASIdentifier", "NAS-Port-Type", "NAS-Port-Id", "ProfilerServer" to "security_result.detection_fields" for 80002 and 80006 logs.
- Changed mapping of "Location" from "principal.location" to "target.location" for 80002 and 80006 logs.
- Added on_error check to replace and merge functions.
- Modified date mapping to parse date with "MEST" and "MESZ" timezones.
2023-08-02 Enhancement:
- Added KV mapping to parse and map "cisco-av-pair=dhcp-option=host-name" to "target.hostname".
- Changed mapping of "security_result.action" from "FAIL" to "BLOCK" when "msg_text" contains "failed|dropped|stop|rejected|down|abandoned|block|blocking|invalid".
2023-07-18 Enhancement:
- Mapped "cisco-av-pair=dhcp-option=host-name" to "target.hostname".
- Changed mapping of "User-Name" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "UserName" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "User" from "target.user.userid" to "principal.user.userid".
- Changed mapping of "PhoneNumber" from "target.user.phone_numbers" to "principal.user.phone_numbers".
- Mapped "FramedIPAddress" to "security_result.detection_fields" for Profiler event types 80002, 80006.
- Modified date mapping to parse date with "EASTERN" timezone.
- Added Grok pattern to match "PeerAddress".
2023-06-07 Enhancement:
- Added Grok pattern to parse a new log pattern.
2023-05-26 Enhancement:
- Modified date mapping to parse date with 'BJ' timezone.
2023-04-18 Enhancement:
- Added a 'json' block to handle JSON logs.
- Mapped "logstash.irm_region" to "additional.fields".
- Mapped "logstash.irm_environment" to "additional.fields".
- Mapped "logstash.irm_site" to "additional.fields".
- Mapped "logstash.ingest.timestamp" to "metadata.ingested_timestamp".
- Mapped "logstash.process.timestamp" to "metadata.collected_timestamp".
2023-03-01 Enhancement:
- Mapped 'Calling-Station-ID' to 'principal.ip' whenever its value is an IP address.
- Added a regular expression condition to validate the MAC address in 'device-mac' before mapping it to 'principal.mac'.
2022-12-08 Enhancement:
- Mapped 'assetDeviceType' to 'principal.resource.name'.
- Mapped 'assetIncidentScore' to 'security_result.detection_fields'.
- Mapped 'PostureAssessmentStatus' to 'security_result.detection_fields'.
- Mapped 'PolicyVersion' to 'security_result.detection_fields'.
- Mapped 'EndPointVersion' to 'security_result.detection_fields'.
- Mapped 'EndPointPolicyID' to 'security_result.detection_fields'.
2022-10-13 Enhancement:
- Corrected the date mapping for SYSLOGTIMESTAMP date formats.
2022-08-12 Bug-Fix:
- Changed the mapping of the field previously sent to 'principal.asset.hostname' so that it maps to 'intermediary.hostname'.
- Changed event_type from GENERIC_EVENT to STATUS_UPDATE or NETWORK_CONNECTION.
2022-08-10 Enhancement:
- Changed the mapping of the following fields from 'additional.fields' to 'security_result.detection_fields': 'CPMSessionID', 'NASPort', 'AD-Log-Id', 'AD-Srv-Query', 'AD-Srv-Record', 'Tunnel-Client-Endpoint', 'IsThirdPartyDeviceFlow', 'PostureStatus', 'OperationMessageText', 'AcsSessionID', 'SelectedAccessService', 'RadiusPacketType', 'ISELocalAddress', 'ISEModuleName', 'ISEServiceName', 'ConnectionStatus', 'UniqueConnectionIdentifier', 'Audit_session_id', 'EndpointCertainityMetric', 'EndpointNADAddress', 'EndpointOUI', 'EndpointProperty', 'AuthenticationIdentityStore', 'AD-Host-Candidate-Identities', 'PostureExpiry', 'allowEasyWiredSession', 'ConfigVersionId', 'RequestLatency', 'Service-Type', 'Framed-Protocol', 'Class', 'Called-Station-ID', 'Calling-Station-ID', 'Acct-Status-Type', 'Acct-Delay-Time', 'Acct-Input-Octets', 'Acct-Output-Octets', 'Acct-Session-Id', 'Acct-Authentic', 'Acct-Session-Time', 'Acct-Input-Packets', 'Acct-Output-Packets', 'Acct-Terminate-Cause', 'Protocol'.
2022-07-11 Bug-Fix:
- Mapped "NetworkDeviceName" to "event.idm.read_only_udm.principal.hostname" where "Product_event_type" is 5440 (RADIUS).
- Mapped "r_ip_or_host" to "observer.ip" or "observer.hostname".
- Dropped malformed/encoded logs.
2022-05-02 Bug-Fix:
- Corrected the mapping of 'security_result.action' from 'ALLOW' to 'FAIL' where log_type is 'CISE_Failed_Attempts'.
2022-04-21 Enhancement:
- Parsed the logs with log_type='CISE_Profiler'.
- For log_type='CISE_TACACS_Accounting', changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED'.
- Added a proper condition for the 'NASPort' and 'Port' fields.
2022-04-18
- Mapped 'foreign_ip' to 'intermediary.ip'.
- Parsed the logs with log_type='CISE_TACACS_Accounting' and 'CISE_RADIUS_Accounting'.
- For log_type='CISE_TACACS_Accounting', changed event_type from 'GENERIC_EVENT' to 'USER_UNCATEGORIZED'.
- Added a proper condition for the 'NASPort' field.
2022-04-13
- Mapped 'NAS-Port-Id' in event 5200.
- Mapped hostname in events: 60188, 60125, 60116, 60115, 60081, 60080, 51021, 51020, 51003, 51002, 51001, 51000, 52000, 52001, 52002.
- Mapped Operation Message text to 'about.labels' in event 52000.
- Mapped Serial Number to 'additional.fields' in event 5200.
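Worked example, added here and not part of the change log or of the Google SecOps parser itself (which is a Logstash-style configuration, not Python): a small Python re-implementation of several rules the entries above describe, run over constructed Cisco ISE syslog lines. It shows the header Grok equivalent (r_ip_or_host, r_cat_name, r_msg_id/r_total_seg/r_seg_num, msg_code, msg_sev, msg_class, msg_text, msg_attrs), the first-'=' split needed for "cisco-av-pair=dhcp-option=host-name" (2023-07-18), the IP-or-MAC handling of "Calling-Station-ID" and the regex check on "device-mac" (2023-03-01), the 5440-only "NetworkDeviceName" rule (2022-07-11), the "security_result.action" ladder ALLOW / FAIL / BLOCK (2022-05-02 and 2023-08-02) and dropping malformed lines. The sample lines, the hostnames and the exact condition under which a MAC-shaped "UserName" goes to "principal.mac" rather than "principal.user.userid" are assumptions for illustration; the page does not state that condition.

```python
# Added example (not the Google SecOps parser, which is a Logstash-style config): a toy
# re-implementation of several mapping rules from this change log over constructed ISE lines.
import ipaddress
import re

# Header: optional <PRI>, syslog time, relay host/IP (r_ip_or_host), category, message id, total
# segments, segment number, ISE time, sequence, msg_code, msg_sev, then "Class: text, k=v, k=v...".
HEADER = re.compile(
    r"^(?:<\d+>)?(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}) "
    r"(?P<r_ip_or_host>\S+) (?P<r_cat_name>CISE_\w+) (?P<r_msg_id>\d+) (?P<r_total_seg>\d+) "
    r"(?P<r_seg_num>\d+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{2}:\d{2}) (?P<seq>\d+) "
    r"(?P<msg_code>\d+) (?P<msg_sev>[A-Z]+) (?P<msg_class>[^:]+): (?P<msg_text>[^,]*)(?:, (?P<msg_attrs>.*))?$"
)
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
# Word list from the 2023-08-02 entry; any hit in msg_text turns the action into BLOCK.
BLOCK_RE = re.compile(r"failed|dropped|stop|rejected|down|abandoned|block|blocking|invalid", re.I)
# A few of the attributes the 2022-08-10, 2024-07-30 and 2024-10-30 entries send to detection_fields.
DETECTION_KEYS = ("NAS-Port-Id", "RadiusFlowType", "SSID", "Service-Type", "Acct-Status-Type")

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def _norm_mac(value):
    # Canonical lower-case colon form, or None when the value does not pass the MAC regex.
    return value.lower().replace("-", ":") if value and MAC_RE.match(value) else None

def parse_attrs(msg_attrs):
    """Split 'k=v, k=v' on the FIRST '=' only, so cisco-av-pair=dhcp-option=host-name=x keeps its
    whole value. Returns a list of pairs because ISE repeats cisco-av-pair within one message."""
    pairs = [item.partition("=") for item in msg_attrs.split(", ")]
    return [(k.strip(), v.strip()) for k, sep, v in pairs if sep and k.strip()]

def parse_ise_line(line):
    """Map one ISE syslog line to a flat dict of UDM-style paths; None means 'drop' (bad header)."""
    m = HEADER.match(line)
    if not m:
        return None
    h = m.groupdict()
    det = {k: h[k] for k in ("msg_code", "r_msg_id", "r_total_seg", "r_seg_num")}
    udm = {"metadata.description": f"{h['msg_class']}: {h['msg_text']}",
           "security_result.category_details": h["r_cat_name"],
           "security_result.severity_details": h["msg_sev"],
           "security_result.detection_fields": det}
    # Relay host: observer.ip or observer.hostname by shape; the null check keeps an unset group out of UDM.
    if h["r_ip_or_host"]:
        udm["observer.ip" if _is_ip(h["r_ip_or_host"]) else "observer.hostname"] = h["r_ip_or_host"]
    pairs = parse_attrs(h["msg_attrs"] or "")
    attrs = dict(pairs)  # last value wins; repeated cisco-av-pair is scanned from `pairs` below
    det.update((k, attrs[k]) for k in DETECTION_KEYS if k in attrs)
    # UserName/User-Name/User -> principal.user.userid; a MAC-shaped UserName (MAB) -> principal.mac.
    # ASSUMPTION: that is how the 2024-10-30 and 2024-11-19 entries reconcile; the page does not say.
    user = attrs.get("UserName") or attrs.get("User-Name") or attrs.get("User")
    if user and _norm_mac(user):
        udm["principal.mac"] = _norm_mac(user)
    elif user:
        udm["principal.user.userid"] = user
    # Calling-Station-ID always goes to detection_fields; an IP-shaped value also becomes principal.ip.
    csid = attrs.get("Calling-Station-ID")
    if csid:
        det["Calling-Station-ID"] = csid
        if _is_ip(csid):
            udm["principal.ip"] = csid
    # device-mac must pass the MAC regex before it may set principal.mac (2023-03-01 entry).
    if _norm_mac(attrs.get("device-mac")):
        udm["principal.mac"] = _norm_mac(attrs["device-mac"])
    # NetworkDeviceName -> principal.hostname only for msg_code 5440 (2022-07-11 entry).
    if h["msg_code"] == "5440" and attrs.get("NetworkDeviceName"):
        udm["principal.hostname"] = attrs["NetworkDeviceName"]
    # cisco-av-pair=dhcp-option=host-name=<name> -> target.hostname (2023-07-18 entry).
    for key, value in pairs:
        if key == "cisco-av-pair" and value.startswith("dhcp-option=host-name="):
            udm["target.hostname"] = value.split("=", 2)[2]
    # ALLOW by default, FAIL for CISE_Failed_Attempts (2022-05-02), BLOCK on a word-list hit (2023-08-02).
    action = "FAIL" if h["r_cat_name"] == "CISE_Failed_Attempts" else "ALLOW"
    if BLOCK_RE.search(h["msg_text"]):
        action = "BLOCK"
    udm["security_result.action"] = action
    return udm

def parse_all(lines):
    """Parse a batch and drop the lines the header pattern rejects."""
    return [e for e in map(parse_ise_line, lines) if e is not None]

# Constructed sample lines in the ISE syslog layout (not captured from a real node).
SAMPLE_LOGS = [
    "<181>Jan 19 2024 10:22:33 ise-psn-01 CISE_Passed_Authentications 0000012345 1 0 2024-01-19 10:22:33.123 +00:00 "
    "0000067890 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=12, Device IP Address=10.1.1.5, "
    "UserName=alice, NetworkDeviceName=switch01, Calling-Station-ID=00-11-22-33-44-55, NAS-Port-Id=GigabitEthernet1/0/1, "
    "cisco-av-pair=dhcp-option=host-name=alice-laptop",
    "<181>Jan 19 2024 10:23:05 10.10.0.9 CISE_Failed_Attempts 0000012346 1 0 2024-01-19 10:23:05.010 +00:00 "
    "0000067891 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=12, Device IP Address=10.1.1.5, "
    "UserName=bob, Calling-Station-ID=192.168.1.50, device-mac=not-a-mac",
    "<181>Jan 19 2024 10:23:40 ise-psn-01 CISE_Failed_Attempts 0000012347 1 0 2024-01-19 10:23:40.500 +00:00 "
    "0000067892 5440 NOTICE Failed-Attempt: Endpoint abandoned EAP session and started new, ConfigVersionId=12, "
    "Device IP Address=10.1.1.6, UserName=00-AA-BB-CC-DD-EE, NetworkDeviceName=switch02, "
    "Calling-Station-ID=00-AA-BB-CC-DD-EE, RadiusFlowType=Wired802_1x",
    # Encoded garbage where the segment header should be: dropped (returns None) rather than half-parsed.
    "<181>Jan 19 2024 10:23:41 ise-psn-01 CISE_Passed_Authentications %00%00%00 not a valid segment header",
]

if __name__ == "__main__":
    for event in parse_all(SAMPLE_LOGS):
        print(event["security_result.action"], event["metadata.description"])
```

Two things worth checking when keying detections on these fields: the BLOCK word list from the 2023-08-02 entry contains "stop" and "down", so any message text that merely describes an accounting stop or an interface going down also gets security_result.action = BLOCK, which is why the example keeps msg_code in security_result.detection_fields alongside the action; and splitting "cisco-av-pair" on the first "=" only is what keeps the DHCP host name intact, a naive key=value split would truncate it to "dhcp-option".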