From 5c793b43225e68f978666b753123937e63176f20 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Tue, 16 Jun 2026 15:52:24 -0700 Subject: [PATCH 1/3] [cisco_ise] Correct parsing of kv pairs with commas Fixed KV pair parsing in 16 Cisco ISE ingest pipelines to handle values containing commas, by adding a look-ahead pattern to determine if the comma is part of the value field or delimiter of the value. --- packages/cisco_ise/changelog.yml | 5 + ...ve-and-operational-audit.log-expected.json | 2 +- .../test-pipeline-passed-authentications.log | 1 + ...e-passed-authentications.log-expected.json | 266 ++++++++++++++++++ .../ingest_pipeline/pipeline_ad_connector.yml | 2 +- ...e_administrative_and_operational_audit.yml | 6 +- ...peline_authentication_flow_diagnostics.yml | 2 +- .../pipeline_failed_attempts.yml | 2 +- .../ingest_pipeline/pipeline_guest.yml | 2 +- .../pipeline_identity_stores_diagnostics.yml | 2 +- ...peline_internal_operations_diagnostics.yml | 2 +- .../ingest_pipeline/pipeline_mydevices.yml | 2 +- .../pipeline_passed_authentications.yml | 2 +- .../pipeline_policy_diagnostics.yml | 2 +- ..._posture_and_client_provisioning_audit.yml | 2 +- .../pipeline_radius_accounting.yml | 2 +- .../pipeline_radius_diagnostics.yml | 2 +- .../pipeline_system_statistics.yml | 2 +- .../pipeline_tacacs_accounting.yml | 2 +- .../pipeline_threat_centric_nac.yml | 2 +- .../data_stream/log/fields/fields.yml | 16 ++ packages/cisco_ise/manifest.yml | 2 +- 22 files changed, 308 insertions(+), 20 deletions(-) diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml index aa50eaddf3b..66987b66e11 100644 --- a/packages/cisco_ise/changelog.yml +++ b/packages/cisco_ise/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top
+- version: "1.32.7"
+ changes:
+ - description: Correctly parse key-value pairs where the value contains commas.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/999999
 - version: "1.32.6"
 changes:
 - description: Add missing event.category, event.type, and event.outcome for existing and new message codes to CISE_Passed_Authentications and CISE_Failed_Attempts pipelines.
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
index 23b4655ade6..d8039c2af06 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
@@ -100,7 +100,7 @@
 "id": "0000019355"
 },
 "operation_message": {
- "text": "Authentication failed due to invalid user or password\\"
+ "text": "Authentication failed due to invalid user or password\\, or account is disabled/locked"
 },
 "segment": {
 "number": 0,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log
index f82443294d3..b95d90e42bc 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log
@@ -18,3 +18,4 @@ <181>Mar 15 11:20:00 host005 CISE_Passed_Authentications 2000100011 1 0 2022-03-15 11:20:00.100 +00:00 2000200011 5238 NOTICE Passed-Authentication: Endpoint authentication problem was fixed, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50011, DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=38, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777787, RequestLatency=27, Step=11001, Step=11017, Step=5238, <181>Mar 15 11:21:00 host005 CISE_Passed_Authentications 2000100012 1 0 2022-03-15 11:21:00.200 +00:00 2000200012 5240 NOTICE Passed-Authentication: Previously rejected endpoint was released to continue authentications, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50012, DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=39, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777788, RequestLatency=11, Step=11001, Step=11017, Step=5240, <181>Mar 15 11:22:00 host005 CISE_Passed_Authentications 2000100013 1 0 2022-03-15 11:22:00.300 +00:00 2000200013 5241 NOTICE Passed-Authentication: RADIUS DTLS handshake succeeded, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50013, DestinationIPAddress=198.51.100.43, DestinationPort=2083, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=40, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-03, NAS-Port-Type=Wireless - IEEE 802.11, DTLSSupport=Yes, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, 
AcsSessionID=host005/555555555/7777789, RequestLatency=65, Step=11001, Step=11017, Step=5241, +<181>Jun 10 08:58:34 cisco-ise-host CISE_Passed_Authentications 0138892462 1 0 2026-06-10 08:58:34.421 +02:00 0138892461 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=469, Device IP Address=10.10.1.20, DestinationIPAddress=10.40.10.1, DestinationPort=1912, UserName=DD-EE-EE-DD-00-11, Protocol=Radius, NetworkDeviceName=loki-02, User-Name=ddeeeedd0011, NAS-IP-Address=10.30.1.1, NAS-Port=90119, Service-Type=Call Check, Framed-IP-Address=172.32.200.200, Framed-MTU=1464, Called-Station-ID=AA-AA-AA-BB-BB-BB, Calling-Station-ID=BB-BB-BB-AA-AA-AA, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/18, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A02500A0001732398ABCBED, cisco-av-pair=method=mab, cisco-av-pair=client-iif-id=341543999, cisco-av-pair=dc-profile-name=Cisco-Device, cisco-av-pair=dc-device-name=CISCO SYSTEMS, INC, cisco-av-pair=dc-device-class-tag=Cisco-Device, cisco-av-pair=dc-certainty-metric=10, cisco-av-pair=89:43:2d:33:99:36:24:dd:54:3d:03:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1, OriginalUserName=ddeeeedd0011, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=403ea8fc-9933-41c3-b00d-27964031a08d, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=DB-99-33-22-AD-52, AcsSessionID=ise05/569692712/4448349, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Wired MAB, SelectedAuthorizationProfiles=Permit-ReAuth, UseCase=Host Lookup, RequestLatency=7, IdentityGroup=Endpoint Identity Groups:COMMERTRUST, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=15036, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, 
NetworkDeviceGroups=Device Type#All Device Types#DEV_CAMPUS_SWITCH, NetworkDeviceGroups=Deployment stage#Deployment stage#802.1x-Closed-Mode, NetworkDeviceGroups=Location#All Locations, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Commercia, cisco-av-pair=AuthenticationIdentityStore=Internal Endpoints, UserType=Host, CPMSessionID=0A02500DDDDDDDDDFFFF6B3C, EndPointMACAddress=BB-CC-DD-EE-FF-02, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Cisco-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired Campus MAB Closed, IdentitySelectionMatchedRule=Default, StepLatency=1=0;2=0;3=2;4=0;5=0;6=1;7=0;8=0;9=1;10=0;11=0;12=1;13=0;14=1;15=1, StepData=5= DEVICE.Device Type, StepData=6= DEVICE.Deployment stage, StepData=8=Internal Endpoints, StepData=13= EndPoints.EndPointPolicy, TotalAuthenLatency=7, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:COMMERTRUST, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types#DEV_CAMPUS_SWITCH, Deployment stage=Deployment stage#Deployment stage#802.1x-Closed-Mode, EndPointPolicy=17052800-ffff-11e6-dddd-005056bf500a, Name=Endpoint Identity Groups:COMMERTRUST, Response={UserName=dd:ee:ee:dd:00:11; User-Name=DD-EE-EE-DD-00-11; Class=CACS:0A02500A00017593DEDEDB3C:ise05/569698899/4349324; Session-Timeout=28800; Termination-Action=RADIUS-Request; cisco-av-pair=profile-name=Cisco-Device; LicenseTypes=1; }, diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json index 10908297429..3e30387d5c0 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json 
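Review bot: `Framed-IP-Address=172.32.200.200` in the added sample line is a publicly routable address (RFC 1918 private space ends at 172.31.255.255), so the fixture points at real address space rather than a private or documentation range; change it to something like `Framed-IP-Address=172.31.200.200` and update the `event.original` and `message` copies in the expected JSON to match. The same line also carries identifiers that look production-derived (`ise05`, `loki-02`, the `audit-session-id`, `Class` and `CPMSessionID` values); worth confirming they are synthetic before this lands in a public test corpus. The other samples in this file already stay inside 192.0.2.0/24 and 198.51.100.0/24, so the new line is the outlier.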
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json 
@@ -2652,6 +2652,272 @@ "user13" ] } + }, + { + "@timestamp": "2026-06-10T08:58:34.421+02:00", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "ise05/569692712/4448349" + } + }, + "allow": { + "easy": { + "wired": { + "session": "false" + } + } + }, + "auth": { + "policy": { + "matched": { + "rule": "Commercia" + } + } + }, + "authentication": { + "identity_store": "Internal Endpoints", + "method": "Lookup", + "status": "AuthenticationPassed" + }, + "calling_station": { + "id": "BB-BB-BB-AA-AA-AA" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "cisco_av_pair": { + "AuthenticationIdentityStore": "Internal Endpoints", + "audit-session-id": "0A02500A0001732398ABCBED", + "client-iif-id": "341543999", + "dc-certainty-metric": "10", + "dc-device-class-tag": "Cisco-Device", + "dc-device-name": "CISCO SYSTEMS, INC", + "dc-profile-name": "Cisco-Device", + "dc-protocol-map": "1", + "method": "mab", + "service-type": "Call Check" + }, + "client": { + "latency": 0 + }, + "config_version": { + "id": 469 + }, + "cpm": { + "session": { + "id": "0A02500DDDDDDDDDFFFF6B3C" + } + }, + "device": { + "type": "Device Type#All Device Types#DEV_CAMPUS_SWITCH" + }, + "dtls_support": "Unknown", + "endpoint": { + "mac": { + "address": "BB-CC-DD-EE-FF-02" + } + }, + "identity": { + "group": "Endpoint Identity Groups:COMMERTRUST", + "policy": { + "matched": { + "rule": "Default" + } + }, + "selection": { + "matched": { + "rule": "Default" + } + } + }, + "is_third_party_device_flow": false, + "ise": { + "policy": { + "set_name": "Wired Campus MAB Closed" + } + }, + "location": "Location#All Locations", + "log_details": { + "Called-Station-ID": "AA-AA-AA-BB-BB-BB", + "Deployment stage": "Deployment stage#Deployment stage#802.1x-Closed-Mode", + "DeviceRegistrationStatus": "notRegistered", + "EndPointMatchedProfile": "Cisco-Device", + "EndPointPolicy": "17052800-ffff-11e6-dddd-005056bf500a", + "Framed-IP-Address": "172.32.200.200", + "Framed-MTU": "1464", + 
"HostIdentityGroup": "Endpoint Identity Groups:COMMERTRUST", + "Name": "Endpoint Identity Groups:COMMERTRUST", + "SSID": "DB-99-33-22-AD-52", + "StepLatency": "1=0;2=0;3=2;4=0;5=0;6=1;7=0;8=0;9=1;10=0;11=0;12=1;13=0;14=1;15=1" + }, + "message": { + "code": "5200", + "description": "Passed-Authentication: Authentication succeeded", + "id": "0138892462" + }, + "nas": { + "ip": "10.30.1.1", + "port": { + "id": "GigabitEthernet1/0/18", + "number": 90119, + "type": "Ethernet" + } + }, + "network": { + "device": { + "groups": [ + "Device Type#All Device Types#DEV_CAMPUS_SWITCH", + "Deployment stage#Deployment stage#802.1x-Closed-Mode", + "Location#All Locations" + ], + "name": "loki-02", + "profile": "Cisco", + "profile_id": "403ea8fc-9933-41c3-b00d-27964031a08d", + "profile_name": "Cisco" + } + }, + "posture": { + "assessment": { + "status": "NotApplicable" + } + }, + "radius": { + "flow": { + "type": "WiredMAB" + } + }, + "request": { + "latency": 7 + }, + "response": { + "Class": "CACS:0A02500A00017593DEDEDB3C:ise05/569698899/4349324", + "LicenseTypes": "1", + "Session-Timeout": "28800", + "Termination-Action": "RADIUS-Request", + "User-Name": "DD-EE-EE-DD-00-11", + "UserName": "dd:ee:ee:dd:00:11", + "cisco-av-pair": "profile-name=Cisco-Device" + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Wired MAB" + }, + "authentication": { + "identity_stores": "Internal Endpoints" + }, + "authorization": { + "profiles": "Permit-ReAuth" + } + }, + "service": { + "type": "Call Check" + }, + "step": [ + "11001", + "11017", + "11027", + "15049", + "15008", + "15048", + "15048", + "15041", + "15013", + "24209", + "24211", + "22037", + "15036", + "15048", + "15016", + "11002" + ], + "step_data": [ + "5= DEVICE.Device Type", + "6= DEVICE.Deployment stage", + "8=Internal Endpoints", + "13= EndPoints.EndPointPolicy" + ], + "total": { + "authen": { + "latency": 7 + } + }, + "usecase": "Host Lookup", + "user": { + "type": "Host" + } + } + }, 
+ "client": { + "ip": "10.10.1.20", + "mac": "BB-CC-DD-EE-FF-02" + }, + "destination": { + "ip": "10.40.10.1", + "port": 1912 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "authentication" + ], + "code": "5200", + "kind": "event", + "original": "<181>Jun 10 08:58:34 cisco-ise-host CISE_Passed_Authentications 0138892462 1 0 2026-06-10 08:58:34.421 +02:00 0138892461 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=469, Device IP Address=10.10.1.20, DestinationIPAddress=10.40.10.1, DestinationPort=1912, UserName=DD-EE-EE-DD-00-11, Protocol=Radius, NetworkDeviceName=loki-02, User-Name=ddeeeedd0011, NAS-IP-Address=10.30.1.1, NAS-Port=90119, Service-Type=Call Check, Framed-IP-Address=172.32.200.200, Framed-MTU=1464, Called-Station-ID=AA-AA-AA-BB-BB-BB, Calling-Station-ID=BB-BB-BB-AA-AA-AA, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/18, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A02500A0001732398ABCBED, cisco-av-pair=method=mab, cisco-av-pair=client-iif-id=341543999, cisco-av-pair=dc-profile-name=Cisco-Device, cisco-av-pair=dc-device-name=CISCO SYSTEMS, INC, cisco-av-pair=dc-device-class-tag=Cisco-Device, cisco-av-pair=dc-certainty-metric=10, cisco-av-pair=89:43:2d:33:99:36:24:dd:54:3d:03:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1, OriginalUserName=ddeeeedd0011, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=403ea8fc-9933-41c3-b00d-27964031a08d, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=DB-99-33-22-AD-52, AcsSessionID=ise05/569692712/4448349, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Wired MAB, SelectedAuthorizationProfiles=Permit-ReAuth, UseCase=Host Lookup, RequestLatency=7, IdentityGroup=Endpoint Identity Groups:COMMERTRUST, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, 
Step=15013, Step=24209, Step=24211, Step=22037, Step=15036, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Device Type#All Device Types#DEV_CAMPUS_SWITCH, NetworkDeviceGroups=Deployment stage#Deployment stage#802.1x-Closed-Mode, NetworkDeviceGroups=Location#All Locations, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Commercia, cisco-av-pair=AuthenticationIdentityStore=Internal Endpoints, UserType=Host, CPMSessionID=0A02500DDDDDDDDDFFFF6B3C, EndPointMACAddress=BB-CC-DD-EE-FF-02, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Cisco-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired Campus MAB Closed, IdentitySelectionMatchedRule=Default, StepLatency=1=0;2=0;3=2;4=0;5=0;6=1;7=0;8=0;9=1;10=0;11=0;12=1;13=0;14=1;15=1, StepData=5= DEVICE.Device Type, StepData=6= DEVICE.Deployment stage, StepData=8=Internal Endpoints, StepData=13= EndPoints.EndPointPolicy, TotalAuthenLatency=7, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:COMMERTRUST, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types#DEV_CAMPUS_SWITCH, Deployment stage=Deployment stage#Deployment stage#802.1x-Closed-Mode, EndPointPolicy=17052800-ffff-11e6-dddd-005056bf500a, Name=Endpoint Identity Groups:COMMERTRUST, Response={UserName=dd:ee:ee:dd:00:11; User-Name=DD-EE-EE-DD-00-11; Class=CACS:0A02500A00017593DEDEDB3C:ise05/569698899/4349324; Session-Timeout=28800; Termination-Action=RADIUS-Request; cisco-av-pair=profile-name=Cisco-Device; LicenseTypes=1; },", + "outcome": "success", + "sequence": 138892461, + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2026-06-10 
08:58:34.421 +02:00 0138892461 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=469, Device IP Address=10.10.1.20, DestinationIPAddress=10.40.10.1, DestinationPort=1912, UserName=DD-EE-EE-DD-00-11, Protocol=Radius, NetworkDeviceName=loki-02, User-Name=ddeeeedd0011, NAS-IP-Address=10.30.1.1, NAS-Port=90119, Service-Type=Call Check, Framed-IP-Address=172.32.200.200, Framed-MTU=1464, Called-Station-ID=AA-AA-AA-BB-BB-BB, Calling-Station-ID=BB-BB-BB-AA-AA-AA, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/18, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A02500A0001732398ABCBED, cisco-av-pair=method=mab, cisco-av-pair=client-iif-id=341543999, cisco-av-pair=dc-profile-name=Cisco-Device, cisco-av-pair=dc-device-name=CISCO SYSTEMS, INC, cisco-av-pair=dc-device-class-tag=Cisco-Device, cisco-av-pair=dc-certainty-metric=10, cisco-av-pair=89:43:2d:33:99:36:24:dd:54:3d:03:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1, OriginalUserName=ddeeeedd0011, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=403ea8fc-9933-41c3-b00d-27964031a08d, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=DB-99-33-22-AD-52, AcsSessionID=ise05/569692712/4448349, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Wired MAB, SelectedAuthorizationProfiles=Permit-ReAuth, UseCase=Host Lookup, RequestLatency=7, IdentityGroup=Endpoint Identity Groups:COMMERTRUST, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=15036, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Device Type#All Device Types#DEV_CAMPUS_SWITCH, NetworkDeviceGroups=Deployment stage#Deployment stage#802.1x-Closed-Mode, NetworkDeviceGroups=Location#All Locations, 
IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Commercia, cisco-av-pair=AuthenticationIdentityStore=Internal Endpoints, UserType=Host, CPMSessionID=0A02500DDDDDDDDDFFFF6B3C, EndPointMACAddress=BB-CC-DD-EE-FF-02, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Cisco-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired Campus MAB Closed, IdentitySelectionMatchedRule=Default, StepLatency=1=0;2=0;3=2;4=0;5=0;6=1;7=0;8=0;9=1;10=0;11=0;12=1;13=0;14=1;15=1, StepData=5= DEVICE.Device Type, StepData=6= DEVICE.Deployment stage, StepData=8=Internal Endpoints, StepData=13= EndPoints.EndPointPolicy, TotalAuthenLatency=7, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:COMMERTRUST, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types#DEV_CAMPUS_SWITCH, Deployment stage=Deployment stage#Deployment stage#802.1x-Closed-Mode, EndPointPolicy=17052800-ffff-11e6-dddd-005056bf500a, Name=Endpoint Identity Groups:COMMERTRUST, Response={UserName=dd:ee:ee:dd:00:11; User-Name=DD-EE-EE-DD-00-11; Class=CACS:0A02500A00017593DEDEDB3C:ise05/569698899/4349324; Session-Timeout=28800; Termination-Action=RADIUS-Request; cisco-av-pair=profile-name=Cisco-Device; LicenseTypes=1; },", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "10.30.1.1", + "10.40.10.1", + "10.10.1.20" + ], + "user": [ + "DD-EE-EE-DD-00-11", + "ddeeeedd0011" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "DD-EE-EE-DD-00-11", + "ddeeeedd0011" + ] + } } ] } diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml index 4ea41d731c5..0fa80bdcf5d 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml 
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml
@@ -64,7 +64,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - date:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
index 4ac1b782703..3157227eb1a 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
@@ -34,7 +34,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_daf63ad7
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 - kv:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_08f93f23
@@ -85,7 +85,7 @@ processors:
 - kv:
 tag: kv_cisco_ise_log_log_details_raw_33ef295f
 field: cisco_ise.log.log_details_raw
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 - remove:
 tag: remove_cisco_ise_log_log_details_log_detail_937798e9
@@ -130,7 +130,7 @@ processors:
 if: '!["60067", "61025", "61026", "52001", "52002"].contains(ctx.cisco_ise.log.message.code)'
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 trim_key: " "
 ignore_failure: true
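Review bot: The new `field_split` in the `kv` at tag `…dd59a8ac` decides purely from what follows the comma, so a value whose own text contains `, ` followed by an `=`-bearing token is still cut into a bogus pair, and the regex ignores the backslash ISE places before a comma inside message text (`password\, or account is disabled/locked` in the administrative-audit fixture) while av-pair values such as `dc-device-name=CISCO SYSTEMS, INC` arrive unescaped — so neither guard alone covers both shapes seen in the fixtures. Consider combining them, `field_split: '(?<!\\), (?=[^,=]+=)'`, and documenting the heuristic once above the processor, e.g. `# Split on ', ' only when it is not backslash-escaped and is followed by a 'key=' token; commas inside values are kept.` Since the same literal is now copied into 16 pipelines, a one-line comment at each site naming the rule will save the next maintainer from "fixing" it back to `', '`. The enclosing `kv` processor begins before the hunk.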
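Review bot: With the `kv` at tag `…daf63ad7` (hunk `@@ -34,7`) now keeping the whole value, the stored text still carries ISE's escape character — the updated fixture asserts `operation_message.text` as `password\, or account is disabled/locked`, backslash included — so consumers searching or alerting on the message see a string that differs from what ISE displays. If the unescaped form is wanted, strip `\,` after the split (not before, or the split would see a bare comma again); a small Painless step placed right after this `kv` would do it, and the fixture would then be updated to drop the backslash. The `ignore_failure: true` the sibling pipelines set on this processor is also absent here, which looks pre-existing but is worth aligning while touching the line. The enclosing `kv` processor begins before the hunk.
```yaml
      value_split: =
  # … unchanged: following kv/remove processors …
  - script:
      tag: unescape_commas_in_log_details
      description: ISE writes a comma inside a value as '\,'; drop the escape now that the split keeps the full value.
      if: ctx.cisco_ise?.log?.log_details instanceof Map
      lang: painless
      source: |
        for (def e : ctx.cisco_ise.log.log_details.entrySet()) {
          if (e.getValue() instanceof String && e.getValue().contains("\\,")) {
            e.setValue(e.getValue().replace("\\,", ","));
          }
        }
```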
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml
index 0353cdc2b49..24ff5dc70a8 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml
@@ -58,7 +58,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - dissect:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml
index f2f2f00aa36..31e594076ed 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml
@@ -249,7 +249,7 @@ processors:
 - kv:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 target_field: cisco_ise.log.log_details
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml
index 58c556af479..e9f74b2219b 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml
@@ -61,7 +61,7 @@ processors:
 - kv:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 target_field: cisco_ise.log.log_details
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml
index 44fab757b83..53905beaffd 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml
@@ -111,7 +111,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - dissect:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml
index a226513ab58..50464b91714 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml
@@ -81,7 +81,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - convert:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml
index 73e44e83767..eac6a8f2f67 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml
@@ -62,7 +62,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - script:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml
index d5e632530e5..d8bcd978cb8 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml
@@ -191,7 +191,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - dissect:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml
index 9c794989beb..8994472a3d8 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml
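Review bot: For the new passed-authentication fixture, the split in the `kv` at tag `…dd59a8ac` (hunk `@@ -191,7`) correctly isolates `cisco-av-pair=89:43:2d:33:99:36:24:dd:54:3d:03:00:…` as a pair, but that value appears nowhere in the expected document — `cisco_ise.log.cisco_av_pair` lists ten entries and none is this one, and it is not in `log_details` either — so it is presumably discarded by a later processor that expects every av-pair to contain `name=value`; that processor is outside the hunk, so I can't confirm. For an authentication audit source, silently dropping an attribute the NAD sent is the wrong default: keep unlabelled av-pairs under a fallback such as `cisco_ise.log.cisco_av_pair.raw` (an array, since `cisco-av-pair` repeats), and add a fixture assertion so the behaviour is pinned. A one-line comment next to the `field_split`, `# lookahead keeps ', ' inside values (e.g. 'CISCO SYSTEMS, INC'); pairs are split only before the next 'key='`, would also help. The enclosing `kv` processor begins before the hunk.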
@@ -62,7 +62,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - grok:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml
index 76fea15190c..1b76317251c 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml
@@ -62,7 +62,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - script:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml
index 63680f7687a..062ab74c704 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml
@@ -64,7 +64,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - grok:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml
index ac7c5911355..e290fb4216a 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml
@@ -124,7 +124,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - dissect:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml
index b6ef79fceae..560708a53cb 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml
@@ -43,7 +43,7 @@ processors:
 if: ctx.cisco_ise?.log?.message?.code != "70001"
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - kv:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml
index 47bff952a61..d8b0fd68249 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml
@@ -62,7 +62,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - foreach:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml
index c49b4e27cae..d9d37c76208 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml
@@ -98,7 +98,7 @@ processors:
 tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
 field: cisco_ise.log.log_details_raw
 target_field: cisco_ise.log.log_details
- field_split: ', '
+ field_split: ', (?=[^,=]+=)'
 value_split: =
 ignore_failure: true
 - rename:
diff --git a/packages/cisco_ise/data_stream/log/fields/fields.yml b/packages/cisco_ise/data_stream/log/fields/fields.yml
index 482191b0107..0b6e65244e8 100644
--- a/packages/cisco_ise/data_stream/log/fields/fields.yml
+++ b/packages/cisco_ise/data_stream/log/fields/fields.yml
@@ -231,6 +231,8 @@
 type: keyword
 - name: audit-session-id
 type: keyword
+ - name: client-iif-id
+ type: keyword
 - name: coa-push
 type: boolean
 - name: cts-device-capability
@@ -241,6 +243,16 @@
 type: keyword
 - name: cts-pac-opaque
 type: keyword
+ - name: dc-certainty-metric
+ type: keyword
+ - name: dc-device-class-tag
+ type: keyword
+ - name: dc-device-name
+ type: keyword
+ - name: dc-profile-name
+ type: keyword
+ - name: dc-protocol-map
+ type: keyword
 - name: device-uid-global
 type: keyword
 - name: FQSubjectName
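Review bot: In the `pipeline_tacacs_accounting.yml` and `pipeline_threat_centric_nac.yml` hunks the relaxed `field_split` means more of each value now survives into `cisco_ise.log.log_details`, including any `, Key=value` text that a client or device can place in attributes it controls (a TACACS+ command argument, a user name, a device name), and the kv processor has no way to tell an injected `, Step=…` from a genuine pair. That was equally true of the old `', '` split, so it is not a regression, but the `rename`/`foreach` steps that follow and promote `log_details` keys to ECS fields are where a spoofed key would land, and they should not assume a key occurs once. Whether the kv processor collects a repeated key into an array or keeps a single copy should be confirmed against the Elasticsearch version in use rather than assumed, and a repeated key after splitting is worth treating as a signal. A one-line comment above the processor, `# NOTE: values are device/user controlled; a key repeated after splitting may indicate injected ', Key=' text`, would make that contract visible to whoever maintains the downstream steps. The `- kv:` line opening each processor is above the hunk.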
@@ -266,6 +278,10 @@
 type: keyword
 - name: device-uid-global
 type: keyword
+ - name: method
+ type: keyword
+ - name: service-type
+ type: keyword
 - name: class
 type: keyword
 - name: client
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index 58f339fe5a0..9417392e1b0 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ise
 title: Cisco ISE
-version: "1.32.6"
+version: "1.32.7"
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
 categories:
From d926695d605c527e1369e617b8c2cfed378c19f0 Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Tue, 16 Jun 2026 15:58:10 -0700
Subject: [PATCH 2/3] Update changelog
---
 packages/cisco_ise/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index 66987b66e11..f3cd1d97311 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Correctly parse key-value pairs where the value contains commas.
 type: bugfix
- link: https://github.com/elastic/integrations/pull/999999
+ link: https://github.com/elastic/integrations/pull/19562
 - version: "1.32.6"
 changes:
 - description: Add missing event.category, event.type, and event.outcome for existing and new message codes to CISE_Passed_Authentications and CISE_Failed_Attempts pipelines.
From 28042f53f340a923fba23cfb400e7cd46c3b7df5 Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Tue, 16 Jun 2026 16:31:35 -0700
Subject: [PATCH 3/3] Update readme
---
 packages/cisco_ise/docs/README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md
index 3dc25d0d366..43f0a0cfda5 100644
--- a/packages/cisco_ise/docs/README.md
+++ b/packages/cisco_ise/docs/README.md
@@ -424,11 +424,17 @@ The following table lists the exported fields for this data stream:
 | cisco_ise.log.cisco_av_pair.AuthenticationIdentityStore | | keyword |
 | cisco_ise.log.cisco_av_pair.FQSubjectName | | keyword |
 | cisco_ise.log.cisco_av_pair.audit-session-id | | keyword |
+| cisco_ise.log.cisco_av_pair.client-iif-id | | keyword |
 | cisco_ise.log.cisco_av_pair.coa-push | | boolean |
 | cisco_ise.log.cisco_av_pair.cts-device-capability | | keyword |
 | cisco_ise.log.cisco_av_pair.cts-environment-data | | keyword |
 | cisco_ise.log.cisco_av_pair.cts-environment-version | | keyword |
 | cisco_ise.log.cisco_av_pair.cts-pac-opaque | | keyword |
+| cisco_ise.log.cisco_av_pair.dc-certainty-metric | | keyword |
+| cisco_ise.log.cisco_av_pair.dc-device-class-tag | | keyword |
+| cisco_ise.log.cisco_av_pair.dc-device-name | | keyword |
+| cisco_ise.log.cisco_av_pair.dc-profile-name | | keyword |
+| cisco_ise.log.cisco_av_pair.dc-protocol-map | | keyword |
 | cisco_ise.log.cisco_av_pair.device-uid-global | | keyword |
 | cisco_ise.log.cisco_av_pair.mdm-tlv.ac-user-agent | | keyword |
 | cisco_ise.log.cisco_av_pair.mdm-tlv.computer-name | | keyword |
@@ -439,6 +445,8 @@ The following table lists the exported fields for this data stream:
 | cisco_ise.log.cisco_av_pair.mdm-tlv.device-type | | keyword |
 | cisco_ise.log.cisco_av_pair.mdm-tlv.device-uid | | keyword |
 | cisco_ise.log.cisco_av_pair.mdm-tlv.device-uid-global | | keyword |
+| cisco_ise.log.cisco_av_pair.method | | keyword |
+| cisco_ise.log.cisco_av_pair.service-type | | keyword |
 | cisco_ise.log.class | | keyword |
 | cisco_ise.log.client.latency | | long |
 | cisco_ise.log.cmdset | | keyword |