elastic · mjwolf · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 18, 2026
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.32.7"
+  changes:
+    - description: Correctly parse key-value pairs where the value contains commas.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/19562
 - version: "1.32.6"
   changes:
     - description: Add missing event.category, event.type, and event.outcome for existing and new message codes to CISE_Passed_Authentications and CISE_Failed_Attempts pipelines.

@@ -100,7 +100,7 @@
                         "id": "0000019355"
                     },
                     "operation_message": {
-                        "text": "Authentication failed due to invalid user or password\\"
+                        "text": "Authentication failed due to invalid user or password\\, or account is disabled/locked"
                     },
                     "segment": {
                         "number": 0,

@@ -18,3 +18,4 @@
 <181>Mar 15 11:20:00 host005 CISE_Passed_Authentications 2000100011 1 0 2022-03-15 11:20:00.100 +00:00 2000200011 5238 NOTICE Passed-Authentication: Endpoint authentication problem was fixed, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50011, DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=38, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777787, RequestLatency=27, Step=11001, Step=11017, Step=5238,
 <181>Mar 15 11:21:00 host005 CISE_Passed_Authentications 2000100012 1 0 2022-03-15 11:21:00.200 +00:00 2000200012 5240 NOTICE Passed-Authentication: Previously rejected endpoint was released to continue authentications, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50012, DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=39, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777788, RequestLatency=11, Step=11001, Step=11017, Step=5240,
 <181>Mar 15 11:22:00 host005 CISE_Passed_Authentications 2000100013 1 0 2022-03-15 11:22:00.300 +00:00 2000200013 5241 NOTICE Passed-Authentication: RADIUS DTLS handshake succeeded, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50013, DestinationIPAddress=198.51.100.43, DestinationPort=2083, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=40, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-03, NAS-Port-Type=Wireless - IEEE 802.11, DTLSSupport=Yes, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777789, RequestLatency=65, Step=11001, Step=11017, Step=5241,
+<181>Jun 10 08:58:34 cisco-ise-host CISE_Passed_Authentications 0138892462 1 0 2026-06-10 08:58:34.421 +02:00 0138892461 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=469, Device IP Address=10.10.1.20, DestinationIPAddress=10.40.10.1, DestinationPort=1912, UserName=DD-EE-EE-DD-00-11, Protocol=Radius, NetworkDeviceName=loki-02, User-Name=ddeeeedd0011, NAS-IP-Address=10.30.1.1, NAS-Port=90119, Service-Type=Call Check, Framed-IP-Address=172.32.200.200, Framed-MTU=1464, Called-Station-ID=AA-AA-AA-BB-BB-BB, Calling-Station-ID=BB-BB-BB-AA-AA-AA, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/18, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A02500A0001732398ABCBED, cisco-av-pair=method=mab, cisco-av-pair=client-iif-id=341543999, cisco-av-pair=dc-profile-name=Cisco-Device, cisco-av-pair=dc-device-name=CISCO SYSTEMS, INC, cisco-av-pair=dc-device-class-tag=Cisco-Device, cisco-av-pair=dc-certainty-metric=10, cisco-av-pair=89:43:2d:33:99:36:24:dd:54:3d:03:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1, OriginalUserName=ddeeeedd0011, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=403ea8fc-9933-41c3-b00d-27964031a08d, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=DB-99-33-22-AD-52, AcsSessionID=ise05/569692712/4448349, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Wired MAB, SelectedAuthorizationProfiles=Permit-ReAuth, UseCase=Host Lookup, RequestLatency=7, IdentityGroup=Endpoint Identity Groups:COMMERTRUST, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=15036, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Device Type#All Device Types#DEV_CAMPUS_SWITCH, NetworkDeviceGroups=Deployment stage#Deployment stage#802.1x-Closed-Mode, NetworkDeviceGroups=Location#All Locations, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Commercia, cisco-av-pair=AuthenticationIdentityStore=Internal Endpoints, UserType=Host, CPMSessionID=0A02500DDDDDDDDDFFFF6B3C, EndPointMACAddress=BB-CC-DD-EE-FF-02, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Cisco-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired Campus MAB Closed, IdentitySelectionMatchedRule=Default, StepLatency=1=0;2=0;3=2;4=0;5=0;6=1;7=0;8=0;9=1;10=0;11=0;12=1;13=0;14=1;15=1, StepData=5= DEVICE.Device Type, StepData=6= DEVICE.Deployment stage, StepData=8=Internal Endpoints, StepData=13= EndPoints.EndPointPolicy, TotalAuthenLatency=7, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:COMMERTRUST, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types#DEV_CAMPUS_SWITCH, Deployment stage=Deployment stage#Deployment stage#802.1x-Closed-Mode, EndPointPolicy=17052800-ffff-11e6-dddd-005056bf500a, Name=Endpoint Identity Groups:COMMERTRUST, Response={UserName=dd:ee:ee:dd:00:11; User-Name=DD-EE-EE-DD-00-11; Class=CACS:0A02500A00017593DEDEDB3C:ise05/569698899/4349324; Session-Timeout=28800; Termination-Action=RADIUS-Request; cisco-av-pair=profile-name=Cisco-Device; LicenseTypes=1; },
@@ -64,7 +64,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - date:

@@ -34,7 +34,7 @@ processors:
             tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_daf63ad7
             field: cisco_ise.log.log_details_raw
             target_field: cisco_ise.log.log_details
-            field_split: ', '
+            field_split: ', (?=[^,=]+=)'
             value_split: =
   - kv:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_08f93f23
@@ -85,7 +85,7 @@ processors:
         - kv:
             tag: kv_cisco_ise_log_log_details_raw_33ef295f
             field: cisco_ise.log.log_details_raw
-            field_split: ', '
+            field_split: ', (?=[^,=]+=)'
             value_split: =
   - remove:
       tag: remove_cisco_ise_log_log_details_log_detail_937798e9
@@ -130,7 +130,7 @@ processors:
       if: '!["60067", "61025", "61026", "52001", "52002"].contains(ctx.cisco_ise.log.message.code)'
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       trim_key: " "
       ignore_failure: true

@@ -58,7 +58,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - dissect:

@@ -249,7 +249,7 @@ processors:
   - kv:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
       target_field: cisco_ise.log.log_details

@@ -61,7 +61,7 @@ processors:
   - kv:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
       target_field: cisco_ise.log.log_details

@@ -111,7 +111,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - dissect:

@@ -81,7 +81,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - convert:

@@ -62,7 +62,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - script:

@@ -191,7 +191,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - dissect:

@@ -62,7 +62,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - grok:

@@ -62,7 +62,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - script:

@@ -64,7 +64,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - grok:

@@ -124,7 +124,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - dissect:

@@ -43,7 +43,7 @@ processors:
       if: ctx.cisco_ise?.log?.message?.code != "70001"
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - kv:

@@ -62,7 +62,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - foreach:

@@ -98,7 +98,7 @@ processors:
       tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac
       field: cisco_ise.log.log_details_raw
       target_field: cisco_ise.log.log_details
-      field_split: ', '
+      field_split: ', (?=[^,=]+=)'
       value_split: =
       ignore_failure: true
   - rename:

@@ -231,6 +231,8 @@
           type: keyword
         - name: audit-session-id
           type: keyword
+        - name: client-iif-id
+          type: keyword
         - name: coa-push
           type: boolean
         - name: cts-device-capability
@@ -241,6 +243,16 @@
           type: keyword
         - name: cts-pac-opaque
           type: keyword
+        - name: dc-certainty-metric
+          type: keyword
+        - name: dc-device-class-tag
+          type: keyword
+        - name: dc-device-name
+          type: keyword
+        - name: dc-profile-name
+          type: keyword
+        - name: dc-protocol-map
+          type: keyword
         - name: device-uid-global
           type: keyword
         - name: FQSubjectName
@@ -266,6 +278,10 @@
               type: keyword
             - name: device-uid-global
               type: keyword
+        - name: method
+          type: keyword
+        - name: service-type
+          type: keyword
     - name: class
       type: keyword
     - name: client

@@ -424,11 +424,17 @@ The following table lists the exported fields for this data stream:
 | cisco_ise.log.cisco_av_pair.AuthenticationIdentityStore |  | keyword |
 | cisco_ise.log.cisco_av_pair.FQSubjectName |  | keyword |
 | cisco_ise.log.cisco_av_pair.audit-session-id |  | keyword |
+| cisco_ise.log.cisco_av_pair.client-iif-id |  | keyword |
 | cisco_ise.log.cisco_av_pair.coa-push |  | boolean |
 | cisco_ise.log.cisco_av_pair.cts-device-capability |  | keyword |
 | cisco_ise.log.cisco_av_pair.cts-environment-data |  | keyword |
 | cisco_ise.log.cisco_av_pair.cts-environment-version |  | keyword |
 | cisco_ise.log.cisco_av_pair.cts-pac-opaque |  | keyword |
+| cisco_ise.log.cisco_av_pair.dc-certainty-metric |  | keyword |
+| cisco_ise.log.cisco_av_pair.dc-device-class-tag |  | keyword |
+| cisco_ise.log.cisco_av_pair.dc-device-name |  | keyword |
+| cisco_ise.log.cisco_av_pair.dc-profile-name |  | keyword |
+| cisco_ise.log.cisco_av_pair.dc-protocol-map |  | keyword |
 | cisco_ise.log.cisco_av_pair.device-uid-global |  | keyword |
 | cisco_ise.log.cisco_av_pair.mdm-tlv.ac-user-agent |  | keyword |
 | cisco_ise.log.cisco_av_pair.mdm-tlv.computer-name |  | keyword |
@@ -439,6 +445,8 @@ The following table lists the exported fields for this data stream:
 | cisco_ise.log.cisco_av_pair.mdm-tlv.device-type |  | keyword |
 | cisco_ise.log.cisco_av_pair.mdm-tlv.device-uid |  | keyword |
 | cisco_ise.log.cisco_av_pair.mdm-tlv.device-uid-global |  | keyword |
+| cisco_ise.log.cisco_av_pair.method |  | keyword |
+| cisco_ise.log.cisco_av_pair.service-type |  | keyword |
 | cisco_ise.log.class |  | keyword |
 | cisco_ise.log.client.latency |  | long |
 | cisco_ise.log.cmdset |  | keyword |

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ise
 title: Cisco ISE
-version: "1.32.6"
+version: "1.32.7"
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
 categories: