[Cisco ISE] Improve ECS mappings #10538

Open
jamiehynds opened this issue Jul 19, 2024 · 3 comments · May be fixed by #11280
Labels: enhancement (New feature or request), Integration:cisco_ise (Cisco ISE), Team:Security-Deployment and Devices (Deployment and Devices Security team [elastic/sec-deployment-and-devices])

Comments

@jamiehynds

Some of the fields in our Cisco ISE integration are not compliant with ECS and can be improved upon. Below are the fields which require improvements, based on customer request:

event.category: authentication and event.outcome: success needs to be set for events where cisco_ise.log.category.name: CISE_Passed_Authentications (currently this is missing)
event.category: authentication and event.outcome: failure is missing for events where event.code is [5404, 5434, 5413]
event.kind: event is not being set for any events
Rename cisco_ise.log.endpoint.mac.address to client.mac

Can request sample data if required.

@jamiehynds jamiehynds added the Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] label Jul 19, 2024
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@jamiehynds jamiehynds added Integration:cisco_ise Cisco ISE enhancement New feature or request labels Jul 19, 2024
@aleksmaus aleksmaus self-assigned this Sep 30, 2024
@aleksmaus
Member

I checked the latest pipeline tests for

  "category": {
      "name": "CISE_Passed_Authentications"
  },

the event.category is already set to authentication

adding event.outcome: success under the same conditions as the event.category

      if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5231','5233','5239'].contains(ctx.cisco_ise.log.message.code)

adding event.outcome: failure for events where event.code is [5404, 5434, 5413]

event.kind is already set

Adding:

  • Set cisco_ise.log.endpoint.mac.address to client.mac
  • Set cisco_ise.log.ep.mac.address to client.mac

Will have PR shortly.
Let me know if anything is missing.

@aleksmaus aleksmaus linked a pull request Sep 30, 2024 that will close this issue
@aleksmaus
Member

It would be helpful if you have some example logs for event.code is [5404, 5434,5413]. Didn't see anything in the existing logs, so I just added the lines with this code, but some sample data might be better to have.
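For readers following the thread, here is what the requested ECS changes look like as Elasticsearch ingest pipeline processors. This is an added illustration, not the integration's own pipeline or the linked PR; the field names and the code lists come from the issue, while the processor layout, the `copy_from` approach (keeping the original field instead of renaming it) and the MAC normalisation to ECS format are assumptions.

```yaml
# Added illustration (not the cisco_ise integration's pipeline).
# Assumes cisco_ise.log.message.code is already parsed as a string,
# as the existing condition quoted in the thread compares it to strings.
processors:
  # event.kind is a constant for every line this pipeline emits.
  - set:
      field: event.kind
      value: event
  # Passed authentications: same condition as the existing event.category rule.
  - set:
      field: event.outcome
      value: success
      if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5231','5233','5239'].contains(ctx.cisco_ise.log.message.code)
  # Failed authentications named in the issue: category plus outcome.
  - append:
      field: event.category
      value: authentication
      allow_duplicates: false
      if: ctx.cisco_ise?.log?.message?.code != null && ['5404','5434','5413'].contains(ctx.cisco_ise.log.message.code)
  - set:
      field: event.outcome
      value: failure
      if: ctx.cisco_ise?.log?.message?.code != null && ['5404','5434','5413'].contains(ctx.cisco_ise.log.message.code)
  # Populate ECS client.mac from whichever ISE field carries the endpoint MAC.
  # copy_from keeps the original field; ignore_empty_value skips missing ones.
  - set:
      field: client.mac
      copy_from: cisco_ise.log.endpoint.mac.address
      ignore_empty_value: true
  - set:
      field: client.mac
      copy_from: cisco_ise.log.ep.mac.address
      ignore_empty_value: true
      if: ctx.client?.mac == null
  # ECS expects MACs as uppercase, hyphen-separated octets (00-00-5E-00-53-23);
  # ISE commonly logs colon-separated values, so normalise before indexing.
  - gsub:
      field: client.mac
      pattern: ':'
      replacement: '-'
      ignore_missing: true
  - uppercase:
      field: client.mac
      ignore_missing: true
```

The event.category append uses the failure codes only because the thread states that the passed-authentication codes already receive event.category: authentication; if that rule is ever removed, the success codes need to be added to the same list.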
