Cisco ISE Function Not Working #11363

Open
macna opened this issue Oct 30, 2024 · 29 comments
Labels: Parser (Parser specialty review needed)

@macna

macna commented Oct 30, 2024

Describe the bug
The "CiscoISEEvent" function included with the Cisco ISE solution parses the data incorrectly, resulting in data appearing in the incorrect columns.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Sentinel or Log Analytics
  2. Attempt to perform a search using the "CiscoISEEvent" function.
  3. See error

Expected behavior
Data to be returned in the correct columns.

Screenshots
Image

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Edge
  • Version: 130.0.2849.46

Additional context
I believe this to be the same issue as #10070

@v-sudkharat
Contributor

Hi @macna, did you follow this step as well? - #10070 (comment)
If not, can you check the settings on the Cisco side? Thanks!

@macna
Author

macna commented Nov 4, 2024

Hi @v-sudkharat - we've checked the configuration in ISE and those options are enabled, as are several others. Are only certain categories supported by this parser?

v-sudkharat added the Parser (Parser specialty review needed) label Nov 6, 2024
@v-sudkharat
Contributor

@macna, can you send the logs to the mail ID below so we can check the format: v-sudkharat@microsoft.com

@v-sudkharat
Contributor

@macna, waiting for the logs to check on this issue. Thanks!

@v-sudkharat
Contributor

Hi @macna, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.

@macna
Author

macna commented Nov 18, 2024

Hi, apologies @v-sudkharat , I've forwarded you an example of the messages. Please reopen the issue.

@v-sudkharat
Contributor

@macna, no problem.
Thanks for sharing the mail.

v-sudkharat reopened this Nov 18, 2024
@v-sudkharat
Contributor

@macna, we have checked the logs you shared via mail; we found no SyslogMessage column in them, and the parser extracts its fields from SyslogMessage.

Could you please check that the configuration on the Cisco end is set up correctly? Also, please check the RAW log to ensure it is in the correct format.

@krisbogaerts

Hi, we have the same problem. It seems that for some reason, or maybe a new feature on Cisco ISE, it is sending multiple logs for one event. It happens for event IDs 5002/3001 when there are a lot of external groups. The log format has a log identifier and sequence number at the beginning of the log line, which is not compatible with the current function. I cannot share the logs, but the screenshot should give you an idea.

Image

I created a custom function parser which combines the logs when needed, and it works, but I want validation before using it in production.

First part of the custom function:

let EventData = Syslog
    | where ProcessName has_any ("CSCO", "CISE")
    | extend EventVendor = 'CISCO'
    | extend EventProduct = 'ISE'
    // new segmented layout: "<LogIdentifier> <skipped> <SequenceNumber> <skipped> <rest of the segment>"
    | parse SyslogMessage with LogIdentifier:string " " * " " SequenceNumber:int " " * " " RestOfMessage
    // order by sequence number so make_list concatenates the segments in message order, not arrival order
    | sort by LogIdentifier asc, SequenceNumber asc
    | summarize CombinedMessage = make_list(RestOfMessage), arg_max(TimeGenerated, *) by LogIdentifier
    | extend CombinedMessage = strcat_array(CombinedMessage, " ")
    // the original CiscoISEEvent header parse, now applied to the reassembled message
    | parse CombinedMessage with * " " * " " * " " EventId " " EventSeverity " " EventCategory " " RestOfMessage
Image
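The reassembly step the custom function above performs, as an added Python example that is not part of this issue or of the Sentinel parser: it groups segments by log identifier, orders them by sequence number, joins them, and only then extracts the header fields and key=value attributes, and it also shows the column shift that occurs when a segmented line is parsed as if it were the single-line layout. The segment header layout `<LogIdentifier> <TotalSegments> <SequenceNumber>` and every sample value are constructed assumptions, not Cisco's documented format.

```python
"""Reassemble segmented Cisco ISE syslog messages before extracting fields.

Added example, not code from this issue or from the Sentinel CiscoISEEvent
parser. It mirrors the custom function above: group lines by the leading log
identifier, order them by sequence number, join, then parse
"<EventId> <Severity> <Category>: <message>, key=value, ..." from the result.
The header layout "<LogIdentifier> <TotalSegments> <SequenceNumber>" and all
sample values below are constructed assumptions, not Cisco's documented format.
"""
import re

# Constructed sample: one event split over three segments (delivered out of
# order) and one event in the single-line layout that has no segment header.
SAMPLE_LINES = [
    "0000012345 3 2 ExternalGroups=CN=Group-1;CN=Group-2, "
    "SelectedAccessService=Default Network Access,",
    "0000012345 3 1 5200 NOTICE Passed-Authentication: Authentication succeeded, "
    "ConfigVersionId=42, Device IP Address=10.0.0.1, UserName=alice,",
    "0000012345 3 3 AuthorizationPolicyMatchedRule=Wired-Dot1X",
    "5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=42, "
    "Device IP Address=10.0.0.2, UserName=bob, FailureReason=22056 Subject not found",
]

# Assumed segment header: 10-digit identifier, total segment count, 1-based
# sequence number, then the segment body. Lines without it are complete events.
HEADER_RE = re.compile(r"^(\d{10}) (\d+) (\d+) (.*)$")
# "<EventId> <Severity> <Category>: <message text>, key=value, ..."
EVENT_RE = re.compile(r"^(\S+) (\S+) ([^:]+): (.*)$")


def reassemble(lines):
    """Join segmented lines into whole messages; return (messages, incomplete_ids).

    A reassembled message is emitted where its first segment appeared, so
    out-of-order delivery does not change the output order of events.
    """
    messages, groups = [], {}
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            messages.append(line)                # single-line layout: pass through
            continue
        log_id, total, seq, body = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        if log_id not in groups:
            groups[log_id] = {"total": total, "slot": len(messages), "segs": {}}
            messages.append(None)                # placeholder, filled in below
        groups[log_id]["segs"][seq] = body
    incomplete = []
    for log_id, g in groups.items():
        if len(g["segs"]) != g["total"]:
            incomplete.append(log_id)            # never parse a partial message
            continue
        ordered = [g["segs"][i] for i in sorted(g["segs"])]
        messages[g["slot"]] = " ".join(ordered)  # same join as the custom function
    return [m for m in messages if m is not None], incomplete


def parse_event(message):
    """Extract EventId/Severity/Category, the message text and key=value pairs."""
    m = EVENT_RE.match(message)
    if not m:
        return None
    parts = [p.strip() for p in m.group(4).split(", ")]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)      # values may themselves contain "="
            attrs[key] = value.rstrip(",")
    return {"EventId": m.group(1), "EventSeverity": m.group(2),
            "EventCategory": m.group(3), "EventMessage": parts[0], "Attributes": attrs}


def parse_lines(lines):
    """Reassemble, then parse; returns (events, incomplete_log_ids)."""
    messages, incomplete = reassemble(lines)
    events = [e for e in (parse_event(m) for m in messages) if e is not None]
    return events, incomplete


if __name__ == "__main__":
    # Parsing a raw segment directly shifts the columns, as in the bug report:
    # the log identifier lands in EventId and the segment count in EventSeverity.
    print(parse_event(SAMPLE_LINES[1])["EventId"], parse_event(SAMPLE_LINES[1])["EventSeverity"])
    for ev in parse_lines(SAMPLE_LINES)[0]:
        print(ev["EventId"], ev["EventCategory"], ev["Attributes"].get("UserName"))
```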

@v-sudkharat
Contributor

One of the customers was having a parsing issue, so we shared the modified parser with some changes. Is the one below working for you too?
The parser file has been added in this comment - #9746 (comment)
You can check by running it in the LAW.

@krisbogaerts

I tried this parser in the beginning, but it has the same problem. The order is wrong because of the additional log field at the beginning of the log string.

@macna
Author

macna commented Nov 20, 2024

Hi @v-sudkharat - the syslog column is present; otherwise, the function wouldn't parse any data.

I think @krisbogaerts has the right of it - the function needs to be updated to facilitate the log format now coming out of ISE appliances.

@v-sudkharat
Contributor

@macna, while checking the shared CSV file, we could not find the SyslogMessage column in it, so could you please check and share the correct logs with us, which will help us understand the issue. Thanks!

@macna
Author

macna commented Nov 21, 2024

Hi @v-sudkharat, just so I'm clear, do you want the raw data from the syslog table or the parsed data after the function has run on it?

@v-sudkharat
Contributor

@macna, the RAW logs from the Syslog table, to understand the new format; you can also share the SyslogMessage column by using the query below -

Syslog
// getschema removed: it replaces the rows with column metadata, so the where clause after it would fail
| where ProcessName has_any ("CSCO", "CISE")
| extend EventVendor = 'CISCO'
| extend EventProduct = 'ISE'
| project SyslogMessage

Thanks!

@macna
Author

macna commented Nov 25, 2024

Hi @v-sudkharat please see output below:

Image

I have emailed you the log export separately.

@v-sudkharat
Contributor

@macna, received the logs; we will check on it and get back to you. Many thanks!

@v-sudkharat
Contributor

Hi @macna,

Can you run the parser below in your workspace and let us know the result -

let EventData = Syslog
    | where ProcessName has_any  ("CSCO", "CISE")
    | extend EventVendor = 'CISCO'
    | extend EventProduct = 'ISE'
    //| parse SyslogMessage with * " " * " " * " " EventId " " EventSeverity " " EventCategory " " RestOfMessage
    | parse SyslogMessage with EventId:string " " EventSeverity:string " " EventCategory:string " " * " " * " " " " RestOfMessage:string
    | parse SyslogMessage with * ": " EventMessage"," *
    | parse-kv SyslogMessage as (ConfigVersionId:int, ['Device IP Address']:string, NetworkDeviceName:string, DestinationIPAddress:string, DestinationPort:int, UserName:string, Protocol:string, RequestLatency:int, ['NAS-IP-Address']:string, ['NAS-Port']:int, ['NAS-Port-Type']:string, ['NAS-Identifier']:string, ['Service-Type']:string, ['Framed-MTU']:int, ['Called-Station-ID']:string, ['Calling-Station-ID']:string, Action:string, ['Privilege-Level']:int, ['Remote-Address']:string, NetworkDeviceProfileId:string, AcsSessionID:string, ['Acct-Session-Id']:string, ['Authen-Type']:string, AuthenticationIdentityStore:string, AuthenticationMethod:string, Service:string, SelectedAccessService:string, SelectedShellProfile:string, IdentityGroup:string, ['Service-Argument']:string, CmdSet:string, MatchedCommandSet:string, ['Authen-Method']:string, SelectedCommandSet:string, NetworkDeviceProfileName:string, PostureStatus:string, SelectedAuthorizationProfiles:string, AuthorizationPolicyMatchedRule:string, MisconfiguredClientFixReason:string, RadiusPacketType:string, FailureReason:string, Type:string, DetailedInfo:string) with (pair_delimiter=', ', kv_delimiter='=')
    | project-rename DvcIpAddr = ['Device IP Address']
    				,DvcHostname = NetworkDeviceName
    				,DstIpAddr = DestinationIPAddress
    				,DstPortNumber = DestinationPort
    				,DstUserName = UserName
    				,NetworkProtocol = Protocol
    				,RequestLatency = RequestLatency
    				,NasIpAddress = ['NAS-IP-Address']
    				,NasPort = ['NAS-Port']
    				,NasPortType = ['NAS-Port-Type']
    				,NasIdentifier = ['NAS-Identifier']
    				,ServiceType = ['Service-Type']
    				,FramedMtu = ['Framed-MTU']
    				,CalledStationId = ['Called-Station-ID']
    				,CallingStationId = ['Calling-Station-ID']
    				,EventType = Type
    				,DvcAction = Action
    				,PrivilegeLevel = ['Privilege-Level']
    				,SrcIpAddr = ['Remote-Address']
    				,NetworkDeviceProfileId = NetworkDeviceProfileId
    				,AcsSessionId = AcsSessionID
    				,AcctSessionId = ['Acct-Session-Id']
    				,AuthenType = ['Authen-Type']
    				,AuthenticationIdentityStore = AuthenticationIdentityStore
    				,AuthenticationMethod = AuthenticationMethod
    				,SelectedAccessService = SelectedAccessService
    				,SelectedShellProfile = SelectedShellProfile
    				,IdentityGroup = IdentityGroup
    				,Service = Service
    				,ServiceArgument = ['Service-Argument']
    				,CmdSet = CmdSet
    				,MatchedCommandSet = MatchedCommandSet
    				,AuthenMethod = ['Authen-Method']
    				,SelectedCommandSet = SelectedCommandSet
    				,NetworkDeviceProfileName = NetworkDeviceProfileName
    				,PostureStatus = PostureStatus
    				,SelectedAuthorizationProfiles = SelectedAuthorizationProfiles
    				,AuthorizationPolicyMatchedRule = AuthorizationPolicyMatchedRule
    				,MisconfiguredClientFixReason = MisconfiguredClientFixReason
    				,RadiusPacketType = RadiusPacketType
    				,EventTypeDetailed = FailureReason
    				,EventResultDetails = DetailedInfo
    | parse SyslogMessage with * "device-mac=" DvcMacAddr"," *
    | parse SyslogMessage with * "device-public-mac=" DevicePublicMac"," *
    | parse SyslogMessage with * "device-platform=" DevicePlatform"," *
    | parse SyslogMessage with * "device-platform-version=" DevicePlatformVersion"," *
    | parse SyslogMessage with * "=device-type=" DeviceType"," *
    | parse SyslogMessage with * "ac-user-agent=" HttpUserAgentOriginal"," *;
    // one string literal was previously broken across two lines (entry 86010), which is not valid KQL; one pair per line
    let EventName = datatable(EventId:string, EventDescription:string)[
        "5200", "User authentication ended successfully",
        "5201", "User authentication ended successfully",
        "5202", "The requested Command Authorization passed",
        "5203", "The requested Session Authorization passed",
        "5205", "Dynamic Authorization succeeded",
        "5231", "Guest Authentication Passed",
        "5236", "Authorize-Only ended successfully",
        "5238", "",
        "5240", "Previously rejected endpoint was released to continue authentications",
        "5400", "User authentication failed. See FailureReason for more information",
        "5401", "User authentication failed. See FailureReason for more information",
        "5405", "RADIUS request dropped",
        "5406", "",
        "5407", "TACACS+ Authorization failed",
        "5411", "Supplicant did not respond to the last message that ISE sent to it",
        "5417", "Dynamic Authorization failed",
        "5434", "Endpoint conducted several failed authentications of the same scenario",
        "5436", "Ignoring this request because it is a duplicate of another packet that is currently being processed",
        "5440", "Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication",
        "5449", "Endpoint failed authentication of the same scenario several times and all further requests will be rejected for the duration of the Request Rejection Interval",
        "12508", "EAP-TLS handshake failed",
        "12514", "EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain",
        "12516", "EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain",
        "60114", "ISE server shutdown has been initiated",
        "60166", "Certificate Expiration warning",
        "60167", "Certificate has expired",
        "80002", "This message is generated when a profiler endpoint is profiled",
        "86009", "Guest user record is not found in the database",
        "86010", "Guest user authentication failed. Please check your password and account permission",
        "86011", "Guest user authentication failed. User is not enabled. Please contact your System Administrator",
        "86012", "Guest User must accept Access-Use policy before network access is granted",
        "86013", "Portal is not found in the database. Please contact your System Administrator",
        "86014", "User authentication failed. User account is suspended",
        "86015", "Invalid password change. Use correct password based on the password policy",
        "86016", "Timeout from server has exceeded the threshold. Please contact your System Administrator",
        "86017", "SessionID is missing. Please contact your System Administrator",
        "86018", "Guest Change of Authorization has failed. Please contact your System Administrator",
        "86019", "User access is restricted based on time profile. Please contact your System Administrator",
        "86020", "User authentication failed. Please contact your System Administrator"
    ];
    EventData
    | lookup EventName on EventId
    | project TimeGenerated
            , EventVendor
            , EventProduct
            , EventId
            , EventSeverity
            , EventCategory
            , EventMessage
            , EventDescription
            , ConfigVersionId
            , DvcIpAddr
            , DvcHostname
            , DstIpAddr
            , DstPortNumber
            , DstUserName
            , NetworkProtocol
            , RequestLatency
            , NasIpAddress
            , NasPort
            , NasPortType
            , NasIdentifier
            , ServiceType
            , FramedMtu
            , CalledStationId
            , CallingStationId
            , EventType
            , DvcAction
            , PrivilegeLevel
            , SrcIpAddr
            , NetworkDeviceProfileId
            , AcsSessionId
            , AuthenType
            , AuthenticationIdentityStore
            , AuthenticationMethod
            , SelectedAccessService
            , SelectedShellProfile
            , IdentityGroup
            , Service
            , ServiceArgument
            , CmdSet
            , MatchedCommandSet
            , AuthenMethod
            , SelectedCommandSet
            , NetworkDeviceProfileName
            , PostureStatus
            , SelectedAuthorizationProfiles
            , AuthorizationPolicyMatchedRule
            , DvcMacAddr
            , DevicePublicMac
            , DevicePlatform
            , DevicePlatformVersion
            , DeviceType
            , HttpUserAgentOriginal
            , MisconfiguredClientFixReason
            , RadiusPacketType
            , EventTypeDetailed
            , EventResultDetails

@macna
Author

macna commented Dec 2, 2024

Hi @v-sudkharat - that does seem to work better. We are seeing, however, that every other line is now missing the event ID and severity:

Image

@v-sudkharat
Contributor

@macna, the data you have shared with us is in 2 different formats, highlighted in the screenshot below, and because of that the parser is able to parse only the supported 1st SyslogMessage format -

Image

Thanks!

@v-sudkharat
Contributor

@macna , Anything for us?

@v-sudkharat
Contributor

Hi @macna, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 11-12-2024, we will be closing this issue.
Thanks!

@macna
Author

macna commented Dec 6, 2024

Hi @v-sudkharat. I think we understand the problem, but is the parser going to be updated to correctly parse both message types?

@v-sudkharat
Contributor

@macna, it's quite difficult, as the messages from the source have been different. We are trying to fill the blank spaces, and have also added the new columns EapAuthentication and CPMSessionID to the parser based on the requirement.
Could you please run the parser below and let us know if it meets your requirement -

let EventData = Syslog
    | where ProcessName has_any  ("CSCO", "CISE")
    | extend EventVendor = 'CISCO'
    | extend EventProduct = 'ISE'
    | parse SyslogMessage with EventId:string  " " EventSeverity " " EventCategory " " RestOfMessage
    | parse SyslogMessage with * ": " EventMessage"," *
    | parse-kv SyslogMessage as (ConfigVersionId:int, ['Device IP Address']:string, NetworkDeviceName:string, DestinationIPAddress:string, DestinationPort:int, UserName:string, Protocol:string, RequestLatency:int, ['NAS-IP-Address']:string, ['NAS-Port']:int, ['NAS-Port-Type']:string, ['NAS-Identifier']:string, ['Service-Type']:string, ['Framed-MTU']:int, ['Called-Station-ID']:string, ['Calling-Station-ID']:string, Action:string, ['Privilege-Level']:int, ['Remote-Address']:string, NetworkDeviceProfileId:string, AcsSessionID:string, ['Acct-Session-Id']:string, ['Authen-Type']:string, AuthenticationIdentityStore:string, AuthenticationMethod:string, Service:string, SelectedAccessService:string,CPMSessionID:string, EapAuthentication:string, SelectedShellProfile:string, IdentityGroup:string, ['Service-Argument']:string, CmdSet:string, MatchedCommandSet:string, ['Authen-Method']:string, SelectedCommandSet:string, NetworkDeviceProfileName:string, PostureStatus:string, SelectedAuthorizationProfiles:string, AuthorizationPolicyMatchedRule:string, MisconfiguredClientFixReason:string, RadiusPacketType:string, FailureReason:string, Type:string, DetailedInfo:string) with (pair_delimiter=', ', kv_delimiter='=')
    | project-rename DvcIpAddr = ['Device IP Address']
    				,DvcHostname = NetworkDeviceName
    				,DstIpAddr = DestinationIPAddress
    				,DstPortNumber = DestinationPort
    				,DstUserName = UserName
    				,NetworkProtocol = Protocol
    				,RequestLatency = RequestLatency
    				,NasIpAddress = ['NAS-IP-Address']
    				,NasPort = ['NAS-Port']
    				,NasPortType = ['NAS-Port-Type']
    				,NasIdentifier = ['NAS-Identifier']
    				,ServiceType = ['Service-Type']
    				,FramedMtu = ['Framed-MTU']
    				,CalledStationId = ['Called-Station-ID']
    				,CallingStationId = ['Calling-Station-ID']
    				,EventType = Type
    				,DvcAction = Action
    				,PrivilegeLevel = ['Privilege-Level']
    				,SrcIpAddr = ['Remote-Address']
    				,NetworkDeviceProfileId = NetworkDeviceProfileId
    				,AcsSessionId = AcsSessionID
    				,AcctSessionId = ['Acct-Session-Id']
    				,AuthenType = ['Authen-Type']
    				,AuthenticationIdentityStore = AuthenticationIdentityStore
    				,AuthenticationMethod = AuthenticationMethod
    				,SelectedAccessService = SelectedAccessService
    				,SelectedShellProfile = SelectedShellProfile
    				,IdentityGroup = IdentityGroup
    				,Service = Service
    				,ServiceArgument = ['Service-Argument']
    				,CmdSet = CmdSet
    				,MatchedCommandSet = MatchedCommandSet
    				,AuthenMethod = ['Authen-Method']
    				,SelectedCommandSet = SelectedCommandSet
    				,NetworkDeviceProfileName = NetworkDeviceProfileName
    				,PostureStatus = PostureStatus
    				,SelectedAuthorizationProfiles = SelectedAuthorizationProfiles
    				,AuthorizationPolicyMatchedRule = AuthorizationPolicyMatchedRule
    				,MisconfiguredClientFixReason = MisconfiguredClientFixReason
    				,RadiusPacketType = RadiusPacketType
    				,EventTypeDetailed = FailureReason
    				,EventResultDetails = DetailedInfo
    | parse SyslogMessage with * "device-mac=" DvcMacAddr"," *
    | parse SyslogMessage with * "device-public-mac=" DevicePublicMac"," *
    | parse SyslogMessage with * "device-platform=" DevicePlatform"," *
    | parse SyslogMessage with * "device-platform-version=" DevicePlatformVersion"," *
    | parse SyslogMessage with * "=device-type=" DeviceType"," *
    | parse SyslogMessage with * "ac-user-agent=" HttpUserAgentOriginal"," *;
    // one string literal was previously broken across two lines (entry 86010), which is not valid KQL; one pair per line
    let EventName = datatable(EventId:string, EventDescription:string)[
        "5200", "User authentication ended successfully",
        "5201", "User authentication ended successfully",
        "5202", "The requested Command Authorization passed",
        "5203", "The requested Session Authorization passed",
        "5205", "Dynamic Authorization succeeded",
        "5231", "Guest Authentication Passed",
        "5236", "Authorize-Only ended successfully",
        "5238", "",
        "5240", "Previously rejected endpoint was released to continue authentications",
        "5400", "User authentication failed. See FailureReason for more information",
        "5401", "User authentication failed. See FailureReason for more information",
        "5405", "RADIUS request dropped",
        "5406", "",
        "5407", "TACACS+ Authorization failed",
        "5411", "Supplicant did not respond to the last message that ISE sent to it",
        "5417", "Dynamic Authorization failed",
        "5434", "Endpoint conducted several failed authentications of the same scenario",
        "5436", "Ignoring this request because it is a duplicate of another packet that is currently being processed",
        "5440", "Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication",
        "5449", "Endpoint failed authentication of the same scenario several times and all further requests will be rejected for the duration of the Request Rejection Interval",
        "12508", "EAP-TLS handshake failed",
        "12514", "EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain",
        "12516", "EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain",
        "60114", "ISE server shutdown has been initiated",
        "60166", "Certificate Expiration warning",
        "60167", "Certificate has expired",
        "80002", "This message is generated when a profiler endpoint is profiled",
        "86009", "Guest user record is not found in the database",
        "86010", "Guest user authentication failed. Please check your password and account permission",
        "86011", "Guest user authentication failed. User is not enabled. Please contact your System Administrator",
        "86012", "Guest User must accept Access-Use policy before network access is granted",
        "86013", "Portal is not found in the database. Please contact your System Administrator",
        "86014", "User authentication failed. User account is suspended",
        "86015", "Invalid password change. Use correct password based on the password policy",
        "86016", "Timeout from server has exceeded the threshold. Please contact your System Administrator",
        "86017", "SessionID is missing. Please contact your System Administrator",
        "86018", "Guest Change of Authorization has failed. Please contact your System Administrator",
        "86019", "User access is restricted based on time profile. Please contact your System Administrator",
        "86020", "User authentication failed. Please contact your System Administrator"
    ];
    EventData
    | lookup EventName on EventId
    | project TimeGenerated
            , EventVendor
            , EventProduct
            , EventId
            , EventSeverity
            , EventCategory
            , EventMessage
            , EventDescription
            , ConfigVersionId
            , DvcIpAddr
            , DvcHostname
            , DstIpAddr
            , DstPortNumber
            , DstUserName
            , NetworkProtocol
            , RequestLatency
            , NasIpAddress
            , NasPort
            , NasPortType
            , NasIdentifier
            , ServiceType
            , FramedMtu
            , CalledStationId
            , CallingStationId
            , EventType
            , DvcAction
            , PrivilegeLevel
            , SrcIpAddr
            , NetworkDeviceProfileId
            , AcsSessionId
            , AuthenType
            , AuthenticationIdentityStore
            , AuthenticationMethod
            , SelectedAccessService
            , EapAuthentication
            , CPMSessionID
            , SelectedShellProfile
            , IdentityGroup
            , Service
            , ServiceArgument
            , CmdSet
            , MatchedCommandSet
            , AuthenMethod
            , SelectedCommandSet
            , NetworkDeviceProfileName
            , PostureStatus
            , SelectedAuthorizationProfiles
            , AuthorizationPolicyMatchedRule
            , DvcMacAddr
            , DevicePublicMac
            , DevicePlatform
            , DevicePlatformVersion
            , DeviceType
            , HttpUserAgentOriginal
            , MisconfiguredClientFixReason
            , RadiusPacketType
            , EventTypeDetailed
            , EventResultDetails

Many Thanks!

@v-sudkharat
Contributor

@macna, did you get a chance to check on the above comment? Could you please confirm whether your issue is resolved, for ticket closure. Thanks!

@macna
Author

macna commented Dec 9, 2024

Hi @v-sudkharat, thanks for this. I have colleagues testing and will let you know how they get on.

@v-sudkharat
Contributor

@macna, Noted. Please let us know once done. Thanks!

@v-sudkharat
Contributor

@macna, any update on testing? Waiting for the response.

@macna
Author

macna commented Dec 13, 2024

Hi @v-sudkharat - we have performed some testing of the new parser but continue to have problems unfortunately. It seems that the EventId column is not being parsed correctly, and so we find that the extended event descriptions in the EventName datatable are not showing as expected.
