Issue with parser for CISCO ISE in Sentinel #9746
Comments
|
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal. |
|
Hi @v-nguyentruong, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 15-01-2024. Thanks! |
|
Hi @v-nguyentruong, Could you please check with below shared parser file. Sharing the steps to configure it -
Please let us know if it works or you need any assistance on it. |
|
Hi @v-nguyentruong, we are waiting for your response on above comment. Thanks! |
|
Hi @sudarshan Kharat (Tata Consultancy Services ***@***.***>
Thanks for your response.
I'm still checking this parser on customer environment. I'm still waiting for the customer to send a reply. I will update you if I get any response.
Best Regards,
Nelson Truong
Support Engineer
Azure - Security
Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)
Need help outside of my working hours?
Locate an engineer: ***@***.******@***.***>
Manager: Olivia Li/ ***@***.***
[image]
…________________________________
From: v-sudkharat ***@***.***>
Sent: Tuesday, January 16, 2024 12:54 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: Nelson Truong (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)
Hi @v-nguyentruong<https://github.com/v-nguyentruong>, we are waiting for your response on above comment. Thanks!
—
Reply to this email directly, view it on GitHub<#9746 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BFGXNLUD2LPF22GNHRUCWZDYOYIZRAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOJTGEYTGMBRGA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Hi @v-nguyentruong, Please let us know once you get update from customer on this. Thanks! |
|
Hi @v-nguyentruong, Any update from customer on this? Thanks! |
|
Hi @v-sudkharat. Customer is still monitoring for few more days after trying the parser before letting me know the status. |
|
Hi @v-nguyentruong, thanks for sharing update with us, please let us know, once you get more update from customer on this. |
|
Hi @sudarshan Kharat (Tata Consultancy Services ***@***.***>
Hope you doing well
Just got a response from customer. Everything is working fine except there is no timestamp this time (No TimeGenerated column). Can you check the parser again?
Here is the screenshots from customer:
[cid:7389d18d-085f-46d0-a6f5-0c2bc3d9738c]
Best Regards,
Nelson Truong
Support Engineer
Azure - Security
Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)
Need help outside of my working hours?
Locate an engineer: ***@***.******@***.***>
Manager: Olivia Li/ ***@***.***
[image]
…________________________________
From: v-sudkharat ***@***.***>
Sent: Friday, January 19, 2024 5:04 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: Nelson Truong (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)
Hi @v-nguyentruong<https://github.com/v-nguyentruong>, thanks for sharing update with us, please let us know, once you get more update from customer on this.
Thanks!
—
Reply to this email directly, view it on GitHub<#9746 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BFGXNLUL2NVBWRLM7ZMZ7JDYPJALXAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBQGEYDOMRXHA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Hi @v-nguyentruong, your shared screenshot is not visible for me, could you please reshare it. Thanks! |
|
Hi @sudarshan Kharat (Tata Consultancy Services ***@***.***>
Here is the screenshot:
[cid:accc5ade-4b7a-41a1-ba4e-116e5b4ce74e]
Best Regards,
Nelson Truong
Support Engineer
Azure - Security
Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)
Need help outside of my working hours?
Locate an engineer: ***@***.******@***.***>
Manager: Olivia Li/ ***@***.***
[image]
…________________________________
From: v-sudkharat ***@***.***>
Sent: Monday, January 29, 2024 10:54 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: Nelson Truong (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)
Hi @v-nguyentruong<https://github.com/v-nguyentruong>, your shared screenshot is not visible for me, could you please reshare it. Thanks!
—
Reply to this email directly, view it on GitHub<#9746 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BFGXNLRY3Y3TMATOCQJQ64TYQ7A2LAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJUHE4TQNJXHE>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Hi @v-nguyentruong, still not visible, Could you please sent it on below mail id - v-sudkharat@microsoft.com Thanks! |
|
Hi @sudarshan Kharat (Tata Consultancy Services ***@***.***>
I just sent the screenshot to your email. Can you check it if it is visible?
Best Regards,
Nelson Truong
Support Engineer
Azure - Security
Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)
Need help outside of my working hours?
Locate an engineer: ***@***.******@***.***>
Manager: Olivia Li/ ***@***.***
[image]
…________________________________
From: v-sudkharat ***@***.***>
Sent: Wednesday, January 31, 2024 3:13 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: Nelson Truong (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)
Hi @v-nguyentruong<https://github.com/v-nguyentruong>, still not visible, Could you please sent it on below mail id - ***@***.******@***.***>
image.png (view on web)<https://github.com/Azure/Azure-Sentinel/assets/132428394/432b654d-4515-47a0-8b69-031f87fd7722>
Thanks!
—
Reply to this email directly, view it on GitHub<#9746 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BFGXNLR4JURH3EKLPX4YKR3YRH4LLAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJYGU4TKNZYGA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Hi @v-nguyentruoy - ng, yes, it's visible now. We will check on it and get back to you by 07-01-2024. Thanks! |
|
Hi @v-nguyentruong, could you please ask customer to expand the one of the raw and check for the TimeGenerated Column. And still it is not visible, could you please below with below updated parser file - Please let us know if issue is still persists. |
|
Hi @sudarshan Kharat (Tata Consultancy Services ***@***.***>
I checked from our end and the raw doesn't have any TimeGenerated Column. Here is the screenshots:
[cid:b433c2c1-5e48-48aa-b347-ad1832b63c49]
[cid:9bfa16f6-dd57-4612-8a11-34ebf2e23f7e]
Best Regards,
Nelson Truong
Support Engineer
Azure - Security
Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)
Need help outside of my working hours?
Locate an engineer: ***@***.******@***.***>
Manager: Olivia Li/ ***@***.***
[image]
…________________________________
From: v-sudkharat ***@***.***>
Sent: Thursday, February 1, 2024 4:09 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: Nelson Truong (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)
Hi @v-nguyentruong<https://github.com/v-nguyentruong>, could you please ask customer to expand the one of the raw and check for the TimeGenerated Column.
image.png (view on web)<https://github.com/Azure/Azure-Sentinel/assets/132428394/9c136c2d-7bb9-45f3-9d54-39c58111d444>
Thanks!
—
Reply to this email directly, view it on GitHub<#9746 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BFGXNLUUNYPLVY2OGZ2M6W3YRNLWLAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMRQHA2DGMZXHE>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Hi @v-nguyentruong, have you checked with updated parser? - https://github.com/Azure/Azure-Sentinel/files/14122744/CiscoISEParser_Updated1.txt |
|
Thanks for the update parser file. I just checked and seem like it will work. Let's me check this with customers. I will response if I have any update from them. |
|
@v-nguyentruong, Sure. Please share update with us once it done. Thanks! |
|
Hi @v-sudkharat . Just got response from customer and the field TimeGenerated still not appear. |
|
@v-nguyentruong, thanks for update. We will check on this and get back to you by - 08-02-2024. Thanks! |
|
Hi @v-nguyentruong, We have updated the parser and tested in our workspace with available data. Could you please check it in customer environment and let us know still TimeGenerated column is not visible. Thanks!
|
|
Thanks for the update parser file. Let's me check this with customers. I will response if I have any update from them. |
|
@v-nguyentruong, please let us know once it gets completed. Thanks! |
|
Hi @v-nguyentruong, Any update from customer. Thanks! |
|
@v-sudkharat I have just tried and below is the result |
|
Hi @v-sudkharat. I'm still waiting for cx response. |
|
@v-nguyentruong, Ok. Thanks! |
|
Hi @v-sudkharat . Cx just response and said that the AcsSessionID still have ComputerName in it also there isn't any Computers column. |
|
Hi @v-nguyentruong, Could you please request cx to share the sample data with us, so we can modify the query accordingly. Thanks! |
|
Hi @v-sudkharat . Sure, I'll let you know if I got the sample data from cx. |
|
Hi @v-sudkharat can I share the sample data with you? So you can provide the query . Please let me know. |
|
Hi @sandeep5234, we have received the data from customer. thank you for your response. |
|
Hi @v-nguyentruong, We have make those modification as per customer requirement in Parser and added the new column as Could you please share the latest updated parser with the customer and let us know the feedback with us. Thanks! |
|
Hi @v-sudkharat . Thanks for the update parser, I'll let you know if I get update from cx. |
|
@v-nguyentruong, Ok |
|
Nelson Truong (WICLOUD CORPORATION) ***@***.***) has sent you a protected message.
Read the message Learn about messages protected by Microsoft Purview Message Encryption.
This is a secure message from Microsoft. The contents of this email message and any attachments are intended solely for the addressee(s) on this message and will contain confidential and/or privileged information. It is strictly prohibited to share any part of this message with any third party. Privacy Statement
Learn More on email encryption. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
|
|
@v-sudkharat I have just tested the new updated parser and results are below seems same issue for me. |
|
Hi @sudarshan Kharat (Tata Consultancy Services ***@***.***>
Just got a response from cx. There is Computer column now and it has computer name in it. However, some stay blank. Screenshot below.
[cid:a84575ce-00e2-4da5-9dfb-2a81e544143f]
Best Regards,
Nelson Truong
Support Engineer
Azure - Security
Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)
Need help outside of my working hours?
Locate an engineer: ***@***.******@***.***>
Manager: Olivia Li/ ***@***.***
[image]
…________________________________
From: Nelson Truong (WICLOUD CORPORATION) ***@***.***>
Sent: Tuesday, February 27, 2024 6:42 PM
To: Azure/Azure-Sentinel ***@***.***>; Azure/Azure-Sentinel ***@***.***>; Sudarshan Kharat (Tata Consultancy Services Limi) ***@***.***>
Cc: Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)
Hi @sudarshan Kharat (Tata Consultancy Services ***@***.***>
Just got a response from cx. There is Computer column now and it has computer name in it. However, some stay blank. Screenshot below.
[cid:41917ba0-adf2-4fac-89a9-cf8fd7acfbfe]
Best Regards,
Nelson Truong
Support Engineer
Azure - Security
Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)
Need help outside of my working hours?
Locate an engineer: ***@***.******@***.***>
Manager: Olivia Li/ ***@***.***
[image]
________________________________
From: v-sudkharat ***@***.***>
Sent: Tuesday, February 27, 2024 4:50 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: Nelson Truong (WICLOUD CORPORATION) ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)
@v-nguyentruong<https://github.com/v-nguyentruong>, Ok
—
Reply to this email directly, view it on GitHub<#9746 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BFGXNLXKSHZJOBG4TVAOHV3YVWUAFAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNRWGE3TAMZUGY>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
@v-nguyentruong, checking on Parser. |
|
@v-sudkharat We have Cisco ISE network device from where we collect logs in Syslog format, the Cisco ISE parser available as part of the Cisco ISE package in Azure sentinel repository doesn't parse the data to correct columns. This is my issue in short. |
|
Hi @v-nguyentruong, We have updated the parser, and it successfully showing the expected result in cx shared CISCO ISE sample data. Please check with cx - Cisco.txt Thanks! |
|
Hii @sandeep5234, Could you please raise a new GitHub issue and shared details over there with adding the sample data. So our team check on your case and update you. Thanks! |
|
@v-sudkharat I have created a new issue This is the one. |
|
Hi @v-nguyentruong, Waiting for your response on above comment. Thanks! |
|
Hi @v-sudkharat . Cx deployed the new parser, and it was working fine. However, they want to monitor the parser for few more days to check if new issue arises. I'll let you know if there is new update from them. |
|
@v-nguyentruong, Sure. Please confirm once it done. Thanks! |
|
Hi @v-nguyentruong, Any update from cx? Thanks! |
|
Hi @v-sudkharat . The parser working fine now. Thanks for your help. |
|
Hi @v-sudkharat . The parser working fine now. Thanks for your help. |
|
@v-nguyentruong, Always welcome. |
Describe the bug
Parsing issue with Cisco ISE data source
Using the parser from the Cisco Identity Service Engine data connector page in Sentinel provide and still got wrong information in the logs.
I found out that the parser will apply for these logs:
Syslog
| where ProcessName has_any ("CSCO", "CISE")
There are many logs with different structures of SyslogMessage which causes the parser to not be able to function properly.
When applied this line in parser for the above results, there will be an eventid with a date (Ex 1: 2024-01-05) and an eventid with a string (Ex 2: NetworkDeviceGroups...).
| parse SyslogMessage with * " " * " " * " " EventId " " EventSeverity " " EventCategory " " RestOfMessage
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Correct data from Syslog parse into the correct field in CiscoISEEvent table.
Screenshots
The text was updated successfully, but these errors were encountered: