Azure-Sentinel Issue with parser for CISCO ISE in Sentinel

Describe the bug Parsing issue with Cisco ISE data source Using the parser from the Cisco Identity Service Engine data connector page in Sentinel provide and still got wrong information in the logs. I found out that the parser will apply for these logs: Syslog | where ProcessName has_any ("CSCO", "CISE") There are many logs with different structures of SyslogMessage which causes the parser to not be able to function properly. When applied this line in parser for the above results, there will be an eventid with a date (Ex 1: 2024-01-05) and an eventid with a string (Ex 2: NetworkDeviceGroups...). | parse SyslogMessage with * " " * " " * " " EventId " " EventSeverity " " EventCategory " " RestOfMessage

To Reproduce Steps to reproduce the behavior:

Go to Sentinel portal > Data Connectors > Cisco Identity Service Engine
Click on "Follow these steps"
Copy the function code then paste into Logs then Save as function.
See wrong information in CiscoISEEvent table.

Expected behavior Correct data from Syslog parse into the correct field in CiscoISEEvent table.

Screenshots

Jan 09 '24 13:01 v-nguyentruong

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

Jan 09 '24 13:01 github-actions[bot]

Hi @v-nguyentruong, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 15-01-2024. Thanks!

Jan 10 '24 05:01 v-sudkharat

Hi @v-nguyentruong, Could you please check with below shared parser file. CiscoISEParser_Updated3.txt

Sharing the steps to configure it -

Go to Log Analytics workspace and select your workspace.
Click on Logs. In the Schema and Filter Pane, select Functions tab and enter Parser name (e.g. CiscoISEEvent) in the search box, function list would be filtered.
Hover over the function name and click on Load the function code link in the flyout.
This would load the definition of the parser in the new query window. Copy and paste the content of the function in a notepad and save it.

Please let us know if it works or you need any assistance on it. Thanks!

Jan 12 '24 11:01 v-sudkharat

Hi @v-nguyentruong, we are waiting for your response on above comment. Thanks!

Jan 16 '24 05:01 v-sudkharat

Hi @Sudarshan Kharat (Tata Consultancy Services @.***>

Thanks for your response.

I'm still checking this parser on customer environment. I'm still waiting for the customer to send a reply. I will update you if I get any response.

Best Regards,

Nelson Truong

Support Engineer

Azure - Security

Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)

Need help outside of my working hours?

Locate an engineer: @.@.>

Manager: Olivia Li/ @.***

[image]

From: v-sudkharat @.> Sent: Tuesday, January 16, 2024 12:54 PM To: Azure/Azure-Sentinel @.> Cc: Nelson Truong (WICLOUD CORPORATION) @.>; Mention @.> Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)

Hi @v-nguyentruonghttps://github.com/v-nguyentruong, we are waiting for your response on above comment. Thanks!

— Reply to this email directly, view it on GitHubhttps://github.com/Azure/Azure-Sentinel/issues/9746#issuecomment-1893113010, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BFGXNLUD2LPF22GNHRUCWZDYOYIZRAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOJTGEYTGMBRGA. You are receiving this because you were mentioned.Message ID: @.***>

Jan 16 '24 09:01 v-nguyentruong

Hi @v-nguyentruong, Please let us know once you get update from customer on this. Thanks!

Jan 17 '24 05:01 v-sudkharat

Hi @v-nguyentruong, Any update from customer on this? Thanks!

Jan 19 '24 09:01 v-sudkharat

Hi @v-sudkharat. Customer is still monitoring for few more days after trying the parser before letting me know the status.

Jan 19 '24 09:01 v-nguyentruong

Hi @v-nguyentruong, thanks for sharing update with us, please let us know, once you get more update from customer on this. Thanks!

Jan 19 '24 10:01 v-sudkharat

Hi @Sudarshan Kharat (Tata Consultancy Services @.***>

Hope you doing well

Just got a response from customer. Everything is working fine except there is no timestamp this time (No TimeGenerated column). Can you check the parser again? Here is the screenshots from customer: [cid:7389d18d-085f-46d0-a6f5-0c2bc3d9738c]

Best Regards,  

Nelson Truong

Support Engineer

Azure - Security

Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)

Need help outside of my working hours?

Locate an engineer: @.@.>

Manager: Olivia Li/ @.***

[image]

From: v-sudkharat @.> Sent: Friday, January 19, 2024 5:04 PM To: Azure/Azure-Sentinel @.> Cc: Nelson Truong (WICLOUD CORPORATION) @.>; Mention @.> Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)

Hi @v-nguyentruonghttps://github.com/v-nguyentruong, thanks for sharing update with us, please let us know, once you get more update from customer on this. Thanks!

— Reply to this email directly, view it on GitHubhttps://github.com/Azure/Azure-Sentinel/issues/9746#issuecomment-1900107278, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BFGXNLUL2NVBWRLM7ZMZ7JDYPJALXAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBQGEYDOMRXHA. You are receiving this because you were mentioned.Message ID: @.***>

Jan 25 '24 13:01 v-nguyentruong

Hi @v-nguyentruong, your shared screenshot is not visible for me, could you please reshare it. Thanks!

Jan 29 '24 15:01 v-sudkharat

Hi @Sudarshan Kharat (Tata Consultancy Services @.***>

Here is the screenshot: [cid:accc5ade-4b7a-41a1-ba4e-116e5b4ce74e]

Best Regards,

Nelson Truong

Support Engineer

Azure - Security

Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)

Need help outside of my working hours?

Locate an engineer: @.@.>

Manager: Olivia Li/ @.***

[image]

From: v-sudkharat @.> Sent: Monday, January 29, 2024 10:54 PM To: Azure/Azure-Sentinel @.> Cc: Nelson Truong (WICLOUD CORPORATION) @.>; Mention @.> Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)

Hi @v-nguyentruonghttps://github.com/v-nguyentruong, your shared screenshot is not visible for me, could you please reshare it. Thanks!

— Reply to this email directly, view it on GitHubhttps://github.com/Azure/Azure-Sentinel/issues/9746#issuecomment-1914998579, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BFGXNLRY3Y3TMATOCQJQ64TYQ7A2LAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJUHE4TQNJXHE. You are receiving this because you were mentioned.Message ID: @.***>

Jan 29 '24 16:01 v-nguyentruong

Hi @v-nguyentruong, still not visible, Could you please sent it on below mail id - [email protected]

Thanks!

Jan 31 '24 08:01 v-sudkharat

Hi @Sudarshan Kharat (Tata Consultancy Services @.***>

I just sent the screenshot to your email. Can you check it if it is visible?

Best Regards,

Nelson Truong

Support Engineer

Azure - Security

Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)

Need help outside of my working hours?

Locate an engineer: @.@.>

Manager: Olivia Li/ @.***

[image]

From: v-sudkharat @.> Sent: Wednesday, January 31, 2024 3:13 PM To: Azure/Azure-Sentinel @.> Cc: Nelson Truong (WICLOUD CORPORATION) @.>; Mention @.> Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)

Hi @v-nguyentruonghttps://github.com/v-nguyentruong, still not visible, Could you please sent it on below mail id - @.@.> image.png (view on web)https://github.com/Azure/Azure-Sentinel/assets/132428394/432b654d-4515-47a0-8b69-031f87fd7722

Thanks!

— Reply to this email directly, view it on GitHubhttps://github.com/Azure/Azure-Sentinel/issues/9746#issuecomment-1918595780, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BFGXNLR4JURH3EKLPX4YKR3YRH4LLAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJYGU4TKNZYGA. You are receiving this because you were mentioned.Message ID: @.***>

Jan 31 '24 09:01 v-nguyentruong

Hi @v-nguyentruoy - ng, yes, it's visible now. We will check on it and get back to you by 07-01-2024. Thanks!

Jan 31 '24 09:01 v-sudkharat

Hi @v-nguyentruong, could you please ask customer to expand the one of the raw and check for the TimeGenerated Column.

And still it is not visible, could you please below with below updated parser file - CiscoISEParser_Updated1.txt

Please let us know if issue is still persists. Thanks!

Feb 01 '24 09:02 v-sudkharat

Hi @Sudarshan Kharat (Tata Consultancy Services @.***>

I checked from our end and the raw doesn't have any TimeGenerated Column. Here is the screenshots: [cid:b433c2c1-5e48-48aa-b347-ad1832b63c49] [cid:9bfa16f6-dd57-4612-8a11-34ebf2e23f7e]

Best Regards,

Nelson Truong

Support Engineer

Azure - Security

Working Hours: 3:00 PM - 12:00 AM (UTC+7, Monday to Friday)

Need help outside of my working hours?

Locate an engineer: @.@.>

Manager: Olivia Li/ @.***

[image]

From: v-sudkharat @.> Sent: Thursday, February 1, 2024 4:09 PM To: Azure/Azure-Sentinel @.> Cc: Nelson Truong (WICLOUD CORPORATION) @.>; Mention @.> Subject: Re: [Azure/Azure-Sentinel] Issue with parser for CISCO ISE in Sentinel (Issue #9746)

Hi @v-nguyentruonghttps://github.com/v-nguyentruong, could you please ask customer to expand the one of the raw and check for the TimeGenerated Column. image.png (view on web)https://github.com/Azure/Azure-Sentinel/assets/132428394/9c136c2d-7bb9-45f3-9d54-39c58111d444 Thanks!

— Reply to this email directly, view it on GitHubhttps://github.com/Azure/Azure-Sentinel/issues/9746#issuecomment-1920843379, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BFGXNLUUNYPLVY2OGZ2M6W3YRNLWLAVCNFSM6AAAAABBTCIR6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMRQHA2DGMZXHE. You are receiving this because you were mentioned.Message ID: @.***>

Feb 01 '24 09:02 v-nguyentruong

Hi @v-nguyentruong, have you checked with updated parser? - https://github.com/Azure/Azure-Sentinel/files/14122744/CiscoISEParser_Updated1.txt

Feb 01 '24 09:02 v-sudkharat

Thanks for the update parser file. I just checked and seem like it will work. Let's me check this with customers. I will response if I have any update from them.

Feb 01 '24 10:02 v-nguyentruong

@v-nguyentruong, Sure. Please share update with us once it done. Thanks!

Feb 01 '24 10:02 v-sudkharat

Hi @v-sudkharat . Just got response from customer and the field TimeGenerated still not appear.

Feb 02 '24 12:02 v-nguyentruong

@v-nguyentruong, thanks for update. We will check on this and get back to you by - 08-02-2024. Thanks!

Feb 05 '24 08:02 v-sudkharat

Hi @v-nguyentruong, We have updated the parser and tested in our workspace with available data. Could you please check it in customer environment and let us know still TimeGenerated column is not visible. Thanks! Updated Paser File - CiscoParser.txt

Feb 05 '24 09:02 v-sudkharat

Thanks for the update parser file. Let's me check this with customers. I will response if I have any update from them.

Feb 05 '24 09:02 v-nguyentruong

@v-nguyentruong, please let us know once it gets completed. Thanks!

Feb 05 '24 09:02 v-sudkharat

Hi @v-nguyentruong, Any update from customer? Thanks!

Feb 07 '24 06:02 v-sudkharat

Hi @v-sudkharat . Customer wants to monitor for some more days and will update back.

Feb 08 '24 08:02 v-nguyentruong

@v-nguyentruong, noted, please let us know once you any update on this. Thanks!

Feb 09 '24 05:02 v-sudkharat

@v-sudkharat, Customers still not response yet, I'll update with you if I got any response from them.

Feb 12 '24 09:02 v-nguyentruong

@v-nguyentruong, Noted. Thanks!

Feb 12 '24 09:02 v-sudkharat