Issue with parser for CISCO ISE in Sentinel

[sandeep5234]

Cisco ISE Parser in Sentinel not parsing the Values correctly in Log analytics workspace.

#9746 In this issue there was a parser provided but that doesn't work for the data we have from Cisco ISE devices.

For Example, see this image.

[v-sudkharat]

Hi @sandeep5234, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 08-03-2024. Please share the sample data with us. it helps us to check on it. Thanks!

[v-sudkharat]

Hi @sandeep5234, Could you please provide the sample data to us. Thanks!

[v-sudkharat]

Hi @sandeep5234, We are waiting for your response, And also could you please check on the configuration which done at Cisco ISE GUI portal which done correctly.

Thanks!

[v-sudkharat]

Hi @sandeep5234, We are waiting for your response. Thanks!

[sandeep5234]

@v-sudkharat sorry for late reply, Customer is still getting back to me with data. I will update soon.

[sandeep5234]

Hi @v-sudkharat where should I share the sample data?

[v-sudkharat]

Hi @sandeep5234, you can share with us on - [email protected] mail id. Thanks!

[sandeep5234]

@v-sudkharat Data sample shared on provided email. Thank you.

[v-sudkharat]

@sandeep5234, Received. Thanks!

[v-sudkharat]

Hi @sandeep5234, We have checked your shared sample data. The SyslogMessage is not in correct format, and due to that the Parser is not parsing the data correctly. So, Could you please check the configuration which is done at Cisco ISE GUI portal is done correctly. You make check the logging categories with below shared steps-

And if you are not receiving logs then needed to configure the Logging Category with below shared path in Cisco portal- Administration >System >Logging >Logging Categories

Thanks!

[v-sudkharat]

Hii @sandeep5234, Could you please check on above comment and let us know your feedback. Thanks!

[sandeep5234]

@v-sudkharat I will check with customer

[v-sudkharat]

@sandeep5234, Sure. Please let us know once it done. Thanks!

[v-sudkharat]

Hey @sandeep5234, Any update on CIsco side configuration. Thanks!

[v-muuppugund]

Hi @sandeep5234, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 26-03-2024 date, we will be closing this issue. Thanks!

[sandeep5234]

Hi @v-muuppugund we are still waiting for customer response. As soon as I receive the response I will update here

[v-sudkharat]

@sandeep5234, Ok. Please let us know once you get update from customer. Thanks!

[v-sudkharat]

Hey @sandeep5234, Any response from customer about configuration?

[v-sudkharat]

Hi @sandeep5234, We are waiting for your response on above comment, could you please check with the customer and let us know. Thanks!

[sandeep5234]

@v-sudkharat apologies for late reply. Customer had made changes. Most of the Field are mapped but below fields are still not mapped correctly.

[v-sudkharat]

@sandeep5234, Could you please share the updated parser result with us, so we can check the on this. Thanks!

[sandeep5234]

@v-sudkharat will the updated Parser be available in Azure Sentinel Repo? Or where should I grab it from?

[sandeep5234]

@v-sudkharat I have found the updated parser and the results looked better with it. For now it looks ok.

[v-sudkharat]

@v-sudkharat I have found the updated parser and the results looked better with it. For now it looks ok.

@sandeep5234, Noted, so if your issue get resolve, can you please confirm with us so we can close it from GitHub.

Thanks!

[sandeep5234]

Hi yes, please close it. Thank you.

[v-sudkharat]

@sandeep5234, Thanks for the confirmation. closing this issue. If you still need support for this issue, feel free to re-open it any time. Thank you for your co-operation.