Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-10 21:31:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
12fec66d9af01119eaee6d7ec741b49d83cdb13e
marcredhat-siem-toolkit-pat…/parsers/cisco_ise_logs-latest
T
marc a9dcf48e65 Snapshot 95 demo-tenant parsers (incl. stormshield) + un-ignore parsers/ 
The original upstream gitignores parsers/* on the assumption that each tenant
has its own set. This fork commits a working snapshot so the Parser Test Runner
and Parser Coverage features are usable out of the box.

Stormshield parser exercises the new SDL key=value scanner, pattern references,
and JS-style unquoted format keys added to backend/routers/quality.py.
2026-05-22 14:11:56 +02:00

77 lines
3.2 KiB
Plaintext
Raw Blame History

{
attributes: {
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"metadata.version": "1.0.0"
},
patterns: {
timestamp: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?[+-]\\d{2}:\\d{2}|\\w{3}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2}",
ipv4: "(?:\\d{1,3}\\.){3}\\d{1,3}",
macaddr: "([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}"
},
formats: [
{
attributes: {
class_uid: "3002",
category_uid: "3",
severity_id: "1",
class_name: "Authentication",
category_name: "Identity & Access Management",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco"
},
format: "$timestamp=timestamp$ $hostname$ CISE_System_Alarms $log_id$,$log_id2$,$severity$,$category$,$message$,$user$,$ip=ipv4$,$mac=macaddr$,$endpoint_id$,$auth_method$,$auth_protocol$"
},
{
attributes: {
class_uid: "3002",
category_uid: "3",
severity_id: "2",
class_name: "Authentication",
category_name: "Identity & Access Management",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco"
},
format: "$timestamp=timestamp$ $hostname$ CISE_Passed_Authentications $log_id$,$log_id2$,$severity$,$category$,User-Name=$user$,NAS-IP-Address=$nas_ip=ipv4$,Calling-Station-Id=$mac=macaddr$,Framed-IP-Address=$ip=ipv4$,Authentication passed"
},
{
attributes: {
class_uid: "3002",
category_uid: "3",
severity_id: "4",
class_name: "Authentication",
category_name: "Identity & Access Management",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco"
},
format: "$timestamp=timestamp$ $hostname$ CISE_Failed_Attempts $log_id$,$log_id2$,$severity$,$category$,User-Name=$user$,NAS-IP-Address=$nas_ip=ipv4$,Calling-Station-Id=$mac=macaddr$,Authentication failed,$failure_reason$"
},
{
attributes: {
class_uid: "3001",
category_uid: "3",
severity_id: "2",
class_name: "Account Change",
category_name: "Identity & Access Management",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco"
},
format: "$timestamp=timestamp$ $hostname$ CISE_Administrator $log_id$,$log_id2$,$severity$,$category$,Admin-Name=$admin_user$,Admin-Session-Id=$session_id$,Object-Name=$object_name$,Change-Type=$change_type$,Object-Type=$object_type$"
}
]
}
Reference in New Issue View Git Blame Copy Permalink