# Parsers and Generated Fields

## Tag Fields Created by Parser cisco-ise

- Cps.version
- Vendor
- ecs.version
- event.dataset
- event.kind
- event.module
- event.outcome
- observer.type

## Fields Identified by Parser cisco-ise
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| event.created, @timestamp | @timestamp | Event timestamp with timezone support | Parsed from timestamp fields using multiple format patterns |
| Vendor.IpAddress, Vendor.AdminIPAddress, Vendor.DestinationIPAddress, Vendor.Remote-Address, Vendor.Framed-IP-Address | client.address | Client address | Copied from multiple IP address fields |
| Vendor.NetworkDeviceName, Vendor.AD-Host-DNS-Domain | client.domain | Client domain | Copied from network device name or AD domain |
| client.address | client.ip | Client IP address | Extracted from client.address if valid IP |
| Vendor.EndPointMACAddress, Vendor.EPMacAddress | client.mac | Client MAC address | Copied from MAC address fields |
| Vendor.DestinationPort, client.address | client.port | Client port number | Copied from destination port or extracted from address |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.category, Vendor.log.message.description, Vendor.Action | event.action | Action performed | Extracted from category or message description, converted to lowercase |
| Vendor.category, Vendor.code | event.category[] | Event categorization | Array populated based on event codes and categories |
| syslog timestamp | event.created | Syslog message creation time | Parsed from syslog header timestamp |
| Vendor.category | event.dataset | Dataset identifier based on ISE category | Extracted from category and converted to lowercase |
| event.id | event.id | Event identifier from ISE | Extracted from syslog message |
| None | event.kind | Event classification | Static value: event |
| None | event.module | Module identifier | Static value: ise |
| Vendor.AuthenticationStatus, Vendor.log.message.description, Vendor.FailureReason, Vendor.Response.AcctReply-Status | event.outcome | Success, failure, or unknown outcome | Determined by authentication status and message content |
| Vendor.AD-Error-Details, Vendor.FailureReason, Vendor.Detail, Vendor.Failure Reason | event.reason | Reason for event or failure | Copied from failure reason or error details |
| Vendor.log.segment.number | event.sequence | Event sequence number | Copied from log segment number |
| Vendor.category, Vendor.code | event.type[] | Event type classification | Array populated based on event codes and categories |
| syslog hostname | log.syslog.hostname | Hostname from syslog | Extracted from syslog header |
| syslog priority | log.syslog.priority | Syslog priority value | Extracted from syslog priority field |
| Vendor.log.syslog.severity.name | log.syslog.severity.name | Severity level name | Extracted from ISE message |
| Vendor.Protocol | network.protocol | Network protocol | Copied from protocol field, converted to lowercase |
| log.syslog.hostname | observer.name | Observer name | Copied from syslog hostname |
| None | observer.type | Observer type identifier | Static value: nac |
| Vendor.CmdSet | process.command_line | Command line from TACACS logs | Parsed from command set with filtering and formatting |
| Vendor.EndpointNADAddress, Vendor.PsnHostName, Vendor.Device IP Address | server.address | Server address | Copied from endpoint or device address fields |
| server.address | server.domain | Server domain | Extracted from server.address if not IP |
| server.address | server.ip | Server IP address | Extracted from server.address if valid IP |
| Vendor.Device Port | server.port | Server port number | Copied from device port |
| Vendor.ISEServiceName, Vendor.Service-Argument | service.name | Service name | Copied from ISE service name or service argument |
| Vendor.TLSCipher | tls.cipher | TLS cipher suite | Copied from TLS cipher field |
| Vendor.Issuer - Country | tls.client.x509.issuer.country[] | Certificate issuer country | Array populated from issuer country |
| Vendor.Issuer - Location | tls.client.x509.issuer.locality[] | Certificate issuer locality | Array populated from issuer location |
| Vendor.Issuer - Organization | tls.client.x509.issuer.organization[] | Certificate issuer organization | Array populated from issuer organization |
| Vendor.Issuer - Organization Unit | tls.client.x509.issuer.organizational_unit[] | Certificate issuer organizational unit | Array populated from issuer organizational unit |
| Vendor.Issuer - State or Province | tls.client.x509.issuer.state_or_province[] | Certificate issuer state or province | Array populated from issuer state or province |
| Vendor.Subject - Common Name | tls.client.x509.subject.common_name[] | Certificate subject common name | Array populated from subject common name |
| Vendor.Subject - Organization Unit | tls.client.x509.subject.organizational_unit[] | Certificate subject organizational unit | Array populated from subject organizational unit |
| Vendor.TLSVersion | tls.version | TLS protocol version | Copied from TLS version field |
| user.name, Vendor.AD-User-DNS-Domain | user.domain | User domain | Extracted from user.name or AD domain field |
| Vendor.EmailAddress | user.email | User email address | Copied from email address field |
| Vendor.Firstname, Vendor.Lastname | user.full_name | Full user name | Concatenated from first and last name |
| Vendor.AD-Groups-Names | user.group.name | User group name | Copied from AD groups field |
| Vendor.UserName, Vendor.OriginalUserName, Vendor.User, Vendor.AdminName, Vendor.User-Name, Vendor.AD-User-SamAccount-Name, Vendor.AD-User-Qualified-Name | user.name | Username | Copied from various user fields, converted to lowercase with domain extraction |
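The table describes several normalization rules rather than plain copies: an address value lands in `client.ip`/`server.ip` only when it is a valid IP literal and in `server.domain` otherwise, a port may be split off the address, and usernames are lowercased with the domain extracted into `user.domain`. The following is an added illustration of those rules, not the cisco-ise parser's own code; the `DOMAIN\user`, `user@domain` and `domain/user` username forms, the keyword test used to derive `event.outcome` from `Vendor.AuthenticationStatus`, and the sample record are all assumptions constructed for the example.

```python
import ipaddress

# Source-field precedence lists taken from the mapping table above.
CLIENT_ADDRESS_SOURCES = ("Vendor.IpAddress", "Vendor.AdminIPAddress",
                          "Vendor.DestinationIPAddress", "Vendor.Remote-Address",
                          "Vendor.Framed-IP-Address")
SERVER_ADDRESS_SOURCES = ("Vendor.EndpointNADAddress", "Vendor.PsnHostName",
                          "Vendor.Device IP Address")
USER_SOURCES = ("Vendor.UserName", "Vendor.OriginalUserName", "Vendor.User",
                "Vendor.AdminName", "Vendor.User-Name",
                "Vendor.AD-User-SamAccount-Name", "Vendor.AD-User-Qualified-Name")


def split_address(value):
    """Return (ip, domain, port) for an address value.

    An IP literal fills the .ip slot, anything else fills .domain (lowercased),
    and a trailing ':port' is split off when present. IPv6 literals contain
    several colons, so only a single-colon 'host:port' form is treated as a port.
    """
    host, port = value, None
    if value.count(":") == 1:
        candidate, port_text = value.rsplit(":", 1)
        if port_text.isdigit():
            host, port = candidate, int(port_text)
    try:
        ipaddress.ip_address(host)
        return host, None, port
    except ValueError:
        return None, host.lower(), port


def normalize_user(value):
    """Lowercase a username and pull out the domain (assumed ISE formats)."""
    v = value.strip()
    if "\\" in v:                      # DOMAIN\user
        domain, user = v.split("\\", 1)
    elif "@" in v:                     # user@domain
        user, domain = v.rsplit("@", 1)
    elif "/" in v:                     # domain/user
        domain, user = v.split("/", 1)
    else:
        return v.lower(), None
    return user.lower(), domain.lower()


def first_present(record, keys):
    """First non-empty value among the candidate source fields, in table order."""
    for key in keys:
        if record.get(key):
            return record[key]
    return None


def map_record(record):
    """Apply a subset of the table's rules to a dict of Vendor.* fields."""
    out = {}
    addr = first_present(record, CLIENT_ADDRESS_SOURCES)
    if addr:
        out["client.address"] = addr
        ip, _domain, port = split_address(addr)
        if ip:
            out["client.ip"] = ip
        if port:
            out["client.port"] = port
    saddr = first_present(record, SERVER_ADDRESS_SOURCES)
    if saddr:
        out["server.address"] = saddr
        ip, domain, _port = split_address(saddr)
        if ip:
            out["server.ip"] = ip
        if domain:
            out["server.domain"] = domain
    if record.get("Vendor.Device Port"):
        out["server.port"] = int(record["Vendor.Device Port"])
    user = first_present(record, USER_SOURCES)
    if user:
        name, domain = normalize_user(user)
        out["user.name"] = name
        if domain:
            out["user.domain"] = domain
    if record.get("Vendor.Protocol"):
        out["network.protocol"] = record["Vendor.Protocol"].lower()
    # Assumed outcome rule: keyword match on the authentication status text.
    status = (record.get("Vendor.AuthenticationStatus") or "").lower()
    if "pass" in status or "succe" in status:
        out["event.outcome"] = "success"
    elif "fail" in status:
        out["event.outcome"] = "failure"
    else:
        out["event.outcome"] = "unknown"
    return out


# Constructed sample record (not real ISE output).
SAMPLE_RECORD = {
    "Vendor.UserName": "CORP\\JDoe",
    "Vendor.IpAddress": "10.1.2.3",
    "Vendor.PsnHostName": "ise-psn01.corp.example",
    "Vendor.Device Port": "1812",
    "Vendor.Protocol": "RADIUS",
    "Vendor.AuthenticationStatus": "AuthenticationFailed",
}

if __name__ == "__main__":
    for key, value in sorted(map_record(SAMPLE_RECORD).items()):
        print(f"{key} = {value}")
```

Running the block prints the mapped CPS fields for the constructed record; the useful point for anyone writing detections on these fields is that `user.name` and `server.domain` are always lowercase, so matches should be case-insensitive or lowercase on the query side too.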