elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Cisco ISE] Improve ECS mappings #10538

Open jamiehynds opened 1 month ago

jamiehynds commented 1 month ago

Some of the fields in our Cisco ISE integration are not compliant with ECS and can be improved upon. Below are the fields which require improvements, based on customer request:

- `event.category: authentication` and `event.outcome: success` need to be set for events where `cisco_ise.log.category.name: CISE_Passed_Authentications` (currently this is missing)
- `event.category: authentication` and `event.outcome: failure` are missing for events where `event.code` is `[5404, 5434, 5413]`
- `event.kind: event` is not being set for any events
- Rename `cisco_ise.log.endpoint.mac.address` to `client.mac`

Can request sample data if required.
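The four changes requested above, written out as Elasticsearch ingest pipeline processors. This is an added illustration, not the integration's own pipeline; it assumes the event has already been parsed so that `cisco_ise.log.category.name` and `event.code` (stored as an ECS keyword string, hence the quoted codes) are present when these processors run.

```yaml
# Added example: ECS normalisation steps for the Cisco ISE pipeline (not the project's own code).
processors:
  # event.kind should be set on every event the integration emits.
  - set:
      field: event.kind
      value: event

  # Successful logins: CISE_Passed_Authentications -> authentication / success.
  # event.category is an array in ECS, so append rather than overwrite.
  - append:
      field: event.category
      value: authentication
      allow_duplicates: false
      if: ctx.cisco_ise?.log?.category?.name == 'CISE_Passed_Authentications'
  - set:
      field: event.outcome
      value: success
      if: ctx.cisco_ise?.log?.category?.name == 'CISE_Passed_Authentications'

  # Failed logins: message codes 5404, 5434 and 5413 -> authentication / failure.
  # Assumes event.code was parsed as a string; adjust the literals if it is numeric.
  - append:
      field: event.category
      value: authentication
      allow_duplicates: false
      if: ctx.event?.code != null && ['5404', '5434', '5413'].contains(ctx.event.code)
  - set:
      field: event.outcome
      value: failure
      if: ctx.event?.code != null && ['5404', '5434', '5413'].contains(ctx.event.code)

  # Move the endpoint MAC into its ECS home; ignore_missing keeps non-endpoint events intact.
  - rename:
      field: cisco_ise.log.endpoint.mac.address
      target_field: client.mac
      ignore_missing: true
```

Once `client.mac` is populated, `cisco_ise.log.endpoint.mac.address` should be dropped from the field definitions so the same value is not indexed twice.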

elasticmachine commented 1 month ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)