[Cisco ISE] Keep cisco-av-pair values with embedded 'equals' as keywords #18964

Merged: haetamoudi merged 4 commits into elastic:main from haetamoudi:7173-ingest-pipeline-cisco-ise-broken-after-integration-update-to-1323 on May 13, 2026
@haetamoudi haetamoudi commented May 12, 2026

Proposed commit message

Keep cisco-av-pair values with embedded 'equals' as keywords

Changes:
Fixes the Cisco ISE passed authentications ingest pipeline so cisco-av-pair values that contain extra = characters are parsed correctly (kept as full keyword strings). Adds pipeline tests, field/docs updates, changelog entry, and a package version bump.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
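
The parsing rule this pull request describes, as an added example that is not the integration's own pipeline code: split each cisco-av-pair on its first '=' only, and expand subkeys just for an allow-listed key. The function names, the `NESTED_KEYS` set and the sample values are assumptions constructed for illustration.

```python
# Added illustration; not the Cisco ISE integration's own pipeline script.
# Assumption taken from the PR's code comment: only "mdm-tlv" carries nested
# key=value subkeys; every other pair keeps its value as one keyword string.
NESTED_KEYS = frozenset({"mdm-tlv"})


def split_av_pair(raw):
    """Split on the FIRST '=' only; return None when there is no usable key."""
    key, sep, rest = raw.partition("=")
    if not sep or not key:
        return None
    return key, rest


def parse_av_pairs(pairs, nested_keys=NESTED_KEYS):
    """Return (fields, unparsed) for a list of cisco-av-pair strings."""
    fields, unparsed = {}, []
    for raw in pairs:
        parsed = split_av_pair(raw)
        if parsed is None:
            unparsed.append(raw)  # keep the raw string instead of guessing
            continue
        key, rest = parsed
        if key in nested_keys:
            sub = split_av_pair(rest)
            if sub is None:
                unparsed.append(raw)
                continue
            fields.setdefault(key, {})[sub[0]] = sub[1]
        else:
            # Scalar: any further '=' (for example inside a DN) stays in the value.
            fields[key] = rest
    return fields, unparsed


# Constructed sample values, not taken from a real ISE log.
SAMPLE = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=00-11-22-33-44-55",
    "FQSubjectName=cn=host01,ou=workstations,dc=example,dc=test",
    "pair-without-equals",
]

if __name__ == "__main__":
    fields, unparsed = parse_av_pairs(SAMPLE)
    print(fields)
    print(unparsed)
    # Treating a scalar key as nested changes its type from string to object,
    # which is what the allow-list prevents.
    print(parse_av_pairs(SAMPLE, NESTED_KEYS | {"FQSubjectName"})[0]["FQSubjectName"])
```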

@haetamoudi haetamoudi requested a review from a team as a code owner May 12, 2026 15:38
@haetamoudi haetamoudi added Integration:cisco_ise Cisco ISE bugfix Pull request that fixes a bug issue Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels May 12, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/integration-experience (Team:Integration-Experience)


github-actions Bot commented May 12, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label May 12, 2026
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport


@Niceplace Niceplace left a comment

Given we paired on this I feel comfortable giving my 👍 LGTM and all tests are green so that's a good sign. I have one question and one nitpick, but nothing blocking.

Comment thread packages/cisco_ise/changelog.yml Outdated
def rest = v.substring(firstEq + 1);

// Only mdm-tlv uses nested subkeys (device-platform=win, ...). Other pairs
// (e.g. FQSubjectName=...cn=...,ou=...) may contain '=' in the value and must stay scalar.
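
Review bot: `v.substring(firstEq + 1)` on the first line is only safe if `firstEq` was checked against -1 above this hunk, and that guard is not visible here. With no '=' in `v`, `firstEq + 1` is 0 and `rest` silently becomes the whole pair, so the key and value would be the same string. If no earlier check exists, keep the raw value or skip the pair when `firstEq < 0`, and add a pipeline test case for a pair without '='.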
Question: Would it make sense to link to official Cisco docs or spec that would justify what top-level keys may contain = in the value and which ones may not? This could help with future similar issues and possibly allow us to pre-emptively fix other fields that would be in the same situation.

Co-authored-by: Simon Beaulieu <Niceplace@users.noreply.github.com>
@elasticmachine

💚 Build Succeeded

@haetamoudi haetamoudi merged commit 66cc667 into elastic:main May 13, 2026
10 checks passed
@elastic-vault-github-plugin-prod

Package cisco_ise - 1.32.4 containing this change is available at https://epr.elastic.co/package/cisco_ise/1.32.4/
