
[cisco_ise] Fix sub pipeline ecs mapping problems and improve mappings for other types#18903

Open
vinit-chauhan wants to merge 3 commits into elastic:main from vinit-chauhan:fix-18253-sub-pipeline-ecs-mapping-problem

Conversation

@vinit-chauhan (Contributor)

Proposed commit message

[cisco_ise] Fix missing ECS event categorisation for CISE_Failed_Attempts (5401–5452) and CISE_Passed_Authentications (5201–5241) message codes.

  • Populate event.category, event.type, and event.outcome for previously-uncategorised codes in both pipeline_failed_attempts.yml and pipeline_passed_authentications.yml.
  • Set event.outcome=failure unconditionally for all CISE_Failed_Attempts events.
  • Fix ECS allowed-values violations: event.type=denied is invalid under event.category=authentication (codes 5434, 5449, 5451 moved to end/info); event.type=change is invalid under event.category=network (code 5205 moved to info).
  • Add pipeline test fixtures covering every newly mapped code.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices (N/A — no dashboard changes)

Author's Checklist

  • Confirm event.category / event.type combinations are valid per the ECS allowed-values matrix for every newly mapped code.
  • Confirm event.outcome=failure is now set for every event handled by pipeline_failed_attempts.yml, regardless of message code.
  • Confirm pipeline tests pass for both sub-pipelines (elastic-package test pipeline for the log data stream).
  • Confirm no regression in the previously-mapped codes (5200, 5231, 5233, 5239, 5400, 5405, 5411, 5418, 5435, 5440).

How to test this PR locally

cd packages/cisco_ise

# Run the pipeline tests for the log data stream — exercises both
# pipeline_failed_attempts.yml and pipeline_passed_authentications.yml
elastic-package test pipeline --data-streams log -v

# Optionally, run the full system tests
elastic-package test -v

To spot-check specific codes manually, look at:

  • data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log (and its -expected.json) — covers codes 5400, 5401, 5402, 5403, 5405, 5406, 5407, 5408, 5409, 5410, 5411, 5412, 5413, 5414, 5415, 5416, 5417, 5418, 5419, 5420, 5421, 5422, 5423, 5434, 5435, 5436, 5437, 5438, 5439, 5440, 5441, 5442, 5443, 5448, 5449, 5450, 5451, 5452.
  • data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log (and its -expected.json) — covers codes 5200, 5201, 5202, 5203, 5204, 5205, 5206, 5231, 5232, 5233, 5234, 5235, 5236, 5237, 5238, 5239, 5240, 5241.

For each event, verify event.category, event.type, and event.outcome are set as described in the proposed commit message.

Related issues

Screenshots
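A small validator for the two items in the Author's Checklist above: that every event.category / event.type pair in a pipeline fixture is permitted by the ECS allowed-values matrix (the rule that made event.type=denied invalid under authentication and event.type=change invalid under network), and that every CISE_Failed_Attempts document carries event.outcome=failure. This is an added example, not code from the PR or from the elastic/integrations repository. The allowed-values table is a hand-transcribed subset of ECS for four categories; the fixture excerpts are constructed for illustration; and the assumption that the message code is stored in event.code is mine.

```python
"""Validate ECS event.category / event.type / event.outcome in elastic-package
pipeline test fixtures (the *-expected.json files) for the cisco_ise log data stream."""
import json
from typing import Dict, List, Optional, Set

# Subset of the ECS allowed-values matrix, hand-transcribed from the ECS
# event.type reference for the categories these pipelines emit.
# Any category not listed here is reported so the table can be extended.
ECS_ALLOWED_TYPES: Dict[str, Set[str]] = {
    "authentication": {"start", "end", "info"},
    "network": {"access", "allowed", "connection", "denied",
                "end", "info", "protocol", "start"},
    "iam": {"admin", "change", "creation", "deletion", "group", "info", "user"},
    "session": {"start", "end", "info"},
}


def _as_list(value) -> list:
    """ECS category/type are arrays, but fixtures sometimes carry scalars."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_event(doc: dict, require_outcome: Optional[str] = None) -> List[str]:
    """Return human-readable problems for one pipeline output document.

    The message code is assumed to live in event.code (an assumption about the
    fixture layout; adjust the lookup if the integration stores it elsewhere).
    """
    event = doc.get("event", {})
    code = event.get("code", "<no code>")
    cats = _as_list(event.get("category"))
    types = _as_list(event.get("type"))
    problems: List[str] = []

    if not cats:
        problems.append(f"{code}: event.category is missing")
    if not types:
        problems.append(f"{code}: event.type is missing")

    known = [c for c in cats if c in ECS_ALLOWED_TYPES]
    for cat in cats:
        if cat not in ECS_ALLOWED_TYPES:
            problems.append(f"{code}: event.category={cat} not in local table")
    # A type value is accepted if at least one of the document's categories
    # allows it; for single-category events (every case in this PR) that is
    # exactly the ECS rule.
    if known:
        for t in types:
            if not any(t in ECS_ALLOWED_TYPES[c] for c in known):
                problems.append(
                    f"{code}: event.type={t} not allowed under event.category={known}")

    if require_outcome is not None and event.get("outcome") != require_outcome:
        problems.append(
            f"{code}: event.outcome={event.get('outcome')!r}, expected {require_outcome!r}")
    return problems


def check_fixture(expected_json: str, require_outcome: Optional[str] = None) -> List[str]:
    """Run check_event over every document in an elastic-package *-expected.json blob."""
    docs = json.loads(expected_json).get("expected", [])
    problems: List[str] = []
    for doc in docs:
        problems.extend(check_event(doc, require_outcome))
    return problems


# Constructed fixture excerpts (not the repository's real files) showing the
# two violations named in the PR, before and after the fix.
FAILED_BEFORE = json.dumps({"expected": [
    {"event": {"code": "5434", "category": ["authentication"], "type": ["denied"], "outcome": "failure"}},
    {"event": {"code": "5449", "category": ["authentication"], "type": ["denied"]}},
]})
FAILED_AFTER = json.dumps({"expected": [
    {"event": {"code": "5434", "category": ["authentication"], "type": ["end"], "outcome": "failure"}},
    {"event": {"code": "5449", "category": ["authentication"], "type": ["end"], "outcome": "failure"}},
]})
PASSED_BEFORE = json.dumps({"expected": [
    {"event": {"code": "5205", "category": ["network"], "type": ["change"]}},
]})
PASSED_AFTER = json.dumps({"expected": [
    {"event": {"code": "5205", "category": ["network"], "type": ["info"]}},
]})

if __name__ == "__main__":
    for name, blob, outcome in [("failed/before", FAILED_BEFORE, "failure"),
                                ("failed/after", FAILED_AFTER, "failure"),
                                ("passed/before", PASSED_BEFORE, None),
                                ("passed/after", PASSED_AFTER, None)]:
        found = check_fixture(blob, outcome)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

To run it against the real fixtures, read data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts-expected.json into check_fixture with require_outcome="failure", and the passed-authentications file with no outcome requirement; an empty list means the checklist items hold for every code in the file.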

vinit-chauhan and others added 2 commits May 7, 2026 15:37
…come for CISE_Failed_Attempts 5401-5452 and CISE_Passed_Authentications 5201-5241

- Add event.category, event.type, and event.outcome mappings for
  CISE_Failed_Attempts codes 5401-5452 and CISE_Passed_Authentications
  codes 5201-5241 that previously had no ECS categorisation.
- Set event.outcome=failure unconditionally on all CISE_Failed_Attempts
  events, regardless of message code.
- Fix ECS violations: event.type=denied is not valid under
  event.category=authentication (codes 5434, 5449, 5451 → changed to
  event.type=end); event.type=change is not valid under
  event.category=network (code 5205 → changed to event.type=info).
- Add pipeline test fixtures (sample logs + regenerated expected JSON)
  for every newly mapped message code.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vinit-chauhan vinit-chauhan self-assigned this May 8, 2026
@vinit-chauhan vinit-chauhan requested a review from a team as a code owner May 8, 2026 19:38
@vinit-chauhan vinit-chauhan added enhancement New feature or request Integration:cisco_ise Cisco ISE Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels May 8, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/integration-experience (Team:Integration-Experience)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

cc @vinit-chauhan


Development

Successfully merging this pull request may close these issues.

[cisco.ise]: Pipeline failed to set event.category
