What Changed

Added new ASIM Authentication parsers for Cisco ISE administrator login events:

  • ASimAuthenticationCiscoISEAdministrator (unifying parser)
  • vimAuthenticationCiscoISEAdministrator (filtering parser)

Both parsers normalize Cisco ISE administrator authentication logs ingested via Syslog by AMA to the ASIM Authentication schema v0.1.4.

Parser Impact

The parsers target Cisco ISE Administrative and Operational Audit logs, filtering specifically for “Administrator-Login” events. Key normalized fields include:

  • EventResult based on presence of AdminName (Success/Failure)
  • EventResultDetails for failure cases (Incorrect password, No such user, Other)
  • TargetUsername, SrcIpAddr, and SrcDvcId from syslog components
  • TargetPortNumber and AdminInterface from parsed key-value pairs

Parser integration adds ISE administrator authentication visibility to existing ASIM Authentication queries and detection content that reference the imAuthentication or ASimAuthentication functions.

Detection Surface Unlocked

Enables monitoring of privileged network device access patterns, failed administrator authentication attempts, and suspicious login behaviors on Cisco ISE infrastructure. Supports correlation with other ASIM-normalized authentication events for cross-system privilege escalation detection.
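As an added example (not part of this PR's content), the following query shows the kind of detection the normalized fields support: repeated failed ISE administrator logins from one source address, flagged when a successful login from the same address follows. It assumes the parser is deployed as a workspace function under the name given above; the one-hour window and the threshold of 5 are illustrative values.

```kql
// Added example: thresholds and lookback are assumed values, tune per environment.
let lookback = 1h;
let failure_threshold = 5;
// Read the parser once and reuse the result for both failures and successes.
let iseAdminAuth = materialize(
    ASimAuthenticationCiscoISEAdministrator
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, EventResult, EventResultDetails, TargetUsername, SrcIpAddr
);
iseAdminAuth
| where EventResult == "Failure"
| summarize
    FailedLogons   = count(),
    FailureReasons = make_set(EventResultDetails, 10),  // Incorrect password / No such user / Other
    LastFailure    = max(TimeGenerated)
    by SrcIpAddr
| where FailedLogons >= failure_threshold
// Attach any successful administrator login from the same source address.
| join kind=leftouter (
    iseAdminAuth
    | where EventResult == "Success"
    | summarize
        LastSuccess  = max(TimeGenerated),
        SuccessUsers = make_set(TargetUsername, 10)
        by SrcIpAddr
  ) on SrcIpAddr
// A success that follows the failures is the higher-priority case for triage.
| extend SuccessAfterFailures = isnotnull(LastSuccess) and LastSuccess > LastFailure
| project SrcIpAddr, FailedLogons, FailureReasons, LastFailure,
          LastSuccess, SuccessUsers, SuccessAfterFailures
| order by SuccessAfterFailures desc, FailedLogons desc
```

Replacing the source-specific function with the unifying ASimAuthentication function extends the same logic to every other ASIM-normalized authentication source.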

Affected Files

Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISEAdministrator/ASimAuthenticationCiscoISEAdministrator.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISEAdministrator/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISEAdministrator/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISEAdministrator/vimAuthenticationCiscoISEAdministrator.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCiscoISEAdministrator.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCiscoISEAdministrator.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoISE.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoISEAdministrator.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoISE.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoISEAdministrator.yaml