What Changed
Version bump from 0.1.0 to 0.1.1 for both the ASimAuthentication and vimAuthentication Cisco ISE Administrator parsers, with critical field mapping corrections.
Parser Impact
Field mapping corrections resolve significant data fidelity gaps in the ASIM Authentication schema normalization:
- IP address mapping fix: HostIP now correctly maps to TargetIpAddr (ISE server) and AdminIPAddress maps to SrcIpAddr (admin client) — previous mapping was reversed
- EventSeverity enhancement: Added proper severity mapping via _ASIM_LookupSyslogSeverityLevel(EventOriginalSeverity) — replaces hardcoded “Informational” value
- User alias mapping: Added User field mapped to TargetUsername for improved query compatibility
- Filtering optimization: Moved srcipaddr_has_any_prefix filtering to apply against AdminIPAddress after parsing — improves query performance and accuracy
Additional improvements in the filtering parser (vim):
- Corrected filter target: srcipaddr_has_any_prefix now filters against AdminIPAddress instead of HostIP — matches corrected field semantics
Security Impact (Visibility & Fidelity)
These are critical data fidelity fixes affecting network forensics capability. Deployments using the previous parser version had:
- Reversed IP semantics: SrcIpAddr contained the ISE server IP instead of the admin source IP, so network correlation queries returned incorrect results
- Missing severity context: EventSeverity was always “Informational” regardless of actual log severity — severity-based alerting was ineffective
- Incomplete field coverage: Missing User alias reduced query compatibility with detection rules expecting normalized user fields
The parser normalizes Cisco ISE Administrator-Login events from the Syslog table into the ASIM Authentication schema, covering ISE administrative console authentication events.
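The following query is an added illustration, not the project's parser code. It models the 0.1.0 and 0.1.1 mappings side by side on constructed rows to show how a source-prefix filter behaves under each. It assumes the filter is evaluated with has_any_ipv4_prefix; the names ParsedEvents, v010, v011 and ParserVersion, and all sample values, are made up for the example.

```kql
// Constructed sample: fields as they would look after extraction from two
// ISE Administrator-Login messages. Addresses come from documentation ranges;
// 192.0.2.10 stands in for the ISE node (HostIP).
let ParsedEvents = datatable(HostIP:string, AdminIPAddress:string, TargetUsername:string)
[
    "192.0.2.10", "203.0.113.25", "admin-a",
    "192.0.2.10", "198.51.100.7", "admin-b"
];
// The caller asks for admin logins originating from 203.0.113.x only.
let srcipaddr_has_any_prefix = dynamic(["203.0.113."]);
// 0.1.0 as the changelog describes it: the filter tests HostIP, and HostIP
// lands in SrcIpAddr (reversed mapping).
let v010 = ParsedEvents
    | where array_length(srcipaddr_has_any_prefix) == 0
        or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)
    | project ParserVersion = "0.1.0",
              SrcIpAddr = HostIP,
              TargetIpAddr = AdminIPAddress,
              TargetUsername;
// 0.1.1: the filter tests AdminIPAddress, AdminIPAddress lands in SrcIpAddr,
// HostIP lands in TargetIpAddr, and User is an alias of TargetUsername.
let v011 = ParsedEvents
    | where array_length(srcipaddr_has_any_prefix) == 0
        or has_any_ipv4_prefix(AdminIPAddress, srcipaddr_has_any_prefix)
    | project ParserVersion = "0.1.1",
              SrcIpAddr = AdminIPAddress,
              TargetIpAddr = HostIP,
              TargetUsername,
              User = TargetUsername;
// Compare what each version hands to a detection rule for the same filter.
union v010, v011
| project ParserVersion, SrcIpAddr, TargetIpAddr, TargetUsername, User
```

Under the 0.1.0 model the filter is tested against the ISE node address, so the admin-a login from 203.0.113.25 is dropped; under the 0.1.1 model it is returned with the admin client in SrcIpAddr.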
Affected Files
Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISEAdministrator/ASimAuthenticationCiscoISEAdministrator.json
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISEAdministrator/vimAuthenticationCiscoISEAdministrator.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCiscoISEAdministrator.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCiscoISEAdministrator.md
Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoISEAdministrator.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoISEAdministrator.yaml