What Changed

Both the ASimAuthenticationCiscoISE and vimAuthenticationCiscoISE ASIM parsers received a regex fix for the parse kind = regex statement used to extract EventOriginalType from Cisco ISE syslog messages.

Parser Impact

  • Schema: ASIM Authentication (v0.1.4)
  • Data source table: Syslog (filtered on ProcessName has_any (CISE, CSCO))
  • Change type: Logic fix - filter/extraction logic changed

The old pattern assumed syslog messages always begin with a 10-digit event sequence number followed by a single whitespace before EventOriginalType. Cisco ISE can emit an extended format that inserts additional fields (sequence counters, a full timestamp with timezone offset, and a second 10-digit ID) between the leading sequence number and the event message ID.

For any ISE node emitting the extended format, the old regex failed to match, leaving EventOriginalType as an empty string. Because the parser immediately filters on where EventOriginalType in (EventOriginalTypeList), all such rows were silently dropped, so no authentication events were normalised for those log lines.

Impact scope: Deployments where Cisco ISE emits the extended syslog prefix format have had a complete normalisation failure for those messages since parser installation. The EventOriginalType-based lookup (which drives EventType, EventResult, EventSeverity, and EventResultDetails) was never populated for affected rows.

The fix anchors the regex at the start of the string, handles variable whitespace, and wraps the extended-format prefix fields in an optional non-capturing group - making both parsers resilient to both syslog format variants without breaking existing deployments.

No normalised field names changed - existing detections referencing other ASIM Authentication fields are unaffected. The fix only closes the extraction gap for EventOriginalType and all fields derived from it.
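The failure mode and the fix can be reproduced offline as a regression check. This is an added example, not the parsers' own KQL: the two patterns are hypothetical Python models of the old and fixed behaviour described above, and the syslog lines and the EVENT_ORIGINAL_TYPE_LIST values are constructed samples.

```python
import re

# Hypothetical model of the old behaviour: 10-digit sequence number,
# exactly one whitespace character, then the event message ID.
OLD = re.compile(r"\d{10}\s(?P<type>\d{4,5})\s")

# Hypothetical model of the fix: anchored, variable whitespace, and the
# extended-format prefix wrapped in an optional non-capturing group.
EXT_PREFIX = (
    r"(?:\d+\s+\d+\s+"                           # sequence counters
    r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d+"  # full timestamp
    r"\s+[+-]\d{2}:\d{2}\s+"                     # timezone offset
    r"\d{10}\s+)?"                               # second 10-digit ID
)
NEW = re.compile(r"^\d{10}\s+" + EXT_PREFIX + r"(?P<type>\d{4,5})\s")

# Constructed stand-in for the parser's EventOriginalTypeList lookup keys.
EVENT_ORIGINAL_TYPE_LIST = {"5200", "5400"}

# Constructed sample messages: short format, extended format, and a
# short-format line with two spaces after the sequence number.
SAMPLES = [
    "0000000101 5200 NOTICE Passed-Authentication: Authentication succeeded",
    "0000000102 1 0 2024-03-05 09:14:22.481 +00:00 0000004711 5400 NOTICE "
    "Failed-Attempt: Authentication failed",
    "0000000103  5200 NOTICE Passed-Authentication: Authentication succeeded",
]

def extract(pattern, message):
    """Return the extracted EventOriginalType, or '' when there is no match."""
    m = pattern.match(message)
    return m.group("type") if m else ""

def normalise(pattern, messages):
    """Extraction followed by the 'in (EventOriginalTypeList)' filter."""
    rows = [(extract(pattern, msg), msg) for msg in messages]
    return [row for row in rows if row[0] in EVENT_ORIGINAL_TYPE_LIST]

def dropped(pattern, messages):
    """Messages that the filter silently discards for a given pattern."""
    return [m for m in messages
            if extract(pattern, m) not in EVENT_ORIGINAL_TYPE_LIST]

if __name__ == "__main__":
    for name, pat in (("old", OLD), ("new", NEW)):
        print(name, "kept:", len(normalise(pat, SAMPLES)),
              "dropped:", len(dropped(pat, SAMPLES)))
```

Running the same comparison against a sample of real Syslog rows from each ISE node shows which nodes emit the extended prefix and were therefore missing from normalised authentication data.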

Affected Files

Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCiscoISE.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCiscoISE.md
Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoISE.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoISE.yaml