Refactor cisco_ise integration

[Bernhard-Fluehmann]

• No kv parsing to root level anymore (user log_details_object flattened field instead
• More sophisticated parsing of av-pairs
• Enhanced error handling
• Bug-fixes

What does this PR do?

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[cla-checker-service]

💚 CLA has been signed

[Bernhard-Fluehmann]

@efd6 Next try. Now with changed author email address. CLA check still failing. What's the problem now?

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-11-18T08:04:34.017+0000

• Duration: 16 min 15 sec

Test stats 🧪

Test	Results
Failed	0
Passed	90
Skipped	0
Total	90

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[efd6]

@Bernhard-Fluehmann Are you able to jump onto the community slack to work through this? Alternatively, can you post the commit details for the change, output from git log fix_cisco_ise~1..fix_cisco_ise should be enough (GitHub unfortunately doesn't make this available through the UI and I can't look at your branch until the CLA checker is happy).

[Bernhard-Fluehmann]

@efd6 Now?

[efd6]

Yay! That is working. Thanks for being patient and persistent.

[efd6]

/test

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (17/17)	💚 2.534
Classes	100.0% (17/17)	💚 2.534
Methods	100.0% (179/179)	💚 9.134
Lines	98.792% (3845/3892)	👍 7.086
Conditionals	100.0% (0/0)	💚

[efd6]

I like this, the processing is a lot cleaner. I have some suggestions for improvement.

Please re-run elastic-package test -g; some of the pipline test expectations are not correctly formatted.

Also, this will need to have a changelog entry in changelog.yml and a version bump in manifest.yml. Since this includes enhancements, it should be bumped to "1.3.0".

[efd6]

Please delete this.

[efd6]

This should not be needed since it is only being used temporarily.

[efd6]

If cisco_ise.log.log_details is being deleted as it now is, this does not need to be in the fields definitions.

I think though that it would be better to leave it here and change it to a flattened and rename the current cisco_ise.log.log_details_object to cisco_ise.log.log_details in the pipeline sources and this field to cisco_ise.log.log_details_raw as the temporary string to work from. Then if there are any fields that come up in new versions those fields will become clearly visible in this object since they won't have been deleted in the sub-pipelines.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[Bernhard-Fluehmann]

@efd6 Recommended changes implemented. Please review

[efd6]

/test

[efd6]

The README.md will need to be regenerated to incorporate the new sample_event.json. Please run elastic-package build.

[Bernhard-Fluehmann]

@efd6 Done

[efd6]

/test

[efd6]

Thanks

[Bernhard-Fluehmann]

@efd6 Thanks for your fast response and assistance.