From c55e51d9c8cdc64e4e10ca9c176894a74855d5a4 Mon Sep 17 00:00:00 2001 
From: Aleksandr Maus Date: Wed, 13 Nov 2024 09:27:07 -0500 Subject: [PATCH] [cisco_ise] Fix multiple pipeline processing issues (#11619) * Fix multiple pipeline processing issues --- packages/cisco_ise/changelog.yml | 5 + ...st-pipeline-ad-connector.log-expected.json | 2 +- ...e-administrative-and-operational-audit.log | 1 + ...ve-and-operational-audit.log-expected.json | 92 +++- ...ication-flow-diagnostics.log-expected.json | 2 +- ...test-pipeline-cise-alarm.log-expected.json | 2 +- ...pipeline-failed-attempts.log-expected.json | 2 +- .../test-pipeline-guest.log-expected.json | 2 +- ...ntity-stores-diagnostics.log-expected.json | 2 +- ...l-operations-diagnostics.log-expected.json | 2 +- ...t-pipeline-monitoring-data-purge-audit.log | 1 + ...itoring-data-purge-audit.log-expected.json | 49 ++ ...test-pipeline-my-devices.log-expected.json | 2 +- .../test-pipeline-passed-authentications.log | 1 + ...e-passed-authentications.log-expected.json | 438 +++++++++++++++++- ...eline-policy-diagnostics.log-expected.json | 2 +- ...lient-provisioning-audit.log-expected.json | 2 +- ...-pipeline-radius-accounting-identifier.log | 1 + ...us-accounting-identifier.log-expected.json | 184 ++++++++ ...peline-radius-accounting.log-expected.json | 2 +- ...eline-radius-diagnostics.log-expected.json | 2 +- ...peline-system-statistics.log-expected.json | 2 +- ...peline-tacacs-accounting.log-expected.json | 2 +- ...eline-threat-centric-nac.log-expected.json | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 6 +- ...e_administrative_and_operational_audit.yml | 8 +- .../pipeline_monitoring_data_purge_audit.yml | 80 ++++ .../pipeline_passed_authentications.yml | 25 +- .../data_stream/log/fields/fields.yml | 14 +- packages/cisco_ise/docs/README.md | 6 +- packages/cisco_ise/manifest.yml | 2 +- 31 files changed, 890 insertions(+), 53 deletions(-) create mode 100644 packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log create mode 100644 
packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log-expected.json
create mode 100644 packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting-identifier.log
create mode 100644 packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting-identifier.log-expected.json
create mode 100644 packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_monitoring_data_purge_audit.yml
diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index 45cff6d55fe..ed3b1078684 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.24.1"
+ changes:
+ - description: Fix multiple pipeline processing issues.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11619
 - version: "1.24.0"
 changes:
 - description: Improve ECS mappings by setting client.mac and event.outcome.
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
index f6b9f8dcb66..7a439ea4b9e 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
@@ -854,4 +854,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log
index d3760b1fd1d..335b9a86503 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log @@ -33,3 +33,4 @@ <181>Mar 14 09:43:33 isehost CISE_Administrative_and_Operational_Audit 0000000312 1 0 2022-03-14 09:43:33.233 +00:00 0000000402 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=55, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=object updated: Name=testad1, ObjectType=Active Directory Instance, ObjectName=testad1, Component=UNKNOWN, ObjectInternalID=unknown, <149>Mar 20 12:13:30 isehost CISE_Administrative_and_Operational_Audit 0000002725 1 0 2022-03-20 12:13:30.185 +00:00 0000003033 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=546, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Local Storage Period = 1 days, ObjectType=UPSLogSettings, ObjectName=LocalStore, <181>Mar 29 05:53:36 isehost CISE_Administrative_and_Operational_Audit 0000000931 1 0 2022-03-29 05:53:36.769 +00:00 0000001104 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=258, AdminInterface=GUI, AdminIPAddress=81.2.69.144, AdminName=admin, ObjectType=Active Directory Instance, ObjectName=test123test123test123test123test, Component=Network Access, ObjectInternalID=unknown, +Oct 15 20:00:06 isehost CISE_Administrative_and_Operational_Audit 0000020943 1 0 2024-10-15 20:00:06.564 +00:00 0000047438 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=522, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=ProfilerSession, AdminName=internal-feed-user, ConfigChangeData=CONRAD CORP., ObjectType=OUI, ObjectName=00:01:C8, \ No newline at end of file 
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
index 74a7a9157a1..27a6f22e1ab 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
@@ -2831,6 +2831,96 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-10-15T20:00:06.564Z", + "cisco_ise": { + "log": { + "admin": { + "interface": "GUI", + "session": "ProfilerSession" + }, + "category": { + "name": "CISE_Administrative_and_Operational_Audit" + }, + "config_change": { + "data": "CONRAD CORP." + }, + "config_version": { + "id": 522 + }, + "failure": { + "flag": false + }, + "message": { + "code": "52001", + "description": "Configuration-Changes: Changed configuration", + "id": "0000020943" + }, + "object": { + "name": "00:01:C8", + "type": "OUI" + }, + "request_response": { + "type": "initial" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "client": { + "ip": "81.2.69.143", + "user": { + "name": "internal-feed-user" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "configuration-changes", + "category": [ + "iam", + "configuration" + ], + "code": "52001", + "kind": "event", + "original": "Oct 15 20:00:06 isehost CISE_Administrative_and_Operational_Audit 0000020943 1 0 2024-10-15 20:00:06.564 +00:00 0000047438 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=522, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=ProfilerSession, AdminName=internal-feed-user, ConfigChangeData=CONRAD CORP., ObjectType=OUI, ObjectName=00:01:C8,", + "sequence": 47438, + "timezone": "+00:00", + "type": [ + "change", + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "severity": { + "name": "notice" + } + } + }, + "message": "2024-10-15 20:00:06.564 +00:00 0000047438 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=522, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=ProfilerSession, AdminName=internal-feed-user, ConfigChangeData=CONRAD CORP., ObjectType=OUI, ObjectName=00:01:C8,", + 
"related": {
+ "hosts": [
+ "isehost"
+ ],
+ "ip": [
+ "81.2.69.143"
+ ],
+ "user": [
+ "internal-feed-user"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
index 6a44d991278..3db84c6cba3 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
@@ -1027,4 +1027,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json
index 487b3adb08b..ffea3095a4a 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json
@@ -1044,4 +1044,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
index 4b8c6260101..dea3f3b786e 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
@@ -1238,4 +1238,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
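Review bot: The new expected document parses `FailureFlag=false` into `cisco_ise.log.failure.flag` but carries no `event.outcome`, even though the 1.24.0 changelog entry in this same patch says the pipeline now sets event.outcome. If that mapping is only wired for the authentication categories, deriving it here as well (`event.outcome: success` when the flag is false, `failure` when it is true) would make configuration-change audits searchable by outcome like the rest of the data stream. The administrative-and-operational-audit pipeline that produces this document is modified by the commit but lies outside this chunk, so this is inferred from the expected output alone.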
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
index ca149bc2263..e5d3ff26ed4 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
@@ -351,4 +351,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
index 7afb7e3da11..fb2203698c4 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
@@ -1366,4 +1366,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
index 2e8ff23fa4d..1bd2eb55eea 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
@@ -372,4 +372,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log
new file mode 100644
index 00000000000..7dd4a834388
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log
@@ -0,0 +1 @@
+Oct 16 05:56:08 isehost CISE_MONITORING_DATA_PURGE_AUDIT 2024-10-16 05:00:02.595 +0000 60198 INFO null: MnT purge event occurred, MESSAGE=Total Data threshold_space = 552 GB, used_space = 121.87725830078125 GB,
\ No newline at end of file
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log-expected.json
new file mode 100644
index 00000000000..ce2a263b9f0
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log-expected.json
@@ -0,0 +1,49 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2024-10-16T05:00:02.595Z",
+ "cisco_ise": {
+ "log": {
+ "category": {
+ "name": "CISE_MONITORING_DATA_PURGE_AUDIT"
+ },
+ "log_details": {
+ "MESSAGE": "Total Data threshold_space = 552 GB, used_space = 121.87725830078125 GB"
+ },
+ "message": {
+ "description": "null: MnT purge event occurred"
+ }
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "null",
+ "kind": "event",
+ "original": "Oct 16 05:56:08 isehost CISE_MONITORING_DATA_PURGE_AUDIT 2024-10-16 05:00:02.595 +0000 60198 INFO null: MnT purge event occurred, MESSAGE=Total Data threshold_space = 552 GB, used_space = 121.87725830078125 GB,",
+ "sequence": 60198
+ },
+ "host": {
+ "hostname": "isehost"
+ },
+ "log": {
+ "level": "info",
+ "syslog": {
+ "severity": {
+ "name": "info"
+ }
+ }
+ },
+ "message": "2024-10-16 05:00:02.595 +0000 60198 INFO null: MnT purge event occurred, MESSAGE=Total Data threshold_space = 552 GB, used_space = 121.87725830078125 GB,",
+ "related": {
+ "hosts": [
+ "isehost"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
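Review bot: The expected output pins `"action": "null"` under `event`, which is just the literal token before the colon in `null: MnT purge event occurred`, not an action a detection rule could key on; `event.action` should be dropped or given a fixed value when the parsed prefix is `null`, e.g. a `remove` processor on `event.action` guarded by `if: ctx.event?.action == 'null'`. The new `pipeline_monitoring_data_purge_audit.yml` that produces this document is part of the commit but outside this chunk. The same document also has no `event.timezone` although the message carries `+0000`, whereas the administrative-audit document in this patch sets `event.timezone` from `+00:00`; presumably the colon-less offset form is not matched by the shared timezone handling, which is worth confirming.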
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
index 405a37b23e0..6a6397dfd72 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
@@ -691,4 +691,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log
index d934abbd0de..66125346a52 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log
@@ -7,3 +7,4 @@ <181>Feb 23 21:44:54 cisco-ise-host CISE_Passed_Authentications 0000000028 1 0 2021-02-23 21:44:54.276 +00:00 0000001707 5404 NOTICE Failed-Authentication: TrustSec Data Download Failed, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; }, <181>Feb 23 21:44:54 cisco-ise-host CISE_Passed_Authentications 0000000028 1 0 2021-02-23 21:44:54.276 +00:00 0000001707 5434 NOTICE Failed-Authentication: TrustSec Data Download Failed, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, 
Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; }, <181>Feb 23 21:44:54 cisco-ise-host CISE_Passed_Authentications 0000000028 1 0 2021-02-23 21:44:54.276 +00:00 0000001707 5413 NOTICE Failed-Authentication: TrustSec Data Download Failed, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, 
cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; }, +Oct 16 18:59:53 dc1soezptac002 CISE_Passed_Authentications 0000289699 1 0 2024-10-16 18:59:53.062 +00:00 0007550091 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=71, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.145, DestinationPort=1812, UserName=todd34.foo.com, Protocol=Radius, NetworkDeviceName=sdsdssd.goo.com, User-Name=adfggg$@Meme.com, NAS-IP-Address=81.2.69.144, NAS-Port=50134, Service-Type=Framed, Framed-MTU=1468, State=37CPMSessionID=CB7D4E0A00000FE896B0CB97\\;41SessionID=dc1soezptac002/518158123/282648\\;, Called-Station-ID=AC-7A-56-53-A1-12, Calling-Station-ID=9C-EB-E8-F6-53-22, NAS-Port-Type=Ethernet, NAS-Port-Id=TwoGigabitEthernet1/0/32, EAP-Key-Name=, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=CB7D4E0A00000FE896B0CB97, cisco-av-pair=method=dot1x, cisco-av-pair=client-iif-id=483760223, cisco-av-pair=dc-profile-name=Un-Classified Device, 
cisco-av-pair=dc-device-name=Unknown Device, cisco-av-pair=dc-device-class-tag=Un-Classified Device, cisco-av-pair=dc-certainty-metric=0, cisco-av-pair=64:63:2d:6f:70:61:71:75:65:3d:04:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1, cisco-nas-port=TwoGigabitEthernet1/0/32, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf323, IsThirdPartyDeviceFlow=false, RadiusFlowType=Wired802_1x, SSID=AC-7A-56-53-33-20, AcsSessionID=ssde4zptac002/518158123/282648, AuthenticationMethod=x509_PKI, SelectedAccessService=DISNEY_D1X_AUTHC_PROTOCOLS, SelectedAuthorizationProfiles=SAP_AUTHZ_D1X_VGT_WORKSTATION_QNT, RequestLatency=1859, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12502, Step=61025, Step=12800, Step=12805, Step=12806, Step=12807, Step=12808, Step=12809, Step=12810, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12810, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12803, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=15041, Step=15048, Step=15048, Step=15048, Step=22072, Step=22070, Step=22037, Step=12506, Step=61026, Step=24715, Step=15036, 
Step=24209, Step=24211, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=15016, Step=11022, Step=22081, Step=22080, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=SAP_AUTHC_D1X_CERT_PROFILE, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, NetworkDeviceGroups=Location#All Locations#PA Campus#2 West Liberty, NetworkDeviceGroups=Device Type#All Device Types#Switches#CAT9300, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=SAP_AUTHC_D1X_WORKSTATIONS, AuthorizationPolicyMatchedRule=SAP_AUTHZ_D1X_VGT_AMER_WORKSTATION_QNT, EapAuthentication=EAP-TLS, Serial Number=50 00 00 48 B2 40 C5 16 26 06 F1 2E 47 00 00 00 00 48 B2, Subject - Common Name=nope.west.com, Subject Alternative Name=557234$@Aaard.com, CPMSessionID=CB7D4E0A00000FE896B0CB97, EndPointMACAddress=9C-EB-E8-F6-11-87, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Microsoft-Workstation, ISEPolicySetName=SAP_AUTH_D1X_QUARANTINE, IdentitySelectionMatchedRule=SAP_AUTHC_D1X_WORKSTATIONS, 
StepLatency=1=0\\;2=0\\;3=0\\;4=1\\;5=0\\;6=0\\;7=0\\;8=1\\;9=0\\;10=24\\;11=0\\;12=0\\;13=0\\;14=1\\;15=0\\;16=0\\;17=0\\;18=27\\;19=0\\;20=0\\;21=0\\;22=0\\;23=16\\;24=0\\;25=0\\;26=0\\;27=0\\;28=16\\;29=0\\;30=1\\;31=0\\;32=0\\;33=15\\;34=0\\;35=1\\;36=0\\;37=0\\;38=16\\;39=0\\;40=0\\;41=0\\;42=1\\;43=16\\;44=0\\;45=1\\;46=0\\;47=0\\;48=16\\;49=0\\;50=1\\;51=0\\;52=0\\;53=43\\;54=0\\;55=0\\;56=0\\;57=0\\;58=17\\;59=0\\;60=0\\;61=0\\;62=0\\;63=19\\;64=0\\;65=1\\;66=0\\;67=0\\;68=16\\;69=0\\;70=0\\;71=0\\;72=0\\;73=16\\;74=0\\;75=0\\;76=0\\;77=1\\;78=0\\;79=0\\;80=4\\;81=0\\;82=0\\;83=0\\;84=0\\;85=0\\;86=0\\;87=0\\;88=0\\;89=0\\;90=16\\;91=0\\;92=1\\;93=0\\;94=0\\;95=1\\;96=0\\;97=0\\;98=0\\;99=0\\;100=0\\;101=0\\;102=1\\;103=0\\;104=1\\;105=1\\;106=0\\;112=697\\;118=584\\;124=527\\;125=0\\;126=0\\;127=0\\;128=0\\;129=0\\;130=1, MFCInfoHardwareManufacturer=BuzLink (Kunshan) Co.\\,Ltd, MFCInfoOperatingSystem=Windows, MFCInfoEndpointType=Workstation, StepData=4= Normalised Radius.RadiusFlowType, StepData=5= DEVICE.Quarantine_Status, StepData=77=certificate for sdfgf.fghghr.com, StepData=78=certificate for PCAS205, StepData=94= CERTIFICATE.Issuer - Common Name, StepData=95= DEVICE.Location, StepData=96= Network Access.AuthenticationMethod, StepData=97=SAP_AUTHC_D1X_LDAP_AMER_MACHINE, StepData=106= CERTIFICATE.Subject Alternative Name, StepData=0=APAC_Active_Directory_Machine, StepData=1=APAC_Active_Directory_Machine, StepData=2=APAC_Active_Directory_Machine, StepData=3=APAC_Active_Directory_Machine, StepData=4=APAC_Active_Directory_Machine, StepData=112= APAC_Active_Directory_Machine.primaryGroupID, StepData=0=EMEA_Active_Directory_Machine, StepData=1=EMEA_Active_Directory_Machine, StepData=2=EMEA_Active_Directory_Machine, StepData=3=EMEA_Active_Directory_Machine, StepData=4=EMEA_Active_Directory_Machine, StepData=118= EMEA_Active_Directory_Machine.primaryGroupID, StepData=0=AMER_Active_Directory_Machine, StepData=1=AMER_Active_Directory_Machine, 
StepData=2=AMER_Active_Directory_Machine, StepData=3=AMER_Active_Directory_Machine, StepData=4=AMER_Active_Directory_Machine, StepData=124= AMER_Active_Directory_Machine.primaryGroupID, TotalAuthenLatency=2102, ClientLatency=243, allowEasyWiredSession=false, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2, DTLSSupport=Unknown, Subject=CN=we2334.foo.com, Subject Alternative Name - Other Name=234234$@Lard.com, Issuer=CN=OPSC205\\,DC=Lard\\,DC=com, Issuer - Common Name=OPSC205, Issuer - Domain Component=Lard, Issuer - Domain Component=com, Key Usage=0, Key Usage=2, Extended Key Usage - Name=130, Extended Key Usage - Name=129, Extended Key Usage - OID=1.3.6.1.5.5.7.3.2, Extended Key Usage - OID=1.3.6.1.5.5.7.3.1, Template Name=1.3.6.1.4.1.311.21.8.2481306.4190156.10634155.14203719.11861591.212.12390149.10934311, Days to Expiry=314, Issuer - Fingerprint SHA-256=8e82ca7124c758a29224328de52d25fedfcfa36cf09b0b69b3801ca1b5483892, AKI=d6:70:a6:83:9e:f2:87:e6:cd:d3:ac:a9:01:65:f0:ac:29:0b:cf:84, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, primaryGroupID=515, Untrust_Status=Untrust_Status#Untrust_Status, Quarantine_Status=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, Network Device Profile=Cisco, Location=Location#All Locations#PA Campus#2 West Liberty, Device Type=Device Type#All Device Types#Switches#CAT9300, IPSEC=IPSEC#Is IPSEC Device#No, Response={User-Name=2234344.doom.com; Class=CACS:CB7D4E0A00000FE896B0CB97:dc1soezptac002/518158123/282648; Tunnel-Type=(tag=1) VLAN; Tunnel-Medium-Type=(tag=1) 802; Tunnel-Private-Group-ID=(tag=1) VSD; EAP-Key-Name=0d:ec:f7:a8:73:ff:4d:07:46:92:1e:fe:51:7b:22:7f:21:b4:50:a2:df:e6:32:e5:7c:b5:6f:fa:ba:3f:82:91:8e:cc:cd:52:89:a4:83:0a:19:bf:32:c2:80:dd:a0:78:3f:0d:d8:ae:1f:a5:6b:e6:0f:5c:ee:a3:34:02:4d:ba:e7; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL_D_IN_WORKSTATION-61fb29bf; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, 
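Review bot: The added sample line is only partially anonymized: IP addresses and domains were replaced, but the `Issuer - Fingerprint SHA-256`, `AKI`, `Serial Number` and `Template Name` values and the `DISNEY_*`/`SAP_*` policy names appear to be left as captured, and the MAC in `Calling-Station-ID` (`9C-EB-E8-F6-53-22`) no longer matches `EndPointMACAddress` (`9C-EB-E8-F6-11-87`), which presumably were identical in the source event. Scrubbing these consistently keeps real device identifiers out of the repository and lets the fixture exercise the `client.mac` mapping the way a real event would. The `\\;` and `\\,` sequences (in `State=`, `StepLatency=`, `Issuer=`) also look double-escaped compared with a raw syslog capture and are carried unchanged into the expected `log_details` values; confirm against a live capture before pinning them in the expected output.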
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
index cd65cf6100c..24a48d5ea87 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
@@ -1154,6 +1154,442 @@ "#CTSREQUEST#" ] } + }, + { + "@timestamp": "2024-10-16T18:59:53.062Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "ssde4zptac002/518158123/282648" + } + }, + "allow": { + "easy": { + "wired": { + "session": "false" + } + } + }, + "auth": { + "policy": { + "matched": { + "rule": "SAP_AUTHZ_D1X_VGT_AMER_WORKSTATION_QNT" + } + } + }, + "authentication": { + "method": "x509_PKI", + "status": "AuthenticationPassed" + }, + "calling_station": { + "id": "9C-EB-E8-F6-53-22" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "cisco_av_pair": { + "audit-session-id": "CB7D4E0A00000FE896B0CB97", + "client-iif-id": "483760223", + "cts-pac-opaque": "****", + "dc-certainty-metric": "0", + "dc-device-class-tag": "Un-Classified Device", + "dc-device-name": "Unknown Device", + "dc-profile-name": "Un-Classified Device", + "dc-protocol-map": "1", + "method": "dot1x", + "service-type": "Framed" + }, + "client": { + "latency": 243 + }, + "config_version": { + "id": 71 + }, + "cpm": { + "session": { + "id": "CB7D4E0A00000FE896B0CB97" + } + }, + "device": { + "type": "Device Type#All Device Types#Switches#CAT9300" + }, + "dtls_support": "Unknown", + "endpoint": { + "mac": { + "address": "9C-EB-E8-F6-11-87" + } + }, + "identity": { + "group": "Endpoint Identity Groups:Profiled:Workstation", + "policy": { + "matched": { + "rule": "SAP_AUTHC_D1X_WORKSTATIONS" + } + }, + "selection": { + "matched": { + "rule": "SAP_AUTHC_D1X_WORKSTATIONS" + } + } + }, + "ipsec": "IPSEC#Is IPSEC Device#No", + "is_third_party_device_flow": false, + "ise": { + "policy": { + "set_name": "SAP_AUTH_D1X_QUARANTINE" + } + }, + "location": "Location#All Locations#PA Campus#2 West Liberty", + "log_details": { + "AKI": "d6:70:a6:83:9e:f2:87:e6:cd:d3:ac:a9:01:65:f0:ac:29:0b:cf:84", + "Called-Station-ID": "AC-7A-56-53-A1-12", + "Days to Expiry": "314", + "EapAuthentication": "EAP-TLS", + "EndPointMatchedProfile": "Microsoft-Workstation", + "Extended Key Usage - 
Name": [ + "130", + "129" + ], + "Extended Key Usage - OID": [ + "1.3.6.1.5.5.7.3.2", + "1.3.6.1.5.5.7.3.1" + ], + "Framed-MTU": "1468", + "HostIdentityGroup": "Endpoint Identity Groups:Profiled:Workstation", + "Issuer": "CN=OPSC205\\\\,DC=Lard\\\\,DC=com", + "Issuer - Common Name": "OPSC205", + "Issuer - Domain Component": [ + "Lard", + "com" + ], + "Issuer - Fingerprint SHA-256": "8e82ca7124c758a29224328de52d25fedfcfa36cf09b0b69b3801ca1b5483892", + "Key Usage": [ + "0", + "2" + ], + "MFCInfoEndpointType": "Workstation", + "MFCInfoHardwareManufacturer": "BuzLink (Kunshan) Co.\\\\,Ltd", + "MFCInfoOperatingSystem": "Windows", + "Quarantine_Status": "Quarantine_Status#Quarantine_Status#Quarantine_Enabled", + "SSID": "AC-7A-56-53-33-20", + "Serial Number": "50 00 00 48 B2 40 C5 16 26 06 F1 2E 47 00 00 00 00 48 B2", + "State": "37CPMSessionID=CB7D4E0A00000FE896B0CB97\\\\;41SessionID=dc1soezptac002/518158123/282648\\\\;", + "StepLatency": "1=0\\\\;2=0\\\\;3=0\\\\;4=1\\\\;5=0\\\\;6=0\\\\;7=0\\\\;8=1\\\\;9=0\\\\;10=24\\\\;11=0\\\\;12=0\\\\;13=0\\\\;14=1\\\\;15=0\\\\;16=0\\\\;17=0\\\\;18=27\\\\;19=0\\\\;20=0\\\\;21=0\\\\;22=0\\\\;23=16\\\\;24=0\\\\;25=0\\\\;26=0\\\\;27=0\\\\;28=16\\\\;29=0\\\\;30=1\\\\;31=0\\\\;32=0\\\\;33=15\\\\;34=0\\\\;35=1\\\\;36=0\\\\;37=0\\\\;38=16\\\\;39=0\\\\;40=0\\\\;41=0\\\\;42=1\\\\;43=16\\\\;44=0\\\\;45=1\\\\;46=0\\\\;47=0\\\\;48=16\\\\;49=0\\\\;50=1\\\\;51=0\\\\;52=0\\\\;53=43\\\\;54=0\\\\;55=0\\\\;56=0\\\\;57=0\\\\;58=17\\\\;59=0\\\\;60=0\\\\;61=0\\\\;62=0\\\\;63=19\\\\;64=0\\\\;65=1\\\\;66=0\\\\;67=0\\\\;68=16\\\\;69=0\\\\;70=0\\\\;71=0\\\\;72=0\\\\;73=16\\\\;74=0\\\\;75=0\\\\;76=0\\\\;77=1\\\\;78=0\\\\;79=0\\\\;80=4\\\\;81=0\\\\;82=0\\\\;83=0\\\\;84=0\\\\;85=0\\\\;86=0\\\\;87=0\\\\;88=0\\\\;89=0\\\\;90=16\\\\;91=0\\\\;92=1\\\\;93=0\\\\;94=0\\\\;95=1\\\\;96=0\\\\;97=0\\\\;98=0\\\\;99=0\\\\;100=0\\\\;101=0\\\\;102=1\\\\;103=0\\\\;104=1\\\\;105=1\\\\;106=0\\\\;112=697\\\\;118=584\\\\;124=527\\\\;125=0\\\\;126=0\\\\;127=0\\\\;128=0\\\\;129=0\\\\
;130=1", + "Subject": "CN=we2334.foo.com", + "Subject - Common Name": "nope.west.com", + "Subject Alternative Name": "557234$@Aaard.com", + "Subject Alternative Name - Other Name": "234234$@Lard.com", + "TLSCipher": "ECDHE-RSA-AES256-GCM-SHA384", + "TLSVersion": "TLSv1.2", + "Template Name": "1.3.6.1.4.1.311.21.8.2481306.4190156.10634155.14203719.11861591.212.12390149.10934311", + "Untrust_Status": "Untrust_Status#Untrust_Status", + "cisco-nas-port": "TwoGigabitEthernet1/0/32", + "primaryGroupID": "515" + }, + "message": { + "code": "5200", + "description": "Passed-Authentication: Authentication succeeded", + "id": "0000289699" + }, + "nas": { + "ip": "81.2.69.144", + "port": { + "id": "TwoGigabitEthernet1/0/32", + "number": 50134, + "type": "Ethernet" + } + }, + "network": { + "device": { + "groups": [ + "Quarantine_Status#Quarantine_Status#Quarantine_Enabled", + "Location#All Locations#PA Campus#2 West Liberty", + "Device Type#All Device Types#Switches#CAT9300", + "IPSEC#Is IPSEC Device#No" + ], + "name": "sdsdssd.goo.com", + "profile": "Cisco", + "profile_id": "b0699505-3150-4215-a80e-6753d45bf323", + "profile_name": "Cisco" + } + }, + "posture": { + "assessment": { + "status": "NotApplicable" + } + }, + "radius": { + "flow": { + "type": "Wired802_1x" + } + }, + "request": { + "latency": 1859 + }, + "response": { + "Class": "CACS:CB7D4E0A00000FE896B0CB97:dc1soezptac002/518158123/282648", + "EAP-Key-Name": "0d:ec:f7:a8:73:ff:4d:07:46:92:1e:fe:51:7b:22:7f:21:b4:50:a2:df:e6:32:e5:7c:b5:6f:fa:ba:3f:82:91:8e:cc:cd:52:89:a4:83:0a:19:bf:32:c2:80:dd:a0:78:3f:0d:d8:ae:1f:a5:6b:e6:0f:5c:ee:a3:34:02:4d:ba:e7", + "LicenseTypes": "1", + "MS-MPPE-Recv-Key": "****", + "MS-MPPE-Send-Key": "****", + "Tunnel-Medium-Type": "(tag=1) 802", + "Tunnel-Private-Group-ID": "(tag=1) VSD", + "Tunnel-Type": "(tag=1) VLAN", + "User-Name": "2234344.doom.com", + "cisco-av-pair": "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL_D_IN_WORKSTATION-61fb29bf" + }, + "segment": { + "number": 0, + 
"total": 1 + }, + "selected": { + "access": { + "service": "DISNEY_D1X_AUTHC_PROTOCOLS" + }, + "authentication": { + "identity_stores": "SAP_AUTHC_D1X_CERT_PROFILE" + }, + "authorization": { + "profiles": "SAP_AUTHZ_D1X_VGT_WORKSTATION_QNT" + } + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "15049", + "15008", + "15048", + "15048", + "11507", + "12500", + "12625", + "11006", + "11001", + "11018", + "12502", + "61025", + "12800", + "12805", + "12806", + "12807", + "12808", + "12809", + "12810", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12505", + "11006", + "11001", + "11018", + "12504", + "12810", + "12571", + "12571", + "12811", + "12812", + "12813", + "12803", + "12804", + "12801", + "12802", + "12816", + "12509", + "12505", + "11006", + "11001", + "11018", + "12504", + "15041", + "15048", + "15048", + "15048", + "22072", + "22070", + "22037", + "12506", + "61026", + "24715", + "15036", + "24209", + "24211", + "15048", + "24031", + "24016", + "24028", + "24023", + "24004", + "15048", + "24031", + "24016", + "24028", + "24023", + "24004", + "15048", + "24031", + "24016", + "24028", + "24023", + "24004", + "15048", + "15016", + "11022", + "22081", + "22080", + "11503", + "11002" + ], + "step_data": [ + "4= Normalised Radius.RadiusFlowType", + "5= DEVICE.Quarantine_Status", + "77=certificate for sdfgf.fghghr.com", + "78=certificate for PCAS205", + "94= CERTIFICATE.Issuer - Common Name", + "95= DEVICE.Location", + "96= Network 
Access.AuthenticationMethod", + "97=SAP_AUTHC_D1X_LDAP_AMER_MACHINE", + "106= CERTIFICATE.Subject Alternative Name", + "0=APAC_Active_Directory_Machine", + "1=APAC_Active_Directory_Machine", + "2=APAC_Active_Directory_Machine", + "3=APAC_Active_Directory_Machine", + "4=APAC_Active_Directory_Machine", + "112= APAC_Active_Directory_Machine.primaryGroupID", + "0=EMEA_Active_Directory_Machine", + "1=EMEA_Active_Directory_Machine", + "2=EMEA_Active_Directory_Machine", + "3=EMEA_Active_Directory_Machine", + "4=EMEA_Active_Directory_Machine", + "118= EMEA_Active_Directory_Machine.primaryGroupID", + "0=AMER_Active_Directory_Machine", + "1=AMER_Active_Directory_Machine", + "2=AMER_Active_Directory_Machine", + "3=AMER_Active_Directory_Machine", + "4=AMER_Active_Directory_Machine", + "124= AMER_Active_Directory_Machine.primaryGroupID" + ], + "total": { + "authen": { + "latency": 2102 + } + } + } + }, + "client": { + "ip": "81.2.69.143", + "mac": "9C-EB-E8-F6-11-87" + }, + "destination": { + "ip": "81.2.69.145", + "port": 1812 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "authentication" + ], + "code": "5200", + "kind": "event", + "original": "Oct 16 18:59:53 dc1soezptac002 CISE_Passed_Authentications 0000289699 1 0 2024-10-16 18:59:53.062 +00:00 0007550091 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=71, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.145, DestinationPort=1812, UserName=todd34.foo.com, Protocol=Radius, NetworkDeviceName=sdsdssd.goo.com, User-Name=adfggg$@Meme.com, NAS-IP-Address=81.2.69.144, NAS-Port=50134, Service-Type=Framed, Framed-MTU=1468, State=37CPMSessionID=CB7D4E0A00000FE896B0CB97\\\\;41SessionID=dc1soezptac002/518158123/282648\\\\;, Called-Station-ID=AC-7A-56-53-A1-12, Calling-Station-ID=9C-EB-E8-F6-53-22, NAS-Port-Type=Ethernet, NAS-Port-Id=TwoGigabitEthernet1/0/32, EAP-Key-Name=, cisco-av-pair=cts-pac-opaque=****, 
cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=CB7D4E0A00000FE896B0CB97, cisco-av-pair=method=dot1x, cisco-av-pair=client-iif-id=483760223, cisco-av-pair=dc-profile-name=Un-Classified Device, cisco-av-pair=dc-device-name=Unknown Device, cisco-av-pair=dc-device-class-tag=Un-Classified Device, cisco-av-pair=dc-certainty-metric=0, cisco-av-pair=64:63:2d:6f:70:61:71:75:65:3d:04:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1, cisco-nas-port=TwoGigabitEthernet1/0/32, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf323, IsThirdPartyDeviceFlow=false, RadiusFlowType=Wired802_1x, SSID=AC-7A-56-53-33-20, AcsSessionID=ssde4zptac002/518158123/282648, AuthenticationMethod=x509_PKI, SelectedAccessService=DISNEY_D1X_AUTHC_PROTOCOLS, SelectedAuthorizationProfiles=SAP_AUTHZ_D1X_VGT_WORKSTATION_QNT, RequestLatency=1859, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12502, Step=61025, Step=12800, Step=12805, Step=12806, Step=12807, Step=12808, Step=12809, Step=12810, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12810, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12803, Step=12804, Step=12801, Step=12802, Step=12816, 
Step=12509, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=15041, Step=15048, Step=15048, Step=15048, Step=22072, Step=22070, Step=22037, Step=12506, Step=61026, Step=24715, Step=15036, Step=24209, Step=24211, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=15016, Step=11022, Step=22081, Step=22080, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=SAP_AUTHC_D1X_CERT_PROFILE, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, NetworkDeviceGroups=Location#All Locations#PA Campus#2 West Liberty, NetworkDeviceGroups=Device Type#All Device Types#Switches#CAT9300, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=SAP_AUTHC_D1X_WORKSTATIONS, AuthorizationPolicyMatchedRule=SAP_AUTHZ_D1X_VGT_AMER_WORKSTATION_QNT, EapAuthentication=EAP-TLS, Serial Number=50 00 00 48 B2 40 C5 16 26 06 F1 2E 47 00 00 00 00 48 B2, Subject - Common Name=nope.west.com, Subject Alternative Name=557234$@Aaard.com, CPMSessionID=CB7D4E0A00000FE896B0CB97, EndPointMACAddress=9C-EB-E8-F6-11-87, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Microsoft-Workstation, ISEPolicySetName=SAP_AUTH_D1X_QUARANTINE, IdentitySelectionMatchedRule=SAP_AUTHC_D1X_WORKSTATIONS, 
StepLatency=1=0\\\\;2=0\\\\;3=0\\\\;4=1\\\\;5=0\\\\;6=0\\\\;7=0\\\\;8=1\\\\;9=0\\\\;10=24\\\\;11=0\\\\;12=0\\\\;13=0\\\\;14=1\\\\;15=0\\\\;16=0\\\\;17=0\\\\;18=27\\\\;19=0\\\\;20=0\\\\;21=0\\\\;22=0\\\\;23=16\\\\;24=0\\\\;25=0\\\\;26=0\\\\;27=0\\\\;28=16\\\\;29=0\\\\;30=1\\\\;31=0\\\\;32=0\\\\;33=15\\\\;34=0\\\\;35=1\\\\;36=0\\\\;37=0\\\\;38=16\\\\;39=0\\\\;40=0\\\\;41=0\\\\;42=1\\\\;43=16\\\\;44=0\\\\;45=1\\\\;46=0\\\\;47=0\\\\;48=16\\\\;49=0\\\\;50=1\\\\;51=0\\\\;52=0\\\\;53=43\\\\;54=0\\\\;55=0\\\\;56=0\\\\;57=0\\\\;58=17\\\\;59=0\\\\;60=0\\\\;61=0\\\\;62=0\\\\;63=19\\\\;64=0\\\\;65=1\\\\;66=0\\\\;67=0\\\\;68=16\\\\;69=0\\\\;70=0\\\\;71=0\\\\;72=0\\\\;73=16\\\\;74=0\\\\;75=0\\\\;76=0\\\\;77=1\\\\;78=0\\\\;79=0\\\\;80=4\\\\;81=0\\\\;82=0\\\\;83=0\\\\;84=0\\\\;85=0\\\\;86=0\\\\;87=0\\\\;88=0\\\\;89=0\\\\;90=16\\\\;91=0\\\\;92=1\\\\;93=0\\\\;94=0\\\\;95=1\\\\;96=0\\\\;97=0\\\\;98=0\\\\;99=0\\\\;100=0\\\\;101=0\\\\;102=1\\\\;103=0\\\\;104=1\\\\;105=1\\\\;106=0\\\\;112=697\\\\;118=584\\\\;124=527\\\\;125=0\\\\;126=0\\\\;127=0\\\\;128=0\\\\;129=0\\\\;130=1, MFCInfoHardwareManufacturer=BuzLink (Kunshan) Co.\\\\,Ltd, MFCInfoOperatingSystem=Windows, MFCInfoEndpointType=Workstation, StepData=4= Normalised Radius.RadiusFlowType, StepData=5= DEVICE.Quarantine_Status, StepData=77=certificate for sdfgf.fghghr.com, StepData=78=certificate for PCAS205, StepData=94= CERTIFICATE.Issuer - Common Name, StepData=95= DEVICE.Location, StepData=96= Network Access.AuthenticationMethod, StepData=97=SAP_AUTHC_D1X_LDAP_AMER_MACHINE, StepData=106= CERTIFICATE.Subject Alternative Name, StepData=0=APAC_Active_Directory_Machine, StepData=1=APAC_Active_Directory_Machine, StepData=2=APAC_Active_Directory_Machine, StepData=3=APAC_Active_Directory_Machine, StepData=4=APAC_Active_Directory_Machine, StepData=112= APAC_Active_Directory_Machine.primaryGroupID, StepData=0=EMEA_Active_Directory_Machine, StepData=1=EMEA_Active_Directory_Machine, StepData=2=EMEA_Active_Directory_Machine, 
StepData=3=EMEA_Active_Directory_Machine, StepData=4=EMEA_Active_Directory_Machine, StepData=118= EMEA_Active_Directory_Machine.primaryGroupID, StepData=0=AMER_Active_Directory_Machine, StepData=1=AMER_Active_Directory_Machine, StepData=2=AMER_Active_Directory_Machine, StepData=3=AMER_Active_Directory_Machine, StepData=4=AMER_Active_Directory_Machine, StepData=124= AMER_Active_Directory_Machine.primaryGroupID, TotalAuthenLatency=2102, ClientLatency=243, allowEasyWiredSession=false, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2, DTLSSupport=Unknown, Subject=CN=we2334.foo.com, Subject Alternative Name - Other Name=234234$@Lard.com, Issuer=CN=OPSC205\\\\,DC=Lard\\\\,DC=com, Issuer - Common Name=OPSC205, Issuer - Domain Component=Lard, Issuer - Domain Component=com, Key Usage=0, Key Usage=2, Extended Key Usage - Name=130, Extended Key Usage - Name=129, Extended Key Usage - OID=1.3.6.1.5.5.7.3.2, Extended Key Usage - OID=1.3.6.1.5.5.7.3.1, Template Name=1.3.6.1.4.1.311.21.8.2481306.4190156.10634155.14203719.11861591.212.12390149.10934311, Days to Expiry=314, Issuer - Fingerprint SHA-256=8e82ca7124c758a29224328de52d25fedfcfa36cf09b0b69b3801ca1b5483892, AKI=d6:70:a6:83:9e:f2:87:e6:cd:d3:ac:a9:01:65:f0:ac:29:0b:cf:84, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, primaryGroupID=515, Untrust_Status=Untrust_Status#Untrust_Status, Quarantine_Status=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, Network Device Profile=Cisco, Location=Location#All Locations#PA Campus#2 West Liberty, Device Type=Device Type#All Device Types#Switches#CAT9300, IPSEC=IPSEC#Is IPSEC Device#No, Response={User-Name=2234344.doom.com; Class=CACS:CB7D4E0A00000FE896B0CB97:dc1soezptac002/518158123/282648; Tunnel-Type=(tag=1) VLAN; Tunnel-Medium-Type=(tag=1) 802; Tunnel-Private-Group-ID=(tag=1) VSD; 
EAP-Key-Name=0d:ec:f7:a8:73:ff:4d:07:46:92:1e:fe:51:7b:22:7f:21:b4:50:a2:df:e6:32:e5:7c:b5:6f:fa:ba:3f:82:91:8e:cc:cd:52:89:a4:83:0a:19:bf:32:c2:80:dd:a0:78:3f:0d:d8:ae:1f:a5:6b:e6:0f:5c:ee:a3:34:02:4d:ba:e7; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL_D_IN_WORKSTATION-61fb29bf; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; },", + "outcome": "success", + "sequence": 7550091, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "dc1soezptac002" + }, + "log": { + "level": "notice", + "syslog": { + "severity": { + "name": "notice" + } + } + }, + "message": "2024-10-16 18:59:53.062 +00:00 0007550091 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=71, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.145, DestinationPort=1812, UserName=todd34.foo.com, Protocol=Radius, NetworkDeviceName=sdsdssd.goo.com, User-Name=adfggg$@Meme.com, NAS-IP-Address=81.2.69.144, NAS-Port=50134, Service-Type=Framed, Framed-MTU=1468, State=37CPMSessionID=CB7D4E0A00000FE896B0CB97\\\\;41SessionID=dc1soezptac002/518158123/282648\\\\;, Called-Station-ID=AC-7A-56-53-A1-12, Calling-Station-ID=9C-EB-E8-F6-53-22, NAS-Port-Type=Ethernet, NAS-Port-Id=TwoGigabitEthernet1/0/32, EAP-Key-Name=, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=CB7D4E0A00000FE896B0CB97, cisco-av-pair=method=dot1x, cisco-av-pair=client-iif-id=483760223, cisco-av-pair=dc-profile-name=Un-Classified Device, cisco-av-pair=dc-device-name=Unknown Device, cisco-av-pair=dc-device-class-tag=Un-Classified Device, cisco-av-pair=dc-certainty-metric=0, cisco-av-pair=64:63:2d:6f:70:61:71:75:65:3d:04:00:00:00:00:00:00:00:00:00:00:00, cisco-av-pair=dc-protocol-map=1, cisco-nas-port=TwoGigabitEthernet1/0/32, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf323, IsThirdPartyDeviceFlow=false, RadiusFlowType=Wired802_1x, SSID=AC-7A-56-53-33-20, 
AcsSessionID=ssde4zptac002/518158123/282648, AuthenticationMethod=x509_PKI, SelectedAccessService=DISNEY_D1X_AUTHC_PROTOCOLS, SelectedAuthorizationProfiles=SAP_AUTHZ_D1X_VGT_WORKSTATION_QNT, RequestLatency=1859, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12502, Step=61025, Step=12800, Step=12805, Step=12806, Step=12807, Step=12808, Step=12809, Step=12810, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12810, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12803, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=15041, Step=15048, Step=15048, Step=15048, Step=22072, Step=22070, Step=22037, Step=12506, Step=61026, Step=24715, Step=15036, Step=24209, Step=24211, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=24031, Step=24016, Step=24028, Step=24023, Step=24004, Step=15048, Step=15016, Step=11022, Step=22081, Step=22080, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=SAP_AUTHC_D1X_CERT_PROFILE, AuthenticationStatus=AuthenticationPassed, 
NetworkDeviceGroups=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, NetworkDeviceGroups=Location#All Locations#PA Campus#2 West Liberty, NetworkDeviceGroups=Device Type#All Device Types#Switches#CAT9300, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=SAP_AUTHC_D1X_WORKSTATIONS, AuthorizationPolicyMatchedRule=SAP_AUTHZ_D1X_VGT_AMER_WORKSTATION_QNT, EapAuthentication=EAP-TLS, Serial Number=50 00 00 48 B2 40 C5 16 26 06 F1 2E 47 00 00 00 00 48 B2, Subject - Common Name=nope.west.com, Subject Alternative Name=557234$@Aaard.com, CPMSessionID=CB7D4E0A00000FE896B0CB97, EndPointMACAddress=9C-EB-E8-F6-11-87, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Microsoft-Workstation, ISEPolicySetName=SAP_AUTH_D1X_QUARANTINE, IdentitySelectionMatchedRule=SAP_AUTHC_D1X_WORKSTATIONS, StepLatency=1=0\\\\;2=0\\\\;3=0\\\\;4=1\\\\;5=0\\\\;6=0\\\\;7=0\\\\;8=1\\\\;9=0\\\\;10=24\\\\;11=0\\\\;12=0\\\\;13=0\\\\;14=1\\\\;15=0\\\\;16=0\\\\;17=0\\\\;18=27\\\\;19=0\\\\;20=0\\\\;21=0\\\\;22=0\\\\;23=16\\\\;24=0\\\\;25=0\\\\;26=0\\\\;27=0\\\\;28=16\\\\;29=0\\\\;30=1\\\\;31=0\\\\;32=0\\\\;33=15\\\\;34=0\\\\;35=1\\\\;36=0\\\\;37=0\\\\;38=16\\\\;39=0\\\\;40=0\\\\;41=0\\\\;42=1\\\\;43=16\\\\;44=0\\\\;45=1\\\\;46=0\\\\;47=0\\\\;48=16\\\\;49=0\\\\;50=1\\\\;51=0\\\\;52=0\\\\;53=43\\\\;54=0\\\\;55=0\\\\;56=0\\\\;57=0\\\\;58=17\\\\;59=0\\\\;60=0\\\\;61=0\\\\;62=0\\\\;63=19\\\\;64=0\\\\;65=1\\\\;66=0\\\\;67=0\\\\;68=16\\\\;69=0\\\\;70=0\\\\;71=0\\\\;72=0\\\\;73=16\\\\;74=0\\\\;75=0\\\\;76=0\\\\;77=1\\\\;78=0\\\\;79=0\\\\;80=4\\\\;81=0\\\\;82=0\\\\;83=0\\\\;84=0\\\\;85=0\\\\;86=0\\\\;87=0\\\\;88=0\\\\;89=0\\\\;90=16\\\\;91=0\\\\;92=1\\\\;93=0\\\\;94=0\\\\;95=1\\\\;96=0\\\\;97=0\\\\;98=0\\\\;99=0\\\\;100=0\\\\;101=0\\\\;102=1\\\\;103=0\\\\;104=1\\\\;105=1\\\\;106=0\\\\;112=697\\\\;118=584\\\\;124=527\\\\;125=0\\\\;126=0\\\\;127=0\\\\;128=0\\\\;129=0\\\\;130=1, MFCInfoHardwareManufacturer=BuzLink (Kunshan) Co.\\\\,Ltd, MFCInfoOperatingSystem=Windows, 
MFCInfoEndpointType=Workstation, StepData=4= Normalised Radius.RadiusFlowType, StepData=5= DEVICE.Quarantine_Status, StepData=77=certificate for sdfgf.fghghr.com, StepData=78=certificate for PCAS205, StepData=94= CERTIFICATE.Issuer - Common Name, StepData=95= DEVICE.Location, StepData=96= Network Access.AuthenticationMethod, StepData=97=SAP_AUTHC_D1X_LDAP_AMER_MACHINE, StepData=106= CERTIFICATE.Subject Alternative Name, StepData=0=APAC_Active_Directory_Machine, StepData=1=APAC_Active_Directory_Machine, StepData=2=APAC_Active_Directory_Machine, StepData=3=APAC_Active_Directory_Machine, StepData=4=APAC_Active_Directory_Machine, StepData=112= APAC_Active_Directory_Machine.primaryGroupID, StepData=0=EMEA_Active_Directory_Machine, StepData=1=EMEA_Active_Directory_Machine, StepData=2=EMEA_Active_Directory_Machine, StepData=3=EMEA_Active_Directory_Machine, StepData=4=EMEA_Active_Directory_Machine, StepData=118= EMEA_Active_Directory_Machine.primaryGroupID, StepData=0=AMER_Active_Directory_Machine, StepData=1=AMER_Active_Directory_Machine, StepData=2=AMER_Active_Directory_Machine, StepData=3=AMER_Active_Directory_Machine, StepData=4=AMER_Active_Directory_Machine, StepData=124= AMER_Active_Directory_Machine.primaryGroupID, TotalAuthenLatency=2102, ClientLatency=243, allowEasyWiredSession=false, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2, DTLSSupport=Unknown, Subject=CN=we2334.foo.com, Subject Alternative Name - Other Name=234234$@Lard.com, Issuer=CN=OPSC205\\\\,DC=Lard\\\\,DC=com, Issuer - Common Name=OPSC205, Issuer - Domain Component=Lard, Issuer - Domain Component=com, Key Usage=0, Key Usage=2, Extended Key Usage - Name=130, Extended Key Usage - Name=129, Extended Key Usage - OID=1.3.6.1.5.5.7.3.2, Extended Key Usage - OID=1.3.6.1.5.5.7.3.1, Template Name=1.3.6.1.4.1.311.21.8.2481306.4190156.10634155.14203719.11861591.212.12390149.10934311, Days to Expiry=314, Issuer - Fingerprint SHA-256=8e82ca7124c758a29224328de52d25fedfcfa36cf09b0b69b3801ca1b5483892, 
AKI=d6:70:a6:83:9e:f2:87:e6:cd:d3:ac:a9:01:65:f0:ac:29:0b:cf:84, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, primaryGroupID=515, Untrust_Status=Untrust_Status#Untrust_Status, Quarantine_Status=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, Network Device Profile=Cisco, Location=Location#All Locations#PA Campus#2 West Liberty, Device Type=Device Type#All Device Types#Switches#CAT9300, IPSEC=IPSEC#Is IPSEC Device#No, Response={User-Name=2234344.doom.com; Class=CACS:CB7D4E0A00000FE896B0CB97:dc1soezptac002/518158123/282648; Tunnel-Type=(tag=1) VLAN; Tunnel-Medium-Type=(tag=1) 802; Tunnel-Private-Group-ID=(tag=1) VSD; EAP-Key-Name=0d:ec:f7:a8:73:ff:4d:07:46:92:1e:fe:51:7b:22:7f:21:b4:50:a2:df:e6:32:e5:7c:b5:6f:fa:ba:3f:82:91:8e:cc:cd:52:89:a4:83:0a:19:bf:32:c2:80:dd:a0:78:3f:0d:d8:ae:1f:a5:6b:e6:0f:5c:ee:a3:34:02:4d:ba:e7; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL_D_IN_WORKSTATION-61fb29bf; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; },", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "dc1soezptac002" + ], + "ip": [ + "81.2.69.144", + "81.2.69.145", + "81.2.69.143" + ], + "user": [ + "todd34.foo.com", + "adfggg$@Meme.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "todd34.foo.com", + "adfggg$@Meme.com" + ] + } } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json index 5cd9e6685a1..4b7e5ff8419 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json @@ -782,4 +782,4 @@ ] } ] -} \ No newline at end of file +} 
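Review bot: The unkeyed attribute `cisco-av-pair=64:63:2d:6f:70:61:71:75:65:3d:04:00:...` from the input line (it is the hex encoding of `dc-opaque=` followed by binary bytes) does not appear anywhere in the parsed document of this hunk — it is neither under `cisco_ise.log.cisco_av_pair` nor under `cisco_ise.log.log_details`, and survives only inside `event.original`, which is present here only because of the `preserve_original_event` tag. If the pipeline splits av-pairs on `=` and drops values that have no key, that is a silent data loss for any installation not keeping the original event; the accounting fixture in this same patch keeps av-pairs verbatim as a `log_details.cisco-av-pair` array, and an unkeyed value could fall back to that form. Please add the expected entry for this value to the fixture so the behaviour is pinned rather than accidental. Separately, the certificate and TLS attributes (`TLSVersion`, `TLSCipher`, `Serial Number`, `Issuer - Fingerprint SHA-256`, `Days to Expiry`) land as opaque strings under `log_details` rather than ECS `tls.*`/`x509` fields, which makes cross-source detection rules on weak ciphers or expiring client certificates harder than they need to be — worth a follow-up if not this PR.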
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json
index 942bd0f28c3..a2bb520a61c 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json
@@ -137,4 +137,4 @@ ] } ]
-}
\ No newline at end of file
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting-identifier.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting-identifier.log
new file mode 100644
index 00000000000..896c542b428
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting-identifier.log
@@ -0,0 +1 @@ +Oct 10 14:23:15 isehost CISE_RADIUS_Accounting 0005569825 1 0 2024-10-10 14:23:15.609 +00:00 0127988851 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=312, Device IP Address=81.2.69.143, UserName=AB-A4-4F-C0-3D-21, NetworkDeviceName=fs3sfd3.disweasewwd.com, User-Name=AB-A4-4F-C0-3D-21, NAS-IP-Address=81.2.69.143, NAS-Port=50442, Framed-IP-Address=81.2.69.143, Class=CACS:C9FD170A00266A2D0A47D57B:dc1soezptac002/517154769/4236118, Called-Station-ID=55-88-16-BD-27-AA, Calling-Station-ID=AB-A4-4F-C0-3D-21, NAS-Identifier=xsdfffpcca1a1, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=3541994791, Acct-Output-Octets=0, Acct-Session-Id=0002e349, Acct-Authentic=Remote, Acct-Session-Time=60, Acct-Input-Packets=81249309, Acct-Output-Packets=0, Acct-Terminate-Cause=0, Event-Timestamp=1728570001, NAS-Port-Type=Ethernet, NAS-Port-Id=TenGigabitEthernet4/0/42, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=cdp-tlv=cdpCacheDeviceId=uxis-b8a44fc03d21, cisco-av-pair=cdp-tlv=cdpCacheAddressType=00:00:00:01:01:01:cc:00:04:0a:17:40:74, cisco-av-pair=cdp-tlv=cdpCacheCapabilities=00:00:00:10, cisco-av-pair=cdp-tlv=cdpCacheVersion=AXIS P4707-PLVE Panoramic Camera 11.10.61, cisco-av-pair=cdp-tlv=cdpCachePlatform=Linux, cisco-av-pair=lldp-tlv=lldpSystemName=axis-b8a44fc03d21, cisco-av-pair=lldp-tlv=lldpSystemDescription=AXIS P4707-PLVE Panoramic Camera 11.10.61, cisco-av-pair=lldp-tlv=lldpSystemCapabilitiesMap=00:9c:00:80, cisco-av-pair=audit-session-id=C9FD170A00266A2D0A47D57B, cisco-av-pair=vlan-id=201, cisco-av-pair=method=mab, cisco-av-pair=SkipSessionRemoval=true, cisco-nas-port=TenGigabitEthernet4/0/42, AcsSessionID=dc1soezptac002/517154769/4236501, SelectedAccessService=VANGUARD_MAB_AUTHC_PROTOCOLS, RequestLatency=5, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=22094, Step=11005, NetworkDeviceGroups=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, NetworkDeviceGroups=Location#All Locations#PA 
Campus#Quarry Ridge, NetworkDeviceGroups=Device Type#All Device Types#Switches#CAT9300, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, CPMSessionID=C9FD170A00266A2D0A47D57B, TotalAuthenLatency=5, ClientLatency=0, Untrust_Status=Untrust_Status#Untrust_Status, Quarantine_Status=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, Network Device Profile=Cisco, Location=Location#All Locations#PA Campus#Quarry Ridge, Device Type=Device Type#All Device Types#Switches#CAT9300, IPSEC=IPSEC#Is IPSEC Device#No,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting-identifier.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting-identifier.log-expected.json
new file mode 100644
index 00000000000..d66ae4d0933
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting-identifier.log-expected.json
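Review bot: `Device IP Address`, `NAS-IP-Address` and `Framed-IP-Address` in this new fixture line all carry the same value `81.2.69.143`, so the test cannot tell which of the three attributes `client.ip`, `cisco_ise.log.nas.ip` and `cisco_ise.log.framed.ip` are derived from, and a mapping regression (say `client.ip` silently taken from the NAS address instead of the endpoint's framed address) would still produce a passing expected file. Use three distinct addresses from the same documentation range, as the passed-authentications fixture in this patch does with `81.2.69.143`/`.144`/`.145`, e.g. `Device IP Address=81.2.69.143, ... NAS-IP-Address=81.2.69.144, ... Framed-IP-Address=81.2.69.145`, and regenerate the expected JSON. That also gives `related.ip` a deterministic three-element list instead of a deduplicated single entry.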
@@ -0,0 +1,184 @@ +{ + "expected": [ + { + "@timestamp": "2024-10-10T14:23:15.609Z", + "cisco_ise": { + "log": { + "acct": { + "authentic": "Remote", + "delay_time": 0, + "input": { + "octets": 3541994791, + "packets": 81249309 + }, + "output": { + "octets": 0, + "packets": 0 + }, + "session": { + "id": "0002e349", + "time": 60 + }, + "status": { + "type": "Stop" + }, + "terminate_cause": "0" + }, + "acs": { + "session": { + "id": "dc1soezptac002/517154769/4236501" + } + }, + "called_station": { + "id": "55-88-16-BD-27-AA" + }, + "calling_station": { + "id": "AB-A4-4F-C0-3D-21" + }, + "category": { + "name": "CISE_RADIUS_Accounting" + }, + "class": "CACS:C9FD170A00266A2D0A47D57B:dc1soezptac002/517154769/4236118", + "config_version": { + "id": 312 + }, + "cpm": { + "session": { + "id": "C9FD170A00266A2D0A47D57B" + } + }, + "device": { + "type": "Device Type#All Device Types#Switches#CAT9300" + }, + "event": { + "timestamp": "2024-10-10T14:20:01.000Z" + }, + "framed": { + "ip": "81.2.69.143" + }, + "location": "Location#All Locations#PA Campus#Quarry Ridge", + "log_details": { + "ClientLatency": "0", + "IPSEC": "IPSEC#Is IPSEC Device#No", + "NAS-Port-Id": "TenGigabitEthernet4/0/42", + "Network Device Profile": "Cisco", + "Quarantine_Status": "Quarantine_Status#Quarantine_Status#Quarantine_Enabled", + "TotalAuthenLatency": "5", + "Untrust_Status": "Untrust_Status#Untrust_Status", + "UserName": "AB-A4-4F-C0-3D-21", + "cisco-av-pair": [ + "cts-pac-opaque=****", + "cdp-tlv=cdpCacheDeviceId=uxis-b8a44fc03d21", + "cdp-tlv=cdpCacheAddressType=00:00:00:01:01:01:cc:00:04:0a:17:40:74", + "cdp-tlv=cdpCacheCapabilities=00:00:00:10", + "cdp-tlv=cdpCacheVersion=AXIS P4707-PLVE Panoramic Camera 11.10.61", + "cdp-tlv=cdpCachePlatform=Linux", + "lldp-tlv=lldpSystemName=axis-b8a44fc03d21", + "lldp-tlv=lldpSystemDescription=AXIS P4707-PLVE Panoramic Camera 11.10.61", + "lldp-tlv=lldpSystemCapabilitiesMap=00:9c:00:80", + "audit-session-id=C9FD170A00266A2D0A47D57B", + "vlan-id=201", + 
"method=mab", + "SkipSessionRemoval=true" + ], + "cisco-nas-port": "TenGigabitEthernet4/0/42" + }, + "message": { + "code": "3001", + "description": "Radius-Accounting: RADIUS Accounting stop request", + "id": "0005569825" + }, + "nas": { + "identifier": "xsdfffpcca1a1", + "ip": "81.2.69.143", + "port": { + "number": 50442, + "type": "Ethernet" + } + }, + "network": { + "device": { + "groups": [ + "Quarantine_Status#Quarantine_Status#Quarantine_Enabled", + "Location#All Locations#PA Campus#Quarry Ridge", + "Device Type#All Device Types#Switches#CAT9300", + "IPSEC#Is IPSEC Device#No" + ], + "name": "fs3sfd3.disweasewwd.com" + } + }, + "request": { + "latency": 5 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "VANGUARD_MAB_AUTHC_PROTOCOLS" + } + }, + "step": [ + "11004", + "11017", + "15049", + "15008", + "15048", + "22094", + "11005" + ] + } + }, + "client": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "radius-accounting", + "category": [ + "configuration" + ], + "code": "3001", + "kind": "event", + "original": "Oct 10 14:23:15 isehost CISE_RADIUS_Accounting 0005569825 1 0 2024-10-10 14:23:15.609 +00:00 0127988851 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=312, Device IP Address=81.2.69.143, UserName=AB-A4-4F-C0-3D-21, NetworkDeviceName=fs3sfd3.disweasewwd.com, User-Name=AB-A4-4F-C0-3D-21, NAS-IP-Address=81.2.69.143, NAS-Port=50442, Framed-IP-Address=81.2.69.143, Class=CACS:C9FD170A00266A2D0A47D57B:dc1soezptac002/517154769/4236118, Called-Station-ID=55-88-16-BD-27-AA, Calling-Station-ID=AB-A4-4F-C0-3D-21, NAS-Identifier=xsdfffpcca1a1, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=3541994791, Acct-Output-Octets=0, Acct-Session-Id=0002e349, Acct-Authentic=Remote, Acct-Session-Time=60, Acct-Input-Packets=81249309, Acct-Output-Packets=0, Acct-Terminate-Cause=0, Event-Timestamp=1728570001, NAS-Port-Type=Ethernet, 
NAS-Port-Id=TenGigabitEthernet4/0/42, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=cdp-tlv=cdpCacheDeviceId=uxis-b8a44fc03d21, cisco-av-pair=cdp-tlv=cdpCacheAddressType=00:00:00:01:01:01:cc:00:04:0a:17:40:74, cisco-av-pair=cdp-tlv=cdpCacheCapabilities=00:00:00:10, cisco-av-pair=cdp-tlv=cdpCacheVersion=AXIS P4707-PLVE Panoramic Camera 11.10.61, cisco-av-pair=cdp-tlv=cdpCachePlatform=Linux, cisco-av-pair=lldp-tlv=lldpSystemName=axis-b8a44fc03d21, cisco-av-pair=lldp-tlv=lldpSystemDescription=AXIS P4707-PLVE Panoramic Camera 11.10.61, cisco-av-pair=lldp-tlv=lldpSystemCapabilitiesMap=00:9c:00:80, cisco-av-pair=audit-session-id=C9FD170A00266A2D0A47D57B, cisco-av-pair=vlan-id=201, cisco-av-pair=method=mab, cisco-av-pair=SkipSessionRemoval=true, cisco-nas-port=TenGigabitEthernet4/0/42, AcsSessionID=dc1soezptac002/517154769/4236501, SelectedAccessService=VANGUARD_MAB_AUTHC_PROTOCOLS, RequestLatency=5, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=22094, Step=11005, NetworkDeviceGroups=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, NetworkDeviceGroups=Location#All Locations#PA Campus#Quarry Ridge, NetworkDeviceGroups=Device Type#All Device Types#Switches#CAT9300, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, CPMSessionID=C9FD170A00266A2D0A47D57B, TotalAuthenLatency=5, ClientLatency=0, Untrust_Status=Untrust_Status#Untrust_Status, Quarantine_Status=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, Network Device Profile=Cisco, Location=Location#All Locations#PA Campus#Quarry Ridge, Device Type=Device Type#All Device Types#Switches#CAT9300, IPSEC=IPSEC#Is IPSEC Device#No,", + "sequence": 127988851, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "isehost" + }, + "log": { + "level": "notice", + "syslog": { + "severity": { + "name": "notice" + } + } + }, + "message": "2024-10-10 14:23:15.609 +00:00 0127988851 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=312, Device IP 
Address=81.2.69.143, UserName=AB-A4-4F-C0-3D-21, NetworkDeviceName=fs3sfd3.disweasewwd.com, User-Name=AB-A4-4F-C0-3D-21, NAS-IP-Address=81.2.69.143, NAS-Port=50442, Framed-IP-Address=81.2.69.143, Class=CACS:C9FD170A00266A2D0A47D57B:dc1soezptac002/517154769/4236118, Called-Station-ID=55-88-16-BD-27-AA, Calling-Station-ID=AB-A4-4F-C0-3D-21, NAS-Identifier=xsdfffpcca1a1, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=3541994791, Acct-Output-Octets=0, Acct-Session-Id=0002e349, Acct-Authentic=Remote, Acct-Session-Time=60, Acct-Input-Packets=81249309, Acct-Output-Packets=0, Acct-Terminate-Cause=0, Event-Timestamp=1728570001, NAS-Port-Type=Ethernet, NAS-Port-Id=TenGigabitEthernet4/0/42, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=cdp-tlv=cdpCacheDeviceId=uxis-b8a44fc03d21, cisco-av-pair=cdp-tlv=cdpCacheAddressType=00:00:00:01:01:01:cc:00:04:0a:17:40:74, cisco-av-pair=cdp-tlv=cdpCacheCapabilities=00:00:00:10, cisco-av-pair=cdp-tlv=cdpCacheVersion=AXIS P4707-PLVE Panoramic Camera 11.10.61, cisco-av-pair=cdp-tlv=cdpCachePlatform=Linux, cisco-av-pair=lldp-tlv=lldpSystemName=axis-b8a44fc03d21, cisco-av-pair=lldp-tlv=lldpSystemDescription=AXIS P4707-PLVE Panoramic Camera 11.10.61, cisco-av-pair=lldp-tlv=lldpSystemCapabilitiesMap=00:9c:00:80, cisco-av-pair=audit-session-id=C9FD170A00266A2D0A47D57B, cisco-av-pair=vlan-id=201, cisco-av-pair=method=mab, cisco-av-pair=SkipSessionRemoval=true, cisco-nas-port=TenGigabitEthernet4/0/42, AcsSessionID=dc1soezptac002/517154769/4236501, SelectedAccessService=VANGUARD_MAB_AUTHC_PROTOCOLS, RequestLatency=5, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=22094, Step=11005, NetworkDeviceGroups=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, NetworkDeviceGroups=Location#All Locations#PA Campus#Quarry Ridge, NetworkDeviceGroups=Device Type#All Device Types#Switches#CAT9300, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, CPMSessionID=C9FD170A00266A2D0A47D57B, TotalAuthenLatency=5, ClientLatency=0, 
Untrust_Status=Untrust_Status#Untrust_Status, Quarantine_Status=Quarantine_Status#Quarantine_Status#Quarantine_Enabled, Network Device Profile=Cisco, Location=Location#All Locations#PA Campus#Quarry Ridge, Device Type=Device Type#All Device Types#Switches#CAT9300, IPSEC=IPSEC#Is IPSEC Device#No,", + "related": { + "hosts": [ + "isehost" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "AB-A4-4F-C0-3D-21" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "AB-A4-4F-C0-3D-21" + } + } + ] +} diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json index c34e495fa05..040eefd491a 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json @@ -390,4 +390,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json index 02d0f8e9b5a..700ec666cb7 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json @@ -3028,4 +3028,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json index e3a263b6f0a..f22d939f1af 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json 
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json @@ -686,4 +686,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json index 92d3017244c..7763722cb58 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json @@ -756,4 +756,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json index 70ec7002a63..9bf9cedc3ab 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json @@ -241,4 +241,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml index a75b0d97c56..40481869bdf 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -29,7 +29,8 @@ processors:
if: ctx._tmp?.message != null
patterns:
- '^%{NOTCOLON:cisco_ise.log.log_severity_level}%{SPACE}: %{NOTCOLON:event.action}%{SPACE}: %{GREEDYDATA:message}$'
- - '^%{DATA:cisco_ise.log.message.id} %{DATA:cisco_ise.log.segment.total:long} %{DATA:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$'
+ - ^%{NUMBER:cisco_ise.log.message.id} %{NUMBER:cisco_ise.log.segment.total:long} %{NUMBER:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$
+ - ^%{GREEDYDATA:message}$
pattern_definitions:
NOTCOLON: '[^:]*?'
on_failure:
@@ -146,6 +147,9 @@ processors:
- pipeline:
name: '{{ IngestPipeline "pipeline_alarm" }}'
if: ctx.cisco_ise?.log?.category?.name == "CISE_Alarm"
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_monitoring_data_purge_audit" }}'
+ if: ctx.cisco_ise?.log?.category?.name?.toUpperCase() == 'CISE_MONITORING_DATA_PURGE_AUDIT'
- set:
field: host.ip
value: ['{{{host.ip}}}']
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
index db7878fc279..f379be6bac1 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
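Review bot: The added catch-all `^%{GREEDYDATA:message}$` pattern means this grok can never fail any more, so the `on_failure` block that follows it (its body is outside the hunk, but presumably it records the parse error) will no longer run, and a header that matches neither of the two structured patterns now passes through silently with `cisco_ise.log.message.id` and the two `segment` fields unset; every later processor that keys on those fields has to tolerate that without any signal to the analyst. If the fall-through is deliberate, make it visible, for example with a trailing `- append: { field: tags, value: cisco_ise_unparsed_header, if: ctx.cisco_ise?.log?.message?.id == null && ctx.cisco_ise?.log?.log_severity_level == null }`, or drop the catch-all and let the existing failure path mark the event. Tightening `DATA` to `NUMBER` is the right call, since the `:long` conversion previously had no guarantee the captured text was numeric. As a minor style point, the two new patterns are unquoted YAML scalars next to a single-quoted sibling; quoting them the same way keeps the list uniform and avoids a surprise if a future pattern starts with a YAML indicator character.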
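Review bot: The new dispatch condition compares `category.name?.toUpperCase()` while every sibling `pipeline` processor in this list, including the `CISE_Alarm` one directly above it, matches the category name exactly and case-sensitively; the asymmetry reads as an accident rather than a decision. If ISE emits this category with varying case (the fixture for this pipeline is not in view, so I cannot confirm), say so on the processor, e.g. `# ISE emits this category name with inconsistent casing; match it case-insensitively`, and decide whether the other category checks need the same treatment rather than leaving one outlier. The enclosing `processors` list starts and ends outside the hunk.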
@@ -30,12 +30,12 @@ processors:
target_field: cisco_ise.log.log_details
field_split: ', '
value_split: =
- - grok:
+ - kv:
field: cisco_ise.log.log_details_raw
if: ctx.cisco_ise?.log?.message?.code == "52001"
- ignore_failure: true
- patterns:
- - "ConfigVersionId=%{DATA:cisco_ise.log.log_details.ConfigVersionId}, FailureFlag=%{DATA:cisco_ise.log.log_details.FailureFlag}, RequestResponseType=%{DATA:cisco_ise.log.log_details.RequestResponseType}, AdminInterface=%{DATA:cisco_ise.log.log_details.AdminInterface}, AdminIPAddress=%{DATA:cisco_ise.log.log_details.AdminIPAddress}, AdminName=%{DATA:cisco_ise.log.log_details.AdminName}, %{GREEDYDATA:cisco_ise.log.log_details.log_detail}"
+ target_field: cisco_ise.log.log_details
+ field_split: '(?