elastic · btrieger · Dec 2, 2025 · Dec 2, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.28.2"
+  changes:
+    - description: Fix key value split for file names with commas in AMP logs.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/16208
 - version: "1.28.1"
   changes:
     - description: Fix grok pattern for Email Message ID in text_mail logs.

@@ -9,3 +9,4 @@
 <166>Mar 17 18:24:37 amp: Info: File not uploaded for analysis. MID = 0, File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82], File mime[text/plain], Reason: No active/dynamic contents exists
 <166>Mar 17 18:24:37 amp: Info: Response received for file reputation query from Cache. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2
 <166>Mar 17 18:24:37 amp: Info: Response received for file reputation query from Cloud. File Name = 'Test,File,With,Commas.pdf', MID = 17, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, upload_action = Recommended to send the file for analysis, verdict_source = CLAMAV
+<166>Mar 17 18:24:37 amp: Info: Response received for file reputation query from Cache. File Name = Test,December 1, 2025 at 01:47:02 AM.svg, MID = 17, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, upload_action = Recommended to send the file for analysis, verdict_source = CLAMAV
@@ -525,6 +525,57 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2025-03-17T18:24:37.000Z",
+            "cisco_secure_email_gateway": {
+                "log": {
+                    "category": {
+                        "name": "amp"
+                    },
+                    "disposition": "LOWRISK",
+                    "malware": "None",
+                    "message": "Response received for file reputation query from Cache. File Name = Test,December 1, 2025 at 01:47:02 AM.svg, MID = 17, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, upload_action = Recommended to send the file for analysis, verdict_source = CLAMAV",
+                    "score": 0,
+                    "upload": {
+                        "action": "Recommended to send the file for analysis"
+                    },
+                    "verdict_source": "CLAMAV"
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "email": {
+                "attachments": {
+                    "file": {
+                        "hash": {
+                            "sha256": "16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc"
+                        },
+                        "name": "Test,December 1, 2025 at 01:47:02 AM.svg"
+                    }
+                },
+                "message_id": "17"
+            },
+            "event": {
+                "kind": "event",
+                "original": "<166>Mar 17 18:24:37 amp: Info: Response received for file reputation query from Cache. File Name = Test,December 1, 2025 at 01:47:02 AM.svg, MID = 17, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, upload_action = Recommended to send the file for analysis, verdict_source = CLAMAV",
+                "timezone": "UTC"
+            },
+            "log": {
+                "level": "info",
+                "syslog": {
+                    "priority": 166
+                }
+            },
+            "related": {
+                "hash": [
+                    "16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }
@@ -7,6 +7,7 @@ processors:
   - grok:
       tag: grok_cisco_secure_email_gateway_log_message_4f15232d
       field: cisco_secure_email_gateway.log.message
+      trace_match: true
       patterns:
         - '^File reputation query initiating. %{GREEDYDATA:_tmp.new_message}$'
         - '^Response received for file reputation query from (Cloud|Cache). %{GREEDYDATA:_tmp.new_message}$'
@@ -16,12 +17,22 @@ processors:
         - '^SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256},Timestamp\[%{GREEDYDATA:_tmp.submit.timestamp}\] details\[%{GREEDYDATA:cisco_secure_email_gateway.log.server_error_details}\]$'
         - '^Retrospective verdict received. %{GREEDYDATA:_tmp.new_message}$'
         - '^%{GREEDYDATA:cisco_secure_email_gateway.log.message}$'
+  - set:
+        tag: set_grok_match_index
+        field: _tmp.grok_match_index
+        value: '{{{_ingest._grok_match_index}}}'
   - kv:
       tag: kv__tmp_new_message_0bb63133
       field: _tmp.new_message
-      if: ctx._tmp.new_message != null
+      if: ctx._tmp.new_message != null && ctx._tmp.grok_match_index != "1"
       field_split: ",\\s*(?=[^',]*[=:][^',]*)"
       value_split: '\s*=\s*|:\s*'
+  - kv:
+      tag: kv__tmp_new_message_grok_1_0bb63133
+      field: _tmp.new_message
+      if: ctx._tmp.new_message != null && ctx._tmp.grok_match_index == "1"
+      field_split: ",\\s*(?=[^',]*[=][^',]*)"
+      value_split: '\s*=\s*'
   - grok:
       tag: grok__tmp_cisco_secure_email_gateway_log_remaining_details_7273cf72
       field: _tmp.cisco_secure_email_gateway.log.remaining_details

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_secure_email_gateway
 title: Cisco Secure Email Gateway
-version: "1.28.1"
+version: "1.28.2"
 description: Collect logs from Cisco Secure Email Gateway with Elastic Agent.
 type: integration
 categories: