Skip to content

[cisco_meraki] Replace rsa2elk pipeline and add webhook input#2897

Merged
r00tu53r merged 69 commits intoelastic:mainfrom
r00tu53r:feat/replace-cisco-meraki
Apr 27, 2022
Merged

[cisco_meraki] Replace rsa2elk pipeline and add webhook input#2897
r00tu53r merged 69 commits intoelastic:mainfrom
r00tu53r:feat/replace-cisco-meraki

Conversation

@r00tu53r
Copy link
Contributor

@r00tu53r r00tu53r commented Mar 28, 2022
edited
Loading

What does this PR do?

The PR

  • Replaces the current rsa2elk implementation
  • Adds support for Cisco Meraki syslog data reporting (for MX and MR devices only)
  • Adds experimental support for webhook integration

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • Add dashboards

How to test this PR locally

There are pipeline and system tests available for both the data streams.

Run pipeline tests -
elastic-package test pipeline -v

Run system tests -
elastic-package test system -v

Related issues

Screenshots

cisco-meraki-dashboard-1

cisco-meraki-dashboard-2

cisco-meraki-dashboard-3

r00tu53r added 21 commits March 10, 2022 13:23
@r00tu53r
Update data stream and pipeline for webhook based integration
e721129
@r00tu53r
fix title desc
080ce7b
@r00tu53r
Add support for syslog and webhook
9d18070
@r00tu53r
Add pipeline tests for syslog flow, ipflow logs; Add sample_events fo…
a2ec877 
…r webhook system tests
@r00tu53r
Fix ip_flow_end pipeline for tsi or tdi case
8c0c54a
@r00tu53r
Add support for airmarshal events
b0fbf8b
@r00tu53r
Add support for security_event ids_alerted
059cc9d
@r00tu53r
Add support for security_event security_filtering_file_scanned type
5cc4249
@r00tu53r
Add support for security_event security_filtering_disposition_change
f5ad6e6
@r00tu53r
Refactor
686d7f3 
- refactor fields to use flattened
- refactor pipelines to use kv
- have field groups for certain categories where src and dst ips are
  available
@r00tu53r
Add support for site-to-site vpn event type
07bc059 
Anonymise test data
@r00tu53r
Add support for vpn_connectivity_change and refactor field groups
6cdee00
@r00tu53r
Add support for dhcp lease and no offers
36b8a6d 
Comment and rearrange events pipeline
@r00tu53r
Add support for client_vpn_connect log messages
c3f9a38
@r00tu53r
Add support for urls type
30d5bfd
@r00tu53r
Add pipeline for ids-alerts
f90f099
@r00tu53r
Update ECS version; add sub types for MR events
68d96c1
@r00tu53r
Add system tests
094d2ba
@r00tu53r
set meraki device type for flows log messages
293fe35
@r00tu53r
Update README; Disable webhook events by default; only enable syslog …
f5184d1 
…UDP by default
@r00tu53r
script to create event.category, type and action
db5cdb2
@r00tu53r r00tu53r self-assigned this Mar 28, 2022
@r00tu53r r00tu53r requested a review from a team as a code owner March 28, 2022 10:19
@elasticmachine
Copy link

elasticmachine commented Mar 28, 2022

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Copy link

elasticmachine commented Mar 28, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-04-26T08:01:34.312+0000

  • Duration: 16 min 39 sec

Test stats 🧪

Test Results
Failed 0
Passed 19
Skipped 0
Total 19

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@r00tu53r
Copy link
Contributor Author

r00tu53r commented Apr 23, 2022

Thanks @andrewkroh for all the comments. I have made the changes.

@r00tu53r r00tu53r requested a review from andrewkroh April 23, 2022 14:25
andrewkroh
andrewkroh reviewed Apr 25, 2022
View reviewed changes
packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml Outdated
pattern: "%{} ip_flow_end %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi_or_tdi}=%{&tsi_or_tdi} %{*tp}=%{&tp}"
if: ctx._temp.event_type == 'ip_flow_end' && ctx._temp.token.startsWith("src=") == true
# source field IP:port handling
- set:
Copy link
Member

@andrewkroh andrewkroh Apr 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you switch these over to converts.

packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/security.yml Outdated
# fields common to more than one event type
- dissect:
field: src
pattern: "%{source.ip}:%{sport}"
Copy link
Member

@andrewkroh andrewkroh Apr 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a convert to validate the source/destination ip.

Do these logs also contain IPv6 addresses? I doubt this dissect works in that case. Unless you know the exact format or that it does not need to handle ipv6 addresses, then you might need a generic parser that handles most formats like https://github.com/elastic/integrations/blob/main/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml#L50-L60.

Copy link
Contributor Author

@r00tu53r r00tu53r Apr 26, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the logs I have received and the docs only used IPv4. But I suppose nothing stops someone from using IPv6. I have added IP v4+v6 handling and converts across all pipelines where applicable. Thanks!

efd6
efd6 reviewed Apr 26, 2022
View reviewed changes
packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml Outdated
Comment on lines +140 to +141
pattern_definitions:
IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}'
Copy link
Contributor

@efd6 efd6 Apr 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there is no port associated with the IPv6, this pattern is not required (see #3117 (comment)).

@r00tu53r r00tu53r merged commit 018b39e into elastic:main Apr 27, 2022
@dainperkins
Copy link

dainperkins commented Apr 27, 2022

Apologies if I'm jumping the gun in terms of planned improvements but I pulled all the expected json docs into a cluster and have some comments:

  • theres no event.kind, event.outcome
  • ids-alerts are not classified as event.kind alert, nor as category intrusion_detection, and should have an event.action & event.outcome
  • dhcp no-acks aren't really an ECS accsss event, and definitely not a denial from an access control perspective - more an out of IPs perspective (which should probably also be an alert) could also use yo have event.outcome
  • all user based authentication events (wpa, eap, 802.1x) should be category authentication with event.outcome populated to work with the SIEM app
  • the http-access-error does not match up to the log - its actually indicative of a tls connection that the Meraki cannot see beyond the host portion of the URL
  • rogue ssid & ssid-spoofing detected events should likely be an alert
  • the client-vpn-connect event is mis-classified as site to site (event.action)
  • client_vpn_connections should use "connected from" as source.ip, "local ip" as source.net.ip
  • wifi association and disassociation events need to have the same type/category, etc. - based on current docs I would say event.category: network, session and event.type: access, (start | end), (allowed, denied) ,as appropriate. based on the ecs docs I wouldn't use connection for the actual association type events
  • I am pretty sure a wpa-deauth is a connection end, not a deny
  • vpn-connectivity-change should be event.type change
  • ip flows with translated addresses should populate source.nat/ destination.nat ip and port fields and need start and end populated
  • dhcp events should not be allowed/denied if missing information indicating a denial has occurred
  • all flow type events should use the same sets of ecs categorization - type: (start | end), (allowed | denied) connection. category: network, and should use 2-3 event.action

@bmorelli25 bmorelli25 mentioned this pull request Apr 27, 2022
Closed
4 tasks
@andrewkroh andrewkroh mentioned this pull request May 2, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

@P1llus P1llus Awaiting requested review from P1llus

@efd6 efd6 Awaiting requested review from efd6

@dainperkins dainperkins Awaiting requested review from dainperkins

Assignees

@r00tu53r r00tu53r

Labels

8.2 candidate enhancement New feature or request Integration:cisco_meraki Cisco Meraki v8.3.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Cisco Meraki Integration

7 participants

@r00tu53r @elasticmachine @dainperkins @andrewkroh @P1llus @efd6 @MikePaquette