diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml index e92cfba9957..df5d4e26e09 100644 --- a/packages/cisco_meraki/changelog.yml +++ b/packages/cisco_meraki/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top -- version: 1.14.0 +- version: "1.15.0" + changes: + - description: Add event.action and message to specific events. + type: enhancement + link: https://github.com/elastic/integrations/pull/7791 +- version: "1.14.0" changes: - description: ECS version updated to 8.10.0. type: enhancement diff --git a/packages/cisco_meraki/data_stream/events/sample_event.json b/packages/cisco_meraki/data_stream/events/sample_event.json index d2b647506a2..63a06027b55 100644 --- a/packages/cisco_meraki/data_stream/events/sample_event.json +++ b/packages/cisco_meraki/data_stream/events/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2018-02-11T00:00:00.123Z", "agent": { - "ephemeral_id": "077a2d93-4b1d-4908-b2d5-7c3a0218df3a", - "id": "878982e9-a174-4ed8-abe3-19378c1473de", + "ephemeral_id": "9a78410b-655d-4ff4-9fd6-5c47d2b1e28b", + "id": "29d48081-6d4f-4236-b959-925451410f6f", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.0" + "version": "8.0.0" }, "cisco_meraki": { "event": { @@ -40,9 +40,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "878982e9-a174-4ed8-abe3-19378c1473de", + "id": "29d48081-6d4f-4236-b959-925451410f6f", "snapshot": false, - "version": "8.8.0" + "version": "8.0.0" }, "event": { "action": "Cellular came up", 
@@ -51,7 +51,7 @@ "network" ], "dataset": "cisco_meraki.events", - "ingested": "2023-06-01T20:29:21Z", + "ingested": "2023-09-20T09:09:47Z", "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}", "type": [ "info", diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json index 41a55655a1d..d4f798db8df 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json +++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json @@ -362,6 +362,7 @@ "allowed" ] }, + "message": "lease of ip 10.0.2.213 from mx mac 68:3A:1E:42:60:59 for client mac E0:CB:BC:02:4F:80 from router 10.0.0.1 on subnet 255.255.252.0 with dns 10.0.0.1", "network": { "protocol": "dhcp" }, @@ -400,6 +401,7 @@ "denied" ] }, + "message": "no offers for mac A4:83:E7:02:A2:F1 host = 192.168.10.1", "network": { "protocol": "dhcp" }, 
@@ -449,6 +451,7 @@ "start" ] }, + "message": "user id 'jwick@wwvpn.net' local ip 172.16.0.145 connected from 81.2.69.193", "network": { "forwarded_ip": "172.16.0.145" }, @@ -667,6 +670,9 @@ "version": "8.10.0" }, "event": { + "action": [ + "multiple_dhcp_servers_detected" + ], "category": [ "network" ], @@ -718,6 +724,9 @@ "version": "8.10.0" }, "event": { + "action": [ + "multiple_dhcp_servers_detected" + ], "category": [ "network" ], @@ -1073,6 +1082,7 @@ "priority": 134 } }, + "message": "Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123", "observer": { "hostname": "TCP9001", "ingress": { @@ -1126,6 +1136,7 @@ "priority": 134 } }, + "message": "Port 4 changed STP role from designated to disabled", "observer": { "hostname": "TCP9001" }, @@ -1158,6 +1169,7 @@ "priority": 134 } }, + "message": "port 4 status changed from 100fdx to down", "observer": { "hostname": "TCP9001" }, @@ -1190,6 +1202,7 @@ "priority": 134 } }, + "message": "Port 1 changed STP role from disabled to designated", "observer": { "hostname": "TCP9001" }, @@ -1222,6 +1235,7 @@ "priority": 134 } }, + "message": "port 1 status changed from down to 100fdx", "observer": { "hostname": "TCP9001" }, diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml index e464eee97a9..f4fb21980db 100644 --- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -213,6 +213,8 @@ processors: "multiple_dhcp_servers_detected": type: - protocol + action: + - multiple_dhcp_servers_detected "dfs_event": action: dynamic-frequency-selection-detected "aps_association_reject": 
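Review bot: `action:` for `multiple_dhcp_servers_detected` is written as a one-element list, while the neighbouring `dfs_event` entry sets `action:` as a scalar, so `event.action` becomes an array for this subtype and a string for the others (the expected output in test-events.log-expected.json shows `"action": ["multiple_dhcp_servers_detected"]`, the log sample event `"action": "ids-signature-matched"`). The value also uses underscores where the sibling value is hyphenated (`dynamic-frequency-selection-detected`). Unless a consumer depends on the list form, `action: multiple-dhcp-servers-detected` keeps one type and one naming convention for the field; the two `"action": [...]` additions in test-events.log-expected.json would change with it. The code that reads this table is outside the hunk, so acceptance of a scalar here is inferred from the `dfs_event` sibling.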
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
index afd2e407494..bc3677ef736 100644
--- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
+++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
@@ -70,6 +70,11 @@ processors:
 field: cisco_meraki.event_subtype
 value: dhcp_no_offer
 if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers'
+- grok:
+ field: event.original
+ patterns:
+ - "events dhcp %{GREEDYDATA:message}$"
+ if: ctx?.msgtype.toLowerCase() == "dhcp"
 ####################################################
 # Handle Site-to-Site VPN message
 ####################################################
@@ -91,7 +96,7 @@ processors:
 - grok:
 field: event.original
 patterns:
- - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id}$'
+ - '^%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id})$'
 pattern_definitions:
 SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
 SYSLOGVER: '\b(?:\d{1,2})\b'
@@ -118,7 +123,7 @@ processors:
 - grok:
 field: event.original
 patterns:
- - '(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}port %{NOTSPACE} %{PORTACTION:_temp.port_action}'
+ - '^(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?port %{NOTSPACE} %{PORTACTION:_temp.port_action}.*)$'
 pattern_definitions:
 SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
 SYSLOGVER: '\b(?:\d{1,2})\b'
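Review bot: The `if` on the grok added in the `@@ -70` hunk, `ctx?.msgtype.toLowerCase() == "dhcp"`, null-guards only `ctx`, so a document without `msgtype` would throw on `.toLowerCase()` and fail the processor, assuming Painless does not short-circuit the remainder of the chain. The line copies the existing condition above it, but the other new processor in this commit (`@@ -233`) uses the fully guarded `ctx?.cisco_meraki?.event_subtype` form; `if: ctx.msgtype != null && ctx.msgtype.toLowerCase() == "dhcp"` would bring this one in line. Neither this grok nor the one at `@@ -233` sets `ignore_failure`, so a dhcp or client_vpn_connect line whose text lacks the literal `events dhcp ` / `events client_vpn_connect ` token now fails the whole document instead of leaving `message` unset. If `msgtype` and `event_subtype` can only be set from that same token this cannot happen, in which case a short comment such as `# message: text after the "events dhcp" token; msgtype guarantees the token is present` would record why no failure handling is needed.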
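Review bot: In the rewritten patterns of the `@@ -91` and `@@ -118` hunks the new capture group appears as `(?%{BLOCKEDARP:_temp.blocked_arp} …)` and `(?port %{NOTSPACE} …)`, an opening `(?` with no group name, which the grok regex engine would most likely reject; presumably this is the named group `(?<message>…)` — the expected output gains a `message` field for exactly these lines — and the angle-bracketed name was lost in rendering, so it is worth confirming the committed file carries it. The added `^` and `$` anchors otherwise tighten both patterns without changing what they accept: `%{GREEDYDATA:observer.ingress.vlan.id}` already ran to end of line, and the new `.*` covers the trailing text the port pattern previously left unmatched. A one-line comment above each pattern, such as `# outer group copies everything after "events" into message`, would make the purpose of the wrapping group visible to the next reader.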
@@ -233,6 +238,11 @@ processors: field: event.original pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}" if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect" +- grok: + field: event.original + patterns: + - "events client_vpn_connect %{GREEDYDATA:message}$" + if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect" #################################################### # parse dissected IP values and convert to IP type diff --git a/packages/cisco_meraki/data_stream/log/sample_event.json b/packages/cisco_meraki/data_stream/log/sample_event.json index fbd816b25dc..09eb984b926 100644 --- a/packages/cisco_meraki/data_stream/log/sample_event.json +++ b/packages/cisco_meraki/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2021-11-23T18:13:18.348Z", "agent": { - "ephemeral_id": "eedc7205-9a4a-44e7-8574-3c9450a28434", - "id": "878982e9-a174-4ed8-abe3-19378c1473de", + "ephemeral_id": "6a7dac67-b13a-40d5-a45a-7df6ac73e739", + "id": "29d48081-6d4f-4236-b959-925451410f6f", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.0" + "version": "8.0.0" }, "cisco_meraki": { "event_subtype": "ids_alerted", @@ -30,9 +30,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "878982e9-a174-4ed8-abe3-19378c1473de", + "id": "29d48081-6d4f-4236-b959-925451410f6f", "snapshot": false, - "version": "8.8.0" + "version": "8.0.0" }, "event": { "action": "ids-signature-matched", 
@@ -42,7 +42,7 @@ "threat" ], "dataset": "cisco_meraki.log", - "ingested": "2023-06-01T20:31:15Z", + "ingested": "2023-09-20T09:12:35Z", "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", "type": [ "info", @@ -54,7 +54,7 @@ }, "log": { "source": { - "address": "192.168.224.4:50508" + "address": "172.20.0.4:40170" } }, "network": { diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md index 748ce18c6ab..ddf7c36573e 100644 --- a/packages/cisco_meraki/docs/README.md +++ b/packages/cisco_meraki/docs/README.md @@ -298,11 +298,11 @@ An example event for `log` looks as following: { "@timestamp": "2021-11-23T18:13:18.348Z", "agent": { - "ephemeral_id": "eedc7205-9a4a-44e7-8574-3c9450a28434", - "id": "878982e9-a174-4ed8-abe3-19378c1473de", + "ephemeral_id": "6a7dac67-b13a-40d5-a45a-7df6ac73e739", + "id": "29d48081-6d4f-4236-b959-925451410f6f", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.0" + "version": "8.0.0" }, "cisco_meraki": { "event_subtype": "ids_alerted", @@ -327,9 +327,9 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "878982e9-a174-4ed8-abe3-19378c1473de", + "id": "29d48081-6d4f-4236-b959-925451410f6f", "snapshot": false, - "version": "8.8.0" + "version": "8.0.0" }, "event": { "action": "ids-signature-matched", 
@@ -339,7 +339,7 @@ An example event for `log` looks as following: "threat" ], "dataset": "cisco_meraki.log", - "ingested": "2023-06-01T20:31:15Z", + "ingested": "2023-09-20T09:12:35Z", "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", "type": [ "info", @@ -351,7 +351,7 @@ An example event for `log` looks as following: }, "log": { "source": { - "address": "192.168.224.4:50508" + "address": "172.20.0.4:40170" } }, "network": { @@ -623,11 +623,11 @@ An example event for `events` looks as following: { "@timestamp": "2018-02-11T00:00:00.123Z", "agent": { - "ephemeral_id": "077a2d93-4b1d-4908-b2d5-7c3a0218df3a", - "id": "878982e9-a174-4ed8-abe3-19378c1473de", + "ephemeral_id": "9a78410b-655d-4ff4-9fd6-5c47d2b1e28b", + "id": "29d48081-6d4f-4236-b959-925451410f6f", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.0" + "version": "8.0.0" }, "cisco_meraki": { "event": { @@ -662,9 +662,9 @@ An example event for `events` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "878982e9-a174-4ed8-abe3-19378c1473de", + "id": "29d48081-6d4f-4236-b959-925451410f6f", "snapshot": false, - "version": "8.8.0" + "version": "8.0.0" }, "event": { "action": "Cellular came up", 
@@ -673,7 +673,7 @@ An example event for `events` looks as following: "network" ], "dataset": "cisco_meraki.events", - "ingested": "2023-06-01T20:29:21Z", + "ingested": "2023-09-20T09:09:47Z", "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}", "type": [ "info", diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml index 229068ffc4c..43f9ec46094 100644 --- a/packages/cisco_meraki/manifest.yml +++ b/packages/cisco_meraki/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.11.0 name: cisco_meraki title: Cisco Meraki -version: "1.14.0" +version: "1.15.0" description: Collect logs from Cisco Meraki with Elastic Agent. type: integration categories: