elastic · efd6 · Sep 24, 2023 · Sep 13, 2023 · Sep 13, 2023 · Sep 20, 2023
@@ -1,5 +1,10 @@
 # newer versions go on top
-- version: 1.14.0
+- version: "1.15.0"
+  changes:
+    - description: Add event.action and message to specific events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7791
+- version: "1.14.0"
   changes:
     - description: ECS version updated to 8.10.0.
       type: enhancement

@@ -1,11 +1,11 @@
 {
     "@timestamp": "2018-02-11T00:00:00.123Z",
     "agent": {
-        "ephemeral_id": "077a2d93-4b1d-4908-b2d5-7c3a0218df3a",
-        "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+        "ephemeral_id": "9a78410b-655d-4ff4-9fd6-5c47d2b1e28b",
+        "id": "29d48081-6d4f-4236-b959-925451410f6f",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.8.0"
+        "version": "8.0.0"
     },
     "cisco_meraki": {
         "event": {
@@ -40,9 +40,9 @@
         "version": "8.10.0"
     },
     "elastic_agent": {
-        "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+        "id": "29d48081-6d4f-4236-b959-925451410f6f",
         "snapshot": false,
-        "version": "8.8.0"
+        "version": "8.0.0"
     },
     "event": {
         "action": "Cellular came up",
@@ -51,7 +51,7 @@
             "network"
         ],
         "dataset": "cisco_meraki.events",
-        "ingested": "2023-06-01T20:29:21Z",
+        "ingested": "2023-09-20T09:09:47Z",
         "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
         "type": [
             "info",

@@ -362,6 +362,7 @@
                     "allowed"
                 ]
             },
+            "message": "lease of ip 10.0.2.213 from mx mac 68:3A:1E:42:60:59 for client mac E0:CB:BC:02:4F:80 from router 10.0.0.1 on subnet 255.255.252.0 with dns 10.0.0.1",
             "network": {
                 "protocol": "dhcp"
             },
@@ -400,6 +401,7 @@
                     "denied"
                 ]
             },
+            "message": "no offers for mac A4:83:E7:02:A2:F1 host = 192.168.10.1",
             "network": {
                 "protocol": "dhcp"
             },
@@ -449,6 +451,7 @@
                     "start"
                 ]
             },
+            "message": "user id 'jwick@wwvpn.net' local ip 172.16.0.145 connected from 81.2.69.193",
             "network": {
                 "forwarded_ip": "172.16.0.145"
             },
@@ -667,6 +670,9 @@
                 "version": "8.10.0"
             },
             "event": {
+                "action": [
+                    "multiple_dhcp_servers_detected"
+                ],
                 "category": [
                     "network"
                 ],
@@ -718,6 +724,9 @@
                 "version": "8.10.0"
             },
             "event": {
+                "action": [
+                    "multiple_dhcp_servers_detected"
+                ],
                 "category": [
                     "network"
                 ],
@@ -1073,6 +1082,7 @@
                     "priority": 134
                 }
             },
+            "message": "Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123",
             "observer": {
                 "hostname": "TCP9001",
                 "ingress": {
@@ -1126,6 +1136,7 @@
                     "priority": 134
                 }
             },
+            "message": "Port 4 changed STP role from designated to disabled",
             "observer": {
                 "hostname": "TCP9001"
             },
@@ -1158,6 +1169,7 @@
                     "priority": 134
                 }
             },
+            "message": "port 4 status changed from 100fdx to down",
             "observer": {
                 "hostname": "TCP9001"
             },
@@ -1190,6 +1202,7 @@
                     "priority": 134
                 }
             },
+            "message": "Port 1 changed STP role from disabled to designated",
             "observer": {
                 "hostname": "TCP9001"
             },
@@ -1222,6 +1235,7 @@
                     "priority": 134
                 }
             },
+            "message": "port 1 status changed from down to 100fdx",
             "observer": {
                 "hostname": "TCP9001"
             },

@@ -213,6 +213,8 @@ processors:
         "multiple_dhcp_servers_detected":
           type:
             - protocol
+          action: 
+            - multiple_dhcp_servers_detected
         "dfs_event":
           action: dynamic-frequency-selection-detected
         "aps_association_reject":

@@ -70,6 +70,11 @@ processors:
     field: cisco_meraki.event_subtype
     value: dhcp_no_offer
     if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers'
+- grok:
+    field: event.original
+    patterns: 
+      - "events dhcp %{GREEDYDATA:message}$"
+    if: ctx?.msgtype.toLowerCase() == "dhcp"
 ####################################################
 # Handle Site-to-Site VPN message
 ####################################################
@@ -91,7 +96,7 @@ processors:
 - grok:
     field: event.original
     patterns: 
-      - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id}$'
+      - '^%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?<message>%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id})$'
     pattern_definitions:
       SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
       SYSLOGVER: '\b(?:\d{1,2})\b'
@@ -118,7 +123,7 @@ processors:
 - grok:
     field: event.original
     patterns: 
-      - '(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}port %{NOTSPACE} %{PORTACTION:_temp.port_action}'
+      - '^(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?<message>port %{NOTSPACE} %{PORTACTION:_temp.port_action}.*)$'
     pattern_definitions:
       SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
       SYSLOGVER: '\b(?:\d{1,2})\b'
@@ -233,6 +238,11 @@ processors:
     field: event.original
     pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}"
     if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect"
+- grok:
+    field: event.original
+    patterns: 
+      - "events client_vpn_connect %{GREEDYDATA:message}$"
+    if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect"
 
 ####################################################
 # parse dissected IP values and convert to IP type

@@ -1,11 +1,11 @@
 {
     "@timestamp": "2021-11-23T18:13:18.348Z",
     "agent": {
-        "ephemeral_id": "eedc7205-9a4a-44e7-8574-3c9450a28434",
-        "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+        "ephemeral_id": "6a7dac67-b13a-40d5-a45a-7df6ac73e739",
+        "id": "29d48081-6d4f-4236-b959-925451410f6f",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.8.0"
+        "version": "8.0.0"
     },
     "cisco_meraki": {
         "event_subtype": "ids_alerted",
@@ -30,9 +30,9 @@
         "version": "8.10.0"
     },
     "elastic_agent": {
-        "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+        "id": "29d48081-6d4f-4236-b959-925451410f6f",
         "snapshot": false,
-        "version": "8.8.0"
+        "version": "8.0.0"
     },
     "event": {
         "action": "ids-signature-matched",
@@ -42,7 +42,7 @@
             "threat"
         ],
         "dataset": "cisco_meraki.log",
-        "ingested": "2023-06-01T20:31:15Z",
+        "ingested": "2023-09-20T09:12:35Z",
         "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
         "type": [
             "info",
@@ -54,7 +54,7 @@
     },
     "log": {
         "source": {
-            "address": "192.168.224.4:50508"
+            "address": "172.20.0.4:40170"
         }
     },
     "network": {

@@ -298,11 +298,11 @@ An example event for `log` looks as following:
 {
     "@timestamp": "2021-11-23T18:13:18.348Z",
     "agent": {
-        "ephemeral_id": "eedc7205-9a4a-44e7-8574-3c9450a28434",
-        "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+        "ephemeral_id": "6a7dac67-b13a-40d5-a45a-7df6ac73e739",
+        "id": "29d48081-6d4f-4236-b959-925451410f6f",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.8.0"
+        "version": "8.0.0"
     },
     "cisco_meraki": {
         "event_subtype": "ids_alerted",
@@ -327,9 +327,9 @@ An example event for `log` looks as following:
         "version": "8.10.0"
     },
     "elastic_agent": {
-        "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+        "id": "29d48081-6d4f-4236-b959-925451410f6f",
         "snapshot": false,
-        "version": "8.8.0"
+        "version": "8.0.0"
     },
     "event": {
         "action": "ids-signature-matched",
@@ -339,7 +339,7 @@ An example event for `log` looks as following:
             "threat"
         ],
         "dataset": "cisco_meraki.log",
-        "ingested": "2023-06-01T20:31:15Z",
+        "ingested": "2023-09-20T09:12:35Z",
         "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
         "type": [
             "info",
@@ -351,7 +351,7 @@ An example event for `log` looks as following:
     },
     "log": {
         "source": {
-            "address": "192.168.224.4:50508"
+            "address": "172.20.0.4:40170"
         }
     },
     "network": {
@@ -623,11 +623,11 @@ An example event for `events` looks as following:
 {
     "@timestamp": "2018-02-11T00:00:00.123Z",
     "agent": {
-        "ephemeral_id": "077a2d93-4b1d-4908-b2d5-7c3a0218df3a",
-        "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+        "ephemeral_id": "9a78410b-655d-4ff4-9fd6-5c47d2b1e28b",
+        "id": "29d48081-6d4f-4236-b959-925451410f6f",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.8.0"
+        "version": "8.0.0"
     },
     "cisco_meraki": {
         "event": {
@@ -662,9 +662,9 @@ An example event for `events` looks as following:
         "version": "8.10.0"
     },
     "elastic_agent": {
-        "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+        "id": "29d48081-6d4f-4236-b959-925451410f6f",
         "snapshot": false,
-        "version": "8.8.0"
+        "version": "8.0.0"
     },
     "event": {
         "action": "Cellular came up",
@@ -673,7 +673,7 @@ An example event for `events` looks as following:
             "network"
         ],
         "dataset": "cisco_meraki.events",
-        "ingested": "2023-06-01T20:29:21Z",
+        "ingested": "2023-09-20T09:09:47Z",
         "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
         "type": [
             "info",

@@ -1,7 +1,7 @@
 format_version: 2.11.0
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.14.0"
+version: "1.15.0"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories: