cisco_meraki: fix ECS mapping for translated IP and port

Previously these were conditionally mapped to the {source,destination}.{ip,port} fields. Instead, map them to {source,destination}.nat.{ip,port}.

Author: efd6

packages/cisco_meraki/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.2"
+ changes:
+ - description: Map translated source and destination IP and port to correct ECS fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/14389
 - version: "1.29.1"
  changes:
  - description: Fix the parsing of connecting and reconnecting events for `anyconnect_vpn_connect` and `client_vpn_connect`.

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-ip-flow.log

@@ -8,3 +8,4 @@
 <134>1 1647479325.755292025 MX100 ip_flow_end src=10.0.0.234 dst=81.2.69.144 protocol=tcp sport=36498 dport=80 translated_src_ip=1.128.3.4 translated_port=36498
 <134>1 1647479325.755292025 MX100 ip_flow_start src=10.0.0.234 dst=81.2.69.145 protocol=icmp translated_src_ip=1.128.3.4
 <134>1 1647479325.755292025 MX100 ip_flow_end src=10.0.2.99 dst=10.0.0.1 protocol=icmp translated_dst_ip=89.160.20.112
+<134>1 1751379284.245040794 FW_01 ip_flow_start src=10.140.40.72 dst=81.2.69.144 protocol=udp sport=18212 dport=53 translated_src_ip=1.128.3.4 translated_port=13710

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-ip-flow.log-expected.json

@@ -19,6 +19,9 @@
  "region_name": "England"
  },
  "ip": "81.2.69.145",
+ "nat": {
+ "port": 34294
+ },
  "port": 80
  },
  "ecs": {
@@ -41,13 +44,11 @@
  "hostname": "MX100"
  },
  "source": {
- "as": {
- "number": 1221,
- "organization": {
- "name": "Telstra Pty Ltd"
- }
+ "ip": "10.0.0.234",
+ "nat": {
+ "ip": "1.128.3.4",
+ "port": 34294
  },
- "ip": "1.128.3.4",
  "port": 34294
  },
  "tags": [
@@ -74,6 +75,9 @@
  "region_name": "England"
  },
  "ip": "81.2.69.143",
+ "nat": {
+ "port": 45061
+ },
  "port": 53
  },
  "ecs": {
@@ -96,13 +100,11 @@
  "hostname": "MX100"
  },
  "source": {
- "as": {
- "number": 1221,
- "organization": {
- "name": "Telstra Pty Ltd"
- }
+ "ip": "10.0.0.234",
+ "nat": {
+ "ip": "1.128.3.4",
+ "port": 45061
  },
- "ip": "1.128.3.4",
  "port": 45061
  },
  "tags": [
@@ -129,6 +131,9 @@
  "region_name": "England"
  },
  "ip": "81.2.69.143",
+ "nat": {
+ "port": 37401
+ },
  "port": 53
  },
  "ecs": {
@@ -151,13 +156,11 @@
  "hostname": "MX100"
  },
  "source": {
- "as": {
- "number": 1221,
- "organization": {
- "name": "Telstra Pty Ltd"
- }
+ "ip": "10.0.0.234",
+ "nat": {
+ "ip": "1.128.3.4",
+ "port": 37401
  },
- "ip": "1.128.3.4",
  "port": 37401
  },
  "tags": [
@@ -190,6 +193,9 @@
  "region_name": "Östergötland County"
  },
  "ip": "89.160.20.156",
+ "nat": {
+ "port": 61272
+ },
  "port": 443
  },
  "ecs": {
@@ -212,22 +218,11 @@
  "hostname": "MX84"
  },
  "source": {
- "as": {
- "number": 209
+ "ip": "10.0.3.138",
+ "nat": {
+ "ip": "216.160.83.61",
+ "port": 61272
  },
- "geo": {
- "city_name": "Milton",
- "continent_name": "North America",
- "country_iso_code": "US",
- "country_name": "United States",
- "location": {
- "lat": 47.2513,
- "lon": -122.3149
- },
- "region_iso_code": "US-WA",
- "region_name": "Washington"
- },
- "ip": "216.160.83.61",
  "port": 61272
  },
  "tags": [
@@ -241,25 +236,11 @@
  "event_type": "ip_flow_end"
  },
  "destination": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
+ "ip": "10.0.0.1",
+ "nat": {
+ "ip": "89.160.20.112",
+ "port": 53
  },
- "ip": "89.160.20.112",
  "port": 53
  },
  "ecs": {
@@ -283,6 +264,9 @@
  },
  "source": {
  "ip": "10.0.2.249",
+ "nat": {
+ "port": 53
+ },
  "port": 7421
  },
  "tags": [
@@ -309,6 +293,9 @@
  }
  },
  "ip": "67.43.156.14",
+ "nat": {
+ "port": 38422
+ },
  "port": 443
  },
  "ecs": {
@@ -331,22 +318,11 @@
  "hostname": "MX84"
  },
  "source": {
- "as": {
- "number": 209
- },
- "geo": {
- "city_name": "Milton",
- "continent_name": "North America",
- "country_iso_code": "US",
- "country_name": "United States",
- "location": {
- "lat": 47.2513,
- "lon": -122.3149
- },
- "region_iso_code": "US-WA",
- "region_name": "Washington"
+ "ip": "10.0.3.116",
+ "nat": {
+ "ip": "216.160.83.61",
+ "port": 38422
  },
- "ip": "216.160.83.61",
  "port": 38422
  },
  "tags": [
@@ -360,25 +336,11 @@
  "event_type": "ip_flow_end"
  },
  "destination": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
+ "ip": "10.0.0.1",
+ "nat": {
+ "ip": "89.160.20.112",
+ "port": 53
  },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.112",
  "port": 53
  },
  "ecs": {
@@ -402,6 +364,9 @@
  },
  "source": {
  "ip": "10.0.2.99",
+ "nat": {
+ "port": 53
+ },
  "port": 29534
  },
  "tags": [
@@ -428,6 +393,9 @@
  "region_name": "England"
  },
  "ip": "81.2.69.144",
+ "nat": {
+ "port": 36498
+ },
  "port": 80
  },
  "ecs": {
@@ -450,13 +418,11 @@
  "hostname": "MX100"
  },
  "source": {
- "as": {
- "number": 1221,
- "organization": {
- "name": "Telstra Pty Ltd"
- }
+ "ip": "10.0.0.234",
+ "nat": {
+ "ip": "1.128.3.4",
+ "port": 36498
  },
- "ip": "1.128.3.4",
  "port": 36498
  },
  "tags": [
@@ -504,13 +470,10 @@
  "hostname": "MX100"
  },
  "source": {
- "as": {
- "number": 1221,
- "organization": {
- "name": "Telstra Pty Ltd"
- }
- },
- "ip": "1.128.3.4"
+ "ip": "10.0.0.234",
+ "nat": {
+ "ip": "1.128.3.4"
+ }
  },
  "tags": [
  "forwarded",
@@ -523,25 +486,10 @@
  "event_type": "ip_flow_end"
  },
  "destination": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.112"
+ "ip": "10.0.0.1",
+ "nat": {
+ "ip": "89.160.20.112"
+ }
  },
  "ecs": {
  "version": "8.11.0"
@@ -569,6 +517,62 @@
  "forwarded",
  "preserve_original_event"
  ]
+ },
+ {
+ "@timestamp": "2025-07-01T14:14:44.245Z",
+ "cisco_meraki": {
+ "event_type": "ip_flow_start"
+ },
+ "destination": {
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "nat": {
+ "port": 13710
+ },
+ "port": 53
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "original": "<134>1 1751379284.245040794 FW_01 ip_flow_start src=10.140.40.72 dst=81.2.69.144 protocol=udp sport=18212 dport=53 translated_src_ip=1.128.3.4 translated_port=13710",
+ "type": [
+ "info"
+ ]
+ },
+ "message": "src=10.140.40.72 dst=81.2.69.144 protocol=udp sport=18212 dport=53 translated_src_ip=1.128.3.4 translated_port=13710",
+ "network": {
+ "protocol": "udp"
+ },
+ "observer": {
+ "hostname": "FW_01"
+ },
+ "source": {
+ "ip": "10.140.40.72",
+ "nat": {
+ "ip": "1.128.3.4",
+ "port": 13710
+ },
+ "port": 18212
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
  }
  ]
 }