[cisco_meraki] Add event.action and message to specific events (#7791)

Add event.action value when cisco_meraki.event_subtype is multiple_dhcp_servers_detected Keep important information in message field for cisco_meraki.event_subtype: * dhcp * client_vpn_connect * blocked * port

Author: LaZyDK

packages/cisco_meraki/changelog.yml

@@ -1,5 +1,10 @@
 # newer versions go on top
-- version: 1.14.0
+- version: "1.15.0"
+ changes:
+ - description: Add event.action and message to specific events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7791
+- version: "1.14.0"
  changes:
  - description: ECS version updated to 8.10.0.
  type: enhancement

packages/cisco_meraki/data_stream/events/sample_event.json

@@ -1,11 +1,11 @@
 {
  "@timestamp": "2018-02-11T00:00:00.123Z",
  "agent": {
- "ephemeral_id": "077a2d93-4b1d-4908-b2d5-7c3a0218df3a",
- "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+ "ephemeral_id": "9a78410b-655d-4ff4-9fd6-5c47d2b1e28b",
+ "id": "29d48081-6d4f-4236-b959-925451410f6f",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.8.0"
+ "version": "8.0.0"
  },
  "cisco_meraki": {
  "event": {
@@ -40,9 +40,9 @@
  "version": "8.10.0"
  },
  "elastic_agent": {
- "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+ "id": "29d48081-6d4f-4236-b959-925451410f6f",
  "snapshot": false,
- "version": "8.8.0"
+ "version": "8.0.0"
  },
  "event": {
  "action": "Cellular came up",
@@ -51,7 +51,7 @@
  "network"
  ],
  "dataset": "cisco_meraki.events",
- "ingested": "2023-06-01T20:29:21Z",
+ "ingested": "2023-09-20T09:09:47Z",
  "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
  "type": [
  "info",

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json

@@ -362,6 +362,7 @@
  "allowed"
  ]
  },
+ "message": "lease of ip 10.0.2.213 from mx mac 68:3A:1E:42:60:59 for client mac E0:CB:BC:02:4F:80 from router 10.0.0.1 on subnet 255.255.252.0 with dns 10.0.0.1",
  "network": {
  "protocol": "dhcp"
  },
@@ -400,6 +401,7 @@
  "denied"
  ]
  },
+ "message": "no offers for mac A4:83:E7:02:A2:F1 host = 192.168.10.1",
  "network": {
  "protocol": "dhcp"
  },
@@ -449,6 +451,7 @@
  "start"
  ]
  },
+ "message": "user id 'jwick@wwvpn.net' local ip 172.16.0.145 connected from 81.2.69.193",
  "network": {
  "forwarded_ip": "172.16.0.145"
  },
@@ -667,6 +670,9 @@
  "version": "8.10.0"
  },
  "event": {
+ "action": [
+ "multiple_dhcp_servers_detected"
+ ],
  "category": [
  "network"
  ],
@@ -718,6 +724,9 @@
  "version": "8.10.0"
  },
  "event": {
+ "action": [
+ "multiple_dhcp_servers_detected"
+ ],
  "category": [
  "network"
  ],
@@ -1073,6 +1082,7 @@
  "priority": 134
  }
  },
+ "message": "Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123",
  "observer": {
  "hostname": "TCP9001",
  "ingress": {
@@ -1126,6 +1136,7 @@
  "priority": 134
  }
  },
+ "message": "Port 4 changed STP role from designated to disabled",
  "observer": {
  "hostname": "TCP9001"
  },
@@ -1158,6 +1169,7 @@
  "priority": 134
  }
  },
+ "message": "port 4 status changed from 100fdx to down",
  "observer": {
  "hostname": "TCP9001"
  },
@@ -1190,6 +1202,7 @@
  "priority": 134
  }
  },
+ "message": "Port 1 changed STP role from disabled to designated",
  "observer": {
  "hostname": "TCP9001"
  },
@@ -1222,6 +1235,7 @@
  "priority": 134
  }
  },
+ "message": "port 1 status changed from down to 100fdx",
  "observer": {
  "hostname": "TCP9001"
  },

packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -213,6 +213,8 @@ processors:
  "multiple_dhcp_servers_detected":
  type:
  - protocol
+ action: 
+ - multiple_dhcp_servers_detected
  "dfs_event":
  action: dynamic-frequency-selection-detected
  "aps_association_reject":

packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml

@@ -70,6 +70,11 @@ processors:
  field: cisco_meraki.event_subtype
  value: dhcp_no_offer
  if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers'
+- grok:
+ field: event.original
+ patterns: 
+ - "events dhcp %{GREEDYDATA:message}$"
+ if: ctx?.msgtype.toLowerCase() == "dhcp"
 ####################################################
 # Handle Site-to-Site VPN message
 ####################################################
@@ -91,7 +96,7 @@ processors:
 - grok:
  field: event.original
  patterns: 
- - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id}$'
+ - '^%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?<message>%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id})$'
  pattern_definitions:
  SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
  SYSLOGVER: '\b(?:\d{1,2})\b'
@@ -118,7 +123,7 @@ processors:
 - grok:
  field: event.original
  patterns: 
- - '(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}port %{NOTSPACE} %{PORTACTION:_temp.port_action}'
+ - '^(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?<message>port %{NOTSPACE} %{PORTACTION:_temp.port_action}.*)$'
  pattern_definitions:
  SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
  SYSLOGVER: '\b(?:\d{1,2})\b'
@@ -233,6 +238,11 @@ processors:
  field: event.original
  pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}"
  if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect"
+- grok:
+ field: event.original
+ patterns: 
+ - "events client_vpn_connect %{GREEDYDATA:message}$"
+ if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect"
 
 ####################################################
 # parse dissected IP values and convert to IP type

packages/cisco_meraki/data_stream/log/sample_event.json

@@ -1,11 +1,11 @@
 {
  "@timestamp": "2021-11-23T18:13:18.348Z",
  "agent": {
- "ephemeral_id": "eedc7205-9a4a-44e7-8574-3c9450a28434",
- "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+ "ephemeral_id": "6a7dac67-b13a-40d5-a45a-7df6ac73e739",
+ "id": "29d48081-6d4f-4236-b959-925451410f6f",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.8.0"
+ "version": "8.0.0"
  },
  "cisco_meraki": {
  "event_subtype": "ids_alerted",
@@ -30,9 +30,9 @@
  "version": "8.10.0"
  },
  "elastic_agent": {
- "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+ "id": "29d48081-6d4f-4236-b959-925451410f6f",
  "snapshot": false,
- "version": "8.8.0"
+ "version": "8.0.0"
  },
  "event": {
  "action": "ids-signature-matched",
@@ -42,7 +42,7 @@
  "threat"
  ],
  "dataset": "cisco_meraki.log",
- "ingested": "2023-06-01T20:31:15Z",
+ "ingested": "2023-09-20T09:12:35Z",
  "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
  "type": [
  "info",
@@ -54,7 +54,7 @@
  },
  "log": {
  "source": {
- "address": "192.168.224.4:50508"
+ "address": "172.20.0.4:40170"
  }
  },
  "network": {

packages/cisco_meraki/docs/README.md

@@ -298,11 +298,11 @@ An example event for `log` looks as following:
 {
  "@timestamp": "2021-11-23T18:13:18.348Z",
  "agent": {
- "ephemeral_id": "eedc7205-9a4a-44e7-8574-3c9450a28434",
- "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+ "ephemeral_id": "6a7dac67-b13a-40d5-a45a-7df6ac73e739",
+ "id": "29d48081-6d4f-4236-b959-925451410f6f",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.8.0"
+ "version": "8.0.0"
  },
  "cisco_meraki": {
  "event_subtype": "ids_alerted",
@@ -327,9 +327,9 @@ An example event for `log` looks as following:
  "version": "8.10.0"
  },
  "elastic_agent": {
- "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+ "id": "29d48081-6d4f-4236-b959-925451410f6f",
  "snapshot": false,
- "version": "8.8.0"
+ "version": "8.0.0"
  },
  "event": {
  "action": "ids-signature-matched",
@@ -339,7 +339,7 @@ An example event for `log` looks as following:
  "threat"
  ],
  "dataset": "cisco_meraki.log",
- "ingested": "2023-06-01T20:31:15Z",
+ "ingested": "2023-09-20T09:12:35Z",
  "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
  "type": [
  "info",
@@ -351,7 +351,7 @@ An example event for `log` looks as following:
  },
  "log": {
  "source": {
- "address": "192.168.224.4:50508"
+ "address": "172.20.0.4:40170"
  }
  },
  "network": {
@@ -623,11 +623,11 @@ An example event for `events` looks as following:
 {
  "@timestamp": "2018-02-11T00:00:00.123Z",
  "agent": {
- "ephemeral_id": "077a2d93-4b1d-4908-b2d5-7c3a0218df3a",
- "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+ "ephemeral_id": "9a78410b-655d-4ff4-9fd6-5c47d2b1e28b",
+ "id": "29d48081-6d4f-4236-b959-925451410f6f",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.8.0"
+ "version": "8.0.0"
  },
  "cisco_meraki": {
  "event": {
@@ -662,9 +662,9 @@ An example event for `events` looks as following:
  "version": "8.10.0"
  },
  "elastic_agent": {
- "id": "878982e9-a174-4ed8-abe3-19378c1473de",
+ "id": "29d48081-6d4f-4236-b959-925451410f6f",
  "snapshot": false,
- "version": "8.8.0"
+ "version": "8.0.0"
  },
  "event": {
  "action": "Cellular came up",
@@ -673,7 +673,7 @@ An example event for `events` looks as following:
  "network"
  ],
  "dataset": "cisco_meraki.events",
- "ingested": "2023-06-01T20:29:21Z",
+ "ingested": "2023-09-20T09:09:47Z",
  "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
  "type": [
  "info",

packages/cisco_meraki/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 2.11.0
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.14.0"
+version: "1.15.0"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories: