[Cisco_Meraki] Add ECS Mappings and Grok Pattern to parse DHCP events

packages/cisco_meraki/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.28.1"
+ changes:
+ - description: Extend the event pipeline with some ECS fields and a Grok pattern to improve DHCP event parsing.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/13358
 - version: "1.28.0"
  changes:
  - description: Update Kibana constraint to support 9.0.0.

packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json

@@ -172,4 +172,4 @@
  },
  null
  ]
-}
+}

packages/cisco_meraki/data_stream/events/sample_event.json

@@ -1,11 +1,11 @@
 {
  "@timestamp": "2018-02-11T00:00:00.123Z",
  "agent": {
- "ephemeral_id": "9a78410b-655d-4ff4-9fd6-5c47d2b1e28b",
- "id": "29d48081-6d4f-4236-b959-925451410f6f",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "6cd48951-0fb4-46b5-b6b0-0fde65471d4e",
+ "id": "9e41b562-675f-4880-85b6-03569b372c67",
+ "name": "elastic-agent-46314",
  "type": "filebeat",
- "version": "8.0.0"
+ "version": "8.18.0"
  },
  "cisco_meraki": {
  "event": {
@@ -27,22 +27,22 @@
  "networkUrl": "https://n1.meraki.com//n//manage/nodes/list",
  "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview",
  "sentAt": "2021-10-07T08:42:00.926325Z",
- "sharedSecret": "secret",
+ "sharedSecret": "abc123",
  "version": "0.1"
  }
  },
  "data_stream": {
  "dataset": "cisco_meraki.events",
- "namespace": "ep",
+ "namespace": "12458",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "29d48081-6d4f-4236-b959-925451410f6f",
- "snapshot": false,
- "version": "8.0.0"
+ "id": "9e41b562-675f-4880-85b6-03569b372c67",
+ "snapshot": true,
+ "version": "8.18.0"
  },
  "event": {
  "action": "Cellular came up",
@@ -51,8 +51,8 @@
  "network"
  ],
  "dataset": "cisco_meraki.events",
- "ingested": "2023-09-20T09:09:47Z",
- "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
+ "ingested": "2025-03-28T12:15:23Z",
+ "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"abc123\",\"version\":\"0.1\"}",
  "type": [
  "info",
  "start"
@@ -85,4 +85,4 @@
  "forwarded",
  "meraki-events"
  ]
-}
+}

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-airmarshal-events.log-expected.json

@@ -8023,4 +8023,4 @@
  ]
  }
  ]
-}
+}

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log

@@ -46,3 +46,6 @@
 <134>1 1639132851.416656563 TCP9001 events type=anyconnect_vpn_session_manager msg= 'Sess-ID[420] Peer IP=3.3.3.3 User[user.name3]: Session disconnected. Session Type: SSL, Duration: 0d:00h:23m:03s, Bytes xmt: 135325, Bytes rcv: 74821, Reason: User Requested '
 <134>1 1639132851.416656563 TCP9001 events type=anyconnect_vpn_session_manager msg= 'Sess-ID[420] Peer IP=3.3.3.3 User[user3.name]: Deleted TLS tunnel[420.3] from DB. Reason: User Requested '
 <134>1 1639132851.416656563 TCP9001 events type=anyconnect_vpn_auth_success msg= 'RADIUS[511] Server IP=172.25.30.12 Server port=1812 Peer IP=4.4.4.4 Peer port=56193 User=user.name4: Authentication request accepted. '
+<134>1 1701190648.579444476 AB_123__Lyon_MX01 events dhcp no offers for mac 14:A7:8B:A7:F9:CA
+<134>1 1736917251.802993170 game_Office_DMC_47_Floor events type=disassociation radio='1' vap='0' client_mac='E4-F4-18-79-1F-E1' band='5' channel='161' reason='1' da_vendor='none' duration='1869.922025769' auth_neg_dur='0.142860677' last_auth_ago='1869.779207384' is_8021x='1' full_conn='0.317524167' ip_resp='0.317524167' ip_src='89.160.20.112' http_resp='56.027654771' arp_resp='0.179391823' arp_src='20.22.20.157' dns_server='20.142.20.250' dns_req_rtt='0.002535260' dns_resp='0.289948906' identity='xxxx_xxx' aid='401480346'
+<134>1 1736917275.649842796 game_Office_DMC_47_Floor events type=disassociation radio='1' vap='0' client_mac='E4-F4-18-79-1F-E1' band='5' channel='161' reason='1' da_vendor='none' duration='31.22725353' auth_neg_dur='0.012057865' last_auth_ago='31.152091238' is_8021x='1' full_conn='12.115982391' ip_resp='12.115982391' ip_src='89.160.20.112' arp_resp='0.241727656' arp_src='20.22.20.39' identity='xxxx_xxx' aid='1607913618'