elastic · ShourieG · Jan 24, 2023 · Dec 20, 2022 · Dec 20, 2022 · Dec 20, 2022
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.1"
+ changes:
+ - description: Handle user-agent when present in urls logs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/4873
 - version: "1.5.0"
  changes:
  - description: Update package to ECS 8.6.0.

@@ -1,2 +1,3 @@
 <134>1 1647479503.348215340 MX84 urls src=10.0.1.29:60336 dst=89.160.20.156:80 mac=78:7B:8A:CC:05:18 request: UNKNOWN https://bitbucket.org/...
 <134>1 1647479503.676404537 MX84 urls src=10.0.0.234:56424 dst=89.160.20.112:443 mac=64:1C:AE:68:2A:01 request: GET https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024
+<134>1 1647479503.676404537 MX84 urls src=10.0.0.234:56424 dst=89.160.20.112:443 mac=64:1C:AE:68:2A:01 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0' request: GET https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024
@@ -131,6 +131,85 @@
  "url": {
  "original": "https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024"
  }
+ },
+ {
+ "@timestamp": "2022-03-17T01:11:43.676Z",
+ "cisco_meraki": {
+ "event_subtype": "http_access",
+ "event_type": "urls",
+ "urls": {
+ "mac": "64-1C-AE-68-2A-01"
+ }
+ },
+ "destination": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.112",
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.6.0"
+ },
+ "event": {
+ "action": "http-access",
+ "category": [
+ "network",
+ "web"
+ ],
+ "original": "\u003c134\u003e1 1647479503.676404537 MX84 urls src=10.0.0.234:56424 dst=89.160.20.112:443 mac=64:1C:AE:68:2A:01 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0' request: GET https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024",
+ "type": [
+ "info",
+ "access"
+ ]
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ }
+ },
+ "observer": {
+ "hostname": "MX84"
+ },
+ "source": {
+ "ip": "10.0.0.234",
+ "port": 56424
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "url": {
+ "original": "https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Firefox",
+ "original": "'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0'",
+ "os": {
+ "full": "Windows 10",
+ "name": "Windows",
+ "version": "10"
+ },
+ "version": "108.0."
+ }
  }
  ]
 }
@@ -5,6 +5,13 @@ processors:
  description: Determine the security event type
  field: event.original
  pattern: "%{} urls %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} request: %{http.request.method} %{url.original}"
+# extract user-agent if present (it will be following the mac field)
+- dissect:
+ description: Extract the user-agent that can be embedded into the mac field due to the previous extaction
+ field: mac
+ ignore_missing: true
+ ignore_failure: true
+ pattern: "%{mac} agent=%{user_agent.original}"
 # src processing
 - grok:
  field: src
@@ -62,3 +69,7 @@ processors:
  field: cisco_meraki.event_subtype
  value: 'http_access_error'
  if: ctx?.http?.request?.method.toLowerCase() == 'unknown'
+# user_agent processing
+- user_agent:
+ field: user_agent.original
+ ignore_missing: true
@@ -244,6 +244,20 @@
  name: user.name
 - external: ecs
  name: user_agent.original
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.version
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.os.full
 - external: ecs
  name: observer.hostname
 - external: ecs

@@ -276,8 +276,16 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |
 | user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
 
 
 An example event for `log` looks as following:

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.5.0"
+version: "1.5.1"
 license: basic
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration