Collect Cisco Meraki logs

Supported in:

Google SecOps SIEM

This document describes how you can collect Cisco Meraki logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CISCO_MERAKI ingestion label.

Configure Cisco Meraki

Sign in to the Cisco Meraki dashboard.
In the Cisco Meraki dashboard, select Configure > Alerts & administration.
In the Logging section, do the following:
1. In Server IP field, specify the Google Security Operations forwarder IP address.
2. In the Port field, specify the port value, such as 514.
3. In the Roles field, select the four available options to get all the logs or select any combination as per your requirement.
Click Save changes.

Configure Google Security Operations forwarder and syslog to ingest Cisco Meraki logs

Go to SIEM Settings > Forwarders.
Click Add new forwarder.
In the Forwarder Name field, enter a unique name for the forwarder.
Click Submit. The forwarder is added and the Add collector configuration window appears.
In the Collector name field, type a name.
Select Cisco Meraki as the Log type.
Select Syslog as the Collector type.
Configure the following mandatory input parameters:
- Protocol: specify the protocol.
- Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser handles Cisco Meraki (identified as Cisco/Meraki) logs in either SYSLOG or JSON format, normalizing them into UDM. It uses grok patterns to parse syslog messages and conditional logic based on the eventType field to extract relevant information, handling various event types like network flows, URL requests, firewall events, and generic events, mapping them to appropriate UDM fields and enriching the data with additional context. If the input isn't syslog, it attempts to parse it as JSON and maps the relevant fields to UDM.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`action`	`security_result.action`	Value is converted to uppercase. If the value is "deny", it's replaced with "BLOCK". If `sc_action` contains "allow", the value is replaced with "ALLOW". Otherwise, if `decision` contains "block", the value is replaced with "BLOCK". Otherwise, if `authorization` is "success", it's set to "ALLOW", and if "failure", it's set to "BLOCK". Otherwise, if `pattern` is "1 all", "deny all", or "Group Policy Deny", it's set to "BLOCK". If `pattern` is "allow all", "Group Policy Allow", or "0 all", it's set to "ALLOW". Otherwise, it's set to "UNKNOWN_ACTION". If `decision` contains "block", it's set to "BLOCK".
`adId`	`principal.user.user_display_name`	Directly mapped from the `adId` field in JSON logs.
`agent`	`network.http.user_agent`	Apostrophes are removed. Directly mapped from the `agent` field. Also converted to `network.http.parsed_user_agent` using the `parseduseragent` filter.
`aid`	`network.session_id`	Directly mapped from the `aid` field.
`appProtocol`	`network.application_protocol`	Converted to uppercase. Directly mapped from the `appProtocol` field.
`attr`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "attr".
`authorization`	`security_result.action_details`	Directly mapped from the `authorization` field in JSON logs.
`band`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "band".
`bssids.bssid`	`principal.mac`	Converted to lowercase. Merged into the `principal.mac` array.
`bssids.detectedBy.device`	`intermediary.asset.asset_id`	Formatted as "Device id: ".
`bssids.detectedBy.rssi`	`intermediary.asset.product_object_id`	Converted to a string.
`Channel`	`about.resource.attribute.labels`	Added as a key-value pair to the `about.resource.attribute.labels` array with the key "Channel".
`clientDescription`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "clientDescription".
`clientId`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "clientId".
`clientIp`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `clientIp` field.
`clientMac`	`principal.mac`	Converted to lowercase. Directly mapped from the `clientMac` field in JSON logs.
`client_ip`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `client_ip` field.
`client_mac`	`principal.mac`	Converted to lowercase. Directly mapped from the `client_mac` field.
`code`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "code".
`collection_time`	`metadata.event_timestamp`	The seconds and nanos fields are combined to create a timestamp.
`Conditions`	`security_result.about.resource.attribute.labels`	Carriage returns, newlines, and tabs are replaced with spaces and specific values are substituted. The modified value is added as a key-value pair to the `security_result.about.resource.attribute.labels` array with the key "Conditions".
`decision`	`security_result.action`	If the value is "blocked", it's set to "BLOCK".
`desc`	`metadata.description`	Directly mapped from the `desc` field.
`description`	`security_result.description`	Directly mapped from the `description` field in JSON logs.
`DestAddress`	`target.ip`, `target.asset.ip`	Directly mapped from the `DestAddress` field.
`DestPort`	`target.port`	Converted to an integer. Directly mapped from the `DestPort` field.
`deviceIp`	`target.ip`	Directly mapped from the `deviceIp` field.
`deviceMac`	`target.mac`	Converted to lowercase. Directly mapped from the `deviceMac` field.
`deviceName`	`target.hostname`, `target.asset.hostname`	Directly mapped from the `deviceName` field in JSON logs.
`deviceSerial`	`target.asset.hardware.serial_number`	Directly mapped from the `deviceSerial` field in JSON logs.
`Direction`	`network.direction`	Special characters are removed, and the value is mapped to `network.direction`.
`DisabledPrivilegeList`	`target.user.attribute`	Carriage returns, newlines, and tabs are replaced, and the modified value is parsed as JSON and merged into the `target.user.attribute` object.
`dport`	`target.port`	Converted to an integer. Directly mapped from the `dport` field.
`dst`	`target.ip`, `target.asset.ip`	Directly mapped from the `dst` field.
`dstIp`	`target.ip`, `target.asset.ip`	Directly mapped from the `dstIp` field.
`dstPort`	`target.port`	Converted to an integer. Directly mapped from the `dstPort` field.
`dvc`	`intermediary.hostname`	Directly mapped from the `dvc` field.
`EnabledPrivilegeList`	`target.user.attribute`	Carriage returns, newlines, and tabs are replaced, and the modified value is parsed as JSON and merged into the `target.user.attribute` object.
`eventData.aid`	`principal.asset_id`	Formatted as "ASSET_ID:".
`eventData.client_ip`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `eventData.client_ip` field in JSON logs.
`eventData.client_mac`	`principal.mac`	Converted to lowercase. Directly mapped from the `eventData.client_mac` field in JSON logs.
`eventData.group`	`principal.group.group_display_name`	Directly mapped from the `eventData.group` field in JSON logs.
`eventData.identity`	`principal.hostname`	Directly mapped from the `eventData.identity` field in JSON logs.
`eventData.ip`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `eventData.ip` field in JSON logs.
`EventID`	`metadata.product_event_type`, `security_result.rule_name`	Converted to a string. Mapped to `metadata.product_event_type`. Also used to create `security_result.rule_name` in the format "EventID: ". Used to determine `event_type` and `sec_action`.
`eventSummary`	`security_result.summary`, `metadata.description`	Directly mapped from the `eventSummary` field. Also used in `security_result.description` for some events.
`eventType`	`metadata.product_event_type`	Directly mapped from the `eventType` field. Used to determine which parsing logic to apply.
`filename`	`principal.process.file.full_path`	Directly mapped from the `filename` field.
`FilterId`	`target.resource.product_object_id`	Directly mapped from the `FilterId` field for EventID 5447.
`FilterName`	`target.resource.name`	Directly mapped from the `FilterName` field for EventID 5447.
`FilterRTID`	`security_result.detection_fields`	Added as a key-value pair to the `security_result.detection_fields` array with the key "FilterRTID".
`firstSeen`	`security_result.detection_fields`	Converted to a string. Added as a key-value pair to the `security_result.detection_fields` array with the key "firstSeen".
`gatewayDeviceMac`	`target.mac`	Converted to lowercase. Merged into the `target.mac` array.
`group`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "group".
`GroupMembership`	`target.user`	Carriage returns, newlines, tabs, and special characters are removed. The modified value is parsed as JSON and merged into the `target.user` object.
`Hostname`	`principal.hostname`, `principal.asset.hostname`	Directly mapped from the `Hostname` field.
`identity`	`target.user.userid`	Directly mapped from the `identity` field.
`instigator`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "instigator".
`int_ip`	`intermediary.ip`	Directly mapped from the `int_ip` field.
`ip_msg`	`principal.resource.attribute.labels`	Added as a key-value pair to the `principal.resource.attribute.labels` array with the key "IPs".
`is_8021x`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "is_8021x".
`KeyName`	`target.resource.name`	Directly mapped from the `KeyName` field.
`KeyFilePath`	`target.file.full_path`	Directly mapped from the `KeyFilePath` field.
`lastSeen`	`security_result.detection_fields`	Converted to a string. Added as a key-value pair to the `security_result.detection_fields` array with the key "lastSeen".
`last_known_client_ip`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `last_known_client_ip` field.
`LayerName`	`security_result.detection_fields`	Added as a key-value pair to the `security_result.detection_fields` array with the key "Layer Name".
`LayerRTID`	`security_result.detection_fields`	Added as a key-value pair to the `security_result.detection_fields` array with the key "LayerRTID".
`localIp`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `localIp` field.
`login`	`principal.user.email_addresses`	Directly mapped from the `login` field in JSON logs if it matches an email address format.
`LogonGuid`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "LogonGuid".
`LogonType`	`extensions.auth.mechanism`	Mapped to a specific authentication mechanism based on its value. If `PreAuthType` is present, it overrides `LogonType`. Values are mapped as follows: 2 -> USERNAME_PASSWORD, 3 -> NETWORK, 4 -> BATCH, 5 -> SERVICE, 7 -> UNLOCK, 8 -> NETWORK_CLEAR_TEXT, 9 -> NEW_CREDENTIALS, 10 -> REMOTE_INTERACTIVE, 11 -> CACHED_INTERACTIVE, 12 -> CACHED_REMOTE_INTERACTIVE, 13 -> CACHED_UNLOCK, other -> MECHANISM_UNSPECIFIED.
`mac`	`principal.mac`	Converted to lowercase. Merged into the `principal.mac` array.
`MandatoryLabel`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "MandatoryLabel".
`Message`	`security_result.description`, `security_result.summary`	If `AccessReason` is present, `Message` is mapped to `security_result.summary` and `AccessReason` is mapped to `security_result.description`. Otherwise, `Message` is mapped to `security_result.description`.
`method`	`network.http.method`	Directly mapped from the `method` field.
`msg`	`security_result.description`	Directly mapped from the `msg` field.
`name`	`principal.user.user_display_name`	Directly mapped from the `name` field in JSON logs.
`natsrcIp`	`principal.nat_ip`	Directly mapped from the `natsrcIp` field.
`natsrcport`	`principal.nat_port`	Converted to an integer. Directly mapped from the `natsrcport` field.
`network_id`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "Network ID".
`NewProcessId`	`target.process.pid`	Directly mapped from the `NewProcessId` field.
`NewProcessName`	`target.process.file.full_path`	Directly mapped from the `NewProcessName` field.
`NewSd`	`target.resource.attribute.labels`	Added as a key-value pair to the `target.resource.attribute.labels` array with the key "New Security Descriptor".
`occurredAt`	`metadata.event_timestamp`	Parsed as a timestamp using the ISO8601 format.
`ObjectName`	`target.file.full_path`, `target.registry.registry_key`, `target.process.file.full_path`, `additional.fields`	If `EventID` is 4663 and `ObjectType` is "Process", it's mapped to `target.process.file.full_path`. If `ObjectType` is "Key", it's mapped to `target.registry.registry_key`. Otherwise, it's mapped to `target.file.full_path`. For other events, it's added as a key-value pair to the `additional.fields` array with the key "ObjectName".
`ObjectType`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "ObjectType". Used to determine `event_type`.
`OldSd`	`target.resource.attribute.labels`	Added as a key-value pair to the `target.resource.attribute.labels` array with the key "Original Security Descriptor".
`organizationId`	`principal.resource.id`	Directly mapped from the `organizationId` field in JSON logs.
`ParentProcessName`	`target.process.parent_process.file.full_path`	Directly mapped from the `ParentProcessName` field.
`pattern`	`security_result.description`	Directly mapped to `security_result.description`. Used to determine `security_result.action`.
`peer_ident`	`target.user.userid`	Directly mapped from the `peer_ident` field.
`PreAuthType`	`extensions.auth.mechanism`	Used to determine the authentication mechanism if present. Overrides `LogonType`.
`principalIp`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `principalIp` field.
`principalMac`	`principal.mac`	Converted to lowercase. Merged into the `principal.mac` array.
`principalPort`	`principal.port`	Converted to an integer. Directly mapped from the `principalPort` field.
`prin_ip2`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `prin_ip2` field.
`prin_url`	`principal.url`	Directly mapped from the `prin_url` field.
`priority`	`security_result.priority`	Mapped to a priority level based on its value: 1 -> HIGH_PRIORITY, 2 -> MEDIUM_PRIORITY, 3 -> LOW_PRIORITY, other -> UNKNOWN_PRIORITY.
`ProcessID`	`principal.process.pid`	Converted to a string. Directly mapped from the `ProcessID` field.
`ProcessName`	`principal.process.file.full_path`, `target.process.file.full_path`	If `EventID` is 4689, it's mapped to `target.process.file.full_path`. Otherwise, it's mapped to `principal.process.file.full_path`.
`prod_log_id`	`metadata.product_log_id`	Directly mapped from the `prod_log_id` field.
`protocol`	`network.ip_protocol`	Converted to uppercase. If it's a number, it's converted to its corresponding IP protocol name. If it's "ICMP6", it's replaced with "ICMP". Directly mapped from the `protocol` field.
`ProviderGuid`	`metadata.product_deployment_id`	Directly mapped from the `ProviderGuid` field.
`query`	`network.dns.questions.name`	Directly mapped from the `query` field.
`query_type`	`network.dns.questions.type`	Renamed to `question.type` and merged into the `network.dns.questions` array. Mapped to a numerical value based on the DHCP query type.
`radio`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "radio".
`reason`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "reason".
`rec_bytes`	`network.received_bytes`	Converted to an unsigned integer. Directly mapped from the `rec_bytes` field.
`RecordNumber`	`metadata.product_log_id`	Converted to a string. Directly mapped from the `RecordNumber` field.
`RelativeTargetName`	`target.process.file.full_path`	Directly mapped from the `RelativeTargetName` field.
`response_ip`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `response_ip` field.
`rssi`	`intermediary.asset.product_object_id`	Directly mapped from the `rssi` field.
`sc_action`	`security_result.action_details`	Directly mapped from the `sc_action` field.
`sec_action`	`security_result.action`	Merged into the `security_result.action` array.
`server_ip`	`client_ip`	Directly mapped to the `client_ip` field.
`Severity`	`security_result.severity`	Mapped to a severity level based on its value: "Info" -> INFORMATIONAL, "Error" -> ERROR, "Warning" -> MEDIUM, other -> UNKNOWN_SEVERITY.
`sha256`	`target.file.sha256`	Directly mapped from the `sha256` field.
`signature`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "signature".
`SourceAddress`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `SourceAddress` field.
`SourceHandleId`	`src.resource.id`	Directly mapped from the `SourceHandleId` field.
`SourceModuleName`	`observer.labels`	Added as a key-value pair to the `observer.labels` array with the key "SourceModuleName".
`SourceModuleType`	`observer.application`	Directly mapped from the `SourceModuleType` field.
`SourcePort`	`principal.port`	Converted to an integer. Directly mapped from the `SourcePort` field.
`SourceProcessId`	`src.process.pid`	Directly mapped from the `SourceProcessId` field.
`source_client_ip`	`client_ip`	Directly mapped to the `client_ip` field.
`sport`	`principal.port`	Converted to an integer. Directly mapped from the `sport` field.
`src`	`principal.ip`, `principal.asset.ip`	Directly mapped from the `src` field.
`ssid`	`network.session_id`	Directly mapped from the `ssid` field in JSON logs.
`ssidName`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "ssidName".
`state`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "state".
`Status`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "Status".
`status_code`	`network.http.response_code`	Converted to an integer. Directly mapped from the `status_code` field.
`SubjectDomainName`	`principal.administrative_domain`	Directly mapped from the `SubjectDomainName` field.
`SubjectLogonId`	`principal.resource.attribute.labels`	Added as a key-value pair to the `principal.resource.attribute.labels` array with the key "SubjectLogonId".
`SubjectUserName`	`principal.user.userid`	Directly mapped from the `SubjectUserName` field.
`SubjectUserSid`	`principal.user.windows_sid`	Directly mapped from the `SubjectUserSid` field.
`targetHost`	`target.hostname`, `target.asset.hostname`	Converted to an IP address if possible. Otherwise, parsed to extract the hostname and mapped to `target.hostname` and `target.asset.hostname`.
`TargetHandleId`	`target.resource.id`	Directly mapped from the `TargetHandleId` field.
`TargetLogonId`	`principal.resource.attribute.labels`	Added as a key-value pair to the `principal.resource.attribute.labels` array with the key "TargetLogonId" if it's different from `SubjectLogonId`.
`TargetProcessId`	`target.process.pid`	Directly mapped from the `TargetProcessId` field.
`TargetUserName`	`target.user.userid`	Directly mapped from the `TargetUserName` field.
`TargetUserSid`	`target.user.windows_sid`	Directly mapped from the `TargetUserSid` field.
`Task`	`additional.fields`	Converted to a string. Added as a key-value pair to the `additional.fields` array with the key "Task".
`timestamp`	`metadata.event_timestamp`	The seconds field is used to create a timestamp.
`ts`	`metadata.event_timestamp`	If `ts` is empty, it's created by combining `tsDate`, `tsTime`, and `tsTZ`. If it contains "", it's parsed to extract the integer value. Then, it's parsed as a timestamp using various formats.
`type`	`security_result.summary`, `metadata.product_event_type`	Directly mapped from the `type` field in JSON logs. Also used as `eventSummary` and `metadata.product_event_type` in some cases.
`url`	`target.url`, `principal.url`	Directly mapped from the `url` field.
`url1`	`target.url`	Directly mapped from the `url1` field.
`user`	`target.user.group_identifiers`	Merged into the `target.user.group_identifiers` array.
`user_id`	`target.user.userid`	Directly mapped from the `user_id` field.
`UserID`	`principal.user.windows_sid`	Directly mapped from the `UserID` field.
`UserName`	`principal.user.userid`	Directly mapped from the `UserName` field.
`user_agent`	`network.http.user_agent`	Directly mapped from the `user_agent` field.
`userId`	`target.user.userid`	Directly mapped from the `userId` field.
`vap`	`additional.fields`	Added as a key-value pair to the `additional.fields` array with the key "vap".
`VirtualAccount`	`security_result.about.labels`	Added as a key-value pair to the `security_result.about.labels` array with the key "VirtualAccount".
`wiredLastSeen`	`security_result.detection_fields`	Converted to a string. Added as a key-value pair to the `security_result.detection_fields` array with the key "wiredLastSeen".
`wiredMacs`	`intermediary.mac`	Converted to lowercase. Merged into the `intermediary.mac` array.
`WorkstationName`	`principal.hostname`, `principal.asset.hostname`	Directly mapped from the `WorkstationName` field.

Changes

2024-03-19

Added a Grok pattern to map the sending device IP address to "intermediary.ip".

2024-02-06

Parsed logs where "eventSummary" is "cli_set_rad_parms" or "cli_set_rad_pmksa_parms".
Mapped "group" and "attr" to "additional.fields".

2023-12-26

Parsed logs containing "eventSummary" as "status changed" and "changed STP role".

2023-10-09

Set "sec_res.action" to "BLOCK" when "pattern" is in "1 all", "deny all", or "Group Policy Deny".
Set "sec_res.action" to "ALLOW" when "pattern" is in "0 all", "allow all", or "Group Policy Allow".

2023-07-19

Bug-Fix -
Parsed unparsed syslog logs of type "firewall".

2023-07-14

Enhancement -
for type "splash_auth" mapped "event_type" to "USER_LOGIN".
for type "device_packet_flood", "packet_flood" mapped "event_type" to "GENERIC_EVENT".
for type "vpn_connectivity_change", "wpa_deauth", "wpa_auth" mapped "event_type" to "STATUS_UPDATE".
Mapped "agent" to "network.http.parsed_user_agent".
If "protocol" == "47" then mapped "network.ip_protocol" to "GRE".
If "protocol" == "103" then mapped "network.ip_protocol" to "PIM".

2023-07-04

Enhancement -
Used key-value filters, instead of a Grok pattern, to parse the logs of type "urls", "firewall", "vpn_firewall".

2023-06-16

Enhancement -
Mapped "src" to "principal.ip"
Mapped "dst" to "target.ip"
Mapped "protocol" to "network.ip_protocol"
Mapped "sport" to "principal.port"
Mapped "dport" to "target.port"
Mapped "mac" to "principal.mac".
Mapped "pattern" to "security_result.description".

2023-06-09

Enhancement -
Mapped 'metadata.event_type' to 'USER_LOGOUT' when 'type' = '8021x_deauth'.
Mapped 'radio','vap','reason','is_8021x','instigator','band' to 'additional.fields' for 'type' = 'disassociation'.

2023-05-26

Enhancement -
For type "security_filtering_file_scanned" modified "metadata.event_type" from "STATUS_UPDATE" to "SCAN_FILE".
Added Grok pattern to parse syslog logs.
Mapped "ip" to "principal.ip"
Mapped "mac" to "principal.mac".

2023-03-03

Enhancement -
Added Grok pattern to parse logs which have the field "ip_flow_end".
Mapped "natsrcIp" mapped "principal.nat_ip".
Mapped "natsrcport" mapped "principal.nat_port".

2022-11-25

Enhancement -
Added support for unparsed JSON logs, network_dns query logs and failing syslog+kv_data logs.
Mapped "metadata.eventType" to RESOURCE_CREATION, FILE_UNCATEGORIZED, SETTING_MODIFICATION, NETWORK_UNCATEGORIZED,
GROUP_UNCATEGORIZED, PROCESS_LAUNCH, PROCESS_TERMINATION, STATUS_UNCATEGORIZED, SYSTEM_AUDIT_LOG_UNCATEGORIZED,
USER_LOGOUT, USER_LOGIN, RESOURCE_PERMISSIONS_CHANGE, USER_RESOURCE_ACCESS based on "EventID" for json logs.
Mapped "DisabledPrivilegeList", "EnabledPrivilegeList" to "target.user.attribute.permissions".
Mapped "GroupMembership" to "target.user.group_identifiers".
Mapped "AccessList" to "target.resource.attribute".
Mapped "auth_mechanism" to "extensions.auth.mechanism".
Mapped "question" to "network.dns.questions".
Set "security_result.priority" based on "priority" value.
Mapped "RecordNumber" to "metadata.product_log_id".

2022-10-06

Enhancement -
Mapped "dvc" to "intermediary.hostname".
Mapped "eventType" to "metadata.product_event_type".
Mapped "pattren" to "security_result.action_details".
Mapped "principalMac" to "principal.mac".
Mapped "principalIp" to "principal.ip".
Added null check for "dstIp" prior mapping to udm.

2022-07-04

Enhancement -
When "protocol" is equal to "47" then set "protocol" to "GRE".
When "protocol" is equal to "50" then set "protocol" to "ESP".
Added kv block when "eventType" is equal to "events".
Mapped "identity" to "target.user.userid".
Mapped "last_known_client_ip" to "principal.ip".
When "eventSummary" is equal to "association".
Mapped "client_ip" to "principal.ip";
Mapped "client_mac" to "principal.mac".
Mapped "rssi" to "intermediary.asset.product_object_id".
Mapped "channel" to "security_result.detection_fields".
Mapped "aid" to "network.session_id".

2022-06-15

Enhancement -
Mapped "lastSeen", "firstSeen", "wiredLastSeen" to "security_result.detection_fields".
Mapped "wiredMacs" to "intermediary.mac".
Mapped "type" to "security_result.summary".
Mapped "description" to "security_result.description".
Mapped "deviceSerial" to "_target_hardware.serial_number".
Mapped "deviceName" to "target.hostname".
Mapped "ssidName", "clientId", "clientDescription" to "additional.fields".
Mapped "eventData.client_mac" to "principal.mac".
Mapped "eventData.identity" to "principal.hostname".
Mapped "eventData.aid" to "principal.asset_id".
Mapped "organizationId" to "principal.resource.id".
Mapped "eventData.group" to "principal.group.group_display_name".
Mapped "eventData.client_ip" to "principal.ip".
Mapped "occurredAt" to "metadata.event_timestamp".

2022-05-04

Enhancement - Added mapping for hostname.

2022-04-13

Enhancement - Added parsing of logs of JSON type.