Collect Cisco Meraki logs
This document describes how you can collect Cisco Meraki logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CISCO_MERAKI ingestion label.
Configure Cisco Meraki
- Sign in to the Cisco Meraki dashboard.
- In the Cisco Meraki dashboard, select Configure > Alerts & administration.
- In the Logging section, do the following:
  - In the Server IP field, specify the Google Security Operations forwarder IP address.
  - In the Port field, specify the port value, such as 514.
  - In the Roles field, select all four available options to get all the logs, or select any combination as required.
- Click Save changes.
Configure Google Security Operations forwarder and syslog to ingest Cisco Meraki logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select Cisco Meraki as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
  - Protocol: specify the protocol.
  - Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
  - Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation.
For information about requirements for each forwarder type, see Forwarder configuration by type.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser handles Cisco Meraki (identified as Cisco/Meraki) logs in either SYSLOG or JSON format and normalizes them into UDM. It uses grok patterns to parse syslog messages, then applies conditional logic based on the eventType field to extract the relevant information for each event type (network flows, URL requests, firewall events, and generic events), maps the extracted values to the appropriate UDM fields, and enriches the event with additional context. If the input is not syslog, the parser attempts to parse it as JSON and maps the relevant JSON fields to UDM.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
action | security_result.action | Value is converted to uppercase. If the value is "deny", it's replaced with "BLOCK". If sc_action contains "allow", the value is replaced with "ALLOW". Otherwise, if decision contains "block", the value is replaced with "BLOCK". Otherwise, if authorization is "success", it's set to "ALLOW", and if "failure", it's set to "BLOCK". Otherwise, if pattern is "1 all", "deny all", or "Group Policy Deny", it's set to "BLOCK". If pattern is "allow all", "Group Policy Allow", or "0 all", it's set to "ALLOW". Otherwise, it's set to "UNKNOWN_ACTION". If decision contains "block", it's set to "BLOCK". |
adId | principal.user.user_display_name | Directly mapped from the adId field in JSON logs. |
agent | network.http.user_agent | Apostrophes are removed. Directly mapped from the agent field. Also converted to network.http.parsed_user_agent using the parseduseragent filter. |
aid | network.session_id | Directly mapped from the aid field. |
appProtocol | network.application_protocol | Converted to uppercase. Directly mapped from the appProtocol field. |
attr | additional.fields | Added as a key-value pair to the additional.fields array with the key "attr". |
authorization | security_result.action_details | Directly mapped from the authorization field in JSON logs. |
band | additional.fields | Added as a key-value pair to the additional.fields array with the key "band". |
bssids.bssid | principal.mac | Converted to lowercase. Merged into the principal.mac array. |
bssids.detectedBy.device | intermediary.asset.asset_id | Formatted as "Device id: |
bssids.detectedBy.rssi | intermediary.asset.product_object_id | Converted to a string. |
Channel | about.resource.attribute.labels | Added as a key-value pair to the about.resource.attribute.labels array with the key "Channel". |
clientDescription | additional.fields | Added as a key-value pair to the additional.fields array with the key "clientDescription". |
clientId | additional.fields | Added as a key-value pair to the additional.fields array with the key "clientId". |
clientIp | principal.ip, principal.asset.ip | Directly mapped from the clientIp field. |
clientMac | principal.mac | Converted to lowercase. Directly mapped from the clientMac field in JSON logs. |
client_ip | principal.ip, principal.asset.ip | Directly mapped from the client_ip field. |
client_mac | principal.mac | Converted to lowercase. Directly mapped from the client_mac field. |
code | additional.fields | Added as a key-value pair to the additional.fields array with the key "code". |
collection_time | metadata.event_timestamp | The seconds and nanos fields are combined to create a timestamp. |
Conditions | security_result.about.resource.attribute.labels | Carriage returns, newlines, and tabs are replaced with spaces and specific values are substituted. The modified value is added as a key-value pair to the security_result.about.resource.attribute.labels array with the key "Conditions". |
decision | security_result.action | If the value is "blocked", it's set to "BLOCK". |
desc | metadata.description | Directly mapped from the desc field. |
description | security_result.description | Directly mapped from the description field in JSON logs. |
DestAddress | target.ip, target.asset.ip | Directly mapped from the DestAddress field. |
DestPort | target.port | Converted to an integer. Directly mapped from the DestPort field. |
deviceIp | target.ip | Directly mapped from the deviceIp field. |
deviceMac | target.mac | Converted to lowercase. Directly mapped from the deviceMac field. |
deviceName | target.hostname, target.asset.hostname | Directly mapped from the deviceName field in JSON logs. |
deviceSerial | target.asset.hardware.serial_number | Directly mapped from the deviceSerial field in JSON logs. |
Direction | network.direction | Special characters are removed, and the value is mapped to network.direction. |
DisabledPrivilegeList | target.user.attribute | Carriage returns, newlines, and tabs are replaced, and the modified value is parsed as JSON and merged into the target.user.attribute object. |
dport | target.port | Converted to an integer. Directly mapped from the dport field. |
dst | target.ip, target.asset.ip | Directly mapped from the dst field. |
dstIp | target.ip, target.asset.ip | Directly mapped from the dstIp field. |
dstPort | target.port | Converted to an integer. Directly mapped from the dstPort field. |
dvc | intermediary.hostname | Directly mapped from the dvc field. |
EnabledPrivilegeList | target.user.attribute | Carriage returns, newlines, and tabs are replaced, and the modified value is parsed as JSON and merged into the target.user.attribute object. |
eventData.aid | principal.asset_id | Formatted as "ASSET_ID: |
eventData.client_ip | principal.ip, principal.asset.ip | Directly mapped from the eventData.client_ip field in JSON logs. |
eventData.client_mac | principal.mac | Converted to lowercase. Directly mapped from the eventData.client_mac field in JSON logs. |
eventData.group | principal.group.group_display_name | Directly mapped from the eventData.group field in JSON logs. |
eventData.identity | principal.hostname | Directly mapped from the eventData.identity field in JSON logs. |
eventData.ip | principal.ip, principal.asset.ip | Directly mapped from the eventData.ip field in JSON logs. |
EventID | metadata.product_event_type, security_result.rule_name | Converted to a string. Mapped to metadata.product_event_type. Also used to create security_result.rule_name in the format "EventID: event_type and sec_action. |
eventSummary | security_result.summary, metadata.description | Directly mapped from the eventSummary field. Also used in security_result.description for some events. |
eventType | metadata.product_event_type | Directly mapped from the eventType field. Used to determine which parsing logic to apply. |
filename | principal.process.file.full_path | Directly mapped from the filename field. |
FilterId | target.resource.product_object_id | Directly mapped from the FilterId field for EventID 5447. |
FilterName | target.resource.name | Directly mapped from the FilterName field for EventID 5447. |
FilterRTID | security_result.detection_fields | Added as a key-value pair to the security_result.detection_fields array with the key "FilterRTID". |
firstSeen | security_result.detection_fields | Converted to a string. Added as a key-value pair to the security_result.detection_fields array with the key "firstSeen". |
gatewayDeviceMac | target.mac | Converted to lowercase. Merged into the target.mac array. |
group | additional.fields | Added as a key-value pair to the additional.fields array with the key "group". |
GroupMembership | target.user | Carriage returns, newlines, tabs, and special characters are removed. The modified value is parsed as JSON and merged into the target.user object. |
Hostname | principal.hostname, principal.asset.hostname | Directly mapped from the Hostname field. |
identity | target.user.userid | Directly mapped from the identity field. |
instigator | additional.fields | Added as a key-value pair to the additional.fields array with the key "instigator". |
int_ip | intermediary.ip | Directly mapped from the int_ip field. |
ip_msg | principal.resource.attribute.labels | Added as a key-value pair to the principal.resource.attribute.labels array with the key "IPs". |
is_8021x | additional.fields | Added as a key-value pair to the additional.fields array with the key "is_8021x". |
KeyName | target.resource.name | Directly mapped from the KeyName field. |
KeyFilePath | target.file.full_path | Directly mapped from the KeyFilePath field. |
lastSeen | security_result.detection_fields | Converted to a string. Added as a key-value pair to the security_result.detection_fields array with the key "lastSeen". |
last_known_client_ip | principal.ip, principal.asset.ip | Directly mapped from the last_known_client_ip field. |
LayerName | security_result.detection_fields | Added as a key-value pair to the security_result.detection_fields array with the key "Layer Name". |
LayerRTID | security_result.detection_fields | Added as a key-value pair to the security_result.detection_fields array with the key "LayerRTID". |
localIp | principal.ip, principal.asset.ip | Directly mapped from the localIp field. |
login | principal.user.email_addresses | Directly mapped from the login field in JSON logs if it matches an email address format. |
LogonGuid | additional.fields | Added as a key-value pair to the additional.fields array with the key "LogonGuid". |
LogonType | extensions.auth.mechanism | Mapped to a specific authentication mechanism based on its value. If PreAuthType is present, it overrides LogonType. Values are mapped as follows: 2 -> USERNAME_PASSWORD, 3 -> NETWORK, 4 -> BATCH, 5 -> SERVICE, 7 -> UNLOCK, 8 -> NETWORK_CLEAR_TEXT, 9 -> NEW_CREDENTIALS, 10 -> REMOTE_INTERACTIVE, 11 -> CACHED_INTERACTIVE, 12 -> CACHED_REMOTE_INTERACTIVE, 13 -> CACHED_UNLOCK, other -> MECHANISM_UNSPECIFIED. |
mac | principal.mac | Converted to lowercase. Merged into the principal.mac array. |
MandatoryLabel | additional.fields | Added as a key-value pair to the additional.fields array with the key "MandatoryLabel". |
Message | security_result.description, security_result.summary | If AccessReason is present, Message is mapped to security_result.summary and AccessReason is mapped to security_result.description. Otherwise, Message is mapped to security_result.description. |
method | network.http.method | Directly mapped from the method field. |
msg | security_result.description | Directly mapped from the msg field. |
name | principal.user.user_display_name | Directly mapped from the name field in JSON logs. |
natsrcIp | principal.nat_ip | Directly mapped from the natsrcIp field. |
natsrcport | principal.nat_port | Converted to an integer. Directly mapped from the natsrcport field. |
network_id | additional.fields | Added as a key-value pair to the additional.fields array with the key "Network ID". |
NewProcessId | target.process.pid | Directly mapped from the NewProcessId field. |
NewProcessName | target.process.file.full_path | Directly mapped from the NewProcessName field. |
NewSd | target.resource.attribute.labels | Added as a key-value pair to the target.resource.attribute.labels array with the key "New Security Descriptor". |
occurredAt | metadata.event_timestamp | Parsed as a timestamp using the ISO8601 format. |
ObjectName | target.file.full_path, target.registry.registry_key, target.process.file.full_path, additional.fields | If EventID is 4663 and ObjectType is "Process", it's mapped to target.process.file.full_path. If ObjectType is "Key", it's mapped to target.registry.registry_key. Otherwise, it's mapped to target.file.full_path. For other events, it's added as a key-value pair to the additional.fields array with the key "ObjectName". |
ObjectType | additional.fields | Added as a key-value pair to the additional.fields array with the key "ObjectType". Used to determine event_type. |
OldSd | target.resource.attribute.labels | Added as a key-value pair to the target.resource.attribute.labels array with the key "Original Security Descriptor". |
organizationId | principal.resource.id | Directly mapped from the organizationId field in JSON logs. |
ParentProcessName | target.process.parent_process.file.full_path | Directly mapped from the ParentProcessName field. |
pattern | security_result.description | Directly mapped to security_result.description. Used to determine security_result.action. |
peer_ident | target.user.userid | Directly mapped from the peer_ident field. |
PreAuthType | extensions.auth.mechanism | Used to determine the authentication mechanism if present. Overrides LogonType. |
principalIp | principal.ip, principal.asset.ip | Directly mapped from the principalIp field. |
principalMac | principal.mac | Converted to lowercase. Merged into the principal.mac array. |
principalPort | principal.port | Converted to an integer. Directly mapped from the principalPort field. |
prin_ip2 | principal.ip, principal.asset.ip | Directly mapped from the prin_ip2 field. |
prin_url | principal.url | Directly mapped from the prin_url field. |
priority | security_result.priority | Mapped to a priority level based on its value: 1 -> HIGH_PRIORITY, 2 -> MEDIUM_PRIORITY, 3 -> LOW_PRIORITY, other -> UNKNOWN_PRIORITY. |
ProcessID | principal.process.pid | Converted to a string. Directly mapped from the ProcessID field. |
ProcessName | principal.process.file.full_path, target.process.file.full_path | If EventID is 4689, it's mapped to target.process.file.full_path. Otherwise, it's mapped to principal.process.file.full_path. |
prod_log_id | metadata.product_log_id | Directly mapped from the prod_log_id field. |
protocol | network.ip_protocol | Converted to uppercase. If it's a number, it's converted to its corresponding IP protocol name. If it's "ICMP6", it's replaced with "ICMP". Directly mapped from the protocol field. |
ProviderGuid | metadata.product_deployment_id | Directly mapped from the ProviderGuid field. |
query | network.dns.questions.name | Directly mapped from the query field. |
query_type | network.dns.questions.type | Renamed to question.type and merged into the network.dns.questions array. Mapped to a numerical value based on the DHCP query type. |
radio | additional.fields | Added as a key-value pair to the additional.fields array with the key "radio". |
reason | additional.fields | Added as a key-value pair to the additional.fields array with the key "reason". |
rec_bytes | network.received_bytes | Converted to an unsigned integer. Directly mapped from the rec_bytes field. |
RecordNumber | metadata.product_log_id | Converted to a string. Directly mapped from the RecordNumber field. |
RelativeTargetName | target.process.file.full_path | Directly mapped from the RelativeTargetName field. |
response_ip | principal.ip, principal.asset.ip | Directly mapped from the response_ip field. |
rssi | intermediary.asset.product_object_id | Directly mapped from the rssi field. |
sc_action | security_result.action_details | Directly mapped from the sc_action field. |
sec_action | security_result.action | Merged into the security_result.action array. |
server_ip | client_ip | Directly mapped to the client_ip field. |
Severity | security_result.severity | Mapped to a severity level based on its value: "Info" -> INFORMATIONAL, "Error" -> ERROR, "Warning" -> MEDIUM, other -> UNKNOWN_SEVERITY. |
sha256 | target.file.sha256 | Directly mapped from the sha256 field. |
signature | additional.fields | Added as a key-value pair to the additional.fields array with the key "signature". |
SourceAddress | principal.ip, principal.asset.ip | Directly mapped from the SourceAddress field. |
SourceHandleId | src.resource.id | Directly mapped from the SourceHandleId field. |
SourceModuleName | observer.labels | Added as a key-value pair to the observer.labels array with the key "SourceModuleName". |
SourceModuleType | observer.application | Directly mapped from the SourceModuleType field. |
SourcePort | principal.port | Converted to an integer. Directly mapped from the SourcePort field. |
SourceProcessId | src.process.pid | Directly mapped from the SourceProcessId field. |
source_client_ip | client_ip | Directly mapped to the client_ip field. |
sport | principal.port | Converted to an integer. Directly mapped from the sport field. |
src | principal.ip, principal.asset.ip | Directly mapped from the src field. |
ssid | network.session_id | Directly mapped from the ssid field in JSON logs. |
ssidName | additional.fields | Added as a key-value pair to the additional.fields array with the key "ssidName". |
state | additional.fields | Added as a key-value pair to the additional.fields array with the key "state". |
Status | additional.fields | Added as a key-value pair to the additional.fields array with the key "Status". |
status_code | network.http.response_code | Converted to an integer. Directly mapped from the status_code field. |
SubjectDomainName | principal.administrative_domain | Directly mapped from the SubjectDomainName field. |
SubjectLogonId | principal.resource.attribute.labels | Added as a key-value pair to the principal.resource.attribute.labels array with the key "SubjectLogonId". |
SubjectUserName | principal.user.userid | Directly mapped from the SubjectUserName field. |
SubjectUserSid | principal.user.windows_sid | Directly mapped from the SubjectUserSid field. |
targetHost | target.hostname, target.asset.hostname | Converted to an IP address if possible. Otherwise, parsed to extract the hostname and mapped to target.hostname and target.asset.hostname. |
TargetHandleId | target.resource.id | Directly mapped from the TargetHandleId field. |
TargetLogonId | principal.resource.attribute.labels | Added as a key-value pair to the principal.resource.attribute.labels array with the key "TargetLogonId" if it's different from SubjectLogonId. |
TargetProcessId | target.process.pid | Directly mapped from the TargetProcessId field. |
TargetUserName | target.user.userid | Directly mapped from the TargetUserName field. |
TargetUserSid | target.user.windows_sid | Directly mapped from the TargetUserSid field. |
Task | additional.fields | Converted to a string. Added as a key-value pair to the additional.fields array with the key "Task". |
timestamp | metadata.event_timestamp | The seconds field is used to create a timestamp. |
ts | metadata.event_timestamp | If ts is empty, it's created by combining tsDate, tsTime, and tsTZ. If it contains " |
type | security_result.summary, metadata.product_event_type | Directly mapped from the type field in JSON logs. Also used as eventSummary and metadata.product_event_type in some cases. |
url | target.url, principal.url | Directly mapped from the url field. |
url1 | target.url | Directly mapped from the url1 field. |
user | target.user.group_identifiers | Merged into the target.user.group_identifiers array. |
user_id | target.user.userid | Directly mapped from the user_id field. |
UserID | principal.user.windows_sid | Directly mapped from the UserID field. |
UserName | principal.user.userid | Directly mapped from the UserName field. |
user_agent | network.http.user_agent | Directly mapped from the user_agent field. |
userId | target.user.userid | Directly mapped from the userId field. |
vap | additional.fields | Added as a key-value pair to the additional.fields array with the key "vap". |
VirtualAccount | security_result.about.labels | Added as a key-value pair to the security_result.about.labels array with the key "VirtualAccount". |
wiredLastSeen | security_result.detection_fields | Converted to a string. Added as a key-value pair to the security_result.detection_fields array with the key "wiredLastSeen". |
wiredMacs | intermediary.mac | Converted to lowercase. Merged into the intermediary.mac array. |
WorkstationName | principal.hostname, principal.asset.hostname | Directly mapped from the WorkstationName field. |
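The mapping table above describes the parser's rules in prose; the following Python is an added example (not Google's parser, which is a grok and key-value based Logstash-style parser) that re-implements a handful of those rules on a constructed Meraki-style "firewall" syslog line, so you can see how the raw fields become UDM values. The sample line, the `parse_meraki_syslog` function and the small protocol-number table are assumptions for illustration; the production parser covers far more fields and protocol numbers than shown here.

```python
"""Added example: re-implementation of a subset of the CISCO_MERAKI UDM
mapping rules (action, protocol, priority, severity, MAC and port handling).
This is NOT the Google Security Operations parser; it only mirrors the
documented logic so the rules can be checked on a sample line."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Constructed sample in the shape of a Meraki MX firewall event (not captured
# from a real device; addresses are documentation ranges, the MAC is made up).
SAMPLE_LINE = (
    "1700000000.123456 MX_Branch firewall src=10.0.0.5 dst=203.0.113.10 "
    "mac=AA:BB:CC:DD:EE:FF protocol=6 sport=51234 dport=443 pattern: deny all"
)

_HEADER_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<dvc>\S+)\s+(?P<eventType>\S+)\s+(?P<rest>.*)$"
)
_KV_RE = re.compile(r"(\w+)=(\S+)")          # key=value pairs in the body
_PATTERN_RE = re.compile(r"pattern:\s*(.+)$")  # "pattern: <rule>" trailer

BLOCK_PATTERNS = {"1 all", "deny all", "Group Policy Deny"}
ALLOW_PATTERNS = {"allow all", "Group Policy Allow", "0 all"}

# Assumption: a small subset of IANA protocol numbers; the real parser's
# number-to-name table is larger. 47 and 50/103 match the changelog entries.
_PROTO_NUMBERS = {"1": "ICMP", "6": "TCP", "17": "UDP", "47": "GRE",
                  "50": "ESP", "58": "ICMP6", "103": "PIM"}


def normalize_action(action: Optional[str] = None, sc_action: Optional[str] = None,
                     decision: Optional[str] = None, authorization: Optional[str] = None,
                     pattern: Optional[str] = None) -> str:
    """security_result.action, following the precedence in the table's 'action' row."""
    if action:
        return "BLOCK" if action.lower() == "deny" else action.upper()
    if sc_action and "allow" in sc_action.lower():
        return "ALLOW"
    if decision and "block" in decision.lower():
        return "BLOCK"
    if authorization == "success":
        return "ALLOW"
    if authorization == "failure":
        return "BLOCK"
    if pattern in BLOCK_PATTERNS:
        return "BLOCK"
    if pattern in ALLOW_PATTERNS:
        return "ALLOW"
    return "UNKNOWN_ACTION"


def normalize_protocol(value: str) -> str:
    """network.ip_protocol: uppercase, number -> name, ICMP6 folded into ICMP."""
    value = value.strip().upper()
    if value.isdigit():
        value = _PROTO_NUMBERS.get(value, value)
    return "ICMP" if value == "ICMP6" else value


def normalize_priority(value: str) -> str:
    """security_result.priority from the numeric Meraki priority."""
    return {"1": "HIGH_PRIORITY", "2": "MEDIUM_PRIORITY",
            "3": "LOW_PRIORITY"}.get(str(value).strip(), "UNKNOWN_PRIORITY")


def normalize_severity(value: str) -> str:
    """security_result.severity from the textual Severity field."""
    return {"Info": "INFORMATIONAL", "Error": "ERROR",
            "Warning": "MEDIUM"}.get(value, "UNKNOWN_SEVERITY")


def parse_meraki_syslog(line: str) -> Dict[str, Any]:
    """Parse one Meraki-style syslog line into a UDM-shaped dict (subset)."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Meraki-style syslog line")
    rest = m.group("rest")
    fields = dict(_KV_RE.findall(rest))
    pm = _PATTERN_RE.search(rest)
    pattern = pm.group(1).strip() if pm else None

    udm: Dict[str, Any] = {
        "metadata": {
            "event_timestamp": datetime.fromtimestamp(
                float(m.group("ts")), tz=timezone.utc).isoformat(),
            "product_event_type": m.group("eventType"),
        },
        "intermediary": {"hostname": m.group("dvc")},  # dvc -> intermediary.hostname
        "principal": {}, "target": {}, "network": {},
        "security_result": {"action": normalize_action(pattern=pattern)},
    }
    if pattern:
        udm["security_result"]["description"] = pattern
    if "src" in fields:   # src -> principal.ip and principal.asset.ip
        udm["principal"]["ip"] = [fields["src"]]
        udm["principal"]["asset"] = {"ip": [fields["src"]]}
    if "dst" in fields:   # dst -> target.ip and target.asset.ip
        udm["target"]["ip"] = [fields["dst"]]
        udm["target"]["asset"] = {"ip": [fields["dst"]]}
    if "mac" in fields:   # lowercased and merged into the principal.mac array
        udm["principal"]["mac"] = [fields["mac"].lower()]
    if "sport" in fields:
        udm["principal"]["port"] = int(fields["sport"])
    if "dport" in fields:
        udm["target"]["port"] = int(fields["dport"])
    if "protocol" in fields:
        udm["network"]["ip_protocol"] = normalize_protocol(fields["protocol"])
    return udm


if __name__ == "__main__":
    import json
    print(json.dumps(parse_meraki_syslog(SAMPLE_LINE), indent=2))
```

A useful check when validating a new parser version is to keep a few such constructed lines per event type and compare the normalized output field by field after each release noted in the Changes section, so that a changed rule (for example the 2023-10-09 pattern-to-action change) is caught before it alters detections.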
Changes
2024-03-19
- Added a Grok pattern to map the sending device IP address to "intermediary.ip".
2024-02-06
- Parsed logs where "eventSummary" is "cli_set_rad_parms" or "cli_set_rad_pmksa_parms".
- Mapped "group" and "attr" to "additional.fields".
2023-12-26
- Parsed logs containing "eventSummary" as "status changed" and "changed STP role".
2023-10-09
- Set "sec_res.action" to "BLOCK" when "pattern" is in "1 all", "deny all", or "Group Policy Deny".
- Set "sec_res.action" to "ALLOW" when "pattern" is in "0 all", "allow all", or "Group Policy Allow".
2023-07-19
- Bug-Fix -
- Parsed unparsed syslog logs of type "firewall".
2023-07-14
- Enhancement -
- For type "splash_auth", mapped "event_type" to "USER_LOGIN".
- For types "device_packet_flood" and "packet_flood", mapped "event_type" to "GENERIC_EVENT".
- For types "vpn_connectivity_change", "wpa_deauth", and "wpa_auth", mapped "event_type" to "STATUS_UPDATE".
- Mapped "agent" to "network.http.parsed_user_agent".
- If "protocol" == "47" then mapped "network.ip_protocol" to "GRE".
- If "protocol" == "103" then mapped "network.ip_protocol" to "PIM".
2023-07-04
- Enhancement -
- Used key-value filters, instead of a Grok pattern, to parse the logs of type "urls", "firewall", "vpn_firewall".
2023-06-16
- Enhancement -
- Mapped "src" to "principal.ip"
- Mapped "dst" to "target.ip"
- Mapped "protocol" to "network.ip_protocol"
- Mapped "sport" to "principal.port"
- Mapped "dport" to "target.port"
- Mapped "mac" to "principal.mac".
- Mapped "pattern" to "security_result.description".
2023-06-09
- Enhancement -
- Mapped 'metadata.event_type' to 'USER_LOGOUT' when 'type' = '8021x_deauth'.
- Mapped 'radio','vap','reason','is_8021x','instigator','band' to 'additional.fields' for 'type' = 'disassociation'.
2023-05-26
- Enhancement -
- For type "security_filtering_file_scanned" modified "metadata.event_type" from "STATUS_UPDATE" to "SCAN_FILE".
- Added Grok pattern to parse syslog logs.
- Mapped "ip" to "principal.ip"
- Mapped "mac" to "principal.mac".
2023-03-03
- Enhancement -
- Added Grok pattern to parse logs which have the field "ip_flow_end".
- Mapped "natsrcIp" to "principal.nat_ip".
- Mapped "natsrcport" to "principal.nat_port".
2022-11-25
- Enhancement -
- Added support for unparsed JSON logs, network_dns query logs and failing syslog+kv_data logs.
- Mapped "metadata.eventType" to RESOURCE_CREATION, FILE_UNCATEGORIZED, SETTING_MODIFICATION, NETWORK_UNCATEGORIZED, GROUP_UNCATEGORIZED, PROCESS_LAUNCH, PROCESS_TERMINATION, STATUS_UNCATEGORIZED, SYSTEM_AUDIT_LOG_UNCATEGORIZED, USER_LOGOUT, USER_LOGIN, RESOURCE_PERMISSIONS_CHANGE, USER_RESOURCE_ACCESS based on "EventID" for JSON logs.
- Mapped "DisabledPrivilegeList", "EnabledPrivilegeList" to "target.user.attribute.permissions".
- Mapped "GroupMembership" to "target.user.group_identifiers".
- Mapped "AccessList" to "target.resource.attribute".
- Mapped "auth_mechanism" to "extensions.auth.mechanism".
- Mapped "question" to "network.dns.questions".
- Set "security_result.priority" based on "priority" value.
- Mapped "RecordNumber" to "metadata.product_log_id".
2022-10-06
- Enhancement -
- Mapped "dvc" to "intermediary.hostname".
- Mapped "eventType" to "metadata.product_event_type".
- Mapped "pattern" to "security_result.action_details".
- Mapped "principalMac" to "principal.mac".
- Mapped "principalIp" to "principal.ip".
- Added a null check for "dstIp" prior to mapping it to UDM.
2022-07-04
- Enhancement -
- When "protocol" is equal to "47" then set "protocol" to "GRE".
- When "protocol" is equal to "50" then set "protocol" to "ESP".
- Added kv block when "eventType" is equal to "events".
- Mapped "identity" to "target.user.userid".
- Mapped "last_known_client_ip" to "principal.ip".
- When "eventSummary" is equal to "association":
  - Mapped "client_ip" to "principal.ip".
  - Mapped "client_mac" to "principal.mac".
- Mapped "rssi" to "intermediary.asset.product_object_id".
- Mapped "channel" to "security_result.detection_fields".
- Mapped "aid" to "network.session_id".
2022-06-15
- Enhancement -
- Mapped "lastSeen", "firstSeen", "wiredLastSeen" to "security_result.detection_fields".
- Mapped "wiredMacs" to "intermediary.mac".
- Mapped "type" to "security_result.summary".
- Mapped "description" to "security_result.description".
- Mapped "deviceSerial" to "_target_hardware.serial_number".
- Mapped "deviceName" to "target.hostname".
- Mapped "ssidName", "clientId", "clientDescription" to "additional.fields".
- Mapped "eventData.client_mac" to "principal.mac".
- Mapped "eventData.identity" to "principal.hostname".
- Mapped "eventData.aid" to "principal.asset_id".
- Mapped "organizationId" to "principal.resource.id".
- Mapped "eventData.group" to "principal.group.group_display_name".
- Mapped "eventData.client_ip" to "principal.ip".
- Mapped "occurredAt" to "metadata.event_timestamp".
2022-05-04
- Enhancement - Added mapping for hostname.
2022-04-13
- Enhancement - Added parsing of logs of JSON type.