Change log for CISCO_MERAKI

Date Changes
2024-12-05 Enhancement:
- When "protocol" is equal to "88" then set "network.ip_protocol" to "EIGRP".
- When "protocol" is equal to "50" then set "network.ip_protocol" to "ESP".
- When "protocol" is equal to "97" then set "network.ip_protocol" to "ETHERIP".
- When "protocol" is equal to "47" then set "network.ip_protocol" to "GRE".
- When "protocol" is equal to "1" then set "network.ip_protocol" to "ICMP".
- When "protocol" is equal to "58" then set "network.ip_protocol" to "ICMP6".
- When "protocol" is equal to "2" then set "network.ip_protocol" to "IGMP".
- When "protocol" is equal to "41" then set "network.ip_protocol" to "IP6IN4".
- When "protocol" is equal to "103" then set "network.ip_protocol" to "PIM".
- When "protocol" is equal to "132" then set "network.ip_protocol" to "SCTP".
- When "protocol" is equal to "6" then set "network.ip_protocol" to "TCP".
- When "protocol" is equal to "17" then set "network.ip_protocol" to "UDP".
- When "protocol" is equal to "112" then set "network.ip_protocol" to "VRRP".
- When "protocol" is equal to "0" then set "network.ip_protocol" to "UNKNOWN_IP_PROTOCOL".
2024-10-04 Enhancement:
- Added the Grok pattern and conditional checks to parse unparsed "ip", "userid", "mac", "bytes", and "vlan".
- Mapped "ip" to "principal.ip".
- Mapped "userid" to "principal.userid".
- Mapped "mac" to "principal.mac".
- Mapped "bytes" to "network.sent_bytes".
- Mapped "vlan" to "security_result.detection_fields".
2024-09-26 Enhancement:
- Added a Grok pattern to parse unparsed IP and mapped it to "target.ip".
2024-09-19 Enhancement:
- Mapped "networkName" to "principal.hostname".
- Mapped "organizationName" to "principal.resource.name".
- Mapped "organizationUrl" to "principal.resource.attribute.labels".
- Mapped "networkTags", "alertType", "alertTypeId", and "alertData.num" to "additional.fields".
- Mapped "networkId" to "network.session_id".
- Mapped "networkUrl" to "network.http.referral_url".
- Mapped "deviceMac" to "target.mac".
- Mapped "deviceUrl" to "target.url".
- Mapped "deviceModel" to "target.hardware.model".
- Mapped "alertLevel" to "security_result.severity".
2024-08-29 Enhancement:
- Added Grok pattern with a conditional check to parse the unparsed SYSLOG logs.
2024-07-31 Enhancement:
- Removed the drop tag and added Grok pattern with a conditional check to parse unparsed logs.
2024-06-19 Enhancement:
- Added a Grok pattern to parse unparsed logs.
2024-03-19 Enhancement:
- Added a Grok pattern to map the sending device IP address to "intermediary.ip".
2024-02-06 Enhancement:
- Parsed logs where "eventSummary" is "cli_set_rad_parms" or "cli_set_rad_pmksa_parms".
- Mapped "group" and "attr" to "additional.fields".
2023-12-26 Enhancement:
- Parsed logs containing "eventSummary" as "status changed" and "changed STP role".
2023-10-09 Enhancement:
- Set "sec_res.action" to "BLOCK" when "pattern" is in "1 all", "deny all", or "Group Policy Deny".
- Set "sec_res.action" to "ALLOW" when "pattern" is in "0 all", "allow all", or "Group Policy Allow".
2023-07-19 Bug-Fix -
- Parsed unparsed syslog logs of type "firewall".
2023-07-14 Enhancement -
- For type "splash_auth", mapped "event_type" to "USER_LOGIN".
- For types "device_packet_flood" and "packet_flood", mapped "event_type" to "GENERIC_EVENT".
- For types "vpn_connectivity_change", "wpa_deauth", and "wpa_auth", mapped "event_type" to "STATUS_UPDATE".
- Mapped "agent" to "network.http.parsed_user_agent".
- If "protocol" == "47" then mapped "network.ip_protocol" to "GRE".
- If "protocol" == "103" then mapped "network.ip_protocol" to "PIM".
2023-07-04 Enhancement -
- Used key-value filters, instead of a Grok pattern, to parse the logs of type "urls", "firewall", "vpn_firewall".
2023-06-16 Enhancement -
- Mapped "src" to "principal.ip".
- Mapped "dst" to "target.ip".
- Mapped "protocol" to "network.ip_protocol".
- Mapped "sport" to "principal.port".
- Mapped "dport" to "target.port".
- Mapped "mac" to "principal.mac".
- Mapped "pattern" to "security_result.description".
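As an added illustration (not the Meraki parser's own code), the following Python puts three of the rules in this change log side by side: the key-value parsing and field mapping of "firewall" lines (2023-07-04 and 2023-06-16 entries), the "pattern" to "security_result.action" rule (2023-10-09 entry), and the protocol number to "network.ip_protocol" table (2024-12-05 entry). The sample log line is constructed, its key=value layout is an assumption, and the fallback for protocol numbers the log does not list is likewise an assumption.

```python
import re

# Added example, not the Meraki parser's own code: three rules from this change log in
# plain Python. The sample line is constructed and its key=value layout is an assumption.
IP_PROTOCOLS = {  # 2024-12-05 entry: protocol number -> network.ip_protocol
    "88": "EIGRP", "50": "ESP", "97": "ETHERIP", "47": "GRE", "1": "ICMP",
    "58": "ICMP6", "2": "IGMP", "41": "IP6IN4", "103": "PIM", "132": "SCTP",
    "6": "TCP", "17": "UDP", "112": "VRRP", "0": "UNKNOWN_IP_PROTOCOL",
}
BLOCK_PATTERNS = {"1 all", "deny all", "Group Policy Deny"}    # 2023-10-09 entry
ALLOW_PATTERNS = {"0 all", "allow all", "Group Policy Allow"}
FIELD_MAP = {  # 2023-06-16 entry: raw key -> UDM field
    "src": "principal.ip", "dst": "target.ip", "sport": "principal.port",
    "dport": "target.port", "mac": "principal.mac",
    "pattern": "security_result.description",
}
# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SAMPLE = ('firewall src=10.0.0.5 dst=203.0.113.7 mac=00:11:22:33:44:55 '
          'protocol=6 sport=51234 dport=443 pattern="deny all"')  # constructed

def parse_kv(message: str) -> dict:
    """Return the key=value pairs of a line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(message)}

def action_for_pattern(pattern):
    """Map the firewall rule text to a UDM action, or None if it matches neither list."""
    if pattern in BLOCK_PATTERNS:
        return "BLOCK"
    if pattern in ALLOW_PATTERNS:
        return "ALLOW"
    return None

def firewall_to_udm(message: str) -> dict:
    """Parse one 'firewall' line into flat UDM field names, applying the rules above."""
    kv = parse_kv(message)
    udm = {FIELD_MAP[k]: v for k, v in kv.items() if k in FIELD_MAP}
    for port_field in ("principal.port", "target.port"):
        if port_field in udm:
            udm[port_field] = int(udm[port_field])  # UDM ports are integers
    if "protocol" in kv:
        # Numbers not listed in the change log fall back to the "0" label (assumption).
        udm["network.ip_protocol"] = IP_PROTOCOLS.get(kv["protocol"], "UNKNOWN_IP_PROTOCOL")
    action = action_for_pattern(kv.get("pattern"))
    if action:
        udm["security_result.action"] = action
    return udm
```

A line whose "pattern" is outside both lists gets a "security_result.description" but no "security_result.action", which matches the change log's wording that the action is set only for the listed values.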
2023-06-09 Enhancement -
- Mapped 'metadata.event_type' to 'USER_LOGOUT' when 'type' = '8021x_deauth'.
- Mapped 'radio','vap','reason','is_8021x','instigator','band' to 'additional.fields' for 'type' = 'disassociation'.
2023-05-26 Enhancement -
- For type "security_filtering_file_scanned" modified "metadata.event_type" from "STATUS_UPDATE" to "SCAN_FILE".
- Added Grok pattern to parse syslog logs.
- Mapped "ip" to "principal.ip"
- Mapped "mac" to "principal.mac".
2023-03-03 Enhancement -
- Added Grok pattern to parse logs which have the field "ip_flow_end".
- Mapped "natsrcIp" to "principal.nat_ip".
- Mapped "natsrcport" to "principal.nat_port".
2022-11-25 Enhancement -
- Added support for unparsed JSON logs, network_dns query logs and failing syslog+kv_data logs.
- Mapped "metadata.eventType" to RESOURCE_CREATION, FILE_UNCATEGORIZED, SETTING_MODIFICATION, NETWORK_UNCATEGORIZED, GROUP_UNCATEGORIZED, PROCESS_LAUNCH, PROCESS_TERMINATION, STATUS_UNCATEGORIZED, SYSTEM_AUDIT_LOG_UNCATEGORIZED, USER_LOGOUT, USER_LOGIN, RESOURCE_PERMISSIONS_CHANGE, or USER_RESOURCE_ACCESS based on "EventID" for JSON logs.
- Mapped "DisabledPrivilegeList", "EnabledPrivilegeList" to "target.user.attribute.permissions".
- Mapped "GroupMembership" to "target.user.group_identifiers".
- Mapped "AccessList" to "target.resource.attribute".
- Mapped "auth_mechanism" to "extensions.auth.mechanism".
- Mapped "question" to "network.dns.questions".
- Set "security_result.priority" based on "priority" value.
- Mapped "RecordNumber" to "metadata.product_log_id".
2022-10-06 Enhancement -
- Mapped "dvc" to "intermediary.hostname".
- Mapped "eventType" to "metadata.product_event_type".
- Mapped "pattren" to "security_result.action_details".
- Mapped "principalMac" to "principal.mac".
- Mapped "principalIp" to "principal.ip".
- Added a null check for "dstIp" prior to mapping it to UDM.
2022-07-04 Enhancement -
- When "protocol" is equal to "47" then set "protocol" to "GRE".
- When "protocol" is equal to "50" then set "protocol" to "ESP".
- Added kv block when "eventType" is equal to "events".
- Mapped "identity" to "target.user.userid".
- Mapped "last_known_client_ip" to "principal.ip".
- When "eventSummary" is equal to "association":
- Mapped "client_ip" to "principal.ip".
- Mapped "client_mac" to "principal.mac".
- Mapped "rssi" to "intermediary.asset.product_object_id".
- Mapped "channel" to "security_result.detection_fields".
- Mapped "aid" to "network.session_id".
2022-06-15 Enhancement -
- Mapped "lastSeen", "firstSeen", "wiredLastSeen" to "security_result.detection_fields".
- Mapped "wiredMacs" to "intermediary.mac".
- Mapped "type" to "security_result.summary".
- Mapped "description" to "security_result.description".
- Mapped "deviceSerial" to "_target_hardware.serial_number".
- Mapped "deviceName" to "target.hostname".
- Mapped "ssidName", "clientId", "clientDescription" to "additional.fields".
- Mapped "eventData.client_mac" to "principal.mac".
- Mapped "eventData.identity" to "principal.hostname".
- Mapped "eventData.aid" to "principal.asset_id".
- Mapped "organizationId" to "principal.resource.id".
- Mapped "eventData.group" to "principal.group.group_display_name".
- Mapped "eventData.client_ip" to "principal.ip".
- Mapped "occurredAt" to "metadata.event_timestamp".
2022-05-04 Enhancement - Added mapping for hostname.
2022-04-13 Enhancement - Added parsing of logs of JSON type.