Change log for CISCO_MERAKI
| Date | Changes |
|---|---|
| 2024-12-05 | Enhancement:<br>- When "protocol" is equal to "88" then set "network.ip_protocol" to "EIGRP".<br>- When "protocol" is equal to "50" then set "network.ip_protocol" to "ESP".<br>- When "protocol" is equal to "97" then set "network.ip_protocol" to "ETHERIP".<br>- When "protocol" is equal to "47" then set "network.ip_protocol" to "GRE".<br>- When "protocol" is equal to "1" then set "network.ip_protocol" to "ICMP".<br>- When "protocol" is equal to "58" then set "network.ip_protocol" to "ICMP6".<br>- When "protocol" is equal to "2" then set "network.ip_protocol" to "IGMP".<br>- When "protocol" is equal to "41" then set "network.ip_protocol" to "IP6IN4".<br>- When "protocol" is equal to "103" then set "network.ip_protocol" to "PIM".<br>- When "protocol" is equal to "132" then set "network.ip_protocol" to "SCTP".<br>- When "protocol" is equal to "6" then set "network.ip_protocol" to "TCP".<br>- When "protocol" is equal to "17" then set "network.ip_protocol" to "UDP".<br>- When "protocol" is equal to "112" then set "network.ip_protocol" to "VRRP".<br>- When "protocol" is equal to "0" then set "network.ip_protocol" to "UNKNOWN_IP_PROTOCOL". |
| 2024-10-04 | Enhancement:<br>- Added a Grok pattern and conditional checks to parse the previously unparsed "ip", "userid", "mac", "bytes", and "vlan" fields.<br>- Mapped "ip" to "principal.ip".<br>- Mapped "userid" to "principal.userid".<br>- Mapped "mac" to "principal.mac".<br>- Mapped "bytes" to "network.sent_bytes".<br>- Mapped "vlan" to "security_result.detection_fields". |
| 2024-09-26 | Enhancement:<br>- Added a Grok pattern to parse the previously unparsed IP and mapped it to "target.ip". |
| 2024-09-19 | Enhancement:<br>- Mapped "networkName" to "principal.hostname".<br>- Mapped "organizationName" to "principal.resource.name".<br>- Mapped "organizationUrl" to "principal.resource.attribute.labels".<br>- Mapped "networkTags", "alertType", "alertTypeId", and "alertData.num" to "additional.fields".<br>- Mapped "networkId" to "network.session_id".<br>- Mapped "networkUrl" to "network.http.referral_url".<br>- Mapped "deviceMac" to "target.mac".<br>- Mapped "deviceUrl" to "target.url".<br>- Mapped "deviceModel" to "target.hardware.model".<br>- Mapped "alertLevel" to "security_result.severity". |
| 2024-08-29 | Enhancement:<br>- Added a Grok pattern with a conditional check to parse the previously unparsed SYSLOG logs. |
| 2024-07-31 | Enhancement:<br>- Removed the drop tag and added a Grok pattern with a conditional check to parse unparsed logs. |
| 2024-06-19 | Enhancement:<br>- Added a Grok pattern to parse unparsed logs. |
| 2024-03-19 | Enhancement:<br>- Added a Grok pattern to map the sending device IP address to "intermediary.ip". |
| 2024-02-06 | Enhancement:<br>- Parsed logs where "eventSummary" is "cli_set_rad_parms" or "cli_set_rad_pmksa_parms".<br>- Mapped "group" and "attr" to "additional.fields". |
| 2023-12-26 | Enhancement:<br>- Parsed logs whose "eventSummary" contains "status changed" or "changed STP role". |
| 2023-10-09 | Enhancement:<br>- Set "sec_res.action" to "BLOCK" when "pattern" is one of "1 all", "deny all", or "Group Policy Deny".<br>- Set "sec_res.action" to "ALLOW" when "pattern" is one of "0 all", "allow all", or "Group Policy Allow". |
| 2023-07-19 | Bug fix:<br>- Parsed previously unparsed syslog logs of type "firewall". |
| 2023-07-14 | Enhancement:<br>- For type "splash_auth", mapped "event_type" to "USER_LOGIN".<br>- For types "device_packet_flood" and "packet_flood", mapped "event_type" to "GENERIC_EVENT".<br>- For types "vpn_connectivity_change", "wpa_deauth", and "wpa_auth", mapped "event_type" to "STATUS_UPDATE".<br>- Mapped "agent" to "network.http.parsed_user_agent".<br>- When "protocol" is "47", mapped "network.ip_protocol" to "GRE".<br>- When "protocol" is "103", mapped "network.ip_protocol" to "PIM". |
| 2023-07-04 | Enhancement:<br>- Used key-value filters instead of a Grok pattern to parse logs of type "urls", "firewall", and "vpn_firewall". |
| 2023-06-16 | Enhancement:<br>- Mapped "src" to "principal.ip".<br>- Mapped "dst" to "target.ip".<br>- Mapped "protocol" to "network.ip_protocol".<br>- Mapped "sport" to "principal.port".<br>- Mapped "dport" to "target.port".<br>- Mapped "mac" to "principal.mac".<br>- Mapped "pattern" to "security_result.description". |
| 2023-06-09 | Enhancement:<br>- Mapped "metadata.event_type" to "USER_LOGOUT" when "type" is "8021x_deauth".<br>- Mapped "radio", "vap", "reason", "is_8021x", "instigator", and "band" to "additional.fields" when "type" is "disassociation". |
| 2023-05-26 | Enhancement:<br>- For type "security_filtering_file_scanned", changed "metadata.event_type" from "STATUS_UPDATE" to "SCAN_FILE".<br>- Added a Grok pattern to parse syslog logs.<br>- Mapped "ip" to "principal.ip".<br>- Mapped "mac" to "principal.mac". |
| 2023-03-03 | Enhancement:<br>- Added a Grok pattern to parse logs that contain the field "ip_flow_end".<br>- Mapped "natsrcIp" to "principal.nat_ip".<br>- Mapped "natsrcport" to "principal.nat_port". |
| 2022-11-25 | Enhancement:<br>- Added support for unparsed JSON logs, network_dns query logs, and failing syslog+kv_data logs.<br>- Mapped "metadata.eventType" to RESOURCE_CREATION, FILE_UNCATEGORIZED, SETTING_MODIFICATION, NETWORK_UNCATEGORIZED, GROUP_UNCATEGORIZED, PROCESS_LAUNCH, PROCESS_TERMINATION, STATUS_UNCATEGORIZED, SYSTEM_AUDIT_LOG_UNCATEGORIZED, USER_LOGOUT, USER_LOGIN, RESOURCE_PERMISSIONS_CHANGE, or USER_RESOURCE_ACCESS based on "EventID" for JSON logs.<br>- Mapped "DisabledPrivilegeList" and "EnabledPrivilegeList" to "target.user.attribute.permissions".<br>- Mapped "GroupMembership" to "target.user.group_identifiers".<br>- Mapped "AccessList" to "target.resource.attribute".<br>- Mapped "auth_mechanism" to "extensions.auth.mechanism".<br>- Mapped "question" to "network.dns.questions".<br>- Set "security_result.priority" based on the "priority" value.<br>- Mapped "RecordNumber" to "metadata.product_log_id". |
| 2022-10-06 | Enhancement:<br>- Mapped "dvc" to "intermediary.hostname".<br>- Mapped "eventType" to "metadata.product_event_type".<br>- Mapped "pattern" to "security_result.action_details".<br>- Mapped "principalMac" to "principal.mac".<br>- Mapped "principalIp" to "principal.ip".<br>- Added a null check for "dstIp" before mapping it to UDM. |
| 2022-07-04 | Enhancement:<br>- When "protocol" is equal to "47", set "protocol" to "GRE".<br>- When "protocol" is equal to "50", set "protocol" to "ESP".<br>- Added a kv block when "eventType" is equal to "events".<br>- Mapped "identity" to "target.user.userid".<br>- Mapped "last_known_client_ip" to "principal.ip".<br>- When "eventSummary" is equal to "association", mapped "client_ip" to "principal.ip", "client_mac" to "principal.mac", "rssi" to "intermediary.asset.product_object_id", "channel" to "security_result.detection_fields", and "aid" to "network.session_id". |
| 2022-06-15 | Enhancement:<br>- Mapped "lastSeen", "firstSeen", and "wiredLastSeen" to "security_result.detection_fields".<br>- Mapped "wiredMacs" to "intermediary.mac".<br>- Mapped "type" to "security_result.summary".<br>- Mapped "description" to "security_result.description".<br>- Mapped "deviceSerial" to "target.hardware.serial_number".<br>- Mapped "deviceName" to "target.hostname".<br>- Mapped "ssidName", "clientId", and "clientDescription" to "additional.fields".<br>- Mapped "eventData.client_mac" to "principal.mac".<br>- Mapped "eventData.identity" to "principal.hostname".<br>- Mapped "eventData.aid" to "principal.asset_id".<br>- Mapped "organizationId" to "principal.resource.id".<br>- Mapped "eventData.group" to "principal.group.group_display_name".<br>- Mapped "eventData.client_ip" to "principal.ip".<br>- Mapped "occurredAt" to "metadata.event_timestamp". |
| 2022-05-04 | Enhancement:<br>- Added mapping for hostname. |
| 2022-04-13 | Enhancement:<br>- Added parsing of logs of JSON type. |
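As an added illustration (not the parser's own code, which this change log does not include), the firewall-log rules above are worked through in Python on a constructed sample line: the field-to-UDM mappings of 2023-06-16, the protocol-number normalization of 2024-12-05, and the "pattern"-to-action rule of 2023-10-09. The sample line's layout, the fallback for protocol numbers the table does not list, and the function names are assumptions.

```python
import re

# IP protocol numbers normalised to the UDM "network.ip_protocol" names from the
# 2024-12-05 entry; unlisted numbers fall back to UNKNOWN_IP_PROTOCOL (assumption).
IP_PROTOCOL_BY_NUMBER = {
    "0": "UNKNOWN_IP_PROTOCOL", "1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP",
    "41": "IP6IN4", "47": "GRE", "50": "ESP", "58": "ICMP6", "88": "EIGRP",
    "97": "ETHERIP", "103": "PIM", "112": "VRRP", "132": "SCTP",
}
# "pattern" values that decide "security_result.action" (2023-10-09 entry).
BLOCK_PATTERNS = {"1 all", "deny all", "Group Policy Deny"}
ALLOW_PATTERNS = {"0 all", "allow all", "Group Policy Allow"}
# Field-to-UDM mappings for firewall logs (2023-06-16 entry); ports become ints.
FIELD_MAP = {"src": "principal.ip", "dst": "target.ip", "mac": "principal.mac",
             "sport": "principal.port", "dport": "target.port"}
# Constructed sample in the shape of a Meraki MX "firewall" syslog line (assumed
# layout: timestamp, device name, log type, key=value pairs, trailing "pattern:").
SAMPLE_LINE = ("1700000000.123456789 MX_Branch firewall src=192.168.10.25 "
               "dst=203.0.113.7 mac=00:11:22:33:44:55 protocol=6 "
               "sport=51234 dport=443 pattern: 1 all")

def normalize_ip_protocol(value):
    # Numeric protocols use the table; names such as "tcp" are upper-cased.
    if value.isdigit():
        return IP_PROTOCOL_BY_NUMBER.get(value, "UNKNOWN_IP_PROTOCOL")
    return value.upper()

def action_for_pattern(pattern):
    # Unlisted patterns get no action, only a description.
    if pattern in BLOCK_PATTERNS:
        return "BLOCK"
    return "ALLOW" if pattern in ALLOW_PATTERNS else None

def parse_firewall_line(line):
    # Returns a flat dict keyed by UDM field path for one firewall line.
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    udm = {}
    for key, path in FIELD_MAP.items():
        if key in kv:
            udm[path] = int(kv[key]) if key in ("sport", "dport") else kv[key]
    if "protocol" in kv:
        udm["network.ip_protocol"] = normalize_ip_protocol(kv["protocol"])
    m = re.search(r"pattern:\s*(.+)$", line)
    if m:
        pattern = m.group(1).strip()
        udm["security_result.description"] = pattern
        action = action_for_pattern(pattern)
        if action:
            udm["security_result.action"] = action
    return udm
```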