
cisco_meraki: fix webhook configuration and behavior
Cisco Meraki's approach to 'authentication' is not actually based on
authentication. Instead a shared secret is passed as part of the event that is
sent in the webhook publication[1]. So, in order to prevent ingestion of
invalid or unauthorised events, check for shared secret matching in the ingest
pipeline and drop events that do not match.

Note that Cisco Meraki's approach does not provide any mechanism to prevent
unauthorized connections.

[1]https://developer.cisco.com/meraki/webhooks/introduction/#shared-secret
efd6 committed Mar 21, 2024
1 parent 6805e4d commit ac540bb
Showing 12 changed files with 29 additions and 10 deletions.
2 changes: 0 additions & 2 deletions packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml
Expand Up @@ -7,7 +7,6 @@ services:
environment:
- STREAM_PROTOCOL=webhook
- STREAM_ADDR=http://elastic-agent:8686/meraki/events
- STREAM_WEBHOOK_HEADER=Authorization=abc123
command: log --start-signal=SIGHUP --delay=5s /sample_events/meraki-mx-ndjson.log
meraki-webhook-https:
image: docker.elastic.co/observability/stream:v0.6.2
Expand All @@ -16,7 +15,6 @@ services:
environment:
- STREAM_PROTOCOL=webhook
- STREAM_ADDR=https://elastic-agent:8686/meraki/events
- STREAM_WEBHOOK_HEADER=Authorization=abc123
- STREAM_INSECURE=true
command: log --start-signal=SIGHUP --delay=5s /sample_events/meraki-mx-ndjson.log
cisco_meraki-log-logfile:
@@ -1,2 +1,3 @@
{ "version": "0.1", "sharedSecret": "secret", "sentAt": "2021-10-07T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } }
{ "version": "0.1", "sharedSecret": "secret", "sentAt": "2021-10-07T08:42:00.927486Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "", "alertId": "0000000000000000", "alertType": "Insight Alert", "alertTypeId": "mi_alert", "alertLevel": "warning", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": {} }
{ "version": "0.1", "sharedSecret": "abc123", "sentAt": "2021-10-07T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } }
{ "version": "0.1", "sharedSecret": "abc123", "sentAt": "2021-10-07T08:42:00.927486Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "", "alertId": "0000000000000000", "alertType": "Insight Alert", "alertTypeId": "mi_alert", "alertLevel": "warning", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": {} }
{ "version": "0.1", "sharedSecret": "wrongsecret", "sentAt": "2021-10-09T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } }
5 changes: 5 additions & 0 deletions packages/cisco_meraki/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.21.2"
changes:
- description: Fix webhook shared secret configuration and behavior.
type: bugfix
link: https://github.com/elastic/integrations/pull/9415
- version: "1.21.1"
changes:
- description: Fix url processing.
Expand Up @@ -9,3 +9,5 @@ data_stream:
url: /meraki/events
secret_value: abc123
preserve_original_event: true
assert:
hit_count: 2
Expand Up @@ -60,3 +60,5 @@ data_stream:
Iqi7is4z2mP8pbcIIlmloogE
-----END PRIVATE KEY-----
verification_mode: none
assert:
hit_count: 2
Expand Up @@ -13,8 +13,10 @@ url: {{url}}
{{/if}}

{{#if secret_value}}
secret.header: Authorization
secret.value: "{{secret_value}}"
fields_under_root: true
fields:
_conf:
secret: "{{secret_value}}"
{{/if}}

{{#if ssl}}
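Review bot: The configured secret is now copied into every event as `_conf.secret` and relies entirely on the events ingest pipeline to strip it before indexing; nothing in the template records that contract, so a comment above the block would help, e.g. `# _conf.secret is compared against the event's sharedSecret and removed by the ingest pipeline; it must not reach the index`. The value is also interpolated unescaped into a double-quoted YAML scalar, so a `secret_value` containing `"` or `\` renders an invalid stream configuration; if that limitation is accepted, the option's description should say so. The `{{#if secret_value}}` block is complete within the hunk; the rest of the template is not shown.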
@@ -1,6 +1,8 @@
---
description: Pipeline for processing Cisco Meraki events
processors:
- drop:
if: ctx.json?.sharedSecret != null && ctx.json.sharedSecret != '' && ctx._conf?.secret != ctx.json.sharedSecret
- set:
field: ecs.version
value: '8.11.0'
Expand All @@ -15,7 +17,7 @@ processors:
- append:
field: observer.mac
value: '{{{_tmp.observer.mac}}}'
if: ctx?._tmp?.observer?.mac != null
if: ctx._tmp?.observer?.mac != null
- set:
field: observer.name
copy_from: json.deviceName
Expand Down Expand Up @@ -267,10 +269,11 @@ processors:
- cisco_meraki.event.alertType
- cisco_meraki.event.alertLevel
- _tmp
- _conf
ignore_missing: true
- remove:
field: event.original
if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
ignore_failure: true
ignore_missing: true
- script:
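Review bot: The `drop` condition in the first hunk only fires when the event carries a non-empty `sharedSecret` that differs from `_conf.secret`, so a sender that omits the field or sends `""` is ingested even when a secret is configured — and since the commit message notes nothing stops unauthorised clients from connecting, that is exactly the case the check needed to cover. Comparing the two values with a missing one treated as empty closes the gap without changing the configured-and-matching path: `if: (ctx._conf?.secret ?: '') != (ctx.json?.sharedSecret ?: '')`. The fixture added in this commit exercises matching and mismatching secrets but not a missing one, so a sample line without `sharedSecret` (expected to be dropped, leaving `hit_count: 2` unchanged) would pin the intended behaviour. `_conf` is removed later in the pipeline, but a document that fails before that step still carries the secret, so it is worth confirming that the pipeline's `on_failure` handler, which is outside these hunks, strips it as well.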
2 changes: 1 addition & 1 deletion packages/cisco_meraki/data_stream/events/manifest.yml
Expand Up @@ -32,7 +32,7 @@ streams:
default: /meraki/events
- name: secret_value
type: password
description: Authorization token
description: Shared secret used for selecting events that can be ingested.
multi: false
required: false
show_user: true
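Review bot: The new description says what the value is used for but not where it must come from or what it does not do; the value has to equal the shared secret configured on the Meraki webhook receiver (the `sharedSecret` field of each posted event), and, as the commit message states, matching it does not restrict which clients can reach the endpoint. Suggested wording: `description: Shared secret configured on the Cisco Meraki webhook receiver. Events whose sharedSecret field does not match this value are dropped; this does not restrict which clients can connect to the endpoint.` Since the option is `required: false`, the description should also state what happens to events when it is left empty, which the pipeline (not shown here) decides.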
Expand Up @@ -5,3 +5,5 @@ data_stream:
paths:
- "{{SERVICE_LOGS_DIR}}/cisco-meraki*.log"
preserve_original_event: true
assert:
hit_count: 204
Expand Up @@ -6,3 +6,5 @@ data_stream:
listen_address: 0.0.0.0
listen_port: 8685
preserve_original_event: true
assert:
hit_count: 204
Expand Up @@ -6,3 +6,5 @@ data_stream:
listen_address: 0.0.0.0
listen_port: 8685
preserve_original_event: true
assert:
hit_count: 204
2 changes: 1 addition & 1 deletion packages/cisco_meraki/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: cisco_meraki
title: Cisco Meraki
version: "1.21.1"
version: "1.21.2"
description: Collect logs from Cisco Meraki with Elastic Agent.
type: integration
categories:
