cisco_meraki: hndle blocked ARP packet messages

elastic · Sep 12, 2023 · db74b7a · db74b7a
1 parent 1d7f1cf
commit db74b7a
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 3 deletions.
diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+  changes:
+    - description: Handle blocked ARP packet messages.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7771
 - version: "1.11.1"
   changes:
     - description: Fix flows pipeline according to new Firmware MX18.101.

diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
@@ -21,3 +21,4 @@
 <134>1 1639132875.360638431 1_2_AP_4 events type=disassociation radio='1' vap='1' client_mac='36:E7:E9:AE:04:3D' channel='132' reason='8' apple_da_reason='7' instigator='2' duration='40.260521941' auth_neg_dur='0.024206187' last_auth_ago='40.229666962' is_wpa='1' full_conn='0.477861916' ip_resp='1.005954707' ip_src='10.68.128.113' http_resp='0.477861916' arp_resp='0.179876562' arp_src='10.68.128.113' dns_server='10.128.128.128' dns_req_rtt='0.095675854' dns_resp='0.416596437' dhcp_lease_completed='0.182086020' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:49:F7:26' dhcp_resp='0.182086020' aid='1750957891'
 <134>1 1639132903.129587239 LG2_AP_01 events type=disassociation radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' channel='36' reason='8' apple_da_reason='7' instigator='2' duration='27.641499140' auth_neg_dur='0.008153688' last_auth_ago='27.627178619' is_wpa='1' full_conn='0.395120958' ip_resp='0.520431812' ip_src='10.72.66.49' http_resp='0.395120958' arp_resp='0.132684875' arp_src='10.72.66.49' dns_server='10.128.128.128' dns_req_rtt='0.121687' dns_resp='0.335365542' dhcp_lease_completed='0.133589958' dhcp_server='10.128.128.128' dhcp_server_mac='F8:9E:28:70:1A:7C' dhcp_resp='0.133589958' aid='1899362895'
 <134>1 1639132917.085087788 LG2_AP_01 events type=wpa_auth radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' aid='1546367691'
+<134>1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
@@ -1048,6 +1048,57 @@
                 "forwarded",
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2021-12-10T10:40:51.416Z",
+            "cisco_meraki": {
+                "event_subtype": "blocked",
+                "event_type": "events"
+            },
+            "ecs": {
+                "version": "8.9.0"
+            },
+            "event": {
+                "action": "blocked",
+                "category": [
+                    "network"
+                ],
+                "original": "\u003c134\u003e1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123",
+                "type": [
+                    "info"
+                ]
+            },
+            "interface": {
+                "name": "VLAN 123"
+            },
+            "log": {
+                "syslog": {
+                    "priority": 134
+                }
+            },
+            "observer": {
+                "hostname": "TCP9001"
+            },
+            "source": {
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.144",
+                "mac": "AB-01-02-03-04-05"
+            },
+            "tags": [
+                "forwarded",
+                "preserve_original_event"
+            ]
         }
     ]
 }
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
@@ -11,11 +11,15 @@ processors:
 - set:
     field: cisco_meraki.event_subtype
     value: 'Site-to-Site VPN'
-    if: ctx?.msgtype.toLowerCase() == "site-to-site"
+    if: ctx.msgtype.toLowerCase() == "site-to-site"
 - set:
     field: cisco_meraki.event_subtype
     value: client_vpn_connect
-    if: ctx?.msgtype.toLowerCase() == "client_vpn_connect"
+    if: ctx.msgtype.toLowerCase() == "client_vpn_connect"
+- set:
+    field: cisco_meraki.event_subtype
+    value: blocked
+    if: ctx.msgtype.toLowerCase() == "blocked"
 ####################################################
 # log event with type=<value> format
 # these are dfs_event, association, disassocation, 
@@ -73,6 +77,28 @@ processors:
       WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
     if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN"
 
+####################################################
+# Handle Blocked ARP
+####################################################
+- grok:
+    field: event.original
+    patterns: 
+      - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}Blocked ARP Packet from %{MAC:source.mac} with IP %{IP:source.ip} on %{GREEDYDATA:interface.name}$'
+    pattern_definitions:
+      SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
+      SYSLOGVER: '\b(?:\d{1,2})\b'
+      SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
+      WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
+    if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "blocked"
+- gsub:
+    field: source.mac
+    pattern: '[:.]'
+    replacement: '-'
+    ignore_missing: true
+- uppercase:
+    field: source.mac
+    ignore_missing: true
+
 ####################################################
 # Handle dfs_event, wpa_auth, wpa_deauth, 
 # association or disassociation

diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
@@ -114,6 +114,8 @@
   name: http.request.method
 - external: ecs
   name: http.request.referrer
+- external: ecs
+  name: interface.name
 - external: ecs
   name: log.level
 - external: ecs

diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md
@@ -194,6 +194,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Input type. | keyword |
+| interface.name | Interface name as reported by the system. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |

diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.7.0
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.11.1"
+version: "1.12.0"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories: