[Meraki] Incorrect 'threat' mappings #8493

jamiehynds · 2023-11-14T10:52:44Z

As reported by @mattmac1 - our Meraki integration is incorrectly mapping data to event.category:threat and type:indicator which are typically reserved for indicators of compromise from Threat Intel feeds. As a result, data from Meraki is incorrectly appearing in the intelligence tab and dashboards within Elastic Security.

Can we remove these mappings, to ensure Meraki data isn't treated an an indicator of compromise.

 "data_stream": {
      "namespace": "group",
      "type": "logs",
      "dataset": "cisco_meraki.log"
    },
    "event": {
      "agent_id_status": "missing",
      "ingested": "2023-11-08T15:06:51Z",
      "action": "rogue-ssid-detected",
      "category": [
        "network",
        "threat"
      ],
      "type": [
        "info",
        "indicator"
      ],
      "dataset": "cisco_meraki.log"

The text was updated successfully, but these errors were encountered:

elasticmachine · 2023-11-14T10:52:52Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

jamiehynds added the Team:Security-External Integrations label Nov 14, 2023

jamiehynds added Integration:Cisco Meraki bug Something isn't working labels Nov 14, 2023

efd6 self-assigned this Nov 15, 2023

efd6 mentioned this issue Nov 15, 2023

cisco_meraki: remove incorrect event.category:threat and event.type:indicator values #8508

Merged

4 tasks

efd6 closed this as completed in #8508 Nov 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Meraki] Incorrect 'threat' mappings #8493

[Meraki] Incorrect 'threat' mappings #8493

jamiehynds commented Nov 14, 2023

elasticmachine commented Nov 14, 2023

[Meraki] Incorrect 'threat' mappings #8493

[Meraki] Incorrect 'threat' mappings #8493

Comments

jamiehynds commented Nov 14, 2023

elasticmachine commented Nov 14, 2023