elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Meraki] Incorrect 'threat' mappings #8493

Closed jamiehynds closed 11 months ago

jamiehynds commented 11 months ago

As reported by @mattmac1 - our Meraki integration is incorrectly mapping data to event.category:threat and type:indicator which are typically reserved for indicators of compromise from Threat Intel feeds. As a result, data from Meraki is incorrectly appearing in the intelligence tab and dashboards within Elastic Security.

Can we remove these mappings, to ensure Meraki data isn't treated as an indicator of compromise?

```json
{
  "data_stream": {
    "namespace": "group",
    "type": "logs",
    "dataset": "cisco_meraki.log"
  },
  "event": {
    "agent_id_status": "missing",
    "ingested": "2023-11-08T15:06:51Z",
    "action": "rogue-ssid-detected",
    "category": [
      "network",
      "threat"
    ],
    "type": [
      "info",
      "indicator"
    ],
    "dataset": "cisco_meraki.log"
  }
}
```
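The issue asks for the `threat` / `indicator` values to be dropped from Meraki events so they stop surfacing as threat-intel indicators. The following Python is an added example, not code from the elastic/integrations repository or the integration's ingest pipeline: it models that correction at the document level, with an audit function that flags Meraki documents still carrying the reserved ECS values and a fix function that strips them while leaving genuine indicator documents (such as those from a threat-intel feed) untouched. The sample documents, including the `ti_example.indicator` dataset name, are constructed for illustration.

```python
"""Audit and correct ECS event.category / event.type on Cisco Meraki documents.

Added example, not code from the elastic/integrations repository. It models
the mapping change requested in the issue: Meraki events should not carry
event.category "threat" or event.type "indicator", which ECS reserves for
threat-intelligence indicators. All sample documents below are constructed.
"""
import copy

MERAKI_DATASET = "cisco_meraki.log"
RESERVED_CATEGORY = "threat"   # event.category value reserved for TI indicators
RESERVED_TYPE = "indicator"    # event.type value reserved for TI indicators

# Constructed sample documents: one shaped like the event quoted in the issue,
# one Meraki event that is already mapped correctly, and one genuine
# threat-intel indicator (dataset name "ti_example.indicator" is made up).
SAMPLE_DOCS = [
    {
        "data_stream": {"type": "logs", "dataset": MERAKI_DATASET, "namespace": "group"},
        "event": {
            "action": "rogue-ssid-detected",
            "category": ["network", "threat"],
            "type": ["info", "indicator"],
            "dataset": MERAKI_DATASET,
        },
    },
    {
        "data_stream": {"type": "logs", "dataset": MERAKI_DATASET, "namespace": "group"},
        "event": {
            "action": "dhcp_lease",
            "category": ["network"],
            "type": ["info"],
            "dataset": MERAKI_DATASET,
        },
    },
    {
        "data_stream": {"type": "logs", "dataset": "ti_example.indicator", "namespace": "default"},
        "event": {
            "category": ["threat"],
            "type": ["indicator"],
            "dataset": "ti_example.indicator",
        },
    },
]


def is_mismapped(doc):
    """True if a Meraki document carries the indicator-reserved ECS values."""
    event = doc.get("event", {})
    if event.get("dataset") != MERAKI_DATASET:
        return False
    return (RESERVED_CATEGORY in event.get("category", [])
            or RESERVED_TYPE in event.get("type", []))


def fix_meraki_event_fields(doc):
    """Return a copy of doc with 'threat'/'indicator' removed from a Meraki event.

    Non-Meraki documents are returned unchanged, so a genuine threat-intel
    indicator can never have its category/type stripped by this correction.
    """
    if doc.get("event", {}).get("dataset") != MERAKI_DATASET:
        return doc
    fixed = copy.deepcopy(doc)  # do not mutate the caller's document
    event = fixed["event"]
    event["category"] = [c for c in event.get("category", []) if c != RESERVED_CATEGORY]
    event["type"] = [t for t in event.get("type", []) if t != RESERVED_TYPE]
    return fixed


def audit(docs):
    """Return event.action for every Meraki document that is still mismapped."""
    return [d["event"].get("action") for d in docs if is_mismapped(d)]


if __name__ == "__main__":
    print("mismapped Meraki events:", audit(SAMPLE_DOCS))
    for d in map(fix_meraki_event_fields, SAMPLE_DOCS):
        print(d["event"]["dataset"], d["event"]["category"], d["event"]["type"])
```

Running `audit` against documents pulled from the `logs-cisco_meraki.*` data stream before and after the integration update is a quick way to confirm the fix landed: the list should be empty afterwards, and indicator documents from real threat-intel datasets should be unaffected.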
elasticmachine commented 11 months ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)