I saw another post about the Cisco Meraki (using REST API) Data Connector in Sentinel, but this is an expansion on that, so I am creating a separate thread.
I have both of the Sentinel Data Connectors (Cisco Meraki and Cisco Meraki (using REST API)) working. The REST API connector gets IDS alerts, config changes and file-scanned events, and a lot of HTTP connections.
The non-REST API connector, Cisco Meraki, requires a VM with syslog running; that also works and generates logs with a Log Message field.
For example:
Log Message:
<134>1 1716321702.465461554 Switch_2 events Port 08:F1:B3:F7:FF:FD/24 received a BPDU from 08:F1:F3:F7:D5:FD, expected 70:4C:F5:E0:8C:6A
<134>1 1716321700.647755673 MX75 ip_flow_start src=10.1.5.6 dst=2.11.14.32 protocol=tcp sport=52192 dport=443 translated_src_ip=16.28.23.198 translated_port=52192
I assumed that the syslog connector would parse this field into source IP, destination IP and similar fields, but it does not seem to be doing that. This seems strange to me and makes me think I am missing something. So my question is: should this connector be parsing it, or is this just an extra step that I have to perform using data collection rules? Assuming so, is there a public version of the DCR so I don't have to recreate the wheel? I see two on https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/CiscoMeraki, but the MerakiSecurityEvents one is not working for me and I'm not sure if it is incompatible or what.
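As an added example (not code from the post, from Cisco, or from the Azure/Azure-Sentinel repository), the Python below does the split the post is looking for: it breaks the Log Message header into PRI (facility/severity), epoch timestamp, device hostname and event type, and turns the key=value body of flow events such as ip_flow_start into normalised fields, while pulling MAC addresses out of free-text events such as the BPDU line. The sample lines are constructed from the two quoted in the post, and the column names in FIELD_MAP are assumed for illustration, not a Meraki or Sentinel schema.

```python
"""Parse Cisco Meraki syslog lines into structured fields.

Added example; not code from the post or from the Azure-Sentinel repository.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input in the shape of the two lines quoted in the post.
SAMPLE_LINES = [
    "<134>1 1716321702.465461554 Switch_2 events Port 08:F1:B3:F7:FF:FD/24 "
    "received a BPDU from 08:F1:F3:F7:D5:FD, expected 70:4C:F5:E0:8C:6A",
    "<134>1 1716321700.647755673 MX75 ip_flow_start src=10.1.5.6 dst=2.11.14.32 "
    "protocol=tcp sport=52192 dport=443 translated_src_ip=16.28.23.198 translated_port=52192",
]

# Header layout seen in the post: <PRI>VERSION EPOCH.FRACTION HOSTNAME EVENT_TYPE body
# The <PRI> prefix is optional so lines whose syslog agent already stripped it still parse.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<version>\d+) "
    r"(?P<epoch>\d+)(?:\.(?P<frac>\d+))? "
    r"(?P<host>\S+) (?P<event>\S+)(?: (?P<body>.*))?$"
)
KV_RE = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>\S+)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")

# Hypothetical normalised column names (assumed for this example, not a Meraki or
# Sentinel schema); rename to whatever your DCR or workspace function targets.
FIELD_MAP = {
    "src": "SrcIpAddr",
    "dst": "DstIpAddr",
    "sport": "SrcPortNumber",
    "dport": "DstPortNumber",
    "protocol": "NetworkProtocol",
    "translated_src_ip": "SrcNatIpAddr",
    "translated_port": "SrcNatPortNumber",
}
PORT_KEYS = {"sport", "dport", "translated_port"}


@dataclass
class MerakiEvent:
    facility: Optional[int]
    severity: Optional[int]
    time: datetime
    device: str
    event_type: str
    message: str
    fields: dict = field(default_factory=dict)  # normalised key=value pairs
    macs: list = field(default_factory=list)    # MAC addresses found in free text


def parse_meraki_line(line: str) -> Optional[MerakiEvent]:
    """Return a MerakiEvent, or None when the line is not in the Meraki layout."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    facility = severity = None
    if m["pri"] is not None:
        pri = int(m["pri"])
        facility, severity = pri >> 3, pri & 7  # syslog PRI = facility*8 + severity
    ts = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    if m["frac"]:
        # Meraki writes a nanosecond fraction; keep the first six digits as microseconds.
        ts = ts.replace(microsecond=int(m["frac"][:6].ljust(6, "0")))
    body = m["body"] or ""
    fields = {}
    for key, val in KV_RE.findall(body):
        name = FIELD_MAP.get(key, key)
        fields[name] = int(val) if key in PORT_KEYS and val.isdigit() else val
    return MerakiEvent(
        facility=facility, severity=severity, time=ts, device=m["host"],
        event_type=m["event"], message=body, fields=fields, macs=MAC_RE.findall(body),
    )


def parse_meraki_lines(lines):
    """Parse many lines, skipping any that do not match the Meraki layout."""
    events = [parse_meraki_line(line) for line in lines]
    return [ev for ev in events if ev is not None]


if __name__ == "__main__":
    for ev in parse_meraki_lines(SAMPLE_LINES):
        print(ev.time.isoformat(), ev.device, ev.event_type, ev.fields or ev.macs)
```

The same three-step split (fixed header, event type, then either key=value pairs or free text) is what a DCR transformation or a KQL parser function has to perform over the stored message string; the header regex is deliberately anchored on the epoch rather than the PRI so that it still works when the collecting agent has already stripped the angle-bracket prefix.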