{"name":"Meraki content pack","description":"Contains:\n- Input\n- Extractors\n- Stream\n- Spoofed SSID stream (change rules to match your company WIFI name)\n- Operational statistics dashboard\n- Security dashboard\n","category":"Meraki, wireless, AP","inputs":[{"id":"5a9952c843818f57abbd1635","title":"Meraki-Raw","configuration":{"override_source":null,"recv_buffer_size":262144,"bind_address":"0.0.0.0","port":5144},"static_fields":{},"type":"org.graylog2.inputs.raw.udp.RawUDPInput","global":true,"extractors":[{"title":"General - Category","type":"SPLIT_AND_INDEX","cursor_strategy":"COPY","target_field":"category","source_field":"message","configuration":{"index":4,"split_by":" "},"converters":[],"condition_type":"NONE","condition_value":"","order":1},{"title":"General - Hostname","type":"SPLIT_AND_INDEX","cursor_strategy":"COPY","target_field":"hostname","source_field":"message","configuration":{"index":3,"split_by":" "},"converters":[],"condition_type":"NONE","condition_value":"","order":3},{"title":"General -  Convert syslog priority","type":"REGEX","cursor_strategy":"COPY","target_field":"syslog_priority","source_field":"message","configuration":{"regex_value":"^<(\\d\\d\\d)"},"converters":[{"type":"SYSLOG_PRI_LEVEL","configuration":{}}],"condition_type":"REGEX","condition_value":"^<(\\d\\d\\d)","order":0},{"title":"General - Epoch (no MS precision)","type":"REGEX","cursor_strategy":"COPY","target_field":"epoch","source_field":"message","configuration":{"regex_value":"\\s([^.]*)"},"converters":[{"type":"FLEXDATE","configuration":{"time_zone":"Europe/Amsterdam"}}],"condition_type":"REGEX","condition_value":"\\s([^.]*)","order":2},{"title":"Events - Extract key/value pairs for pipeline","type":"REGEX","cursor_strategy":"COPY","target_field":"_key_value_pairs_for_pipeline","source_field":"message","configuration":{"regex_value":"(?:\\S*\\s){4}(.*)"},"converters":[{"type":"TOKENIZER","configuration":{}}],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(events)","order":19},{"title":"Flows - Action","type":"REGEX","cursor_strategy":"COPY","target_field":"action","source_field":"message","configuration":{"regex_value":"(?:\\S*\\s){4}(\\S*)"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(flows)","order":17},{"title":"Flows - Protocol","type":"REGEX","cursor_strategy":"COPY","target_field":"protocol","source_field":"message","configuration":{"regex_value":"protocol=(\\S+) "},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(flows)","order":12},{"title":"Flows - Source port","type":"REGEX","cursor_strategy":"COPY","target_field":"source_port","source_field":"message","configuration":{"regex_value":"sport=(\\S+) "},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(flows)","order":16},{"title":"Flows - Destination port","type":"REGEX","cursor_strategy":"COPY","target_field":"destination_port","source_field":"message","configuration":{"regex_value":"dport=(\\S+)"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(flows)","order":15},{"title":"Flows - Destination address","type":"REGEX","cursor_strategy":"COPY","target_field":"destination_address","source_field":"message","configuration":{"regex_value":"dst=(\\S+)"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(flows)","order":13},{"title":"Flows - Source address","type":"REGEX","cursor_strategy":"COPY","target_field":"source_address","source_field":"message","configuration":{"regex_value":"src=(\\S+)"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(flows)","order":14},{"title":"URLS - Source address","type":"REGEX","cursor_strategy":"COPY","target_field":"source_address","source_field":"message","configuration":{"regex_value":"src=(\\S+):"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(urls)","order":5},{"title":"URLS - Destination port","type":"REGEX","cursor_strategy":"COPY","target_field":"destination_port","source_field":"message","configuration":{"regex_value":"dst=\\S+:(\\d+)"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(urls) ","order":4},{"title":"URLS - Destination address","type":"REGEX","cursor_strategy":"COPY","target_field":"destination_address","source_field":"message","configuration":{"regex_value":"dst=(\\S+):"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(urls) ","order":6},{"title":"URLS - Request agent","type":"REGEX","cursor_strategy":"COPY","target_field":"request_agent","source_field":"message","configuration":{"regex_value":"agent='(.+)'"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(urls)","order":10},{"title":"URLS - Source port","type":"REGEX","cursor_strategy":"COPY","target_field":"source_port","source_field":"message","configuration":{"regex_value":"src=\\S+:(\\d+)"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(urls)","order":8},{"title":"URLS - Request type","type":"REGEX","cursor_strategy":"COPY","target_field":"request_type","source_field":"message","configuration":{"regex_value":"request: (.*)\\s"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(urls)","order":7},{"title":"URLS - Request URL","type":"REGEX","cursor_strategy":"COPY","target_field":"request_url","source_field":"message","configuration":{"regex_value":"request: (?:.*)\\s(.*)"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(urls)","order":11},{"title":"URLS & Flows - Source mac address","type":"REGEX","cursor_strategy":"COPY","target_field":"source_mac_address","source_field":"message","configuration":{"regex_value":"mac=(\\S+)"},"converters":[],"condition_type":"REGEX","condition_value":"(?:\\S*\\s){3}(urls|flows)","order":9},{"title":"Air Marshall - Key/value pairs","type":"REGEX","cursor_strategy":"COPY","target_field":"_key_value_pairs_for_pipeline","source_field":"message","configuration":{"regex_value":"airmarshal_events\\s(.+)"},"converters":[{"type":"TOKENIZER","configuration":{}}],"condition_type":"REGEX","condition_value":"airmarshal_events\\s","order":18}]}],"streams":[{"id":"5abe46b343818f22034794e5","title":"Meraki detected - spoofed SSID's","description":"Messages indicating a spoofed SSID was detected.","disabled":false,"matching_type":"AND","stream_rules":[{"type":"EXACT","field":"category","value":"airmarshal_events","inverted":false,"description":""},{"type":"REGEX","field":"ssid","value":".*abc.*defg.*|.*abc.*","inverted":false,"description":""}],"outputs":[],"default_stream":false},{"id":"5a9954c343818f57abbd1869","title":"Meraki devices","description":"Messages coming from Meraki access-points","disabled":false,"matching_type":"AND","stream_rules":[{"type":"EXACT","field":"gl2_source_input","value":"5a9952c843818f57abbd1635","inverted":false,"description":""}],"outputs":[],"default_stream":false}],"outputs":[],"dashboards":[{"title":"Meraki - WiFi - Operational statistics","description":"Detected malware, DNS&DHCP response times, top URL's, blocked URL","dashboard_widgets":[{"description":"URL request agents","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"request_agent","stream_id":"5a9954c343818f57abbd1869","query":"","show_data_table":true,"limit":5,"show_pie_chart":true,"sort_order":"desc","stacked_fields":"","data_table_limit":50},"col":2,"row":1,"height":3,"width":1},{"description":"DNS response time","type":"FIELD_CHART","cache_time":10,"configuration":{"valuetype":"mean","renderer":"area","interpolation":"linear","timerange":{"type":"relative","range":86400},"rangeType":"relative","field":"dns_resp","stream_id":"5a9954c343818f57abbd1869","query":"_exists_:dns_resp","interval":"hour","relative":300},"col":3,"row":6,"height":1,"width":2},{"description":"DHCP response time","type":"FIELD_CHART","cache_time":10,"configuration":{"valuetype":"mean","renderer":"area","interpolation":"linear","timerange":{"type":"relative","range":86400},"rangeType":"relative","field":"dhcp_resp","stream_id":"5a9954c343818f57abbd1869","query":"_exists_:dhcp_resp","interval":"hour","relative":300},"col":3,"row":8,"height":1,"width":2},{"description":"Average time associated","type":"FIELD_CHART","cache_time":10,"configuration":{"valuetype":"mean","renderer":"area","interpolation":"linear","timerange":{"type":"relative","range":86400},"rangeType":"relative","field":"duration","stream_id":"5a9954c343818f57abbd1869","query":"_exists_:duration","interval":"hour","relative":300},"col":1,"row":4,"height":1,"width":2},{"description":"Total examined connections","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"stream_id":"5a9954c343818f57abbd1869","trend":true,"query":"category:flows"},"col":3,"row":1,"height":1,"width":1},{"description":"Mooiland medewerkers - Associations by time of day","type":"SEARCH_RESULT_CHART","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"interval":"minute","stream_id":"5a9954c343818f57abbd1869","query":"type:association AND vap:0"},"col":3,"row":2,"height":1,"width":2},{"description":"Mooiland gasten - Associations by time of day","type":"SEARCH_RESULT_CHART","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"interval":"hour","stream_id":"5a9954c343818f57abbd1869","query":"type:association AND vap:3"},"col":3,"row":4,"height":1,"width":2},{"description":"Mooiland gasten - total associations","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"stream_id":"5a9954c343818f57abbd1869","trend":true,"query":"type:association AND vap:0"},"col":3,"row":5,"height":1,"width":1},{"description":"Mooiland medewerkers - total associations","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"stream_id":"5a9954c343818f57abbd1869","trend":true,"query":"type:association AND vap:3"},"col":3,"row":7,"height":1,"width":1},{"description":"Total WiFi associations","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"stream_id":"5a9954c343818f57abbd1869","trend":true,"query":"type:association"},"col":3,"row":3,"height":1,"width":1},{"description":"Requested URLs","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"request_url","stream_id":"5a9954c343818f57abbd1869","query":"","show_data_table":true,"limit":5,"show_pie_chart":true,"sort_order":"desc","stacked_fields":"","data_table_limit":50},"col":1,"row":1,"height":3,"width":1}]},{"title":"Meraki - WiFi - Security","description":"Firewall and malware detection summary on Meraki devices","dashboard_widgets":[{"description":"Locations of blocked connections (lookup via IP)","type":"org.graylog.plugins.map.widget.strategy.MapWidgetStrategy","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"destination_address_geolocation","stream_id":"5a9954c343818f57abbd1869","query":"category:flows AND NOT action:deny"},"col":1,"row":1,"height":2,"width":2},{"description":"Blocked connections per time of day","type":"SEARCH_RESULT_CHART","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"interval":"hour","stream_id":"5a9954c343818f57abbd1869","query":"category:flows AND action:deny"},"col":1,"row":3,"height":1,"width":2},{"description":"Total examined connections (allowed & denied)","type":"SEARCH_RESULT_CHART","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"interval":"hour","stream_id":"5a9954c343818f57abbd1869","query":"category:flows"},"col":1,"row":4,"height":1,"width":2},{"description":"Blocked connections by client name/address","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"src_hostname","stream_id":"5a9954c343818f57abbd1869","query":"category:flows AND action:deny","show_data_table":true,"limit":5,"show_pie_chart":true,"sort_order":"desc","stacked_fields":"source_address","data_table_limit":50},"col":3,"row":2,"height":3,"width":1},{"description":"Top blocked destinations","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"destination_address","stream_id":"5a9954c343818f57abbd1869","query":"category:flows AND action:deny","show_data_table":true,"limit":5,"show_pie_chart":true,"sort_order":"desc","stacked_fields":"dst_hostname","data_table_limit":50},"col":4,"row":2,"height":3,"width":1},{"description":"Total examined connections","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":false,"stream_id":"5a9954c343818f57abbd1869","trend":true,"query":"category:flows"},"col":3,"row":1,"height":1,"width":1},{"description":"Total blocked connections","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"lower_is_better":true,"stream_id":"5a9954c343818f57abbd1869","trend":true,"query":"action:deny AND category:flows"},"col":4,"row":1,"height":1,"width":1},{"description":"Top detected SSID's","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"ssid","stream_id":"5a9954c343818f57abbd1869","query":"category:airmarshal_events AND _exists_:bssid","show_data_table":true,"limit":5,"show_pie_chart":true,"sort_order":"desc","stacked_fields":"","data_table_limit":50},"col":1,"row":5,"height":3,"width":1}]}],"grok_patterns":[],"lookup_tables":[],"lookup_caches":[],"lookup_data_adapters":[]}