Cisco Meraki ASimNetworkSession Parser Missing Detection of Security Events (ids_alerted)

[yusufozturk]

Hi,

In the ASimNetworkSessionCiscoMerakiSyslog parser, the current KQL query includes the condition:

LogMessage has_all("security_event", "ids-alerted")

However, the actual log messages use the field ids_alerted (with an underscore), not ids-alerted (with a hyphen). According to the official Meraki documentation, the correct value is ids_alerted:

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples

Initially, I suspected this might be a typo in the KQL parser. But interestingly, in this sample data file:

https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/ASIM/Cisco_Meraki_NetworkSession_IngestedLogs.csv

The value is shown as ids-alerted, which is quite odd. It’s possible that the format has changed over time or may vary between Meraki firmware versions.

Suggestion:
To ensure compatibility, it might be safer to support both variants — ids_alerted and ids-alerted.

I plan to submit a PR to address this. Just wanted to flag the inconsistency here first.

Thanks!

[yusufozturk]

Additionally, PR should cover this:
#9471

[v-sudkharat]

@yusufozturk, thank you for flagging this issue and for your contribution. Once you have raised the PR, please let us know so our team can review it.

Thanks!

[v-sudkharat]

@yusufozturk, Just checking, did you get a chance to open a PR for this? if so, could you please share the PR no with us so will request PR team to review it.

Thanks!

[yusufozturk]

@v-sudkharat not yet. We did the changes internally. I will provide the PR this week.
Thanks.