This add-on provides CIM-compliant field mappings and tags for Cisco Meraki Air Marshal and Access Point data to populate Splunk Enterprise Security data models.
When using the Cisco Meraki Add-on for Splunk (available separately on Splunkbase, v3.x) to collect data from the Meraki Dashboard API, two key sourcetypes lack complete CIM compliance:
- meraki:airmarshal - Air Marshal wireless threat detection events are collected but lack the tags and CIM field mappings required by the Intrusion_Detection (IDS_Attacks) data model. Rogue AP detections, SSID spoofing alerts, and other wireless threats do not appear in Splunk ES security dashboards or correlation searches.
- meraki:accesspoints - Client association, disassociation, and fast roaming events are collected but lack the tags and CIM field mappings required by the Network_Sessions data model. Wireless session data is invisible to session-based correlation in Splunk ES.
This add-on supplements the Meraki TA by adding event type definitions, CIM tags, and EVAL-based field extractions that map raw Meraki API fields to CIM-compliant field names.
CIM Data Models Covered:
- Intrusion_Detection (IDS_Attacks) - meraki:airmarshal - Maps fields: ids_type, signature, category, severity, action, src, dvc
- Network_Sessions - meraki:accesspoints - Maps fields: dest, ssid, session_action, duration
The Meraki TA already provides CIM compliance for Authentication (802.1X events) and Change (configuration and availability events). This add-on fills the remaining gaps.
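The following props.conf, eventtypes.conf and tags.conf fragments are an added illustration of the mechanism described above (event types, CIM tags and EVAL-based mappings); they are not this add-on's own configuration. The raw Meraki field names on the right-hand side of each EVAL (type, bssid, deviceSerial, contained, clientMac, startTs, endTs) and the event type names are assumptions; only the CIM field names and the ids/attack and network/session tags are fixed by the data models.

```conf
# props.conf -- map assumed raw Meraki fields to the CIM field names
# required by Intrusion_Detection (IDS_Attacks) and Network_Sessions.
[meraki:airmarshal]
EVAL-ids_type  = "wireless"
EVAL-category  = coalesce(type, "unknown")
EVAL-signature = coalesce(type, "unknown") . " " . coalesce(ssid, "")
# "contained" is an assumed boolean from the Air Marshal API response
EVAL-action    = if(contained=="true", "blocked", "allowed")
EVAL-severity  = case(match(type, "spoof"), "critical",
                      match(type, "rogue"), "high",
                      true(),              "medium")
EVAL-src       = coalesce(bssid, src)
EVAL-dvc       = coalesce(deviceSerial, host)

[meraki:accesspoints]
EVAL-dest           = coalesce(clientMac, dest)
EVAL-session_action = case(match(type, "disassociation"), "ended",
                           match(type, "association"),    "started",
                           match(type, "roam"),           "started",
                           true(),                        null())
# startTs/endTs are assumed epoch fields; duration is only meaningful on end events
EVAL-duration       = if(isnotnull(endTs) AND isnotnull(startTs), endTs - startTs, null())

# eventtypes.conf -- one event type per data model so tags can be attached
[meraki_airmarshal_ids]
search = sourcetype="meraki:airmarshal"

[meraki_accesspoints_session]
search = sourcetype="meraki:accesspoints" (type="*association*" OR type="*roam*")

# tags.conf -- the tag pairs the CIM data model constraints look for
[eventtype=meraki_airmarshal_ids]
ids    = enabled
attack = enabled

[eventtype=meraki_accesspoints_session]
network = enabled
session = enabled

# Verification search (run in Splunk after deploying the add-on): events should
# now be returned by the data model itself, not only by raw sourcetype search.
#   | tstats count from datamodel=Intrusion_Detection
#       where sourcetype="meraki:airmarshal" by IDS_Attacks.ids_type IDS_Attacks.action
#   | tstats count from datamodel=Network_Sessions
#       where sourcetype="meraki:accesspoints" by All_Sessions.session_action
```

A zero count from either tstats search while the raw sourcetype search returns events means the tags or a required field (ids_type, src, dest) are missing, which is exactly the gap the add-on is meant to close.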
Requirements:
- Cisco Meraki Add-on for Splunk v3.0.0 or later
- Splunk Common Information Model (CIM) v4.0.0 or later
- Splunk Enterprise Security (recommended but not required)
Categories: Security, Fraud & Compliance, SIEM
Created By: Albert Martirosyan