Forum Discussion
David Caddick
Mar 16, 2020, Iron Contributor
Sentinel & Cisco Meraki?
Has anyone had any experience with getting Cisco Meraki feeds ingesting into Sentinel? Just checking for any gotchas...
JKatzmandu
Nov 23, 2020, Brass Contributor
I've done this Meraki recipe for two customers; it comes in via syslog, syslog puts it into its own file, it's read as a Custom Log by the Log Analytics Agent and is forwarded into Sentinel. Then within Sentinel we have a KQL function to extract the most common stuff. What's frustrating is that Cisco Meraki isn't always the most consistent with the log format.
Here's my GitHub with the extractors, which I have no problem with anyone else using, and if you guys have fixes, I'm happy to incorporate them:
https://github.com/jkatzmandu/sentinel_tricks
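As an added example (it is not from this thread and is not the extractor in the linked repository), the following Python sketch does the same job the KQL function in the answer above performs once the Custom Log lands in Sentinel: pulling the common fields out of a raw Meraki syslog line. The line shape it assumes, an epoch timestamp, a device name, an event type, then key=value pairs with an occasional trailing `pattern:`, `request:` or `message:` clause, is taken from Meraki's documented syslog format; the device name, addresses and values in `SAMPLE_LINES` are constructed, and the lines are assumed to have already had any syslog PRI/host prefix stripped by the collector.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the general Meraki syslog shape
# "<epoch> <device> <event_type> key=value ... [pattern|request|message: text]".
# The last line deliberately does not fit, to exercise the failure path.
SAMPLE_LINES = [
    "1587652834.123456789 MX84_HQ flows src=10.1.1.25 dst=93.184.216.34 "
    "mac=AA:BB:CC:DD:EE:FF protocol=tcp sport=51234 dport=443 pattern: allow all",
    "1587652835.987654321 MX84_HQ urls src=10.1.1.25:51235 dst=93.184.216.34:80 "
    "mac=AA:BB:CC:DD:EE:FF request: GET http://example.com/index.html",
    "1587652836.000000001 MX84_HQ ids-alerts signature=PLACEHOLDER_SIG priority=2 "
    "timestamp=1587652835.99 dhost=AA:BB:CC:DD:EE:FF direction=ingress protocol=tcp/ip "
    "src=203.0.113.9:4444 dst=10.1.1.25:80 message: constructed test alert",
    "this line does not match the expected shape",
]

# Header: epoch, device name, event type, then everything else.
HEADER_RE = re.compile(
    r"^(?P<epoch>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?P<event_type>\S+)\s*(?P<rest>.*)$"
)
# Plain key=value tokens (values never contain whitespace in this shape).
KV_RE = re.compile(r"(?P<key>[A-Za-z_][\w-]*)=(?P<value>\S+)")
# Free-text trailer that is NOT key=value and would otherwise be lost.
TRAILER_RE = re.compile(r"\b(?P<name>pattern|request|message):\s*(?P<text>.*)$")


def parse_meraki_line(line: str) -> Optional[Dict[str, str]]:
    """Return a flat dict of fields for one line, or None if the header does not fit.

    Returning None rather than a half-filled dict lets the caller count and
    surface lines whose format drifted, which is the practical problem with
    this feed.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"epoch": m["epoch"], "device": m["device"], "event_type": m["event_type"]}
    rest = m["rest"]

    # Peel off the free-text trailer first so its words are not mis-read as k=v.
    trailer = TRAILER_RE.search(rest)
    if trailer:
        event[trailer["name"]] = trailer["text"].strip()
        rest = rest[: trailer.start()]

    for kv in KV_RE.finditer(rest):
        event[kv["key"]] = kv["value"]

    # Some event types write src/dst as "ip:port"; split those so the port is
    # its own column. IPv4 only: an IPv6 literal has more than one colon.
    for field in ("src", "dst"):
        val = event.get(field)
        if val and val.count(":") == 1:
            ip, port = val.split(":")
            event[field] = ip
            event[field + "_port"] = port
    return event


def parse_all(lines: List[str]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse many lines; return (parsed events, lines that did not parse)."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_meraki_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


if __name__ == "__main__":
    parsed, bad = parse_all(SAMPLE_LINES)
    for ev in parsed:
        print(ev)
    print(f"{len(bad)} line(s) did not match the expected shape:", bad)
```

The design choice worth carrying over to the KQL side is the explicit "did not parse" bucket: when the format drifts between firmware versions, a query that silently yields empty columns hides the drift, whereas a count of unparsed lines per device makes it visible.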
mhaasEFD
Nov 23, 2020, Copper Contributor
Thanks,
I got syslog up and running already but looking over your info. I did setup a CEF output from my graylog server and found that cleaner but if you don’t need an internal graylog server it’s probably an extra step.