Forum Discussion
David Caddick
Mar 16, 2020 (Iron Contributor)
Sentinel & Cisco Meraki?
Has anyone had any experience with getting Cisco Meraki feeds ingesting into Sentinel? Just checking for any gotchas...
JKatzmandu
Nov 23, 2020 (Brass Contributor)
I've done this Meraki recipe for two customers; it comes in via syslog, syslog puts it into its own file, it's read as a Custom Log by the Log Analytics Agent and is forwarded into Sentinel. Then within Sentinel we have a KQL function to extract the most common stuff. What's frustrating is that Cisco Meraki isn't always the most consistent with the log format.
Here's my GitHub with the extractors, which I have no problem with anyone else using, and if you guys have fixes, I'm happy to incorporate them:
https://github.com/jkatzmandu/sentinel_tricks
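As an added illustration (not code from the post above or from the linked repository), the following Python prototype shows the kind of field extraction that the KQL function described in the post has to perform on raw Meraki syslog lines, including the layout differences the post complains about: plain `key=value` pairs, single-quoted values, and the trailing `pattern: ...` / `request: ...` clauses that do not follow the `key=value` form. The sample lines are constructed to mimic the Meraki `<epoch> <device> <type> <fields>` layout and are not captured traffic; in a real deployment the same logic would be written in KQL over the custom log table, and a prototype like this is a convenient way to check the parsing rules against sample lines before encoding them there.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines modelled on the Meraki syslog layout
# "<epoch> <device> <type> <fields...>"; these are NOT captured logs.
SAMPLE_LINES = [
    "1584371000.123456789 MX84 flows src=192.168.1.10 dst=203.0.113.5 "
    "mac=00:11:22:33:44:55 protocol=tcp sport=51234 dport=443 pattern: allow all",
    "1584371001.500000000 MX84 urls src=192.168.1.10:51234 dst=203.0.113.5:443 "
    "mac=00:11:22:33:44:55 request: GET https://example.com/index.html",
    "1584371002.000000000 MX84 events type=vpn_connectivity_change "
    "vpn_type='site-to-site' peer_contact='198.51.100.7:500' connectivity='false'",
    "1584371003.250000000 MX84 ids-alerts signature=1:12345:1 priority=1 "
    "timestamp=1584371003.2 direction=ingress protocol=tcp/ip src=203.0.113.9:80",
    "this line is not a meraki record",
]

# Header: epoch timestamp, device name, event type (may contain '-'), then the rest.
HEADER_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?P<kind>[\w-]+)\s*(?P<rest>.*)$"
)
# key=value where the value is either single-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")
# Trailing free-text clause that does not follow the key=value convention.
TAIL_RE = re.compile(r"\b(pattern|request):\s*(.*)$")
# "ip:port" values used by the urls and ids-alerts record types.
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass
class MerakiEvent:
    timestamp: float
    device: str
    kind: str
    fields: dict = field(default_factory=dict)


def split_addresses(fields):
    """Normalise src/dst into *_ip and *_port so both 'ip' and 'ip:port' forms query alike."""
    for key in ("src", "dst"):
        val = fields.get(key)
        if not val:
            continue
        m = ADDR_RE.match(val)
        if m:
            fields[f"{key}_ip"] = m.group(1)
            fields[f"{key}_port"] = int(m.group(2))
        else:
            fields[f"{key}_ip"] = val
    return fields


def parse_line(line):
    """Parse one Meraki syslog line; return None for lines that do not match the layout."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = {}
    # Peel off the trailing "pattern: ..." / "request: ..." clause first so that
    # '=' characters inside a URL are never mistaken for key=value pairs.
    tail = TAIL_RE.search(rest)
    if tail:
        fields[tail.group(1)] = tail.group(2).strip()
        rest = rest[: tail.start()]
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return MerakiEvent(
        timestamp=float(m.group("ts")),
        device=m.group("device"),
        kind=m.group("kind"),
        fields=split_addresses(fields),
    )


def parse_lines(lines):
    """Parse a batch of lines, silently dropping the ones that are not Meraki records."""
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def counts_by_kind(events):
    """Per-record-type counts, the first thing to check after changing an extractor."""
    return Counter(ev.kind for ev in events)


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(ev.kind, ev.device, ev.fields)
    print(dict(counts_by_kind(parse_lines(SAMPLE_LINES))))
```

Running the block prints one parsed record per sample line and the per-type counts; the unparseable fifth line is dropped rather than producing a half-filled record, which is the behaviour you want from the equivalent KQL so that unexpected format variations surface as a count mismatch instead of as silently empty columns.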
mhaasEFD
Dec 05, 2020 (Copper Contributor)
Are you running this function when you query, or can this be used at collection without having to create individual custom fields?
- krabelize, Nov 05, 2023 (Copper Contributor)
UnifiedJD Here is a blog post with some Meraki Analytics rules: https://cryptsus.com/blog/cisco-meraki-sentinel-siem.html
- UnifiedJD, Jun 10, 2021 (Copper Contributor)
JKatzmandu good thread, the solution worked well to get the data separated. The only issue here is Sentinel has 0 analytics for Meraki; none of their scheduled/ML/Anomaly analytics will ever query that table, so I am going to work on getting the data into CommonSecurityLog in hopes it might catch something.
- JKatzmandu, Jan 08, 2021 (Brass Contributor)
I use it when we query; so instead of "Cisco_Meraki_CL" as the "table" in my search, it's this function...