Forum Discussion
Sentinel & Cisco Meraki?
I've done this Meraki recipe for two customers; it comes in via syslog, syslog puts it into its own file, it's read as a Custom Log by the Log Analytics Agent and is forwarded into Sentinel. Then within Sentinel we have a KQL function to extract the most common stuff. What's frustrating is that Cisco Meraki isn't always the most consistent with the log format.
Here's my GitHub with the extractors, which I have no problem with anyone else using, and if you guys have fixes, I'm happy to incorporate them:
https://github.com/jkatzmandu/sentinel_tricks
- mhaasEFDNov 23, 2020Copper Contributor
Thanks,
I got syslog up and running already but looking over your info. I did set up a CEF output from my graylog server and found that cleaner, but if you don't need an internal graylog server it's probably an extra step.
- mhaasEFDDec 05, 2020Copper Contributor
Are you running this function when you query? Or can this be used at collection without having to create individual custom fields?
- JKatzmanduJan 08, 2021Brass Contributor
I use it when we query; so instead of "Cisco_Meraki_CL" as the "table" in my search, it's this function...
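The query-time pattern described above, as an added example that is not the poster's function from the linked repository: a KQL function that reads the raw Custom Log rows and extracts fields, so the function name is used in place of the Cisco_Meraki_CL table. The sample rows are constructed here in the "<epoch> <device> <event type> key=value ..." shape Meraki syslog commonly uses (that shape, the function name MerakiParse and the column names are assumptions, not anything the thread confirms). Because the key=value section varies between event types, the extraction is generic: every key=value pair goes into a property bag, and only a few well-known keys are promoted to typed columns.

```kql
// Constructed sample rows standing in for Cisco_Meraki_CL (assumption:
// the Log Analytics agent lands each syslog line in the RawData column).
let sample = datatable(TimeGenerated: datetime, RawData: string) [
    datetime(2021-01-08T10:00:00Z), "1610100000.123456789 MX64-HQ flows src=10.10.1.25 dst=203.0.113.7 mac=00:11:22:33:44:55 protocol=tcp sport=51234 dport=443 pattern: allow all",
    datetime(2021-01-08T10:00:01Z), "1610100001.223456789 MX64-HQ urls src=10.10.1.25:51235 dst=198.51.100.9:80 mac=00:11:22:33:44:55 agent='Mozilla/5.0' request: GET http://example.test/login",
    datetime(2021-01-08T10:00:02Z), "1610100002.323456789 MX64-HQ ids-alerts signature=1:2100498:7 priority=2 direction=ingress protocol=tcp/ip src=198.51.100.9:80 dst=10.10.1.25:51235",
    datetime(2021-01-08T10:00:03Z), "1610100003.423456789 MS220-8P events type=8021x_eap_success port=3 identity=jdoe",
];
// Hypothetical function body. Saved as a Sentinel function named MerakiParse
// over Cisco_Meraki_CL, it is queried as "MerakiParse" instead of the table.
let MerakiParse = (T: (TimeGenerated: datetime, RawData: string)) {
    T
    // Fixed prefix: epoch timestamp, device name, event type, then the rest
    | parse RawData with EpochText: string " " Device: string " " EventType: string " " Rest: string
    | extend MerakiTime = unixtime_seconds_todatetime(toreal(EpochText))
    // Generic key=value extraction; tolerates keys that are missing or reordered
    | extend kv = extract_all(@"(\w+)=(\S+)", Rest)
    | mv-apply kv to typeof(dynamic) on (
        summarize Fields = make_bag(bag_pack(tostring(kv[0]), tostring(kv[1])))
      )
    // Trailing free text such as "pattern: allow all" or "request: GET ..."
    | extend Trailer = extract(@"\b(pattern|request):\s*(.*)$", 2, Rest)
    // Promote the keys most rules need; src/dst may carry a ":port" suffix
    | extend SrcIp = tostring(split(tostring(Fields.src), ":")[0]),
             DstIp = tostring(split(tostring(Fields.dst), ":")[0]),
             Protocol = tostring(Fields.protocol),
             Priority = toint(Fields.priority)
    | project-away kv, EpochText
};
sample
| invoke MerakiParse()
| project MerakiTime, Device, EventType, SrcIp, DstIp, Protocol, Priority, Trailer, Fields
```

To use it against real data, replace the datatable with Cisco_Meraki_CL and save the let-bound body as a function; the Fields bag keeps every pair the line carried, so an analytics rule can still reach keys that were not promoted (for example Fields.signature on ids-alerts rows).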
- UnifiedJDJun 10, 2021Copper Contributor
JKatzmandu good thread, the solution worked well to get the data separated. The only issue here is Sentinel has 0 analytics for Meraki, none of their scheduled/ML/Anomaly analytics will ever query that table so I am going to work on getting the data into CommonSecurityLog in hopes it might catch something.
- krabelizeNov 05, 2023Copper Contributor
UnifiedJD Here is a blog post with some Meraki Analytics rules: https://cryptsus.com/blog/cisco-meraki-sentinel-siem.html