Need Cisco Meraki firewall logs on Sentinel

Jaffar Hussain 26 Reputation points
2022-12-07T03:24:09.95+00:00

Want to get Cisco Meraki firewall logs on Sentinel. Kindly, anybody share a complete flow, either in terms of documentation or as available, because after searching a lot I am still unable to find proper guidance to configure Meraki firewall logs on Microsoft Sentinel.

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

Accepted answer
  1. Givary-MSFT 35,591 Reputation points Microsoft Employee
    2022-12-07T14:46:20.543+00:00

    @Jaffar Hussain Adding to David's comments, the Cisco Meraki data connector is based on Syslog, and many of our customers have been asking us to build an API-based data connector to help with ease of deployment. The new Cisco Meraki data connector uses the Cisco Meraki REST API to fetch security events (supported by Cisco Meraki MX security appliances) and supports DCR-based ingestion-time transformations.


    As part of the new data connector, we have out-of-the-box ingestion-time transformations that parse the received security event data into custom columns, so that queries don't need to parse it again, resulting in better performance.

    In addition to ingestion-time transformations, we have also added query-time normalization to map the security events received from Cisco Meraki to the ASIM Network Session normalization schema. This ensures that Meraki events are available in the uniform, normalized views of the Network Session schema, making the events source agnostic and enabling you to use common security content that is built on the Network Session ASIM schema.

    We have also updated the existing Meraki parser (for syslog events) to make it compatible with the new data connector (for Cisco Meraki REST API) to ensure that your current security content continues to work with the new data connector.
    NOTE: The new data connector currently supports the Files Scanned and IDS Alert event types that are reported as part of security events.


    Let me know if this information helps, if you have any further questions, feel free to post back.
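As an added illustration of the query-time normalization described in this answer (this is example KQL written for this page, not the Sentinel solution's own Meraki parser), the query below takes Meraki MX syslog lines in the form the Syslog table stores them, parses the firewall `flows` and `security_event ids_alerted` lines, and projects them onto a subset of ASIM Network Session columns. The sample rows are constructed, the host name `mx-branch` is an assumption, and lines the two parsers do not cover (the `events` row) are simply left out of the normalized view.

```kql
// Added example: query-time normalization of Meraki MX syslog into ASIM NetworkSession columns.
// Not the Sentinel solution's own parser. Sample rows are constructed; "mx-branch" is an assumed host name.
let MerakiSample = datatable(TimeGenerated:datetime, Computer:string, SyslogMessage:string) [
    datetime(2022-12-07T03:24:09Z), "mx-branch", "1670383449.038687615 MX84 flows src=192.168.111.254 dst=192.168.111.5 mac=00:18:0A:3F:D6:5D protocol=udp sport=53 dport=45829 pattern: allow all",
    datetime(2022-12-07T03:24:10Z), "mx-branch", "1670383450.123456789 MX84 flows src=10.10.0.7 dst=203.0.113.9 mac=00:18:0A:11:22:33 protocol=tcp sport=51234 dport=445 pattern: deny all",
    datetime(2022-12-07T03:24:11Z), "mx-branch", "1670383451.583583100 MX84 security_event ids_alerted signature=1:2009868:3 priority=3 timestamp=1670383451.4 direction=ingress protocol=tcp/ip src=198.51.100.77:31588 dst=192.168.111.5:80 message: ET INFO PDF Using CCITTFax Filter",
    datetime(2022-12-07T03:24:12Z), "mx-branch", "1670383452.000000000 MX84 events type=vpn_connectivity_change vpn_type=site-to-site peer_contact=198.51.100.4:50114 connectivity=true"
];
// Firewall flow records: the allow/deny verdict travels with the session tuple.
let Flows = MerakiSample
    | where SyslogMessage has "flows"
    | parse SyslogMessage with * " flows src=" SrcIpAddr:string " dst=" DstIpAddr:string " mac=" SrcMacAddr:string
        " protocol=" Proto:string " sport=" SrcPortNumber:int " dport=" DstPortNumber:int " pattern: " Pattern:string
    | extend
        EventType = "NetworkSession",
        EventSeverity = "Informational",
        DvcAction = iff(Pattern startswith "deny", "Deny", "Allow"),
        EventResult = iff(Pattern startswith "deny", "Failure", "Success"),
        NetworkProtocol = toupper(Proto),
        NetworkDirection = "",
        ThreatId = "",
        ThreatName = "";
// IDS alerts: same tuple, but written as ip:port, with a Snort signature and priority attached.
let IdsAlerts = MerakiSample
    | where SyslogMessage has "ids_alerted"
    | parse SyslogMessage with * " signature=" ThreatId:string " priority=" Priority:int " timestamp=" * " direction=" Direction:string
        " protocol=" Proto:string " src=" SrcIpAddr:string ":" SrcPortNumber:int " dst=" DstIpAddr:string ":" DstPortNumber:int " message: " ThreatName:string
    | extend
        EventType = "NetworkSession",
        // Snort priority 1 is the most severe.
        EventSeverity = case(Priority == 1, "High", Priority == 2, "Medium", "Low"),
        // The ids_alerted syslog line does not state whether the MX blocked the session, so no verdict is guessed here.
        DvcAction = "",
        EventResult = "Success",
        // "tcp/ip" -> "TCP"
        NetworkProtocol = toupper(tostring(split(Proto, "/")[0])),
        NetworkDirection = iff(Direction == "ingress", "Inbound", "Outbound"),
        SrcMacAddr = "";
union Flows, IdsAlerts
| project TimeGenerated, EventVendor = "Cisco", EventProduct = "Meraki MX", EventSchema = "NetworkSession",
    EventType, EventSeverity, EventResult, DvcAction, Dvc = Computer, DvcHostname = Computer,
    SrcIpAddr, SrcPortNumber, SrcMacAddr, DstIpAddr, DstPortNumber, NetworkProtocol, NetworkDirection, ThreatId, ThreatName
| order by TimeGenerated asc
```

Replace `MerakiSample` with `Syslog | where Computer == "<your MX>"` to run it against live data; the `parse` operator fills unmatched columns with nulls rather than failing, so the `where ... has` filters in front of each parser are what keep unrelated syslog lines out of the result.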


1 additional answer

  1. David Broggy 6,196 Reputation points MVP
    2022-12-07T14:06:51.653+00:00

    Cisco Meraki will log via syslog using the standard Cisco IOS logging commands.
    The trick may be the logging level you want to set.
    I would not recommend a logging level lower than 5 (Notification).
    However, the user login events are at log level 6 (Information).

    So after setting log level 5 you should add a 'logging list' for the additional events you need.

    For example, my Meraki was showing 113005 for the Invalid Password and Account Locked Out events, so your logging list might look like:

    ! The list carries the base severity and the extra message ID; 'logging trap' then points at the list.
    ! A second plain 'logging trap notification' would replace 'logging trap mylist', not add to it.
    logging list mylist level notification
    logging list mylist message 113005
    logging trap mylist
    logging host <ip of syslog collector>

    If someone has a more comprehensive list of level 6 events that are of value for all Cisco IOS devices, please share them here!

    References:
    3132434
    ch18s09.html

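To confirm on the Sentinel side that the level-6 message IDs added through the logging list are actually arriving, and to make use of them once they do, here is an added KQL example (not David's code, and not from the original thread). The sample rows are constructed and the host name `fw-edge` is an assumption; the query assumes the firewall's syslog lands in the Syslog table with the Cisco `%ASA-<severity>-<message id>:` prefix at the start of `SyslogMessage`. It splits out severity and message ID, then flags five or more 113005 authentication rejections for one user from one source IP within a 10-minute window.

```kql
// Added example, not part of the original answer. Constructed sample rows; "fw-edge" is an assumed host name.
// Assumes the firewall's syslog arrives in the Syslog table with "%ASA-<severity>-<id>: " at the start of SyslogMessage.
let AsaSample = datatable(TimeGenerated:datetime, Computer:string, SyslogMessage:string) [
    datetime(2022-12-07T14:00:01Z), "fw-edge", "%ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    datetime(2022-12-07T14:00:05Z), "fw-edge", "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.3 : user = admin : user IP = 198.51.100.23",
    datetime(2022-12-07T14:00:09Z), "fw-edge", "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.3 : user = admin : user IP = 198.51.100.23",
    datetime(2022-12-07T14:00:14Z), "fw-edge", "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.3 : user = admin : user IP = 198.51.100.23",
    datetime(2022-12-07T14:00:20Z), "fw-edge", "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.3 : user = admin : user IP = 198.51.100.23",
    datetime(2022-12-07T14:00:27Z), "fw-edge", "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.3 : user = admin : user IP = 198.51.100.23",
    datetime(2022-12-07T14:03:41Z), "fw-edge", "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.3 : user = jsmith : user IP = 10.20.30.40",
    datetime(2022-12-07T14:05:00Z), "fw-edge", "%ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:10.0.0.5/445 by access-group \"outside_in\""
];
// Split the Cisco prefix into severity (0-7) and message ID so both can be filtered on.
let Parsed = AsaSample
    | parse SyslogMessage with "%ASA-" Severity:int "-" MessageId:string ": " Description:string
    | where isnotempty(MessageId);
// Inventory check: run this line instead of the detection below to see which severities and IDs
// the logging list is really forwarding (a missing 113005 row means the list is not taking effect).
//   Parsed | summarize Events = count() by Severity, MessageId | order by Severity asc
Parsed
| where MessageId == "113005"
| extend
    User   = extract(@"user = (\S+)", 1, Description),
    Reason = extract(@"reason = ([^:]+?) :", 1, Description),
    SrcIp  = extract(@"user IP = (\d{1,3}(?:\.\d{1,3}){3})", 1, Description)
| summarize Failures = count(), Reasons = make_set(Reason), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, User, SrcIp, Window = bin(TimeGenerated, 10m)
| where Failures >= 5
```

On the sample data only the `admin` / `198.51.100.23` row survives the threshold (five rejections inside the 14:00 window); the single `jsmith` rejection is dropped. Swap `AsaSample` for `Syslog` and wrap the query in a scheduled analytics rule to turn it into an alert.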
