This sample workflow retrieves all security events from Meraki for a specific Org ID, filters them down to "Malware Downloaded" and "IDS Priority 1" events, and sends the details of each to a Webex Teams space. Please make sure to set the 4 variables ('api key meraki', 'api key webex', 'webex space ID' and 'Meraki Org ID') before running (follow the installation steps to do so). You can also run this on a schedule by enabling a trigger.
- Retrieve Meraki MX security events.
- Filter for high-priority events; right now these are "Malware Downloaded" and "IDS Priority 1" events.
- Send a Webex Teams notification to the Space of your choice.
- Add a case in SecureX Casebook with the observables of the event.
- Can be run on a schedule or from a trigger.
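The filter and payload-building steps above, as an added example in Python (not part of the workflow or of SecureX). It runs offline: the event field names follow the Meraki Dashboard API's organization appliance security events endpoint, the sample events are constructed, the mapping of "Malware Downloaded" to a malicious file that was allowed rather than blocked is an assumption, and the casebook dict is only a sketch of title/description/observables that you would map onto the CTR Create Casebook activity's inputs. The Meraki and Webex requests are built but not sent.

```python
"""Filter Meraki MX security events and build the Webex/casebook payloads.

Added example, not part of the original workflow. Field names follow the Meraki
Dashboard API security events endpoint; SAMPLE_EVENTS is constructed.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

MERAKI_BASE = "https://api.meraki.com/api/v1"
WEBEX_MESSAGES = "https://webexapis.com/v1/messages"

# Constructed sample of the list returned by
# GET /organizations/{organizationId}/appliance/security/events
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-01-15T10:00:00Z", "eventType": "IDS Alert", "priority": "1",
     "clientName": "LAPTOP-01", "clientMac": "00:11:22:33:44:55",
     "clientIp": "10.0.0.12", "srcIp": "198.51.100.7", "destIp": "10.0.0.12",
     "signature": "1:2000000:1", "message": "constructed high-priority IDS signature"},
    {"ts": "2024-01-15T10:01:00Z", "eventType": "IDS Alert", "priority": "3",
     "clientIp": "10.0.0.13", "srcIp": "203.0.113.9", "destIp": "10.0.0.13",
     "signature": "1:2000001:1", "message": "constructed low-priority IDS signature"},
    {"ts": "2024-01-15T10:02:00Z", "eventType": "File Scanned", "disposition": "Malicious",
     "action": "allowed", "clientIp": "10.0.0.20", "clientMac": "66:77:88:99:aa:bb",
     "uri": "http://bad.example/payload.exe", "canonicalName": "payload.exe",
     "sha256": "0" * 64},
    {"ts": "2024-01-15T10:03:00Z", "eventType": "File Scanned", "disposition": "Malicious",
     "action": "blocked", "clientIp": "10.0.0.21",
     "uri": "http://bad.example/other.exe", "sha256": "1" * 64},
    {"ts": "2024-01-15T10:04:00Z", "eventType": "File Scanned", "disposition": "Clean",
     "action": "allowed", "clientIp": "10.0.0.22",
     "uri": "http://files.example/ok.pdf", "sha256": "2" * 64},
]


def classify(event: Dict) -> Optional[str]:
    """Return the alert label for events the workflow escalates, else None."""
    if event.get("eventType") == "IDS Alert" and str(event.get("priority")) == "1":
        return "IDS Priority 1"
    # Assumption: a malicious file counts as "downloaded" only when the MX allowed it.
    if (event.get("eventType") == "File Scanned"
            and event.get("disposition") == "Malicious"
            and event.get("action") == "allowed"):
        return "Malware Downloaded"
    return None


def filter_high_priority(events: List[Dict]) -> List[Tuple[str, Dict]]:
    """Keep only events with a label, paired with that label."""
    kept = []
    for event in events:
        label = classify(event)
        if label:
            kept.append((label, event))
    return kept


def extract_observables(event: Dict) -> List[Dict[str, str]]:
    """Map event fields to SecureX (CTIM) observable {type, value} pairs, deduplicated."""
    mapping = [("ip", "clientIp"), ("ip", "srcIp"), ("ip", "destIp"),
               ("mac_address", "clientMac"), ("sha256", "sha256"),
               ("url", "uri"), ("file_name", "canonicalName")]
    seen, observables = set(), []
    for obs_type, field in mapping:
        value = event.get(field)
        if value and (obs_type, value) not in seen:
            seen.add((obs_type, value))
            observables.append({"type": obs_type, "value": value})
    host = urlparse(event.get("uri", "")).hostname   # domain pivots well in threat response
    if host and ("domain", host) not in seen:
        observables.append({"type": "domain", "value": host})
    return observables


def webex_markdown(label: str, event: Dict) -> str:
    """Markdown body for the Webex message: one line per populated key field."""
    fields = ["ts", "clientName", "clientIp", "srcIp", "destIp", "signature",
              "message", "uri", "sha256", "action"]
    lines = [f"**Meraki MX security event: {label}**"]
    lines += [f"- {k}: {event[k]}" for k in fields if event.get(k)]
    return "\n".join(lines)


def meraki_request(api_key: str, org_id: str, timespan_seconds: int = 3600) -> Dict:
    """Request for the security events endpoint (built, not sent). The timespan keeps a
    scheduled run to events since the previous run; responses are paginated (perPage <= 1000)."""
    return {"url": f"{MERAKI_BASE}/organizations/{org_id}/appliance/security/events",
            "headers": {"Authorization": f"Bearer {api_key}"},
            "params": {"timespan": timespan_seconds, "perPage": 1000}}


def webex_request(token: str, room_id: str, markdown: str) -> Dict:
    """Request for POST /v1/messages (built, not sent). A bot can only post to spaces it is in."""
    return {"url": WEBEX_MESSAGES,
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            "json": {"roomId": room_id, "markdown": markdown}}


def casebook(label: str, event: Dict) -> Dict:
    """Sketch of the casebook content (shape assumed; map onto the CTR Create Casebook inputs)."""
    return {"title": f"Meraki MX: {label} {event.get('ts', '')}".strip(),
            "description": webex_markdown(label, event),
            "observables": extract_observables(event)}


def process(events: List[Dict]) -> List[Dict]:
    """One alert (Webex text plus casebook sketch) per escalated event."""
    return [{"label": label, "webex": webex_markdown(label, e), "casebook": casebook(label, e)}
            for label, e in filter_high_priority(events)]


if __name__ == "__main__":
    for alert in process(SAMPLE_EVENTS):
        print(alert["webex"])
        print(alert["casebook"]["observables"])
```

Run against the constructed sample, only the priority-1 IDS alert and the allowed malicious download are escalated; the priority-3 alert, the blocked download and the clean file are dropped. If you change the assumption and also want blocked malware in the casebook, relax the `action` check in `classify`.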
Below you can view the current workflow. Please feel inspired to add to it as you see fit. Always test thoroughly before using it in production!
Below you can see the result of the case in SecureX Casebook. Remember, it can also send a Webex Teams message!
- Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
- US: https://securex-ao.us.security.cisco.com/orch-ui/workflows/
- EU: https://securex-ao.eu.security.cisco.com/orch-ui/workflows/
- APJC: https://securex-ao.apjc.security.cisco.com/orch-ui/workflows/
- Click on IMPORT to import the workflow:
- Click on Browse and copy and paste the content of the meraki-mx-security-events.json file into the text window.
- Click on IMPORT. You will now receive an error that information is missing:
- Click on UPDATE and fill in the CTR (SecureX threat response), Meraki and Webex API keys. These are not stored as plain text; SecureX stores them as "secure strings".
Note: To obtain the threat response API keys, create one here: https://securex.us.security.cisco.com/settings/apiClients. Please change the .us. in the URL to .eu. or .apjc. respectively for the European or Asian instances. You may already have one created; just make sure it has at least the Casebook scope checked. If you are using the EU or APJC instance, you will also need to change the target of the CTRGenerateAccessToken and CTR Create Casebook activities in the workflow. You do this by clicking on the activity and scrolling to the target section. Make sure to do this for all 4 related CTR targets! Here is an example:
Note: To obtain your Meraki API key, please follow these steps: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API. The key inherits the dashboard permissions of the account that generated it, and this workflow only reads security events, so generate it from a read-only dashboard account.
Note: Please retrieve your Webex key from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations. The bot must be added to the space before it can post there.
- You are still missing 2 more values before you are done. Click on the workflow like below, and let's fill in the Meraki Org ID and Webex Team space ID.
- Click on the Meraki Org ID variable and fill in the Org ID of the Meraki organization that you want to track security events for. More info on this can be found here: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API#Organizations
- Next click on webex space ID. You can create a new space or find an existing one via this link; retrieve the Room ID from: https://developer.webex.com/docs/api/v1/rooms/list-rooms. You can also add the [email protected] bot to the room and it will send you the roomId in a private message and then remove itself from the room.
- Now it is time to test: click on RUN in the top right of your window, and everything should be working now. If not, troubleshoot by clicking on the activity that is colored red.
- As a final step you could choose to schedule this workflow.
- Please test this properly before implementing it in a production environment. This is a sample workflow!
- Christopher van der Made (Cisco)