meraki-mx-security-events-workflow's Introduction

License: CISCO published

SecureX Orchestration Workflow to Retrieve and Parse Meraki MX Security Events

This sample workflow retrieves all security events from Meraki for a specific Org ID. It then selects the Malware Downloaded and IDS Priority 1 events and sends the details of these to a Webex Teams space. Please make sure to set the 4 variables ('api key meraki', 'api key webex', 'webex space ID' and 'Meraki Org ID') before running (follow the installation steps to do so). You can also run this on a schedule by enabling a trigger.

Features

  • Retrieve Meraki MX security events.
  • Filter for high priority events, right now: "Malware Downloaded" and "IDS Priority 1" events.
  • Send Webex Teams notification to Space of choice.
  • Add Case in SecureX Casebook with observables of event.
  • Possibility to run scheduled or based on trigger.
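
The filtering and notification steps listed above, sketched in Python as an added example (not the workflow's own logic, which lives in the imported JSON file). The event field names are assumptions modelled on the Meraki Dashboard API security-events response, "Malware Downloaded" is assumed to correspond to a "File Scanned" event with a "Malicious" disposition, and all sample values are constructed.

```python
# Constructed sample events. Field names are assumptions modelled on the
# Meraki Dashboard API security-events response; all values are made up.
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T10:00:00Z", "eventType": "IDS Alert", "priority": "1",
     "srcIp": "192.0.2.10:51234", "destIp": "198.51.100.7:445",
     "message": "constructed priority 1 signature"},
    {"ts": "2020-06-01T10:05:00Z", "eventType": "IDS Alert", "priority": "3",
     "srcIp": "192.0.2.11:40000", "destIp": "198.51.100.8:80",
     "message": "constructed low priority signature"},
    {"ts": "2020-06-01T10:07:00Z", "eventType": "File Scanned",
     "disposition": "Malicious", "srcIp": "203.0.113.5:80",
     "destIp": "192.0.2.12:50000", "uri": "http://example.test/a.bin",
     "fileHash": "0" * 64},
    {"ts": "2020-06-01T10:09:00Z", "eventType": "File Scanned",
     "disposition": "Clean", "srcIp": "203.0.113.6:80",
     "destIp": "192.0.2.13:50001", "uri": "http://example.test/b.txt",
     "fileHash": "1" * 64},
]

def is_high_priority(event):
    """Keep only IDS priority 1 alerts and malicious file downloads."""
    kind = event.get("eventType")
    if kind == "IDS Alert":
        return str(event.get("priority")) == "1"  # priority may be str or int
    if kind == "File Scanned":
        return event.get("disposition") == "Malicious"
    return False

def observables(event):
    """Extract typed observables to attach to a case."""
    found = []
    for key in ("srcIp", "destIp"):
        value = event.get(key)
        if value:
            # Drop a trailing ":port" from IPv4 "address:port" values.
            host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
            found.append({"type": "ip", "value": host})
    if event.get("uri"):
        found.append({"type": "url", "value": event["uri"]})
    if event.get("fileHash"):
        found.append({"type": "sha256", "value": event["fileHash"]})
    return found

def webex_message(room_id, events):
    """Build the JSON body for a Webex message; nothing is sent here."""
    lines = [f"- {e.get('ts')} **{e.get('eventType')}** "
             f"{e.get('srcIp')} -> {e.get('destIp')}" for e in events]
    header = f"{len(events)} high priority MX event(s)"
    return {"roomId": room_id, "markdown": "\n".join([header] + lines)}

HIGH = [e for e in SAMPLE_EVENTS if is_high_priority(e)]
```

Events with an unknown type or a missing priority fall through to `False`, so an unexpected API field change produces fewer notifications rather than a crash; monitor for a sudden drop to zero.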

Below you can view the current workflow. Please feel inspired to add to it as you see fit. Please always test thoroughly before using in production!

Below you can see the result of the case in SecureX Casebook. Remember, it can also send a Webex Teams message!

Installation

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
  1. Click on IMPORT to import the workflow:

  1. Click on Browse and copy paste the content of the meraki-mx-security-events.json file inside of the text window.

  1. Click on IMPORT. You will now receive an error that information is missing:

  1. Click on UPDATE and fill in the CTR (SecureX threat response), Meraki and Webex API keys. These are not stored as plain text, as they are stored as "secure strings" in SecureX.

Note: To obtain the threat response API keys, create one here: https://securex.us.security.cisco.com/settings/apiClients. Please change the .us. in the URL to .eu. or .apjc. respectively for the European or Asian instances. You might already have these created; just make sure the key has at least the Casebook scope checked. If you are using the EU or APJC instance, you will also need to change the target of the CTRGenerateAccessToken and CTR Create Casebook activities in the workflow. You do this by clicking on the activity and scrolling to the target section. Make sure to do this for all 4 related CTR targets! Here is an example:

Note: To obtain your Meraki API key, please follow these steps: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API

Note: Please retrieve your Webex key from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations.

  1. You are still missing 2 more values before you are done. Click on the workflow like below, and let's fill in the Meraki Org ID and Webex Team space ID.

  1. Click on the Meraki Org ID variable and fill in the Org ID of the Meraki organization that you want to track security events for. More info on this can be found here: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API#Organizations

  1. Next, click on webex space ID. You can create a new space or use an existing one; retrieve the Room ID from: https://developer.webex.com/docs/api/v1/rooms/list-rooms. You can also add the [email protected] bot to the room and it will send you the roomId in a private message and then remove itself from the room.

  1. Now it is time to test. Click on RUN in the top right of your window, and everything should be working now. If not, try troubleshooting by clicking on the activity that is colored red.

  1. As a final step you could choose to schedule this workflow.

Notes

  • Please test this properly before implementing in a production environment. This is a sample workflow!

Author(s)

  • Christopher van der Made (Cisco)
