Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Appliances | meraki_appliances | NDJSON | API | ||||
Clients | ✅ | ✅ | meraki_clients | NDJSON | API | ||
Clients Traffic | ✅ | ✅ | meraki_clients_traffic | NDJSON | API | ||
Networks | meraki_networks | NDJSON | API | ||||
Security Events | ✅ | meraki_security_events | NDJSON | API | |||
Air Marshal | ✅ | meraki_airmarshal_logs | Key value | S3 | |||
Meraki Syslog Logs | ✅ | ✅ | meraki_syslog_logs | Key value | S3 | ||
Meraki Auth Users | ✅ | ✅ | meraki_auth_users | NDJSON | API |
Overview
Cisco Meraki offers a range of networking solutions, including wireless access points, security appliances, switches, and mobile device management (MDM) software. Meraki's products are designed to be easy to deploy, manage, and scale, making them ideal for businesses of all sizes, including those without dedicated IT resources. The cloud-based management dashboard allows administrators to configure devices, monitor network performance, and apply security policies from anywhere, providing a high level of visibility and control. Meraki's emphasis on simplicity and scalability has made it a popular choice for organizations looking to streamline their IT operations and improve network reliability.
Supported data types
Appliances
Overview
Table name: meraki_appliances
Meraki Appliances logs capture detailed information on the operations, security, and performance of network devices managed through Cisco's Meraki cloud-managed platform. These logs can include data on network traffic, device status, configuration changes, and security alerts, aiding in network management and troubleshooting.
Learn more here.
Send data to Hunters
Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.
To connect Cisco Meraki logs:
1. Switch to an Organization - Read Only Admin role.
   📘 Why?
   The generated API key inherits the access level of the admin who created it. Because Hunters requires read-only permissions, the API key must be generated by a user with the corresponding role.
   To configure a read-only admin, follow the instructions in the Meraki Documentation.
2. From the left-side menu, navigate to Organization > Settings.
3. Under the Dashboard API access section, enable the API Access and click Save Changes.
4. From the upper bar, click on your email address and then select My profile.
5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one, you will have to revoke the old one first.
6. The newly generated key will pop up. Copy the key and save it in a secure location.
7. Complete the process on the Hunters platform, following these guidelines.
💡 Tip: When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.
Expected format
Logs are expected in NDJSON format.
{"name": "Name", "serial": "QSS-PP78-MS9D", "mac": "1:1:1:a1:11:e1", "networkId": "L_592223999999220653", "productType": "wireless", "model": "MR42", "address": "", "lat": 51.5192, "lng": 12.406100000000038, "notes": "", "tags": ["recently-added"], "lanIp": "10.10.10.10", "configurationUpdatedAt": "2021-09-07T12:04:34Z", "firmware": "wireless-25-14", "url": "https://n52.meraki.com/___/n/GGGGG/manage/nodes/new_list/111111", "sample_time": "2021-09-07T12:27:40.712Z"}
Clients
Overview
Table name: meraki_clients
Meraki client logs provide detailed information about the network activity and behavior of devices connected to the Meraki network. These logs can include data on the connectivity status, bandwidth usage, security incidents, and other diagnostic information to help in monitoring, troubleshooting, and optimizing client device performance on the network.
Learn more here.
Send data to Hunters
Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.
To connect Cisco Meraki logs:
1. Switch to an Organization - Read Only Admin role.
   📘 Why?
   The generated API key inherits the access level of the admin who created it. Because Hunters requires read-only permissions, the API key must be generated by a user with the corresponding role.
   To configure a read-only admin, follow the instructions in the Meraki Documentation.
2. From the left-side menu, navigate to Organization > Settings.
3. Under the Dashboard API access section, enable the API Access and click Save Changes.
4. From the upper bar, click on your email address and then select My profile.
5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one, you will have to revoke the old one first.
6. The newly generated key will pop up. Copy the key and save it in a secure location.
7. Complete the process on the Hunters platform, following these guidelines.
💡 Tip: When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.
Expected format
Logs are expected in NDJSON format.
{"id": "k6111794", "mac": "1c:f1:da:c1:10:df", "description": null, "ip": "10.10.10.10", "ip6": null, "ip6Local": null, "user": null, "firstSeen": "2020-05-03T22:42:20Z", "lastSeen": "2021-09-07T12:26:23Z", "manufacturer": "Samsung", "os": "Samsung TV", "deviceTypePrediction": null, "recentDeviceSerial": "AA11-AVCS-9GFW", "recentDeviceName": "MELB-AAA1", "recentDeviceMac": "1c:1b:19:d1:ea:11", "recentDeviceConnection": "Wired", "ssid": null, "vlan": "1", "switchport": null, "usage": {"sent": 9150, "recv": 129793, "total": 139543}, "status": "Online", "notes": null, "smInstalled": false, "groupPolicy8021x": null, "adaptivePolicyGroup": null, "sample_time": "2021-09-07T12:27:46.766Z", "network_id": "L_59222111119220483"}
Clients Traffic
Overview
Table name: meraki_clients_traffic
Meraki client traffic logs record the data traffic details for devices connected to the Meraki network, including the amount of data transmitted and received, the type of traffic, and the applications or services used. These logs are crucial for analyzing network usage patterns, identifying bandwidth demands, and troubleshooting network issues.
Learn more here.
Send data to Hunters
Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.
To connect Cisco Meraki logs:
1. Switch to an Organization - Read Only Admin role.
   📘 Why?
   The generated API key inherits the access level of the admin who created it. Because Hunters requires read-only permissions, the API key must be generated by a user with the corresponding role.
   To configure a read-only admin, follow the instructions in the Meraki Documentation.
2. From the left-side menu, navigate to Organization > Settings.
3. Under the Dashboard API access section, enable the API Access and click Save Changes.
4. From the upper bar, click on your email address and then select My profile.
5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one, you will have to revoke the old one first.
6. The newly generated key will pop up. Copy the key and save it in a secure location.
7. Complete the process on the Hunters platform, following these guidelines.
💡 Tip: When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.
Expected format
Logs are expected in NDJSON format.
{"ts": "2021-09-07T00:00:00.000000Z", "application": "iTunes", "destination": "itunes.apple.com", "protocol": "TCP", "port": 443, "recv": 11, "sent": 5, "numFlows": 2, "activeSeconds": 120, "sample_time": "2021-09-07T12:28:00.582Z", "network_id": "L_592211110999220483", "client_id": "k111752"}
Networks
Overview
Table name: meraki_networks
Network logs provide information about the networks that the user has privileges on in an organization, including the relevant product types, time zone, and more.
Learn more here.
Send data to Hunters
Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.
To connect Cisco Meraki logs:
1. Switch to an Organization - Read Only Admin role.
   📘 Why?
   The generated API key inherits the access level of the admin who created it. Because Hunters requires read-only permissions, the API key must be generated by a user with the corresponding role.
   To configure a read-only admin, follow the instructions in the Meraki Documentation.
2. From the left-side menu, navigate to Organization > Settings.
3. Under the Dashboard API access section, enable the API Access and click Save Changes.
4. From the upper bar, click on your email address and then select My profile.
5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one, you will have to revoke the old one first.
6. The newly generated key will pop up. Copy the key and save it in a secure location.
7. Complete the process on the Hunters platform, following these guidelines.
💡 Tip: When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.
Expected format
Logs are expected in NDJSON format.
{"id": "L_592221111999220483", "organizationId": "1111", "name": "Melbourne Network", "productTypes": ["appliance", "switch", "systemsManager", "wireless"], "timeZone": "Israel/Tel-Aviv", "tags": [], "enrollmentString": null, "url": "https://n52.meraki.com/Tel-Aviv-Networ/n/1111/manage/usage/list", "notes": "", "isBoundToConfigTemplate": false, "sample_time": "2021-09-07T12:27:44.034Z"}
Security Events
Overview
Table name: meraki_security_events
Lists all security events for a network, including the types of the events, relevant IP addresses, timestamps and more.
Learn more here.
Send data to Hunters
Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.
To connect Cisco Meraki logs:
1. Switch to an Organization - Read Only Admin role.
   📘 Why?
   The generated API key inherits the access level of the admin who created it. Because Hunters requires read-only permissions, the API key must be generated by a user with the corresponding role.
   To configure a read-only admin, follow the instructions in the Meraki Documentation.
2. From the left-side menu, navigate to Organization > Settings.
3. Under the Dashboard API access section, enable the API Access and click Save Changes.
4. From the upper bar, click on your email address and then select My profile.
5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one, you will have to revoke the old one first.
6. The newly generated key will pop up. Copy the key and save it in a secure location.
7. Complete the process on the Hunters platform, following these guidelines.
💡 Tip: When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.
Expected format
Logs are expected in NDJSON format.
{"ts": "2021-09-06T19:23:15.386013Z", "eventType": "File Scanned", "clientName": "DESKTOP-AAA1", "clientMac": "1c:1f:17:c1:1e:e1", "clientIp": "172.01.01.01", "srcIp": "172.01.01.01", "destIp": "10.10.10.10", "protocol": "http", "uri": "http://b.11r.ts.cdn.office.net/pr/411ddd-3a01-4f97-b9c0-c7c1111/Office/Data/11.0.15601.20088/i640.c2rx", "canonicalName": "", "destinationPort": 80, "fileHash": "d7329811111e78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873", "fileType": "ZIP", "fileSizeBytes": 10481576, "disposition": "Unknown", "action": "Allowed", "sample_time": "2021-09-07T12:25:23.165Z"}
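A triage pass over records of this shape, as an added example that is not Hunters or Meraki code: it groups allowed file events of unknown disposition by file hash so that every client that received the same file shows up together, and it counts malformed NDJSON lines instead of aborting on them. The input is constructed, the hashes are placeholders, and the "Blocked" and "IDS Alert" values are assumptions not taken from this page.

```python
import json
from collections import defaultdict

# Constructed records shaped like the meraki_security_events sample above.
# Hashes are placeholders; "Blocked" and "IDS Alert" are assumed values.
_BASE = {"eventType": "File Scanned", "protocol": "http",
         "disposition": "Unknown", "action": "Allowed"}
SAMPLE = "\n".join([
    json.dumps({**_BASE, "clientName": "DESKTOP-AAA1", "fileHash": "placeholder-hash-a"}),
    json.dumps({**_BASE, "clientName": "DESKTOP-BBB2", "fileHash": "placeholder-hash-a"}),
    json.dumps({**_BASE, "clientName": "DESKTOP-AAA1", "fileHash": "placeholder-hash-b",
                "action": "Blocked"}),
    '{"ts": "2021-09-06T19:23:15.386013Z", "eventType": "File Sca',  # truncated line
    json.dumps({"eventType": "IDS Alert", "clientName": "DESKTOP-CCC3"}),
])


def allowed_unknown_files(ndjson_text):
    """Return ({fileHash: [clients]}, skipped_line_count) for allowed unknown files."""
    clients_by_hash = defaultdict(set)
    skipped = 0
    for raw in ndjson_text.splitlines():
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # corrupt or truncated record: count it and keep going
            continue
        if not isinstance(event, dict):
            skipped += 1  # NDJSON lines must each hold one object
            continue
        if event.get("eventType") != "File Scanned":
            continue
        if event.get("action") == "Allowed" and event.get("disposition") == "Unknown":
            client = event.get("clientName") or event.get("clientMac") or "unknown-client"
            clients_by_hash[event.get("fileHash") or "no-hash"].add(client)
    return {h: sorted(c) for h, c in clients_by_hash.items()}, skipped


if __name__ == "__main__":
    groups, skipped = allowed_unknown_files(SAMPLE)
    print(groups, "skipped lines:", skipped)
```

A non-zero skipped count is worth alerting on in its own right, since it means part of the event stream never reached the detection logic.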
Air Marshal
Overview
Table name: meraki_airmarshal_logs
Cisco Meraki’s Air Marshal mode allows network administrators to design an airtight network architecture that provides a WIPS platform in order to protect the airspace from wireless attacks. Air Marshal events are generated as syslog messages describing the wireless traffic detected.
Learn more here.
Send data to Hunters
Hunters supports the collection of Air Marshal logs using an intermediary AWS S3 bucket.
Follow this guide to export the data to syslog, and then export it to an S3 bucket accessible to Hunters.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format.
1 1701694904.006948381 ABC1_1D_EFG1_HI22 airmarshal_events type=type_1 ssid='ID-1234' bssid='C1:A2:E3:64:15:C6' src='C5:A6:E7:68:19:C0' dst='FF:FF:FF:EE:EE:EE' wired_mac='' vlan_id='' channel='1' rssi='22' fc_type='0' fc_subtype='1'
Meraki Syslog Logs
Overview
Table name: meraki_syslog_logs
Meraki devices can generate syslog logs, which are messages containing information about system events, status, and performance. These logs can be sent to a syslog server for storage, analysis, and monitoring. Syslog logs from Meraki devices can provide valuable insights into network activity, security incidents, and device performance. By analyzing syslog logs, administrators can identify and troubleshoot issues, monitor network traffic, and ensure compliance with security policies. Meraki syslog logs can be configured to include different levels of detail, allowing administrators to customize the logging process to meet their specific needs.
Send data to Hunters
Hunters supports the collection of Cisco Meraki Syslog using an intermediary AWS S3 bucket.
Follow this guide to export the logs into an S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format.
1706285609.588568598 SSC_MR_55_3rd_Floor_10_4_0_131 flows allow src=10.4.13.153 dst=10.0.0.65 mac=28:6B:35:DB:CA:FE protocol=tcp sport=62389 dport=443
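A parser for the key-value layout of both the Air Marshal sample and the syslog flows sample above, as an added example that is not Hunters or Meraki code. The layout (optional leading version field, epoch timestamp, device name, event type, optional bare words, then key=value pairs with bare or single-quoted values) is inferred from those two sample lines only.

```python
import re
from datetime import datetime, timezone

# [syslog version] <epoch.nanos> <device name> <event type> <remainder>
_HEADER = re.compile(r"^(?:\d+\s+)?(\d{9,10}\.\d+)\s+(\S+)\s+(\S+)\s*(.*)$")
# key=value pairs: values are single-quoted (Air Marshal) or bare (flows)
_PAIR = re.compile(r"(\w+)=(?:'([^']*)'|(\S*))")

# The two sample lines shown on this page
AIRMARSHAL = ("1 1701694904.006948381 ABC1_1D_EFG1_HI22 airmarshal_events "
              "type=type_1 ssid='ID-1234' bssid='C1:A2:E3:64:15:C6' "
              "src='C5:A6:E7:68:19:C0' dst='FF:FF:FF:EE:EE:EE' wired_mac='' "
              "vlan_id='' channel='1' rssi='22' fc_type='0' fc_subtype='1'")
FLOW = ("1706285609.588568598 SSC_MR_55_3rd_Floor_10_4_0_131 flows allow "
        "src=10.4.13.153 dst=10.0.0.65 mac=28:6B:35:DB:CA:FE protocol=tcp "
        "sport=62389 dport=443")


def parse_meraki_syslog(line):
    """Split one line into header fields, bare qualifiers and key=value pairs."""
    header = _HEADER.match(line.strip())
    if header is None:
        raise ValueError("unrecognised Meraki syslog line: %r" % line[:60])
    epoch, device, event_type, rest = header.groups()
    first = _PAIR.search(rest)
    # Bare words before the first pair, such as "allow" on a flows line
    qualifiers = (rest[:first.start()] if first else rest).split()
    # An empty quoted value (wired_mac='') stays as an empty string
    fields = {key: quoted or bare for key, quoted, bare in _PAIR.findall(rest)}
    seconds = int(epoch.split(".")[0])
    return {
        "time": datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat(),
        "epoch": epoch,  # original string, keeps the nanosecond precision
        "device": device,
        "event_type": event_type,
        "qualifiers": qualifiers,
        "fields": fields,
    }


if __name__ == "__main__":
    for sample in (AIRMARSHAL, FLOW):
        print(parse_meraki_syslog(sample))
```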
Meraki Auth Users
Overview
Table name: meraki_auth_users
The Meraki Auth Users logs list the users configured under Meraki Authentication for a network (splash guest or RADIUS users for a wireless network, or client VPN users for a MX network).
Learn more here.
Send data to Hunters
Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.
To connect Cisco Meraki logs:
1. Switch to an Organization - Read Only Admin role.
   📘 Why?
   The generated API key inherits the access level of the admin who created it. Because Hunters requires read-only permissions, the API key must be generated by a user with the corresponding role.
   To configure a read-only admin, follow the instructions in the Meraki Documentation.
2. From the left-side menu, navigate to Organization > Settings.
3. Under the Dashboard API access section, enable the API Access and click Save Changes.
4. From the upper bar, click on your email address and then select My profile.
5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one, you will have to revoke the old one first.
6. The newly generated key will pop up. Copy the key and save it in a secure location.
7. Complete the process on the Hunters platform, following these guidelines.
💡 Tip: When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.
Expected format
Logs are expected in NDJSON format.
[
{
"id": "aGlAaGkuY29t",
"email": "miles@meraki.com",
"name": "Miles Meraki",
"createdAt": "2018-02-11T00:00:00.090210Z",
"accountType": "802.1X",
"isAdmin": false,
"authorizations": [
{
"ssidNumber": 1,
"authorizedZone": "Store WiFi",
"expiresAt": "2018-03-13T00:00:00.090210Z",
"authorizedByName": "Miles Meraki",
"authorizedByEmail": "miles@meraki.com"
}
]
}
]