Cisco Meraki

  • Updated on Jan 26, 2025
  • Published on May 15, 2023
Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Appliances

meraki_appliances

NDJSON

API

Clients

✅

✅

meraki_clients

NDJSON

API

Clients Traffic

✅

✅

meraki_clients_traffic

NDJSON

API

Networks

meraki_networks

NDJSON

API

Security Events

✅

meraki_security_events

NDJSON

API

Air Marshal

✅

meraki_airmarshal_logs

Key value

S3

Meraki Syslog Logs

✅

✅

meraki_syslog_logs

Key value

S3

Meraki Auth Users

✅

✅

meraki_auth_users

NDJSON

API

Overview

imageCisco Meraki offers a range of networking solutions, including wireless access points, security appliances, switches, and mobile device management (MDM) software. Meraki's products are designed to be easy to deploy, manage, and scale, making them ideal for businesses of all sizes, those without dedicated IT resources. The cloud-based management dashboard allows administrators to configure devices, monitor network performance, and apply security policies from anywhere, providing a high level of visibility and control. Meraki's emphasis on simplicity and scalability has made it a popular choice for organizations looking to streamline their IT operations and improve network reliability.

Supported data types

Appliances

Overview

Table name: meraki_appliances

Meraki Appliances logs capture detailed information on the operations, security, and performance of network devices managed through Cisco's Meraki cloud-managed platform. These logs can include data on network traffic, device status, configuration changes, and security alerts, aiding in network management and troubleshooting.

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.

To connect Cisco Meraki logs:

  1. Switch to an Organization - Read Only Admin role.

    📘 Why?

    The generated API Key inherits the access level of the admin who created it. As Hunters requires read-only permissions, the API Key will have to be set up by a corresponding user role.

    To configure a read-only admin, follow the instructions in the Meraki Documentation.

  2. From the left-side menu, navigate to Organization > Settings.
    image

  3. Under the Dashboard API access section, enable the API Access and click Save Changes.
    image

  4. From the upper bar, click on your email address and then select My profile.
    image

  5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one you will have to revoke the old one first.
    image

    The new generated key will pop up.

  6. Copy the key and save it in a secure location.
    image

  7. Complete the process on the Hunters platform, following these guidelines.

    💡Tip
    When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.


Expected format

Logs are expected in NDJSON format.

{"name": "Name", "serial": "QSS-PP78-MS9D", "mac": "1:1:1:a1:11:e1", "networkId": "L_592223999999220653", "productType": "wireless", "model": "MR42", "address": "", "lat": 51.5192, "lng": 12.406100000000038, "notes": "", "tags": ["recently-added"], "lanIp": "10.10.10.10", "configurationUpdatedAt": "2021-09-07T12:04:34Z", "firmware": "wireless-25-14", "url": "https://n52.meraki.com/___/n/GGGGG/manage/nodes/new_list/111111", "sample_time": "2021-09-07T12:27:40.712Z"}

Clients

Overview

Table name: meraki_clients

Meraki client logs provide detailed information about the network activity and behavior of devices connected to the Meraki network. These logs can include data on the connectivity status, bandwidth usage, security incidents, and other diagnostic information to help in monitoring, troubleshooting, and optimizing client device performance on the network.

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.

To connect Cisco Meraki logs:

  1. Switch to an Organization - Read Only Admin role.

    📘 Why?

    The generated API Key inherits the access level of the admin who created it. As Hunters requires read-only permissions, the API Key will have to be set up by a corresponding user role.

    To configure a read-only admin, follow the instructions in the Meraki Documentation.

  2. From the left-side menu, navigate to Organization > Settings.
    image

  3. Under the Dashboard API access section, enable the API Access and click Save Changes.
    image

  4. From the upper bar, click on your email address and then select My profile.
    image

  5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one you will have to revoke the old one first.
    image

    The new generated key will pop up.

  6. Copy the key and save it in a secure location.
    image

  7. Complete the process on the Hunters platform, following these guidelines.

    💡Tip
    When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.


Expected format

Logs are expected in NDJSON format.

{"id": "k6111794", "mac": "1c:f1:da:c1:10:df", "description": null, "ip": "10.10.10.10", "ip6": null, "ip6Local": null, "user": null, "firstSeen": "2020-05-03T22:42:20Z", "lastSeen": "2021-09-07T12:26:23Z", "manufacturer": "Samsung", "os": "Samsung TV", "deviceTypePrediction": null, "recentDeviceSerial": "AA11-AVCS-9GFW", "recentDeviceName": "MELB-AAA1", "recentDeviceMac": "1c:1b:19:d1:ea:11", "recentDeviceConnection": "Wired", "ssid": null, "vlan": "1", "switchport": null, "usage": {"sent": 9150, "recv": 129793, "total": 139543}, "status": "Online", "notes": null, "smInstalled": false, "groupPolicy8021x": null, "adaptivePolicyGroup": null, "sample_time": "2021-09-07T12:27:46.766Z", "network_id": "L_59222111119220483"}

Clients Traffic

Overview

Table name: meraki_clients_traffic

Meraki client traffic logs record the data traffic details for devices connected to the Meraki network, including the amount of data transmitted and received, the type of traffic, and the applications or services used. These logs are crucial for analyzing network usage patterns, identifying bandwidth demands, and troubleshooting network issues.

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.

To connect Cisco Meraki logs:

  1. Switch to an Organization - Read Only Admin role.

    📘 Why?

    The generated API Key inherits the access level of the admin who created it. As Hunters requires read-only permissions, the API Key will have to be set up by a corresponding user role.

    To configure a read-only admin, follow the instructions in the Meraki Documentation.

  2. From the left-side menu, navigate to Organization > Settings.
    image

  3. Under the Dashboard API access section, enable the API Access and click Save Changes.
    image

  4. From the upper bar, click on your email address and then select My profile.
    image

  5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one you will have to revoke the old one first.
    image

    The new generated key will pop up.

  6. Copy the key and save it in a secure location.
    image

  7. Complete the process on the Hunters platform, following these guidelines.

    💡Tip
    When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.


Expected format

Logs are expected in NDJSON format.

{"ts": "2021-09-07T00:00:00.000000Z", "application": "iTunes", "destination": "itunes.apple.com", "protocol": "TCP", "port": 443, "recv": 11, "sent": 5, "numFlows": 2, "activeSeconds": 120, "sample_time": "2021-09-07T12:28:00.582Z", "network_id": "L_592211110999220483", "client_id": "k111752"}

Networks

Overview

Table name: meraki_networks

Network logs provide information about the networks that the user has privileges on in an organization, including the relevant product types, time zone, and more.

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.

To connect Cisco Meraki logs:

  1. Switch to an Organization - Read Only Admin role.

    📘 Why?

    The generated API Key inherits the access level of the admin who created it. As Hunters requires read-only permissions, the API Key will have to be set up by a corresponding user role.

    To configure a read-only admin, follow the instructions in the Meraki Documentation.

  2. From the left-side menu, navigate to Organization > Settings.
    image

  3. Under the Dashboard API access section, enable the API Access and click Save Changes.
    image

  4. From the upper bar, click on your email address and then select My profile.
    image

  5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one you will have to revoke the old one first.
    image

    The new generated key will pop up.

  6. Copy the key and save it in a secure location.
    image

  7. Complete the process on the Hunters platform, following these guidelines.

    💡Tip
    When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.


Expected format

Logs are expected in NDJSON format.

{"id": "L_592221111999220483", "organizationId": "1111", "name": "Melbourne Network", "productTypes": ["appliance", "switch", "systemsManager", "wireless"], "timeZone": "Israel/Tel-Aviv", "tags": [], "enrollmentString": null, "url": "https://n52.meraki.com/Tel-Aviv-Networ/n/1111/manage/usage/list", "notes": "", "isBoundToConfigTemplate": false, "sample_time": "2021-09-07T12:27:44.034Z"}

Security Events

Overview

Table name: meraki_security_events

Lists all security events for a network, including the types of the events, relevant IP addresses, timestamps and more.

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.

To connect Cisco Meraki logs:

  1. Switch to an Organization - Read Only Admin role.

    📘 Why?

    The generated API Key inherits the access level of the admin who created it. As Hunters requires read-only permissions, the API Key will have to be set up by a corresponding user role.

    To configure a read-only admin, follow the instructions in the Meraki Documentation.

  2. From the left-side menu, navigate to Organization > Settings.
    image

  3. Under the Dashboard API access section, enable the API Access and click Save Changes.
    image

  4. From the upper bar, click on your email address and then select My profile.
    image

  5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one you will have to revoke the old one first.
    image

    The new generated key will pop up.

  6. Copy the key and save it in a secure location.
    image

  7. Complete the process on the Hunters platform, following these guidelines.

    💡Tip
    When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.


Expected format

Logs are expected in NDJSON format.

{"ts": "2021-09-06T19:23:15.386013Z", "eventType": "File Scanned", "clientName": "DESKTOP-AAA1", "clientMac": "1c:1f:17:c1:1e:e1", "clientIp": "172.01.01.01", "srcIp": "172.01.01.01", "destIp": "10.10.10.10", "protocol": "http", "uri": "http://b.11r.ts.cdn.office.net/pr/411ddd-3a01-4f97-b9c0-c7c1111/Office/Data/11.0.15601.20088/i640.c2rx", "canonicalName": "", "destinationPort": 80, "fileHash": "d7329811111e78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873", "fileType": "ZIP", "fileSizeBytes": 10481576, "disposition": "Unknown", "action": "Allowed", "sample_time": "2021-09-07T12:25:23.165Z"}

Air Marshal

Overview

Table name: meraki_airmarshal_logs

Cisco Meraki’s Air Marshal mode allows network administrators to design an airtight network architecture that provides a WIPS platform in order to protect the airspace from wireless attacks. Air Marshal events are generated as syslog messages describing the wireless traffic detected.

Learn more here.

Send data to Hunters

Hunters supports the collection of Air Marshal logs using an intermediary AWS S3 bucket.

  1. Follow this guide to export the data to syslog, and then export it to S3 accessible to Hunters.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Key value format.

1 1701694904.006948381 ABC1_1D_EFG1_HI22 airmarshal_events type=type_1 ssid='ID-1234' bssid='C1:A2:E3:64:15:C6' src='C5:A6:E7:68:19:C0' dst='FF:FF:FF:EE:EE:EE' wired_mac='' vlan_id='' channel='1' rssi='22' fc_type='0' fc_subtype='1'

Meraki Syslog Logs

Overview

Table name: meraki_syslog_logs

Meraki devices can generate syslog logs, which are messages containing information about system events, status, and performance. These logs can be sent to a syslog server for storage, analysis, and monitoring. Syslog logs from Meraki devices can provide valuable insights into network activity, security incidents, and device performance. By analyzing syslog logs, administrators can identify and troubleshoot issues, monitor network traffic, and ensure compliance with security policies. Meraki syslog logs can be configured to include different levels of detail, allowing administrators to customize the logging process to meet their specific needs.

Send data to Hunters

Hunters supports the collection of Cisco Meraki Syslog using an intermediary AWS S3 bucket.

  1. Follow this guide to export the logs into an S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Key value format.

1706285609.588568598 SSC_MR_55_3rd_Floor_10_4_0_131 flows allow src=10.4.13.153 dst=10.0.0.65 mac=28:6B:35:DB:CA:FE protocol=tcp sport=62389 dport=443

Meraki Auth Users

Overview

Table name: meraki_auth_users

The Meraki Auth Users logs list the users configured under Meraki Authentication for a network (splash guest or RADIUS users for a wireless network, or client VPN users for a MX network).

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from Cisco Meraki using API. Complete the process below to gather required information from your Cisco instance and to set up log collection.

To connect Cisco Meraki logs:

  1. Switch to an Organization - Read Only Admin role.

    📘 Why?

    The generated API Key inherits the access level of the admin who created it. As Hunters requires read-only permissions, the API Key will have to be set up by a corresponding user role.

    To configure a read-only admin, follow the instructions in the Meraki Documentation.

  2. From the left-side menu, navigate to Organization > Settings.
    image

  3. Under the Dashboard API access section, enable the API Access and click Save Changes.
    image

  4. From the upper bar, click on your email address and then select My profile.
    image

  5. Under API Keys, click Generate new API key. Note: If you already have a key and want to generate a new one you will have to revoke the old one first.
    image

    The new generated key will pop up.

  6. Copy the key and save it in a secure location.
    image

  7. Complete the process on the Hunters platform, following these guidelines.

    💡Tip
    When connecting from different regions, specify the region-specific Meraki hostname in the Hostname field. For example, for accounts on the China cloud network, use api.meraki.cn. Otherwise, leave the field as is with the default api.meraki.com value.


Expected format

Logs are expected in NDJSON format.

[
    {
        "id": "aGlAaGkuY29t",
        "email": "miles@meraki.com",
        "name": "Miles Meraki",
        "createdAt": "2018-02-11T00:00:00.090210Z",
        "accountType": "802.1X",
        "isAdmin": false,
        "authorizations": [
            {
                "ssidNumber": 1,
                "authorizedZone": "Store WiFi",
                "expiresAt": "2018-03-13T00:00:00.090210Z",
                "authorizedByName": "Miles Meraki",
                "authorizedByEmail": "miles@meraki.com"
            }
        ]
    }
]