
Meraki

Overview

Why is it important for Threat Hunting?

Meraki devices, usually deployed in organizational offices, can fill the role of several classic network devices at once. As a result, they provide multiple log types that are relevant for detection and for context enrichment during automatic investigations: firewall logs, DHCP logs, DNS logs, IDS logs, switch logs, and more. Each of these log types can enable detections relevant for enterprise and office networks, primarily at the network level. Additionally, depending on the logical configuration of the Meraki devices, they supply contextual information relevant for enrichment (e.g. geographical locations, network types and distinctions, in-building locations).

Supported data types

  • Appliances
  • Clients
  • Clients Traffic
  • Networks
  • Security Events

Sending data to Hunters

Prerequisites

In order for Hunters to ingest your data, you must supply it with an Authentication Token. Log in to Meraki and follow these steps:

  1. Switch to a read-only admin
    Make sure to log in to the Meraki dashboard as an 'Organization - Read Only Admin'.
    The generated API Key inherits the access level of the admin who created it.
    To configure a read-only admin, follow the instructions in the Meraki Documentation.
  2. On the left menu bar, under Organization, go to Settings.

  3. In the settings section, enable the API Access and click Save Changes.

  4. Go to your profile page.

  5. Under API Keys click the Generate new API key button.

Note

If you already have a key and want to generate a new one you will have to revoke the old one first.

  6. The newly generated key will pop up. Copy the key and save it in a secure location.
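Because the key inherits the access level of the admin who created it, it is worth confirming that level before handing the key to any third party. The following is an added example, not part of the Hunters or Meraki documentation: it assumes the Meraki Dashboard API v1 endpoints `/administered/identities/me`, `/organizations` and `/organizations/{id}/admins` are readable with the key, and the sample responses are constructed.

```python
import json
import urllib.request

BASE = "https://api.meraki.com/api/v1"  # Meraki Dashboard API v1 base URL

def api_get(path, api_key):
    """GET a Dashboard API path with the key under test and parse the JSON body."""
    req = urllib.request.Request(BASE + path, headers={
        "Authorization": f"Bearer {api_key}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def key_access_level(identity, admins):
    """Return the orgAccess of the admin that owns the key, or None if not found."""
    owner = (identity.get("email") or "").lower()
    if not owner:
        return None
    for admin in admins:
        if (admin.get("email") or "").lower() == owner:
            return admin.get("orgAccess")
    return None

def is_safe_to_share(identity, admins):
    """Fail closed: only an explicit 'read-only' organization access passes."""
    return key_access_level(identity, admins) == "read-only"

def check_key(api_key):
    """Live check: map each organization the key can see to its owner's access level."""
    identity = api_get("/administered/identities/me", api_key)
    result = {}
    for org in api_get("/organizations", api_key):
        admins = api_get(f"/organizations/{org['id']}/admins", api_key)
        result[org["name"]] = key_access_level(identity, admins)
    return result

# Constructed sample responses (not real data), trimmed to the fields used above.
SAMPLE_IDENTITY = {"name": "Hunters Integration", "email": "hunters-ro@example.com"}
SAMPLE_ADMINS = [
    {"email": "netops@example.com", "orgAccess": "full", "hasApiKey": True},
    {"email": "Hunters-RO@example.com", "orgAccess": "read-only", "hasApiKey": True},
]

if __name__ == "__main__":
    print(is_safe_to_share(SAMPLE_IDENTITY, SAMPLE_ADMINS))
```

Any value other than `read-only` from `check_key`, including `None` when the owner cannot be matched, means the key should be revoked and regenerated from a read-only admin account.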

Creating a Dataflow

After generating a new API Key, log in to the Hunters Portal, go to the "Data Flows" section in the left bar, and click the "Add Data Flows" button.

  1. In the Product box, select Meraki
  2. Paste the API Key you generated into the Authentication Token box.
  3. Click the "Test Connection" button.
  4. After the test has passed, click the "Submit" button and the dataflow will be created.
