Why is it important for Threat Hunting?
Meraki devices, usually deployed in organizational offices, can act as many different classic devices at once, and as such provide multiple different log types which are helpful and relevant for detection and for context enrichment during automatic investigations - firewall logs, DHCP logs, DNS logs, IDS logs, switch logs, and more. Each one of these log types from the Meraki devices can enable detections relevant for the enterprise and office networks, primarily at the network level. Additionally, depending on the logical configuration of the Meraki devices, they supply contextual information relevant for enrichment (e.g. geographical locations, network types and distinctions, in-building locations).
Supported data types
- Clients Traffic
- Security Events
Sending data to Hunters
For Hunters to ingest your data, you must supply it with an Authentication Token. Log in to Meraki and follow these steps:
1. Switch to a read-only admin.
   Make sure to log in to the Meraki dashboard with an 'Organization - Read Only Admin'.
   The generated API Key inherits the access level of the admin who created it.
   To configure a read-only admin, follow the instructions in the Meraki Documentation.
2. On the left menu bar, under Organization, go to Settings.
3. In the settings section, enable the API Access and click Save Changes.
4. Go to your profile page.
5. Under API Keys, click the Generate new API key button.
   If you already have a key and want to generate a new one, you will have to revoke the old one first.
6. The newly generated key will pop up. Copy the key and save it in a secure location.
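Because the key inherits the access level of the admin who created it, it is worth confirming that admin is read-only before the key leaves your hands. The following is an added example, not part of the Hunters or Meraki documentation: it assumes the Meraki Dashboard API v1 endpoint GET /organizations/{organizationId}/admins and its orgAccess, hasApiKey and networks fields; the environment variable names are hypothetical and the sample admin list is constructed.

```python
import json
import os
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"  # Meraki Dashboard API v1 base URL


def fetch_admins(api_key, org_id):
    """Call GET /organizations/{organizationId}/admins (needs network access)."""
    req = urllib.request.Request(
        f"{API_BASE}/organizations/{org_id}/admins",
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_integration_admin(admins, email):
    """Return findings for the admin that owns the key; [] means read-only."""
    matches = [a for a in admins if a.get("email", "").lower() == email.lower()]
    if not matches:
        return [f"{email}: not an admin of this organization"]
    admin, findings = matches[0], []
    if admin.get("orgAccess") != "read-only":
        findings.append(f"{email}: orgAccess is {admin.get('orgAccess')!r}, expected 'read-only'")
    # Flag any per-network 'full' grant listed for this admin.
    for net in admin.get("networks") or []:
        if net.get("access") == "full":
            findings.append(f"{email}: full access on network {net.get('id')}")
    if not admin.get("hasApiKey"):
        findings.append(f"{email}: no API key generated for this admin")
    return findings


# Constructed sample of the admin list (addresses and IDs are made up).
SAMPLE_ADMINS = [
    {"email": "hunters-ro@example.com", "orgAccess": "read-only", "hasApiKey": True, "networks": []},
    {"email": "netops@example.com", "orgAccess": "full", "hasApiKey": True,
     "networks": [{"id": "N_0001", "access": "full"}]},
]

if __name__ == "__main__":
    # Hypothetical environment variable names; falls back to the sample when unset.
    key, org = os.environ.get("MERAKI_API_KEY"), os.environ.get("MERAKI_ORG_ID")
    admins = fetch_admins(key, org) if key and org else SAMPLE_ADMINS
    who = os.environ.get("INTEGRATION_ADMIN_EMAIL", "hunters-ro@example.com")
    for line in audit_integration_admin(admins, who) or [f"{who}: read-only, OK"]:
        print(line)
```

An empty findings list means the admin behind the key is an organization read-only admin with a key issued.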
Creating a Dataflow
After generating a new API Key, log in to the Hunters Portal, go to the "Data Flows" section in the left bar, and click the "Add Data Flows" button.
- In the Product box, select Meraki
- Paste the API Key you generated into the Authentication Token box
- Click the "Test Connection" button.
- After the test has passed, click the "Submit" button and the dataflow will be created.