Meraki

Community

Meraki to Microsoft Sentinel integration using API

Seasco
Comes here often
‎May 15 2024 12:14 PM
‎May 15 2024 12:14 PM

Meraki to Microsoft Sentinel integration using API

Trying to integrate Meraki with Microsoft Sentinel using API. Sentinel has a data connector that helps with this and requires the API key and organization ID. It gets connected, and logs are coming in.

 

Now, the questions:

 

1) Are there any configurations required at the individual Meraki devices' end to ensure this API method retrieves logs from all connected devices? There are many MX devices, access points, and switches. The API is generated from the dashboard as per documentation 


2) Are the IDS/Security events collected via API the same as when collected via syslog method ?

 

3) What are the important considerations when opting for API collection instead of syslog collection?

Labels:
0 Kudos
3 Replies 3
MariaP8
Meraki Employee
Meraki Employee
‎May 16 2024 12:21 PM
‎May 16 2024 12:21 PM

Hi,

 

I'm not familiar with using Microsoft Sentinel for the API. Are you looking at something like Cisco Meraki Events via REST API? Or like Cisco Meraki connector for Microsoft Sentinel

 

1) Not from individual Meraki devices. However, depending on the API endpoint you are using you may need to enter information such as a VLAN ID, serial number, port, etc. Those are just parameters of some API endpoints. 

 

2) Yes, if using one of these endpoints: getOrganizationApplianceSecurityEvents or getNetworkApplianceSecurityEvents. 

 

3) This depends on how everything is formatted with Microsoft Sentinel. What comes to mind is how the information will be processed and if formatting is important. Lastly, keep your API key safe. 

 

Let me know if you have any questions. 

Maria P | Network Support Engineer, Cisco Meraki
In response to MariaP8
Seasco
Comes here often
‎May 16 2024 12:42 PM
‎May 16 2024 12:42 PM

Yes, I’m using Cisco Meraki Events via REST API data connector in sentinel. 

Thanks for the responses. I’m not able to view which API endpoint the connector is querying as it is an out-of-the-box connector provided by Microsoft. I'll see if there is documentation available related to this. And yes, I’ll keep the API key safe.

0 Kudos
In response to Seasco
MariaP8
Meraki Employee
Meraki Employee
‎May 16 2024 3:10 PM
‎May 16 2024 3:10 PM

Hi,

 

From Cisco Meraki Events via REST API

 

The Cisco Meraki Events via REST API solution for Microsoft Sentinel enables you to easily ingest the following events from Cisco Meraki MX security appliance to Microsoft Sentinel using Cisco Meraki API:

1. Organization Appliance Security Events
2. Organization Api Requests
3. Organization Configuration Changes

 

1. Based on the information above I would expect this to use most GET organization level API calls. 

- when clicking this link type "/organization" into the first search box. 

 

2. It also specifically calls out the Organization Appliance Security Events which is probably this call: getOrganizationApplianceSecurityEvents.

 

3. Refers to the changelog found under Organization > Changelog. This seems to refer to this API endpoint: getOrganizationConfigurationChanges

 

But as you stated, it's always good to get confirmation from Microsoft. 

 

Feel free to reach back out should you need anything else. 

Maria P | Network Support Engineer, Cisco Meraki
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.