I wondered if someone can provide some advice regarding the following matter.
I have been asked to determine if it is feasible to send API requests within the Meraki console to an external SIEM product to monitor which users access which APIs.
Would anyone be able to confirm if I can export audit logs for API request activity within the Meraki console out to an external SIEM solution for monitoring and alerting purposes?
Many Thanks
Maybe it can help you.
https://developer.cisco.com/meraki/api-latest/#!get-organization-api-requests
Hi Alemabrahao,
I've already viewed this link, however it doesn't explain to me how I can get this information into my SIEM tool. I also don't have all the information to use the tool on that link, which appears to just be a review web tool rather than getting logs direct from Meraki into SIEM. I have a webhook set up to collect event logs from Meraki devices, and expect there to be a method to capture this level of data for auditing activity within the console via SIEM.
Is your SIEM unable to access this data via API?
Yes, I can access data via APIs, however I'm struggling to understand how I would do this using this URL.
Is there no guidance explaining how to capture this data from the URL, or is the tool on this URL also available in the Meraki console and I connect to the console using the API in my SIEM to capture the data?
@JPC6892 the link that @alemabrahao posted is to the documentation and test page for use by humans, it's not the actual endpoint as it would be used for real (which is like... https://api.meraki.com/api/v1/organizations/org_id/apiRequests )
In practice you need to access this endpoint within a program that has the surrounding code to handle scheduling, authentication etc., get the data and then push it to your SIEM tool.
Meraki make the API available, they don't generally develop integrations for other companies' tools - that's the job of the SIEM developer, third-party developer(s), or you/your organization to do.
Afaik there's no Meraki webhook (or other push) of the API usage data, so the only way you'll get it is via the API.
If you want to detect in near real-time, you need to develop something to get the last few minutes usage data every few minutes, then push it into your SIEM using whatever method it supports.
If you know Python, the Meraki Python library simplifies using the API... https://github.com/meraki/dashboard-api-python
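The polling approach described in the answer above, as an added example (not code from the thread or from Meraki): each cycle reads the apiRequests endpoint for a time window that overlaps the previous one, drops records already forwarded, and emits one JSON line per request. The response field names follow Meraki's documented sample response; the function names, the added `source` and `write` fields and the sample records are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

URL = "https://api.meraki.com/api/v1/organizations/{org_id}/apiRequests"
ISO = "%Y-%m-%dT%H:%M:%SZ"
KEY_FIELDS = ("ts", "adminId", "method", "path", "queryString", "sourceIp")

def fetch_api_requests(api_key, org_id, t0, t1):
    """Live fetch: API request log entries between t0 and t1 (ISO 8601 strings)."""
    query = urllib.parse.urlencode({"t0": t0, "t1": t1, "perPage": 1000})
    req = urllib.request.Request(URL.format(org_id=org_id) + "?" + query,
                                 headers={"Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)  # assumption: a few minutes of traffic fits one page

def key(rec):
    # Records carry no unique id, so a record is identified by its fields.
    return tuple(rec.get(f) for f in KEY_FIELDS)

def poll_once(fetch, cursor, now, seen, overlap=timedelta(minutes=1)):
    """Fetch [cursor - overlap, now] and return (new lines, new cursor, new seen set).
    The overlap catches late-logged entries; keep it shorter than the poll interval."""
    records = fetch((cursor - overlap).strftime(ISO), now.strftime(ISO))
    fresh = [r for r in records if key(r) not in seen]
    # One JSON line per request; "write" marks anything that is not a read.
    lines = [json.dumps({**r, "source": "meraki_api_audit",
                         "write": r.get("method") != "GET"}, sort_keys=True)
             for r in fresh]
    return lines, now, {key(r) for r in records}

# Constructed sample records (made-up values) standing in for the live endpoint.
SAMPLE = [
    {"adminId": "1001", "method": "GET", "path": "/api/v1/organizations/123/networks",
     "queryString": "", "ts": "2024-05-01T10:01:10Z", "responseCode": 200, "sourceIp": "192.0.2.10"},
    {"adminId": "1002", "method": "PUT", "path": "/api/v1/networks/N_1/settings",
     "queryString": "", "ts": "2024-05-01T10:04:30Z", "responseCode": 200, "sourceIp": "198.51.100.7"},
    {"adminId": "1003", "method": "GET", "path": "/api/v1/organizations/123/admins",
     "queryString": "", "ts": "2024-05-01T10:07:00Z", "responseCode": 200, "sourceIp": "203.0.113.5"},
]

def fake_fetch(t0, t1):
    return [r for r in SAMPLE if t0 <= r["ts"] <= t1]

def demo():
    t = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    first, cursor, seen = poll_once(fake_fetch, t, t + timedelta(minutes=5), set())
    second, cursor, seen = poll_once(fake_fetch, cursor, t + timedelta(minutes=10), seen)
    return first, second
```

In real use, pass a wrapper around `fetch_api_requests` (or the Meraki Python library's `getOrganizationApiRequests`) as `fetch`, run `poll_once` on a schedule, and send each returned line to the SIEM by whatever ingestion method it supports.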
Thank you for the explanation, makes much more sense to me now.
If you look in marketplace, it's possible someone has already developed what you need, or could do it on your behalf.
https://apps.meraki.io/en-US/home
Yes, we also look at this. This is the API endpoint...
https://developer.cisco.com/meraki/api-v1/#!get-organization-api-requests