Meraki

Community

Monitor Meraki Organization API Requests in External SIEM

Solved
JPC6892
New here
‎Apr 3 2023 6:21 AM
‎Apr 3 2023 6:21 AM

Monitor Meraki Organization API Requests in External SIEM

 

I wondered if someone can provide some advice regarding the following matter.

 

I have been asked to determine if it is feasible to send API requests within the Meraki console to an external SIEM product to monitor which users access which API's.

 

would anyone be able to confirm if i can export audit logs for API request activity within the Meraki console out to an external SIEM solution for monitoring and alerting purposes?

 

Many Thanks

0 Kudos
1 Accepted Solution
In response to JPC6892
sungod
Kind of a big deal
‎Apr 3 2023 7:37 AM
‎Apr 3 2023 7:37 AM

@JPC6892 the link that @alemabrahao posted is to the documentation and test page for use by humans, it's not the actual endpoint as it would used for real (which is like... https://api.meraki.com/api/v1/organizations/org_id/apiRequests )

 

In practice you need to access this endpoint within a program that has the surrounding code to handle scheduling, authentication etc., get the data and then push it to your SIEM tool.

 

Meraki make the API available, they don't generally develop integrations for other companies' tools - that's the job of the SIEM developer, third-party developer(s), or you/your organization to do.

 

Afaik there's no Meraki webhook (or other push) of the API usage data, so the only way you'll get it is via the API.

 

If you want to detect in near real-time, you need to develop something to get the last few minutes usage data every few minutes, then push it into your SIEM using whatever method it supports.

 

If you know Python, the Meraki Python library simplifies using the API...  https://github.com/meraki/dashboard-api-python

 

View solution in original post

8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 3 2023 6:48 AM
‎Apr 3 2023 6:48 AM

Maybe it can help you.

 

https://developer.cisco.com/meraki/api-latest/#!get-organization-api-requests

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
JPC6892
New here
‎Apr 3 2023 6:51 AM
‎Apr 3 2023 6:51 AM

Hi Alemabrahao,

 

I've already viewed this link, however it doesn't explain to me how i can get this information in to my SIEM tool. I also don't have all the information to use the tool on that link, which appears to just be review web tool rather than getting logs direct from Meraki into SIEM. I have a webhook set up to collect event logs from meraki devices, and expect there to be a method to capture this level of data for auditing activity within the console via SIEM.

0 Kudos
In response to JPC6892
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 3 2023 7:11 AM
‎Apr 3 2023 7:11 AM

Is your SIEM unable to access this data via API?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
JPC6892
New here
‎Apr 3 2023 7:24 AM
‎Apr 3 2023 7:24 AM

Yes I can access data via API's however i'm struggling to understand how i would do this using this URL.

Is there no guidance explaining how to capture this data from the URL, or is the tool on this URL also available in the meraki console and i connect to the console using the API in my SIEM to capture the date.

0 Kudos
In response to JPC6892
sungod
Kind of a big deal
‎Apr 3 2023 7:37 AM
‎Apr 3 2023 7:37 AM

@JPC6892 the link that @alemabrahao posted is to the documentation and test page for use by humans, it's not the actual endpoint as it would used for real (which is like... https://api.meraki.com/api/v1/organizations/org_id/apiRequests )

 

In practice you need to access this endpoint within a program that has the surrounding code to handle scheduling, authentication etc., get the data and then push it to your SIEM tool.

 

Meraki make the API available, they don't generally develop integrations for other companies' tools - that's the job of the SIEM developer, third-party developer(s), or you/your organization to do.

 

Afaik there's no Meraki webhook (or other push) of the API usage data, so the only way you'll get it is via the API.

 

If you want to detect in near real-time, you need to develop something to get the last few minutes usage data every few minutes, then push it into your SIEM using whatever method it supports.

 

If you know Python, the Meraki Python library simplifies using the API...  https://github.com/meraki/dashboard-api-python

 

In response to sungod
JPC6892
New here
‎Apr 3 2023 7:38 AM
‎Apr 3 2023 7:38 AM

Thank you for the explanation, makes much more sense to me now.

0 Kudos
In response to JPC6892
sungod
Kind of a big deal
‎Apr 3 2023 7:40 AM
‎Apr 3 2023 7:40 AM

If you look in marketplace, it's possible someone has already developed what you need, or could do it on your behalf.

 

https://apps.meraki.io/en-US/home

 

0 Kudos
sungod
Kind of a big deal
‎Apr 3 2023 6:52 AM
‎Apr 3 2023 6:52 AM

Yes, we also look at this. This is the API endpoint...

 

https://developer.cisco.com/meraki/api-v1/#!get-organization-api-requests

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.