Security events count and type

omaralrafei
Here to help

I am interested in displaying the security events in an organization. I have found my way around the pagination for this specific call; however, it seems a bit tedious to call this endpoint 40 times to get all of the events in a specific timespan (1 week gets me 40000 events).

Is there a more efficient way to tackle this? Unless I need to maintain a database for my calls as a cache 🙂

sungod
Kind of a big deal

Assume you mean this call...

https://developer.cisco.com/meraki/api-v1/get-organization-appliance-security-events/ 

It will return up to a year of events. If you use the Meraki Python library it will handle the pagination for you.

FWIW, we gather this data on multiple organizations and store it for analysis/reporting; the call is run monthly for the previous month's events, and the results are appended to our long-term archive.

There are also non-appliance security events; these are retrieved per network...

https://developer.cisco.com/meraki/api-v1/get-network-events/

...the events are returned most recent first, so we page until we get to events older than the month before and stop there.

omaralrafei
Here to help

Hi @sungod, thank you for your insights on the back-end side of this API call. I am definitely interested in the security appliances' events at the moment; however, I am retrieving this data through a Node.js backend. This still requires the same amount of API calls on this endpoint, and they can't be made asynchronously as I have to wait for the "rel=next" link to be able to proceed.

I guess I was a bit optimistic in finding a faster way of providing this info, but it seems setting up a database to act as a cache is necessary for these kinds of calls, so as not to overload the server with too many requests for the same resource, as it seems redundant. 😅

sungod
Kind of a big deal

You do need to use both API calls to get all the events; the second one I mention isn't appliance specific, but it is still the only way to get certain appliance events that are security related (you can specify a filter so that it will only return appliance events).

These include...

{'category': 'Network-Based Application Recognition', 'type': 'nbar_block', 'description': 'Layer 7 firewall rule'}
{'category': 'Filtering', 'type': 'cf_block', 'description': 'Content filtering blocked URL'}
{'category': 'Filtering', 'type': 'sf_url_block', 'description': 'Security blocked URL'}
{'category': 'Filtering', 'type': 'sf_binary_block', 'description': 'Security blocked file'}
{'category': 'Intrusion Detection', 'type': 'ids_start', 'description': 'Intrusion detection started'}
{'category': 'Intrusion Detection', 'type': 'ids_error', 'description': 'Intrusion detection error'}
{'category': 'Intrusion Detection', 'type': 'ids_update', 'description': 'Intrusion detection rules update'}

...also events for AnyConnect.

This call will get you the current set of possible events; you can see which might be of interest to record...

https://developer.cisco.com/meraki/api-v1/get-network-events-event-types/
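As an added example (not code from either poster or from the Meraki library), here is the sequential "follow rel=next until the events get older than the cutoff" loop described above, written for a Node.js backend. It assumes the response carries an RFC 8288 style Link header, that events arrive most recent first, and that the timestamp field is named `occurredAt` (as for network events; the appliance security events endpoint is assumed to use `ts`); the URLs, page contents and the `fakeFetchPage` stand-in are constructed for the demo.

```javascript
// Parse a Link header ("<url>; rel=next, <url>; rel=first") into { rel: url }.
function parseLinkHeader(header) {
  const links = {};
  if (!header) return links;
  for (const part of header.split(',')) {
    const m = part.match(/<([^>]+)>\s*;\s*rel="?([^";]+)"?/);
    if (m) links[m[2].trim()] = m[1];
  }
  return links;
}

// Walk pages one after another (each next-URL comes from the previous
// response, so the calls cannot be parallelised). Events are newest first,
// so stop at the first event older than `cutoff` instead of paging to the end.
async function collectEvents(fetchPage, firstUrl, cutoff, timeField = 'occurredAt') {
  const events = [];
  let url = firstUrl;
  let calls = 0;
  while (url) {
    const { body, linkHeader } = await fetchPage(url);
    calls += 1;
    for (const ev of body) {
      if (new Date(ev[timeField]) < cutoff) return { events, calls };
      events.push(ev);
    }
    url = parseLinkHeader(linkHeader).next || null;
  }
  return { events, calls };
}

// Constructed sample: three pages of two events, newest first, constructed URLs.
const BASE = 'https://api.meraki.com/api/v1/networks/N_example/events';
const FIRST_URL = `${BASE}?perPage=2`;
const SAMPLE_PAGES = {
  [FIRST_URL]: {
    body: [{ type: 'ids_update', occurredAt: '2023-03-03T10:00:00Z' },
           { type: 'cf_block', occurredAt: '2023-03-02T09:00:00Z' }],
    linkHeader: `<${BASE}?perPage=2&startingAfter=p2>; rel=next, <${FIRST_URL}>; rel=first`,
  },
  [`${BASE}?perPage=2&startingAfter=p2`]: {
    body: [{ type: 'sf_url_block', occurredAt: '2023-03-01T08:00:00Z' },
           { type: 'nbar_block', occurredAt: '2023-02-20T08:00:00Z' }],
    linkHeader: `<${BASE}?perPage=2&startingAfter=p3>; rel=next`,
  },
  [`${BASE}?perPage=2&startingAfter=p3`]: {
    body: [{ type: 'sf_binary_block', occurredAt: '2023-02-10T08:00:00Z' }],
    linkHeader: '',
  },
};

// Stand-in for a real HTTP client (with fetch/undici: res.headers.get('link'), await res.json()).
async function fakeFetchPage(url) {
  const page = SAMPLE_PAGES[url];
  if (!page) throw new Error(`no such page: ${url}`);
  return page;
}
```

With a cutoff of 1 March the loop makes two calls and keeps three events; with no cutoff it makes all three calls and keeps five.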
