Alerts for device traffic

Solved
JacoboLevy

Given all the added security being implemented due to the Russia/Ukraine conflict, I have a question: is it possible to generate an alert when certain websites are visited, for example anything that ends in .ru or that is in Russian?

I know that with MX and Advanced Security licenses you can do a Layer 7 rule and block the country from and to, but in places where there is no Advanced Security, I would like to see if such a report could be generated.

1 Accepted Solution
CptnCrnch

Short answer: you can use Syslog or the API to query URLs that have been accessed via your Meraki infrastructure externally.

But would that make sense? Meraki has strong built-in security backed by Talos. Any attacker that directly connects back to something ending in .ru would probably be found within seconds nonetheless.

From my point of view, you'd be better off leveraging the Content Security and Threat Filtering capabilities on your MX and keeping a close eye on your Security Overview.

What you can do in addition to that is push Syslog out into a SIEM platform and/or use a network anomaly detection system like Secure Network Analytics. The possibilities there are far more efficient than simply sending out an alert for some access to a Russian website.

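As an added example (not part of the original thread, and not Meraki's own code), here is what the Syslog route in the accepted answer could look like on the SIEM side: a small Python script that parses MX `urls` syslog events and raises an alert for any request whose hostname falls under a watched top-level domain. The event format assumed here (`<epoch> <device> urls src=<ip:port> dst=<ip:port> mac=<mac> request: <METHOD> <url>`), the sample lines, and the `WATCHED_TLDS` list are all constructed assumptions; check the field layout against what your own MX actually emits before relying on it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample events (assumption: shaped like Meraki MX "urls" syslog lines).
# The last line is a "flows" event, included to show that non-URL events are ignored.
SAMPLE_SYSLOG = """\
1710000001.123 MX-HQ urls src=10.0.1.25:51234 dst=93.184.216.34:443 mac=AA:BB:CC:00:11:22 request: GET https://www.example.com/index.html
1710000002.456 MX-HQ urls src=10.0.1.40:51880 dst=203.0.113.7:80 mac=AA:BB:CC:00:11:33 request: GET http://news.example.ru/top/
1710000003.789 MX-HQ urls src=10.0.1.40:51881 dst=203.0.113.9:443 mac=AA:BB:CC:00:11:33 request: POST https://cdn.example.RU:8443/upload
1710000004.000 MX-HQ urls src=10.0.1.51:50012 dst=198.51.100.5:443 mac=AA:BB:CC:00:11:44 request: GET https://xn--e1afmkfd.xn--p1ai/
1710000005.000 MX-HQ urls src=10.0.1.60:50013 dst=198.51.100.6:443 mac=AA:BB:CC:00:11:55 request: GET https://ru.example.com/path
1710000006.000 MX-HQ flows src=10.0.1.60 dst=198.51.100.6 protocol=tcp sport=50014 dport=443 pattern: allow all
"""

# Hypothetical watch list: .ru, .su and the punycode form of .рф.
WATCHED_TLDS = {"ru", "su", "xn--p1ai"}

# Assumed field layout of an MX "urls" event; adjust if your devices log differently.
URL_EVENT = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<device>\S+) urls src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"mac=(?P<mac>\S+) request: (?P<method>\S+) (?P<url>\S+)$"
)


def parse_url_event(line):
    """Return a dict of fields for a 'urls' event, or None for anything else."""
    m = URL_EVENT.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # urlsplit().hostname lowercases the host and strips any explicit port,
    # so "cdn.example.RU:8443" becomes "cdn.example.ru".
    ev["host"] = urlsplit(ev["url"]).hostname
    return ev


def host_tld(host):
    """Last DNS label of a hostname, lowercased; None for IP literals or empty hosts."""
    if not host or ":" in host or re.fullmatch(r"[\d.]+", host):
        return None
    return host.rstrip(".").rsplit(".", 1)[-1].lower()


def find_watched(lines, watched=WATCHED_TLDS):
    """Scan syslog lines and return one alert record per request to a watched TLD."""
    alerts = []
    for line in lines:
        ev = parse_url_event(line)
        if ev is None:
            continue
        tld = host_tld(ev["host"])
        if tld in watched:
            alerts.append({
                "ts": ev["ts"],
                "device": ev["device"],
                "src": ev["src"].rsplit(":", 1)[0],  # client IP without the source port
                "mac": ev["mac"],
                "host": ev["host"],
                "tld": tld,
                "url": ev["url"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_watched(SAMPLE_SYSLOG.splitlines()):
        print(f"ALERT {a['ts']} {a['device']} {a['src']} ({a['mac']}) -> {a['host']} [.{a['tld']}] {a['url']}")
```

On the constructed sample this flags the three requests to `news.example.ru`, `cdn.example.ru` and `xn--e1afmkfd.xn--p1ai`, and leaves `ru.example.com` alone because only the final label is compared. Two caveats a practitioner should keep in mind: a TLD match says nothing about the language or hosting location of the content (which is exactly why the answer points to Layer 7 country rules and Threat Filtering instead), and connections made directly to an IP address never appear in the `urls` log, so they would need to be caught from `flows` events or a GeoIP lookup in the SIEM rather than by this check.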