Meraki to Microsoft Sentinel integration using API

Seasco

Trying to integrate Meraki with Microsoft Sentinel using API. Sentinel has a data connector that helps with this and requires the API key and organization ID. It gets connected, and logs are coming in.

Now, the questions:

1) Are there any configurations required at the individual Meraki devices' end to ensure this API method retrieves logs from all connected devices? There are many MX devices, access points, and switches. The API is generated from the dashboard as per documentation.

2) Are the IDS/Security events collected via API the same as when collected via the syslog method?

3) What are the important considerations when opting for API collection instead of syslog collection?

MariaP8
Meraki Employee

Hi,

I'm not familiar with using Microsoft Sentinel for the API. Are you looking at something like Cisco Meraki Events via REST API? Or like Cisco Meraki connector for Microsoft Sentinel?

1) Not from individual Meraki devices. However, depending on the API endpoint you are using, you may need to enter information such as a VLAN ID, serial number, port, etc. Those are just parameters of some API endpoints.

2) Yes, if using one of these endpoints: getOrganizationApplianceSecurityEvents or getNetworkApplianceSecurityEvents.

3) This depends on how everything is formatted with Microsoft Sentinel. What comes to mind is how the information will be processed and if formatting is important. Lastly, keep your API key safe.

Let me know if you have any questions.

Maria P | Network Support Engineer, Cisco Meraki
Seasco

Yes, I'm using the Cisco Meraki Events via REST API data connector in Sentinel.

Thanks for the responses. I'm not able to view which API endpoint the connector is querying as it is an out-of-the-box connector provided by Microsoft. I'll see if there is documentation available related to this. And yes, I'll keep the API key safe.

MariaP8
Meraki Employee

Hi,

From Cisco Meraki Events via REST API:

The Cisco Meraki Events via REST API solution for Microsoft Sentinel enables you to easily ingest the following events from Cisco Meraki MX security appliance to Microsoft Sentinel using Cisco Meraki API:

1. Organization Appliance Security Events
2. Organization Api Requests
3. Organization Configuration Changes

1. Based on the information above, I would expect this to use mostly GET organization-level API calls.

- When clicking this link, type "/organization" into the first search box.

2. It also specifically calls out the Organization Appliance Security Events, which is probably this call: getOrganizationApplianceSecurityEvents.

3. Refers to the changelog found under Organization > Changelog. This seems to refer to this API endpoint: getOrganizationConfigurationChanges.

But as you stated, it's always good to get confirmation from Microsoft.

Feel free to reach back out should you need anything else.

Maria P | Network Support Engineer, Cisco Meraki
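As an added illustration of the three organization-level feeds named in the reply above (this is example code, not the Sentinel connector's or Meraki's own implementation): a small pull-and-paginate client for the Dashboard API that keeps the key out of source, builds the request for each feed, and follows the Link header until the last page. The environment variable name MERAKI_API_KEY, the `fetch` callback, the organization ID placeholder and the two-page sample response are all assumptions constructed for the example.

```python
import os
import re
from typing import Dict, List, Optional, Tuple
# Dashboard API base URL and the three organization-level feeds the reply names.
BASE_URL = "https://api.meraki.com/api/v1"
ENDPOINTS = {
    "security_events": "/organizations/{org}/appliance/security/events",
    "config_changes": "/organizations/{org}/configurationChanges",
    "api_requests": "/organizations/{org}/apiRequests",
}

def auth_headers(api_key: Optional[str] = None) -> Dict[str, str]:
    """Key comes from the caller or MERAKI_API_KEY (assumed variable name), never from source."""
    key = api_key or os.environ.get("MERAKI_API_KEY")
    if not key:
        raise RuntimeError("no Meraki API key supplied")
    return {"Authorization": f"Bearer {key}", "Accept": "application/json"}

def first_page_url(kind: str, org_id: str, timespan: int = 3600, per_page: int = 1000) -> str:
    """First page of one feed; timespan is seconds back from now, perPage the page size."""
    return f"{BASE_URL}{ENDPOINTS[kind].format(org=org_id)}?timespan={timespan}&perPage={per_page}"

def next_page_url(link_header: Optional[str]) -> Optional[str]:
    """Meraki paginates with a Link header; return the rel=next URL, or None on the last page."""
    for part in (link_header or "").split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="?next"?', part)
        if m:
            return m.group(1)
    return None

def collect_all(kind, org_id, fetch, api_key=None, **params) -> List[dict]:
    """Walk every page; fetch(url, headers) does one GET and returns (json list, Link header)."""
    url, headers, events = first_page_url(kind, org_id, **params), auth_headers(api_key), []
    while url:
        body, link = fetch(url, headers)
        events.extend(body)
        url = next_page_url(link)
    return events

def demo(org_id: str = "ORG_ID_PLACEHOLDER") -> List[dict]:
    """Constructed two-page security-events response, shaped like the real feed, served offline."""
    page1 = first_page_url("security_events", org_id)
    page2 = f"{BASE_URL}{ENDPOINTS['security_events'].format(org=org_id)}?startingAfter=x"
    pages: Dict[str, Tuple[List[dict], Optional[str]]] = {
        page1: ([{"eventType": "IDS Alert", "priority": "2", "srcIp": "203.0.113.5:4444"}],
                f"<{page2}>; rel=next, <{page2}>; rel=last"),
        page2: ([{"eventType": "File Scanned", "disposition": "Malicious"}], None),
    }
    return collect_all("security_events", org_id, lambda u, h: pages[u], api_key="constructed-key")
```

In production, `fetch` would wrap an HTTP GET with the returned headers and hand back the decoded JSON body plus the response's Link header; `demo()` substitutes canned pages so the pagination logic can be exercised without credentials.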