Cisco Meraki API integration

You can integrate Cisco Meraki with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Cisco Meraki product overview

Cisco Meraki offers a cloud-managed firewall solution that integrates with Meraki's broader suite of network products. The platform itself provides centralized management, visibility, and control.

Sophos documents

Integrate Cisco Meraki (API)

What we ingest

Sample alerts seen by Sophos:

  • Malware accessed
  • Brute force login attempts
  • C2 traffic
  • Cryptocurrency Miner outbound connections
  • SQL injection attempts

Alerts ingested in full

We ingest all security events returned by the query set up here: Get Organization Appliance Security Events

Filtering

We query the endpoint /organizations/{organizationId}/appliance/security/events.

We filter the results to remove data provided in a non-compliant format.

Sample threat mappings

The alert type is defined as follows:

If the field message isn't empty, search for specific regular expressions in message using the lists provided (_.referenceValues.code_translation.regex_alert_type and _.globalReferenceValues.code_translation.regex_alert_type). If a match is found, return the result; otherwise, return the original message.

If message is empty, check that the field eventType isn't empty. If it isn't empty, perform a similar search for regular expressions in eventType. If a match is found, return the result; otherwise, return the original eventType.

If both message and eventType are empty, return undefined.

Examples mapped to MITRE ATT&CK:

{"alertType": "MySQL Login Attempt", "threatId": "TA0008", "threatName": "Lateral Movement"}
{"alertType": "TFTP request", "threatId": "T1046", "threatName": "Network Service Scanning"}
{"alertType": "Canary Disconnected", "threatId": "T1489", "threatName": "Service Stop"}
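The derivation described above and the three example mappings, as an added JavaScript example that is not part of the Sophos documentation or the integration's own code. The regex patterns and the sample event are constructed stand-ins, since the real _.referenceValues / _.globalReferenceValues lists are not shown on this page.

```javascript
// Added example, not Sophos or Cisco Meraki code: the alertType derivation
// described above plus the three ATT&CK mappings listed on the page. The regex
// lists stand in for the real _.referenceValues / _.globalReferenceValues
// code_translation.regex_alert_type lists, which are not on the page.
const referenceRegexAlertType = [           // constructed patterns
  { pattern: /mysql.*login/i, alertType: "MySQL Login Attempt" },
  { pattern: /\btftp\b/i, alertType: "TFTP request" },
];
const globalReferenceRegexAlertType = [     // constructed patterns
  { pattern: /canary.*disconnect/i, alertType: "Canary Disconnected" },
];
// alertType -> ATT&CK mappings exactly as given on the page.
const threatMappings = {
  "MySQL Login Attempt": { threatId: "TA0008", threatName: "Lateral Movement" },
  "TFTP request": { threatId: "T1046", threatName: "Network Service Scanning" },
  "Canary Disconnected": { threatId: "T1489", threatName: "Service Stop" },
};

// First matching pattern across the lists wins; null when nothing matches.
function matchAlertType(text, lists) {
  for (const list of lists) {
    for (const { pattern, alertType } of list) {
      if (pattern.test(text)) return alertType;
    }
  }
  return null;
}

// message is tried first, then eventType. A non-empty field that matches no
// pattern is returned unchanged; both fields empty or absent gives undefined.
function deriveAlertType(event, lists = [referenceRegexAlertType, globalReferenceRegexAlertType]) {
  for (const field of ["message", "eventType"]) {
    const value = event[field];
    if (typeof value === "string" && value !== "") {
      const matched = matchAlertType(value, lists);
      return matched !== null ? matched : value;
    }
  }
  return undefined;
}

// Attach threatId/threatName when the derived alertType has a mapping.
function mapThreat(event) {
  const alertType = deriveAlertType(event);
  const threat = alertType !== undefined ? threatMappings[alertType] : undefined;
  return threat ? { alertType, ...threat } : { alertType };
}

// Constructed sample event in the shape of a security-events record.
console.log(mapThreat({ message: "MySQL login attempt from 10.0.0.5", eventType: "IDS Alert" }));
```

An event whose message is non-empty but matches nothing keeps its raw message as the alertType and never falls through to eventType, which is why an unmatched message produces no threatId.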

Vendor documentation