
Cisco Meraki integration (log collector)

You can integrate Cisco Meraki with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Cisco Meraki product overview

Cisco Meraki offers a cloud-managed firewall solution that integrates with Meraki's broader suite of network products. The platform itself provides centralized management, visibility, and control.

Sophos documents

Integrate Cisco Meraki (Log collector)

What we ingest

Sample alerts seen by Sophos:

  • Malware accessed
  • Brute force login attempts
  • C2 traffic
  • Cryptocurrency Miner outbound connections
  • SQL ingestion attempts
  • ids-alerts
  • security_event ids_alerted
  • security_event security_filtering_file_scanned
  • security_event security_filtering_disposition_change

Alerts ingested in full

We ingest all security events returned by the query set up here: Get Organization Appliance Security Events.

These are the same events as ingested by the Cisco Meraki API integration.

We also ingest additional Event logs and some Flow alerts.

Filtering

We recommend that you configure the Meraki appliance to send the following data to the syslog collector:

  • Security events
  • Appliance event log
  • Flows
  • IDS Alerts

Agent Filter

We filter the results as follows:

  • We DROP routine flow logs (allow, drop, and src).
  • We DROP ip_flow_start and ip_flow_end logs.
  • We DROP urls logs.
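The filter above can be illustrated with a small parser that splits Meraki syslog lines into their type and key=value fields, then drops the routine types the collector discards. This is an added example, not Sophos's collector code; the sample lines are constructed to follow Meraki's "epoch device type details" syslog layout and the addresses in them are documentation ranges.

```python
import re

# Constructed sample Meraki syslog lines (not taken from the page).
SAMPLE_LINES = [
    "1374543986.038687615 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all",
    "1374543986.138687615 MX84 flows src=192.168.1.77 dst=203.0.113.9 protocol=tcp sport=51000 dport=445 pattern: deny all",
    "1374543987.000000000 MX84 ip_flow_start src=192.168.1.10 dst=198.51.100.5 protocol=tcp sport=49152 dport=443 translated_src_ip=203.0.113.1 translated_port=49152",
    "1374543999.000000000 MX84 ip_flow_end src=192.168.1.10 dst=198.51.100.5 protocol=tcp sport=49152 dport=443 translated_src_ip=203.0.113.1 translated_port=49152",
    "1374544000.000000000 MX84 urls src=192.168.1.10:49153 dst=198.51.100.5:80 mac=58:1F:AA:CE:61:F2 request: GET http://example.test/index.html",
    "1380664922.583851306 MX84 ids-alerts signature=1:2100498:7 priority=3 timestamp=1380664922.571335 direction=ingress protocol=tcp/ip src=203.0.113.9:80 dst=192.168.128.2:50463 message: GPL ATTACK_RESPONSE id check returned root",
    "1380664930.000000000 MX84 security_event ids_alerted signature=1:2100498:7 priority=3 timestamp=1380664930.1 dhost=58:1F:AA:CE:61:F2 direction=ingress protocol=tcp/ip src=203.0.113.9:80 dst=192.168.128.2:50464 message: GPL ATTACK_RESPONSE id check returned root",
    "1380664940.000000000 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='203.0.113.20:51856' peer_ident='abc' connectivity='true'",
]

# Log types the page says the agent filter drops.
DROPPED_TYPES = {"flows", "ip_flow_start", "ip_flow_end", "urls"}

# "<epoch> <device> <type> [<details>]"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?P<type>\S+)(?:\s+(?P<rest>.*))?$")
# key=value pairs; values may be single-quoted (events lines) or bare tokens.
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
# Free-text tail that Meraki appends after a keyword and colon.
TAIL_RE = re.compile(r"\b(message|pattern|request): (.*)$")


def parse_line(line):
    """Parse one Meraki syslog line into a record, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "device": m["device"], "type": m["type"],
           "subtype": None, "fields": {}, "text": None}
    rest = m["rest"] or ""
    # security_event lines carry a subtype token (e.g. ids_alerted) before the fields.
    if rec["type"] == "security_event":
        rec["subtype"], _, rest = rest.partition(" ")
    tail = TAIL_RE.search(rest)
    if tail:
        rec["text"] = tail.group(2)
        rest = rest[:tail.start()]
    rec["fields"] = {k: v.strip("'") for k, v in KV_RE.findall(rest)}
    return rec


def should_drop(rec):
    """Apply the agent filter: routine flow, NAT flow start/end and URL logs are discarded."""
    return rec["type"] in DROPPED_TYPES


def filter_lines(lines):
    """Return the parsed records that survive the agent filter, in input order."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and not should_drop(rec):
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in filter_lines(SAMPLE_LINES):
        print(rec["type"], rec["subtype"], rec["fields"].get("src"), rec["text"])
```

Running it keeps only the ids-alerts, security_event and events lines from the sample; the five flow, NAT-flow and URL lines are dropped before anything is forwarded.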

Sample threat mappings

The alert type is defined as follows:

If the field message isn't empty, search message for the regular expressions in the lists provided (_.referenceValues.code_translation.regex_alert_type and _.globalReferenceValues.code_translation.regex_alert_type). If a match is found, return the matched alert type; otherwise, return the original message.

If message is empty, check whether the field eventType is empty. If it isn't, perform the same regular-expression search on eventType. If a match is found, return the matched alert type; otherwise, return the original eventType.

If both message and eventType are empty, return undefined.

{"alertType": "MySQL Login Attempt", "threatId": "TA0008", "threatName": "Lateral Movement"}
{"alertType": "TFTP request", "threatId": "T1046", "threatName": "Network Service Scanning"}
{"alertType": "Canary Disconnected", "threatId": "T1489", "threatName": "Service Stop"}
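The alert-type rules above and the sample mappings can be put together as follows. This is an added example and not Sophos's mapping code: the two regex lists are constructed stand-ins for the referenced _.referenceValues and _.globalReferenceValues lists (whose real contents the page does not show), and the threat table holds only the three mappings quoted above.

```python
import re

# Constructed stand-in for _.referenceValues.code_translation.regex_alert_type.
REGEX_ALERT_TYPE = [
    (re.compile(r"mysql.*(login|auth)", re.I), "MySQL Login Attempt"),
    (re.compile(r"\btftp\b", re.I), "TFTP request"),
    (re.compile(r"canary.*disconnect", re.I), "Canary Disconnected"),
]
# Constructed stand-in for _.globalReferenceValues.code_translation.regex_alert_type,
# consulted after the integration-specific list.
GLOBAL_REGEX_ALERT_TYPE = [
    (re.compile(r"command and control|\bC2\b", re.I), "C2 traffic"),
]
REGEX_LISTS = (REGEX_ALERT_TYPE, GLOBAL_REGEX_ALERT_TYPE)

# The three sample threat mappings quoted on the page: alertType -> (threatId, threatName).
THREAT_MAP = {
    "MySQL Login Attempt": ("TA0008", "Lateral Movement"),
    "TFTP request": ("T1046", "Network Service Scanning"),
    "Canary Disconnected": ("T1489", "Service Stop"),
}


def match_alert_type(text, regex_lists):
    """First matching regex wins; with no match the original text is returned unchanged."""
    for patterns in regex_lists:
        for rx, alert_type in patterns:
            if rx.search(text):
                return alert_type
    return text


def derive_alert_type(record):
    """Apply the page's rules: message first, then eventType, else undefined (None)."""
    message = record.get("message") or ""
    if message:
        return match_alert_type(message, REGEX_LISTS)
    event_type = record.get("eventType") or ""
    if event_type:
        return match_alert_type(event_type, REGEX_LISTS)
    return None


def map_threat(record):
    """Produce the {alertType, threatId, threatName} shape shown in the sample mappings.

    An alert type with no entry in the table keeps the derived alertType and
    leaves threatId/threatName unset rather than guessing a technique.
    """
    alert_type = derive_alert_type(record)
    if alert_type is None:
        return None
    threat_id, threat_name = THREAT_MAP.get(alert_type, (None, None))
    return {"alertType": alert_type, "threatId": threat_id, "threatName": threat_name}


if __name__ == "__main__":
    # Constructed sample records; field names follow the page (message, eventType).
    for rec in [
        {"message": "ET POLICY MySQL login attempt from 192.0.2.5"},
        {"message": "", "eventType": "TFTP request to 192.0.2.9"},
        {"message": None, "eventType": "Canary Disconnected"},
        {"message": "", "eventType": ""},
    ]:
        print(map_threat(rec))
```

The order of the checks matters: an event whose message is populated never falls through to eventType, even if eventType would have matched a more specific pattern, which is exactly the precedence the rules above describe.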

Vendor documentation

Syslog Server Overview and Configuration