topic Re: Meraki to Microsoft Sentinel integration using API in Cloud Networking Platform

Meraki to Microsoft Sentinel integration using API

Mathews — Wed, 15 May 2024 19:14:11 GMT

Trying to integrate Meraki with Microsoft Sentinel using API. Sentinel has a data connector that helps with this and requires the API key and organization ID. It gets connected, and logs are coming in.

Now, the questions:

1) Are there any configurations required at the individual Meraki devices' end to ensure this API method retrieves logs from all connected devices? There are many MX devices, access points, and switches. The API is generated from the dashboard as per documentation

2) Are the IDS/Security events collected via API the same as when collected via syslog method ?

3) What are the important considerations when opting for API collection instead of syslog collection?

Re: Meraki to Microsoft Sentinel integration using API

MariaP8 — Thu, 16 May 2024 19:21:10 GMT

Hi,

I'm not familiar with using Microsoft Sentinel for the API. Are you looking at something like Cisco Meraki Events via REST API? Or like Cisco Meraki connector for Microsoft Sentinel

1) Not from individual Meraki devices. However, depending on the API endpoint you are using you may need to enter information such as a VLAN ID, serial number, port, etc. Those are just parameters of some API endpoints.

2) Yes, if using one of these endpoints: getOrganizationApplianceSecurityEvents or getNetworkApplianceSecurityEvents.

3) This depends on how everything is formatted with Microsoft Sentinel. What comes to mind is how the information will be processed and if formatting is important. Lastly, keep your API key safe.

Let me know if you have any questions.

Re: Meraki to Microsoft Sentinel integration using API

Mathews — Thu, 16 May 2024 19:42:00 GMT

Yes, I’m using Cisco Meraki Events via REST API data connector in sentinel.

Thanks for the responses. I’m not able to view which API endpoint the connector is querying as it is an out-of-the-box connector provided by Microsoft. I'll see if there is documentation available related to this. And yes, I’ll keep the API key safe.

Re: Meraki to Microsoft Sentinel integration using API

MariaP8 — Thu, 16 May 2024 22:10:11 GMT

Hi,

From Cisco Meraki Events via REST API:

The Cisco Meraki Events via REST API solution for Microsoft Sentinel enables you to easily ingest the following events from Cisco Meraki MX security appliance to Microsoft Sentinel using Cisco Meraki API:

1. Organization Appliance Security Events
2. Organization Api Requests
3. Organization Configuration Changes

1. Based on the information above I would expect this to use most GET organization level API calls.

- when clicking this link type "/organization" into the first search box.

2. It also specifically calls out the Organization Appliance Security Events which is probably this call: getOrganizationApplianceSecurityEvents.

3. Refers to the changelog found under Organization > Changelog. This seems to refer to this API endpoint: getOrganizationConfigurationChanges.

But as you stated, it's always good to get confirmation from Microsoft.

Feel free to reach back out should you need anything else.

Re: Meraki to Microsoft Sentinel integration using API

austinmorphies — Mon, 12 May 2025 19:07:12 GMT

Hello, this may help you.

Azure-Sentinel/Solutions/Cisco Meraki Events via REST API/Data Connectors/CiscoMerakiMultiRule_ccp/dataConnectorPoller.json at master · Azure/Azure-Sentinel · GitHub