Cisco Meraki Integration
Cisco Meraki provides cloud-managed IT solutions, from networking appliances to endpoint management, and allows you to expand globally by deploying networks quickly via simple configuration and meet the changing demands of your business without compromising reliability or security. When you integrate Meraki with Cisco XDR, you will get enhanced network detections using Meraki telemetry, enriched endpoint details, and incidents published in the Cisco XDR portal and Meraki dashboard.
Cisco XDR ingests IPFIX NetFlow records and Meraki metadata, including organization, network, and node serial number. This data is then used for detection analytics and correlation to create incidents.
For an overview of the integration and configuration steps, view the click-through Cisco XDR and Meraki MX Demo.
Note: To avoid duplicate observations and alerts, do not install Cisco Telemetry Broker or an ONA sensor if you have configured the Cisco Meraki integration with Cisco XDR.
- Ensure that you are a full Organization Admin in Meraki and that you are logged in as an Administrator in Cisco XDR.
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Cisco Meraki integration.
- Click Enable. The Meraki sign-on page is displayed.
- In the Meraki dashboard, enable the Cisco XDR Integration and select your Cisco XDR tenant region. Then configure the Meraki networks to send telemetry to Cisco XDR. For more information, see the Cisco Meraki and Cisco XDR User Guide.
- Verify the Meraki integration is listed in the My Integrations panel on the Cisco XDR Integrations page.
Note: If you had previously configured Meraki in Cisco XDR, we recommend deleting the old Meraki module when configuring the new Cisco Meraki module to avoid duplication of data.
To verify and view the Meraki data in Secure Cloud Analytics (now part of Cisco XDR):
- Log in to Secure Cloud Analytics.
- In the navigation menu, choose Settings > Sensors.
- Scroll to the Meraki Sensors section to verify Secure Cloud Analytics is receiving data from Meraki.
- In the navigation menu, choose Investigate > Event Viewer.
- The Session Traffic tab provides the detailed telemetry collected by your sensors. In the Namespace column, filter on "meraki" to see the Meraki metadata displayed together.
Note: Depending on your network configuration, Secure Cloud Analytics may not see public IP addresses. Public IPs that need to be monitored should be explicitly added using the Settings > Subnets > On-Premises page. For more information, see the Secure Cloud Analytics Subnet Configuration Guide.
Incidents are groups of correlated events generated using data ingested from your integrated products. Correlating events that could be part of a larger threat into an incident reduces the time typically required to investigate individual security alerts or detections. For more information about the Cisco XDR Incidents feature, see Incidents.
To view incidents with Meraki data:
- In the Cisco XDR navigation menu, choose Incidents.
- Select an incident with the Cisco XDR Analytics source and endpoint data, and open the Incident Detail page.
- On the Detection tab, click on the pivot menu to view the Asset endpoint attributes with the XDR Network source. You should see the Meraki metadata, including meraki_network_id.
You can perform the following tasks after you integrate Cisco Meraki with Cisco XDR:
- Pivot Menu - Use the Pivot menu to access actions in Meraki.
- Investigate - Start a new investigation by searching on a known Meraki IP, observable, or asset. For more information, see Investigate.
- Assets - View devices from Cisco Meraki. For more information, see Devices.
- Atomic Actions - The atomic actions for Meraki can be used as building blocks in custom workflows. See Atomic Actions.
- Automation Workflows - The Meraki target is automatically created for out-of-box workflows. For details, see Targets Created From Integrations.