Cisco Meraki Integration Guide
Cisco Meraki must be configured to send logs via syslog to the Taegis™ XDR Collector. Logs are filtered and correlated in real-time for various security event observations.
You will need to configure the options based on the type of appliance you have. This document applies to:
- Meraki MX: Next-generation Firewall
Follow the instructions below to configure logging and enable monitoring by Secureworks.
Connectivity Requirements ⫘
| Source | Destination | Port/Protocol |
|---|---|---|
| Cisco Meraki Appliance (MX) | XDR (mgmt IP) | UDP/514 |
Prerequisites ⫘
You must be licensed for each feature you are attempting to report on. You also must have admin access to the Meraki dashboard.
Data Provided from Integration ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cisco Meraki Firewall | D | Y | D | D | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configuration Instructions ⫘
Define syslog servers by following the instructions in the Configure Dashboard section of the Cisco Meraki Syslog Server Overview and Configuration documentation.
Consider the following requirements when completing the configuration steps:
- Server IP — The IP address of the Secureworks® Taegis™ XDR
- Port — UDP port 514
- Roles — Specify all roles available for your appliance and license; options may include Wireless event log, Switch event log, Flows, URLs, Security event log, and more.
- If the Flows role is enabled on an MX security appliance, logging for individual firewall rules can be enabled and disabled on the Security appliance > Configure > Firewall page, under the Logging column.