This playbook checks whether a malicious device client is blocked by the Cisco Meraki network.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CiscoMeraki |
| Source | View on GitHub |
📄 Source: Block-Device-Client/readme.md
When a new Microsoft Sentinel incident is created, this playbook is triggered and performs the following actions:

1. Fetches the list of device clients with suspicious activity.
2. For each client in the list, checks whether the client is blocked by any network of the organization.
   - If the client does not exist in the network, an incident comment is created saying the client was not found.
   - If the client exists in the network, check the policy rule associated with the client.
     * If the client policy does not exist in the network, an incident comment is created saying the client policy was not found.
     * If the client policy exists in the network as Blocked, an incident comment is created saying the client is blocked using the client policy.
     * If the client policy exists in the network as Whitelisted, an incident comment is created saying the client is allowed using the client policy.
     * If the client policy exists in the network as a group policy, the group policy details are checked and an incident comment is created saying the client is blocked using the client policy.
     * If the client policy exists in the network as Normal, the client is blocked by the playbook and an incident comment is created saying the client was blocked by the playbook.
   - Add an incident comment for all of the cases.
3. Update the incident with status 'Closed' and the reason as:
   - For an allowed client: 'BenignPositive - SuspiciousButExpected'
   - For a blocked client: 'TruePositive - SuspiciousActivity'
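The per-client decision tree above, written out as an added example (not the playbook's own Logic App code): it maps a client's current Meraki policy record to the incident comment, to whether the playbook itself must set the client to Blocked, and to the close reason. It assumes the deployment's "Group Policy" parameter names the group policy that blocks clients, that the policy record uses a `devicePolicy` field with the values the page lists, and that a hypothetical `lookup` callable stands in for the connector's policy call; the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Policy values as the page lists them; a group policy is reported as
# "Group policy" (assumed field name), with the policy name alongside it.
BLOCKED, WHITELISTED, GROUP, NORMAL = "Blocked", "Whitelisted", "Group policy", "Normal"
TRUE_POSITIVE = "TruePositive - SuspiciousActivity"
BENIGN_POSITIVE = "BenignPositive - SuspiciousButExpected"

@dataclass
class Decision:
    comment: str                 # text of the incident comment to add
    set_blocked: bool            # True when the playbook itself must block the client
    close_reason: Optional[str]  # Sentinel close reason; None where the page gives none

def decide(policy: Optional[dict], blocking_group_policy: str) -> Decision:
    """Map one client's current Meraki policy record to the playbook's action.

    `policy` is None when the client is not present in the network at all.
    """
    if policy is None:
        return Decision("Client not found in network", False, None)
    device_policy = policy.get("devicePolicy")
    if not device_policy:
        return Decision("Client policy not found", False, None)
    if device_policy == BLOCKED:
        return Decision("Client blocked using client policy", False, TRUE_POSITIVE)
    if device_policy == WHITELISTED:
        return Decision("Client allowed using client policy", False, BENIGN_POSITIVE)
    if device_policy == GROUP and policy.get("groupPolicyName") == blocking_group_policy:
        # Group policy details match the configured blocking policy (assumption).
        return Decision("Client blocked using client policy", False, TRUE_POSITIVE)
    # "Normal" (and, by assumption, any other non-blocking policy): block it ourselves.
    return Decision("Client blocked by playbook", True, TRUE_POSITIVE)

def process_clients(macs: Iterable[str], lookup: Callable[[str], Optional[dict]],
                    blocking_group_policy: str) -> dict:
    """Run the per-client check; `lookup` stands in for the connector's policy call."""
    return {mac: decide(lookup(mac), blocking_group_policy) for mac in macs}

# Constructed sample policy records keyed by client MAC (not real data).
SAMPLE_POLICIES = {
    "aa:bb:cc:00:00:01": {"devicePolicy": NORMAL},
    "aa:bb:cc:00:00:02": {"devicePolicy": BLOCKED},
    "aa:bb:cc:00:00:03": {"devicePolicy": WHITELISTED},
    "aa:bb:cc:00:00:04": {"devicePolicy": GROUP, "groupPolicyName": "Quarantine"},
    "aa:bb:cc:00:00:05": {},  # client present, but no policy record
}

if __name__ == "__main__":
    macs = list(SAMPLE_POLICIES) + ["aa:bb:cc:00:00:06"]  # last one is not in the network
    for mac, d in process_clients(macs, SAMPLE_POLICIES.get, "Quarantine").items():
        print(f"{mac}: {d.comment} | block={d.set_blocked} | close={d.close_reason}")
```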


## Pre-requisites for deployment

1. Deploy the Cisco Meraki Custom Connector before deploying this playbook, under the same subscription and the same resource group. Capture the name of the connector during deployment.
2. The Cisco Meraki API key must be known to establish a connection with the Cisco Meraki Custom Connector. Refer here.
3. The organization name must be known. Refer here.
4. The network name must be known. Refer here.
5. The network group policy name must be known. Refer here.
## Deployment Instructions

1. Deploy the playbook by clicking the "Deploy to Azure" button. This takes you to the Deploy an ARM Template wizard, which asks for the parameters below.
| Parameter | Description |
|---|---|
| Playbook Name | Enter the playbook name without spaces |
| Cisco Meraki Connector Name | Enter the name of Cisco Meraki custom connector without spaces |
| Organization Name | Enter organization name |
| Network Name | Enter network name |
| Group Policy | Enter group policy name |
Captures potentially malicious client incident information.
Get the list of device clients as entities from the Incident.
## Check if network exists
[Content truncated...]