Block Device Client - Cisco Meraki
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook checks if malicious device client is blocked by Cisco Meraki network.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CiscoMeraki |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
MerakiConnector |
Custom | 1 | 7 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
MerakiConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Network_Group_Policy | get | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/groupPolicies/@{encodeURIComponent(body('Get_Network_Client_Policy')?['groupPolicyId'])} |
— |
| Update_Network_Client_Policy | put | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/clients/@{encodeURIComponent(outputs('Compose_network_client')?['id'])}/policy |
— |
| Get_Network_Client_Policy | get | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/clients/@{encodeURIComponent(outputs('Compose_network_client')?['id'])}/policy |
— |
| Get_Network_Clients | get | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/clients |
— |
| Get_Network_Group_Policies | get | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/groupPolicies |
— |
| Get_Networks | get | /organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks |
— |
| Get_Organizations | get | /organizations |
— |
Additional Documentation
📄 Source: Block-Device-Client/readme.md
Cisco Meraki Block Device Client Playbook
Summary
When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the below actions:
- Fetches a list of device clients with suspicious activity.
- For each client in the list, checks if the client is blocked by any network of the organization.
- If client does not exist in network, then incident comment is created saying client not found.
- If client exists in network, check policy rule associated with client.
- If client policy does not exist in the network, then incident comment is created saying client policy not found.
- If client policy exists in the network as Blocked, then incident comment is created saying client blocked using client policy.
- If client policy exists in the network as Whitelisted, then incident comment is created saying client allowed using client policy.
- If client policy exists in the network as group polciy, then check the group policy details and incident comment is created saying client blocked using client policy.
- If client policy exists in the network as Normal, then client is blocked by playbook. Incident Comment is created saying Client blocked by playbook.
- Add incident Comment from all the cases.
- Update the incident with status 'Closed' and reason as
- For allowed Client - 'BenignPositive - SuspiciousButExpected'
- For blocked Client - 'TruePositive - SuspiciousActivity'
Pre-requisites for deployment
- Deploy the Cisco Meraki Custom Connector before the deployment of this playbook under the same subscription and same resource group. Capture the name of the connector during deployment.
- Cisco Meraki API Key should be known to establish a connection with Cisco Meraki Custom Connector. Refer here
- Organization name should be known. Refer here
- Network name should be known.Refer here
- Network Group Policy name should be known. Refer here
Deployment Instructions
- Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploy an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
| Parameter | Description |
|---|---|
| Playbook Name | Enter the playbook name without spaces |
| Cisco Meraki Connector Name | Enter the name of Cisco Meraki custom connector without spaces |
| Organization Name | Enter organization name |
| Network Name | Enter network name |
| Group Policy | Enter group policy name |
Post-Deployment Instructions
a. Authorize API connection
- Once deployment is complete, go under deployment details and authorize Cisco Meraki connection.
- Click the Cisco Meraki connection
- Click Edit API connection
- Enter API Key
- Click Save
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with hosts.
- Device Client MAC needs to be mapped with hostname in Host entity.
- Configure the automation rules to trigger the playbook.
Playbook steps explained
When Microsoft Sentinel incident creation rule is triggered
Captures potentially malicious client incident information.
Entities - Get Hosts
Get the list of device clients as entities from the Incident.
Check if Organization exists
- If organization name exists in list of organizations associated with the account, then return organization.
- If organization name does not exist, then terminate with the error that organization not found.
Check if network exists
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊