Block IP Address - Cisco Meraki
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook checks if malicious IP address is blocked or unblocked by Cisco Meraki MX network.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CiscoMeraki |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
MerakiConnector |
Custom | 1 | 5 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
MerakiConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Network_Appliance_Firewall_L3_Firewall_Rules | get | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/firewall/l3FirewallRules |
— |
| Get_Network_Appliance_Firewall_L7_Firewall_Rules | get | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/firewall/l7FirewallRules |
— |
| Update_Network_Appliance_L3_Firewall_Rules | put | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/firewall/l3FirewallRules |
— |
| Get_Networks | get | /organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks |
— |
| Get_Organizations | get | /organizations |
— |
Additional Documentation
📄 Source: Block-IP-Address/readme.md
Cisco Meraki Block IP Address Playbook
Summary
When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the below actions:
- Fetches a list of potentially malicious IP addresses.
- For each IP address in the list, checks if the IP address is blocked by L3 firewall rule or L7 firewall rule of MX network.
- If IP address is part of both L3 firewall rule and L7 firewall rule but not blocked by either of the rules, then Incident Comment is created saying IP address allowed by firewall.
- If IP address is part of either L3 firewall rule or L7 firewall rule and blocked by the rule, then Incident Comment is created saying IP address is blocked.
- If IP address is not part of either L3 firewall rule or L7 firewall rule, then that IP address is blocked by playbook.
- Update the incident with status 'Closed' and reason as
- For allowed IP - 'BenignPositive - SuspiciousButExpected'
- For blocked IP - 'TruePositive - SuspiciousActivity'
Pre-requisites for deployment
- Deploy the Cisco Meraki Custom Connector before the deployment of this playbook under the same subscription and same resource group. Capture the name of the connector during deployment.
- Cisco Meraki API Key should be known to establish a connection with Cisco Meraki Custom Connector. Refer here
- Organization name should be known. Refer here
- Network name should be known.Refer here
Deployment Instructions
- Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploy an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
| Parameter | Description |
|---|---|
| Playbook Name | Enter the playbook name here without spaces |
| Cisco Meraki Connector Name | Enter the name of Cisco Meraki custom connector without spaces |
| Organization Name | Enter organization name |
| Network Name | Enter network name |
Post-Deployment Instructions
a. Authorize API connection
- Once deployment is complete, go under deployment details and authorize Cisco Meraki connection.
- Click the Cisco Meraki connection
- Click Edit API connection
- Enter API Key
- Click Save
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with IP addresses.
- Configure the automation rules to trigger the playbook.
Playbook steps explained
When Microsoft Sentinel incident creation rule is triggered
Captures potentially malicious or malware IP addresses incident information.
Entities - Get IPs
Get the list of IPs as entities from the Incident.
Compose image to add in the incident
This action will compose the Cisco Meraki image to add to the incident comments.
Check if Organization exists
- If organization name exists in list of organizations associated with the account, then return organization.
- If organization name does not exist, then terminate with the error that organization not found.
Check if network exists
- If network name exists in list of networks associated with the organization, then return network associated with the organization.
- If network name does not exist, then terminate with the error that network not found.
For each malicious IP received from the incident
- Checks if the IP address is part of L3 firewall rule or L7 firewall rule of MX network.
- If IP address is part of both L3 firewall rule and L7 firewall rule but not blocked by either of the rules, then Incident Comment is created saying IP address allowed by firewall.
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊