Block URL - Cisco Meraki
This playbook checks whether a malicious URL is blocked in a Cisco Meraki network.
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
Action parameters (URLs, paths, function IDs)
| Action | Method | Endpoint | Other |
| --- | --- | --- | --- |
| Add_comment_to_incident | post | /Incidents/Comment | — |
| Update_incident | put | /Incidents | — |
| Entities_-_Get_URLs | post | /entities/url | — |

| Action | Method | Endpoint | Other |
| --- | --- | --- | --- |
| Get_Network_Appliance_Content_Filtering | get | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/contentFiltering | — |
| Update_Network_Appliance_Content_Filtering | put | /networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/contentFiltering | — |
| Get_Networks | get | /organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks | — |
| Get_Organizations | get | /organizations | — |
Additional Documentation
📄 Source: Block-URL/readme.md
Cisco Meraki Block URL Playbook

Summary
When a new Microsoft Sentinel incident is created, this playbook is triggered and performs the following actions:
- Fetches a list of potentially malicious URLs.
- For each URL in the list, checks if the URL is blocked by the network of the organization.
  - If the URL is allowed by the network, an incident comment is created saying the URL is allowed.
  - If the URL is blocked by the network, an incident comment is created saying the URL is blocked.
  - If the URL is not blocked by the network and not part of the network, that URL is blocked by the playbook.
- Updates the incident with status 'Closed' and reason as:
  - For allowed URL - 'BenignPositive - SuspiciousButExpected'
  - For blocked URL - 'TruePositive - SuspiciousActivity'


Pre-requisites for deployment
- Deploy the Cisco Meraki Custom Connector before the deployment of this playbook under the same subscription and same resource group. Capture the name of the connector during deployment.
- The Cisco Meraki API key should be known in order to establish a connection with the Cisco Meraki Custom Connector. Refer here
- The organization name should be known. Refer here
- The network name should be known. Refer here
Deployment Instructions
- Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploy an ARM Template wizard.

- Fill in the required parameters for deploying the playbook.
| Parameter | Description |
| --- | --- |
| Playbook Name | Enter the playbook name without spaces |
| Cisco Meraki Connector name | Enter the name of Cisco Meraki custom connector without spaces |
| Organization Name | Enter organization name |
| Network Name | Enter network name |
Post-Deployment Instructions
a. Authorize API connection
- Once deployment is complete, go under deployment details and authorize Cisco Meraki connection.
- Click the Cisco Meraki connection
- Click Edit API connection
- Enter API Key
- Click Save
- Similarly, authorize the Teams API connection as well.
b. Configurations in Sentinel
- In Microsoft Sentinel, analytics rules should be configured to trigger an incident with URLs.
- Configure the automation rules to trigger the playbook.
Playbook steps explained
When Microsoft Sentinel incident creation rule is triggered
Captures potentially malicious or malware URL incident information.
Entities - Get URLs
Get the list of URLs as entities from the Incident.
Check if Organization exists
- If the organization name exists in the list of organizations associated with the account, then return the organization.
- If the organization name does not exist, then terminate with the error that the organization was not found.
Check if network exists
- If the network name exists in the list of networks associated with the organization, then return the network associated with the organization.
- If the network name does not exist, then terminate with the error that the network was not found.
For each malicious URL received from the incident
- Checks if the URL is blocked or allowed by the network of the organization.
  - If the URL is allowed by the network, an incident comment is created saying the URL is allowed using content filtering.
  - If the URL is blocked by the network, an incident comment is created saying the URL is blocked using content filtering.
  - If the URL is not part of the network, the URL is blocked by the playbook using content filtering. An incident comment is created saying the URL was blocked by the playbook.
- Adds an incident comment for all the cases.
- Updates the incident with status 'Closed' and reason as:
  - For allowed URL - 'BenignPositive - SuspiciousButExpected'
  - For blocked URL - 'TruePositive - SuspiciousActivity'
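
The per-URL decision described above, as an added Python sketch that is not the playbook's own Logic App code. It runs offline on a constructed content-filtering response and builds the body for the update call. Assumptions: the `allowedUrlPatterns` and `blockedUrlPatterns` field names, the allow list being checked first, a simplified matcher rather than Meraki's own pattern engine, and that the PUT replaces the block list, so existing entries must be carried over.

```python
from urllib.parse import urlsplit

# Constructed sample of a GET .../appliance/contentFiltering response body.
SAMPLE_SETTINGS = {
    "allowedUrlPatterns": ["intranet.example.com"],
    "blockedUrlPatterns": ["bad.example.net", "files.example.org/payloads"],
}

def normalize(url):
    """Reduce a URL entity to 'host/path': no scheme, port, query or trailing slash."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host + parts.path.rstrip("/")

def matches(pattern, target):
    """Simplified match (assumption): same host or a subdomain, plus path prefix."""
    p_host, _, p_path = pattern.lower().partition("/")
    t_host, _, t_path = target.partition("/")
    host_ok = t_host == p_host or t_host.endswith("." + p_host)
    path_ok = not p_path or t_path == p_path or t_path.startswith(p_path + "/")
    return host_ok and path_ok

def classify(url, settings):
    """Return 'allowed', 'blocked' or 'unlisted'; allow list checked first (assumption)."""
    target = normalize(url)
    if any(matches(p, target) for p in settings.get("allowedUrlPatterns", [])):
        return "allowed"
    if any(matches(p, target) for p in settings.get("blockedUrlPatterns", [])):
        return "blocked"
    return "unlisted"

def build_update(url, settings):
    """PUT body adding the URL to the block list while keeping existing entries."""
    merged = list(settings.get("blockedUrlPatterns", []))
    pattern = normalize(url)
    if pattern and pattern not in merged:
        merged.append(pattern)
    return {"blockedUrlPatterns": merged}

def triage(urls, settings):
    """Walk the incident's URLs; return (comments, final PUT body or None)."""
    comments, body, current = [], None, settings
    for url in urls:
        state = classify(url, current)
        if state == "unlisted":
            body = build_update(url, current)
            current = {**current, **body}  # later URLs see the pending block
        comments.append(f"{url}: " + ("blocked by playbook" if state == "unlisted"
                                      else f"{state} by content filtering"))
    return comments, body
```

Sending only the new URL in `blockedUrlPatterns` would drop every pattern already configured on the network, which is why the update body is built from the fetched list.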