IP Address Enrichment - Cisco Meraki

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

This playbook checks if malicious IP address is blocked or unblocked by Cisco Meraki MX network.

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	2
`MerakiConnector`	Custom	1	4

Action parameters (URLs, paths, function IDs)

Action	Method	Endpoint	Other
Add_comment_to_incident	post	`/Incidents/Comment`	—
Entities_-_Get_IPs	post	`/entities/ip`	—

Action	Method	Endpoint	Other
Get_Network_Appliance_Firewall_L3_Firewall_Rules	get	`/networks/@{encodeURIComponent(items('For_each_Network')?['id'])}/appliance/firewall/l3FirewallRules`	—
Get_Network_Appliance_Firewall_L7_Firewall_Rules	get	`/networks/@{encodeURIComponent(items('For_each_Network')?['id'])}/appliance/firewall/l7FirewallRules`	—
Get_Networks	get	`/organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks`	—
Get_Organizations	get	`/organizations`	—

📄 Source: IP-Address-Enrichment/readme.md

When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the below actions:

Fetches a list of potentially malicious IP addresses.
For each IP address in the list, checks if the IP address is blocked by L3 firewall rule or L7 firewall rule in MX network.

If IP address is part of both L3 firewall rule and L7 firewall rule but not blocked by either of the rules, then Incident Comment is created saying IP address allowed by firewall.
If IP address is part of either L3 firewall rule or L7 firewall rule and blocked by the rule, then Incident Comment is created saying IP address is blocked.
If IP address is not part of either L3 firewall rule or L7 firewall rule, then Incident Comment is created saying IP address not found in any rule.

Meraki

Deploy the Cisco Meraki Custom Connector before the deployment of this playbook under the same subscription and same resource group. Capture the name of the connector during deployment.
Cisco Meraki API Key should be known to establish a connection with Cisco Meraki Custom Connector. Refer here
Organization name should be known. Refer here

Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploy an ARM Template wizard.

Parameter	Description
Playbook Name	Enter the playbook name without spaces
Cisco Meraki Connector name	Enter the name of Cisco Meraki custom connector without spaces
Organization Name	Enter organization name

Once deployment is complete, go under deployment details and authorize Cisco Meraki connection.

In Microsoft sentinel analytical rules should be configured to trigger an incident with IP addresses.
Configure the automation rules to trigger the playbook.

Captures potentially malicious or malware IP addresses incident information.

Get the list of IPs as entities from the Incident.

If organization name exists in list of organizations associated with the account, then get list of networks associated with the organization.
If organization name does not exist, then terminate with the error that organization not found.

Checks if the IP address is part of L3 firewall rule or L7 firewall rule in MX network.
- If IP address is part of both L3 firewall rule and L7 firewall rule but not blocked by either of the rules, then Incident Comment is created saying IP address allowed by firewall.
- If IP address is part of either L3 firewall rule or L7 firewall rule and blocked by the rule, then Incident Comment is created saying IP address is blocked.
- If IP address is not part of either L3 firewall rule or L7 firewall rule, then Incident Comment is created saying IP address not found in any rule.
Add incident Comment from all the cases.