URL Enrichment - Cisco Meraki

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

This playbook checks if malicious URL is blocked or unblocked by Cisco Meraki network.

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	2
`MerakiConnector`	Custom	1	3

Action parameters (URLs, paths, function IDs)

Action	Method	Endpoint	Other
Add_comment_to_incident	post	`/Incidents/Comment`	—
Entities_-_Get_URLs	post	`/entities/url`	—

Action	Method	Endpoint	Other
Get_Network_Appliance_Content_Filtering	get	`/networks/@{encodeURIComponent(items('For_each_Network')?['id'])}/appliance/contentFiltering`	—
Get_Networks	get	`/organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks`	—
Get_Organizations	get	`/organizations`	—

📄 Source: URL-Enrichment/readme.md

When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the below actions:

Fetches a list of potentially malicious URLs.
For each URL in the list, checks if the URL is blocked by any of the networks of the organization.

If URL is allowed by the network, then incident comment is created saying URL is allowed.
If URL is blocked by the network, then incident comment is created saying URL is blocked.
If URL is not blocked by the network and not part of the network, then incident comment is created saying URL not found in network.

Meraki

Deploy the Cisco Meraki Custom Connector before the deployment of this playbook under the same subscription and same resource group. Capture the name of the connector during deployment.
Cisco Meraki API Key should be known to establish a connection with Cisco Meraki Custom Connector. Refer here
Organization name should be known. Refer here

Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploy an ARM Template wizard.

Parameter	Description
Playbook Name	Enter the playbook name without spaces
Cisco Meraki Connector name	Enter the name of Cisco Meraki custom connector without spaces
Organization Name	Enter organization name

Once deployment is complete, go under deployment details and authorize Cisco Meraki connection.

In Microsoft sentinel analytical rules should be configured to trigger an incident with URLs.
Configure the automation rules to trigger the playbook.

Captures potentially malicious or malware URL incident information.

Get the list of URLs as entities from the Incident.

If organization name exists in list of organizations associated with the account, then get list of networks associated with the organization.
If organization name does not exist, then terminate with the error that organization not found.

Checks if the URL is blocked by any of the networks of the organization.
- If URL is allowed by the network, then incident comment is created saying URL is allowed.
- If URL is blocked by the network, then incident comment is created saying URL is blocked.
- If URL is not blocked by network and not part of the network, then incident comment is created saying URL not found.
Add incident Comment from all the cases.