Cisco Meraki MX Custom Response Integration

This article shows how to leverage the Lumu Defender API and the Meraki Dashboard API to mitigate the security risks Lumu detects.

Figure 1 - Response setup leveraging Lumu detections with Meraki Dashboard

Requirements

  • Cisco Meraki deployment with MX devices
    These devices support the security features used by the integration. vMX appliances don't fully support them.
  • Cisco Meraki MX Advanced Security Licensing or superior.
    A Cisco Meraki MX Advanced Security License is required to have Content filtering features in your deployment. For more information about licensing options, consult
    Meraki MX Security and SD-WAN Licensing.
  • Meraki Dashboard API key
    It's recommended to create a dedicated user for integrations and use its API key.
  • Lumu Defender API key
    To retrieve an API token, please refer to the
    Defender API document.
  • Script package.
    Contact the
    Lumu support team to request the package we created to deploy the required files.

Set up Meraki Dashboard

Enable Meraki Dashboard API access

To enable access to the Cisco Meraki Dashboard API, please refer to Cisco Meraki Dashboard API.

Identify Meraki Organization and Network

You need the names of your Meraki organization and network. Both are required parameters of the integration script. Log in to your Meraki Dashboard instance and use the left navigation bar to identify them.

Figure 2 - Meraki Dashboard Network and Organization

Deploy the script

First, contact the Lumu support team to request the deployment package.

Scripts location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep this location in mind, as it will be required for further configuration. From now on, we will refer to this folder as <meraki_lumu_root>.

The package contains the scripts required to run the integration. To use them, change to the deployment folder (<meraki_lumu_root>) first. Specific directions are included in the next sections.

Install requirements

The file requirements.txt contains the list of requirements for this integration. After deploying the package locally, run the following command from the deployment folder:

[sudo] pip install -r ./requirements.txt

Script details

To use the script, change to the deployment folder (<meraki_lumu_root>). Use the following command to show all options available for the package:

python meraki_lumu.py --help

Usage: meraki_lumu.py [options]

Options:
  -h, --help            show this help message and exit
  --config CONFIG       Load options from config file
  --company-key COMPANY_KEY, --company_key COMPANY_KEY
                        Lumu Company Key (Defender API).
  --proxy-host PROXY_HOST, --proxy_host PROXY_HOST
                        Proxy host (if required)
  --proxy-port PROXY_PORT, --proxy_port PROXY_PORT
                        Proxy port (if required)
  --proxy-user PROXY_USER, --proxy_user PROXY_USER
                        Proxy user (if required)
  --proxy-password PROXY_PASSWORD, --proxy_password PROXY_PASSWORD
                        Proxy password (if required)
  --logging {screen,file}
                        Logging option (default screen).
  --verbose, -v         Verbosity level.
  --api-key API_KEY, --api_key API_KEY
                        Meraki dashboard API key.
  --organization ORGANIZATION
                        Meraki organization to operate with.
  --network NETWORK     Meraki network to operate with.
  --feature {L3Rule,URL}
                        Meraki features to feed IOCs to: L3Rule, URL (default "all"; L3 rules will not include hosts).
  --adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}, --adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing}
                        Lumu adversary types to be filtered.
  --days DAYS           The number of days backward from now to query Lumu incidents.
  --clean               Cleans all rules and objects created by the Lumu integration.

Usage Examples

Task: query and add indicators (IP, URLs) related to Lumu open incidents

Use the following command to fetch all IOCs (IPs, URLs) related to open incidents found in your organization by Lumu and push them to Meraki, as a layer 3 firewall rule and as URL patterns in the Content filtering configuration:

python meraki_lumu.py --api_key <meraki_api_key> --organization <meraki_organization_name> --network <meraki_network_name> --company_key <lumu_defender_api_key>

After the integration has run, you will see a new layer 3 rule (without hosts) and new URL patterns inside the Content filtering configuration.

NOTE: Hostnames are added as URL patterns in Content filtering, not as hosts in the layer 3 rule. The layer 3 rule is placed at the beginning of the rule list.

Task: query and add indicators (IP, URLs) related to Lumu open incidents with contacts in the last X days

Use the following command to fetch all IOCs related to open incidents detected in your organization by Lumu with contacts in the last X days, and push them to the Meraki layer 3 rules and the URL patterns of the Content filtering configuration:

python meraki_lumu.py --api_key <meraki_api_key> --organization <meraki_organization_name> --network <meraki_network_name> --company_key <lumu_defender_api_key> --days <days>

NOTE: All IOCs previously pushed to the Meraki configuration will be replaced, even those corresponding to incidents with contacts older than X days.

Task: query and add IOCs to a specific configuration within Meraki

If you only need to create a Layer 3 rule, or only feed URL patterns into the Content filtering configuration, use the argument --feature L3Rule to add a Layer 3 rule or --feature URL to add URL patterns.

python meraki_lumu.py --api_key <meraki_api_key> --organization <meraki_organization_name> --network <meraki_network_name> --company_key <lumu_defender_api_key> --feature {L3Rule,URL}

NOTE: The integration deletes the changes made by previous executions, regardless of the feature selected. If you have added a Layer 3 rule and then run the integration with just --feature URL, the Layer 3 rule will be deleted from the Meraki configuration.

Task: query and add Meraki configuration related to Lumu open incidents of specific types

By default, the script queries open incidents of all adversary types (Phishing, Malware, DGA, Spam, others). If you need to collect only specific types of incidents, use the argument --adversary-types ADVERSARY_TYPE. To indicate two or more adversary types, repeat the parameter once per type.

python meraki_lumu.py --api_key <meraki_api_key> --organization <meraki_organization_name> --network <meraki_network_name> --company_key <lumu_defender_api_key> --adversary-types Phishing --adversary-types Malware

In this example, the adversary types queried are Phishing and Malware.

Task: clean all configuration changes made by the integration in Meraki Dashboard

If you need to remove all the configuration changes made by previous executions of the integration, use the flag --clean as follows:

python meraki_lumu.py --api_key <meraki_api_key> --organization <meraki_organization_name> --network <meraki_network_name> --company_key <lumu_defender_api_key> --clean

The integration script deletes all the configuration it wrote in previous executions and preserves everything it did not write.
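The tasks above describe a fixed set of merge rules: IP indicators go into one layer 3 rule at the top of the list, hostnames and URLs go into Content filtering patterns, every run replaces what the previous run pushed, --days and --adversary-types narrow the incidents, and --clean removes only the integration's own objects while leaving other rules and patterns alone. The block below works those rules through on constructed data so they can be checked offline. It is an added example written for this article, not code from the Lumu package: the incident shape (status, adversaryTypes, adversaries, lastContact), the LUMU-IOC marker comment used to recognise the integration's rule, the locally remembered list of pushed patterns, and the sample rules and incidents are all assumptions; the layer 3 rule field names follow the Meraki Dashboard API v1 firewall rule objects.

```python
"""Merge semantics of the Meraki/Lumu integration, worked on constructed data (added example)."""
import ipaddress
from datetime import datetime, timedelta, timezone

LUMU_TAG = "LUMU-IOC"  # assumed comment the integration writes on its own L3 rule
ALL_TYPES = {"C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"}


def select_iocs(incidents, days=None, adversary_types=None, now=None):
    """Return (ips, urls) from open incidents: IP/CIDR adversaries feed the L3 rule,
    anything else (hostnames, URLs) feeds the Content filtering patterns."""
    now = now or datetime.now(timezone.utc)
    wanted = set(adversary_types or ALL_TYPES)
    cutoff = now - timedelta(days=days) if days is not None else None
    ips, urls = set(), set()
    for inc in incidents:
        if inc.get("status") != "open":
            continue
        if not wanted & set(inc.get("adversaryTypes", [])):
            continue
        if cutoff is not None:  # --days: keep only incidents contacted recently
            last = datetime.fromisoformat(inc["lastContact"].replace("Z", "+00:00"))
            if last < cutoff:
                continue
        for adversary in inc.get("adversaries", []):
            try:
                ips.add(str(ipaddress.ip_network(adversary, strict=False)))
            except ValueError:
                urls.add(adversary)  # not an IP/CIDR: a host or URL pattern
    return sorted(ips), sorted(urls)


def merge_l3_rules(existing_rules, ips):
    """Drop the rule written by the previous run (replaced, never merged) and put one
    fresh deny rule at the top; rules written by anyone else are kept as they are."""
    kept = [r for r in existing_rules if r.get("comment") != LUMU_TAG]
    if not ips:
        return kept
    lumu_rule = {
        "comment": LUMU_TAG, "policy": "deny", "protocol": "any",
        "srcCidr": "Any", "srcPort": "Any",
        "destCidr": ",".join(ips), "destPort": "Any", "syslogEnabled": True,
    }
    return [lumu_rule] + kept


def merge_url_patterns(existing_patterns, urls, previously_pushed):
    """Blocked URL patterns carry no comment field, so the integration has to remember
    what it pushed (assumed: a local state list) and remove exactly that set first."""
    ours = set(previously_pushed)
    others = [p for p in existing_patterns if p not in ours]
    return others + [u for u in urls if u not in others]


def clean(existing_rules, existing_patterns, previously_pushed):
    """--clean: everything the integration wrote goes, everything else stays."""
    return (merge_l3_rules(existing_rules, []),
            merge_url_patterns(existing_patterns, [], previously_pushed))


# Constructed sample data (not real Lumu incidents or Meraki rules); a fixed clock
# keeps the --days filter deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    {"status": "open", "adversaryTypes": ["C2C"], "adversaries": ["198.51.100.7"],
     "lastContact": "2024-04-30T08:00:00Z"},
    {"status": "open", "adversaryTypes": ["Phishing"],
     "adversaries": ["login.example.invalid", "203.0.113.0/24"],
     "lastContact": "2024-04-10T08:00:00Z"},
    {"status": "closed", "adversaryTypes": ["Malware"],
     "adversaries": ["closed.example.invalid"], "lastContact": "2024-04-30T08:00:00Z"},
]
EXISTING_RULES = [
    {"comment": LUMU_TAG, "policy": "deny", "protocol": "any", "srcCidr": "Any",
     "srcPort": "Any", "destCidr": "192.0.2.9/32", "destPort": "Any", "syslogEnabled": True},
    {"comment": "Admin allow", "policy": "allow", "protocol": "any", "srcCidr": "10.0.0.0/8",
     "srcPort": "Any", "destCidr": "Any", "destPort": "Any", "syslogEnabled": False},
]
EXISTING_PATTERNS = ["old.example.invalid", "corp-block.example"]
PREVIOUSLY_PUSHED = ["old.example.invalid"]  # what the last run pushed, per local state

if __name__ == "__main__":
    ips, urls = select_iocs(SAMPLE_INCIDENTS, now=NOW)
    print("L3 rules:", merge_l3_rules(EXISTING_RULES, ips))
    print("URL patterns:", merge_url_patterns(EXISTING_PATTERNS, urls, PREVIOUSLY_PUSHED))
    print("after --clean:", clean(EXISTING_RULES, EXISTING_PATTERNS, PREVIOUSLY_PUSHED))
```

Running it shows the closed incident contributing nothing, the previous run's 192.0.2.9 rule and old.example.invalid pattern disappearing, the admin's rule and the corp-block.example pattern surviving, and --days 7 dropping the April 10 phishing incident entirely.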

Task: save log output to file

By default, the execution log is printed to the console. Use the argument --logging file to store a record of all tasks run in the lumu.log file in the script root path.

python meraki_lumu.py --api_key <meraki_api_key> --organization <meraki_organization_name> --network <meraki_network_name> --company_key <lumu_defender_api_key> --logging file

This file is useful for scheduled tasks or processes running in the background. Figure 3 shows its contents; use it to check the execution progress.

Figure 3 - Lumu integration’s log file

Other tasks

The above samples can be combined according to your needs.

Expected results

After the integration's execution, the Firewall configuration page and the Content filtering page will be populated with a new L3 rule and a list of URL patterns.

Figure 4 - Meraki Firewall configuration page

Further considerations

To run the script periodically, consider implementing a Scheduled task in Windows or a cron job in Unix-based systems. We recommend that the scheduled job runs every 30 minutes.

To avoid race conditions, only one instance of the integration can run at a time. If another instance is already running, the second one terminates immediately.

Troubleshooting and known issues

To identify failures in the script execution, run it with the -v flag to get verbose output.

Another instance is running

If you receive the following error:

Error: Another instance is running. Quitting.

another instance may be running. To check this, open the pid.pid file in the integration's folder. This file stores the id of the integration's process while it is running. Search for this process in your system. The following pictures show the process in Windows and Linux.


Figure 5 - Check integration process - Windows

Figure 6 - Check integration process - Linux

If the previous validation indicates that another instance of the integration is running, check the progress of that execution in the integration's log, lumu.log.
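The manual check above (read pid.pid, look the process up in Task Manager or ps) can be scripted so the outcome is unambiguous, in particular the case the error message does not distinguish: a pid file left behind by a run that did not exit cleanly, whose process no longer exists. The block below is an added example written for this article, not part of the Lumu package. It takes only the file name pid.pid and the error text from the article; the status strings ("running", "stale", "no-pid-file", "unreadable") and the assumption that the file holds a single integer are mine.

```python
"""Decide whether the process recorded in pid.pid is still alive (added example)."""
import os
import sys
import tempfile


def read_pid_file(path):
    """Return the PID stored in path, None if the file is missing, -1 if it is not an integer."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except FileNotFoundError:
        return None
    except ValueError:
        return -1


def pid_is_alive(pid):
    """True if a process with this id exists on the local host (Windows and POSIX)."""
    if pid is None or pid <= 0:
        return False
    if sys.platform == "win32":
        import ctypes
        PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
        kernel32 = ctypes.windll.kernel32
        handle = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not handle:
            return False
        kernel32.CloseHandle(handle)
        return True
    try:
        os.kill(pid, 0)          # signal 0 performs only the existence/permission check
    except ProcessLookupError:
        return False
    except PermissionError:
        return True              # exists, but belongs to another user
    return True


def diagnose(pid_file):
    """Classify the pid file: no-pid-file, unreadable, running or stale."""
    pid = read_pid_file(pid_file)
    if pid is None:
        return "no-pid-file"     # nothing recorded: a new run should start normally
    if pid <= 0:
        return "unreadable"      # not an integer: inspect the file by hand
    return "running" if pid_is_alive(pid) else "stale"


def demo():
    """Exercise diagnose() on three constructed pid files in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "pid.pid")
        with open(live, "w") as fh:
            fh.write(str(os.getpid()))   # this very process: certainly running
        stale = os.path.join(tmp, "stale.pid")
        with open(stale, "w") as fh:
            fh.write("999999999")        # far above any real pid on this host
        missing = os.path.join(tmp, "missing.pid")
        return diagnose(live), diagnose(stale), diagnose(missing)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "pid.pid"
    print(f"{target}: {diagnose(target)}")
```

Run it from <meraki_lumu_root> (or pass the path to pid.pid as the first argument). "running" means a second instance really is active and lumu.log shows its progress; "stale" means no process with that id exists, so what blocks the run is the leftover pid file rather than a concurrent execution.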
