Cisco Meraki organization appliance security IDS events

meraki

Classification:

attack

Set up the meraki integration.


Goal

Detect when intrusion detection system (IDS) alerts are created by the Meraki MX Security Appliance.

Strategy

The Cisco Meraki MX Security Appliance threat protection comprises the Sourcefire SNORT intrusion detection engine and anti-malware technology. Advanced Malware Protection (AMP) inspects HTTP file downloads passing through the MX Security Appliance and blocks or allows each download based on threat intelligence retrieved from the AMP cloud. The intrusion detection engine monitors network traffic for malicious or anomalous behaviour and raises an alert when it finds some. The security appliance can also operate as an Intrusion Prevention System (IPS), blocking the malicious packets rather than only alerting on them.

Note: This detection filters for IDS alerts.

Triage and response

  1. Investigate the SNORT alert to determine if it is malicious or benign:
    • Have the malicious packets been blocked by the appliance (@blocked:true)?
    • Are there other security signals related to the affected internal host?
    • Does the internal host run the technology targeted by the SNORT signature?
  2. If it is determined to be benign, consider including an attribute in a suppression list. See this article on Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If it is determined to be malicious, begin your organization’s incident response process and investigate.
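The filter in this rule (keep IDS alerts, drop AMP file-scan events) and the triage questions above, run over a few constructed events, as an added example that is not part of the Datadog page or the Meraki integration. The event field names (eventType, signature, priority, blocked, srcIp, destIp, message) are assumptions modelled on the Meraki appliance security events payload, and the sample events and signature IDs are constructed.

```python
"""Added example: apply the rule's IDS filter and the triage checklist to
constructed Meraki appliance security events (field names are assumed)."""

# Constructed sample events; signature IDs use the local-rule SID range and
# are not real Snort/ET signatures.
SAMPLE_EVENTS = [
    {"eventType": "IDS Alert", "signature": "1:1000001:1", "priority": "2",
     "blocked": True, "srcIp": "203.0.113.7", "destIp": "10.0.0.25",
     "message": "CONSTRUCTED exploit attempt against web server"},
    {"eventType": "IDS Alert", "signature": "1:1000002:1", "priority": "3",
     "blocked": False, "srcIp": "10.0.0.40", "destIp": "198.51.100.4",
     "message": "CONSTRUCTED policy violation, benign scanner traffic"},
    {"eventType": "IDS Alert", "signature": "1:1000003:1", "priority": "1",
     "blocked": False, "srcIp": "198.51.100.9", "destIp": "10.0.0.12",
     "message": "CONSTRUCTED command and control beacon"},
    {"eventType": "File Scanned", "fileHash": "CONSTRUCTED_HASH",
     "disposition": "Clean", "clientIp": "10.0.0.12"},
]


def is_ids_alert(event: dict) -> bool:
    """Mirror the rule's filter: only IDS alerts, not AMP file-scan events."""
    return event.get("eventType") == "IDS Alert"


def triage(event: dict, suppressed: frozenset = frozenset()) -> str:
    """Walk the triage questions in order.

    1. A signature already judged benign sits in the suppression list.
    2. Otherwise, was the traffic blocked by the appliance (@blocked:true)?
       Blocked traffic still warrants a look at the internal host; unblocked
       traffic goes to incident response.
    """
    if event["signature"] in suppressed:
        return "suppressed"
    if event.get("blocked") is True:
        return "blocked: review host and related signals"
    return "not blocked: escalate to incident response"


def run_detection(events: list, suppressed: frozenset = frozenset()) -> list:
    """Return (signature, verdict) pairs for IDS alerts, most urgent first.

    Snort priority 1 is the most severe, and unblocked alerts outrank
    blocked ones at the same priority.
    """
    alerts = [e for e in events if is_ids_alert(e)]
    alerts.sort(key=lambda e: (int(e["priority"]), e.get("blocked") is True))
    return [(e["signature"], triage(e, suppressed)) for e in alerts]
```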