Classification:

attack

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the meraki integration.

Goal

Detect when intrustion detection system (IDS) alerts are created by the Meraki MX Security Appliance.

Strategy

The Cisco Meraki MX Security Appliance threat protection is comprised of the Sourcefire SNORT intrusion detection engine and anti-malware technology. Advanced malware prevention (AMP) inspects HTTP file downloads through the MX Security Appliance and blocks or allows file downloads based on threat intelligence retrieved from the AMP cloud. The intrusion detection engine monitors the network to detect malicious or anomalous behaviours, and then raises an alert. The security appliance can also be used as an Intrusion Prevention System (IPS) blocking malicious packets.

Note: This detection filters for IDS alerts.

Triage and response

1. Investigate the SNORT alert to determine if it is malicious or benign:
   • Have the malicious packets been blocked @blocked:true?
   • Are there other security signals related to the affected internal host?
   • Does the internal host run the affected technology specified in the SNORT alert.
2. If it is determined to be benign, consider including an attribute in a suppression list. See this article on Best practices for creating detection rules with Datadog Cloud SIEM for more information.
3. If it is determined to be malicious, begin your organization’s incident response process and investigate.