The Meraki app for Splunk Phantom uses the Meraki dashboard API to locate end-user devices within one or more organizations, networks / devices, and to bind a configuration template to a specified network.
2. Meraki app for Splunk Phantom
Problem Statement
An investment management financial services company has increased its remote workers from 400 to 2,700 agents, supported primarily by the Cisco Meraki Z3 Cloud Managed Teleworker Gateway.

The firm requires stringent access controls on the devices connected to the gateway (only corporate IP phones and laptops are permitted). The security analysts must quarantine the teleworker if unauthorized devices are discovered on the teleworker gateway.

The Meraki app for Phantom Cyber was enhanced to include a 'bind network' function, allowing the security operations team to specify the target network and the name of the quarantine template to apply to the teleworker.
3. Features and functionality
By using the REST API of Splunk Phantom, security incidents (containers and artifacts) can be created and playbooks initiated programmatically, invoking the Meraki app functionality.
It is assumed the organization can identify the presence of unauthorized devices by way of log analysis or a distributed scan by a host PC agent. From these tools, the source MAC address and other supporting information are populated into a Common Event Format (CEF) record. The CEF data is part of the Phantom container and artifact generated by a program using the Phantom Ingest SDK.

After the container is created, Splunk Phantom invokes a playbook which executes the Meraki app. The first step is to locate the name of the network where the source MAC address is found. The second step is to bind a quarantine network template to that network.

The results of these operations are returned to Splunk Phantom and logged.

This workflow can execute without human intervention up to the point of end-user notification and remediation.
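The ingest and playbook steps above, as an added example in Python (not the Meraki app's or the Phantom Ingest SDK's own code). It assumes the Meraki dashboard API v0 paths /organizations, /organizations/{id}/networks, /networks/{id}/clients, /organizations/{id}/configTemplates and /networks/{id}/bind, and the Phantom REST resources /rest/container and /rest/artifact. The HTTP transport is injected and the dashboard data at the bottom is constructed (organization, network and template IDs and names are made up), so the module runs offline.

```python
"""Ingest-to-quarantine workflow: build the Phantom container/artifact
carrying the CEF sourceMacAddress, then locate the network and bind the
quarantine template. Added illustration, not the Meraki app's own code."""
import re


def normalize_mac(mac):
    """Return the MAC in lower-case colon form or raise ValueError.

    The MAC comes from the detection tool through an untrusted CEF field, so
    it is validated before it is compared with dashboard data."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", str(mac))
    if len(cleaned) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2)).lower()


def build_ingest_payloads(mac, tool_name, label="events"):
    """Bodies for POST /rest/container and POST /rest/artifact.

    The CEF key sourceMacAddress is the field the playbook reads back."""
    mac = normalize_mac(mac)
    container = {
        "name": "Unauthorized device %s on teleworker gateway" % mac,
        "label": label,
        "severity": "high",
        "source_data_identifier": "%s:%s" % (tool_name, mac),
    }
    artifact = {
        "name": "unauthorized device",
        "label": "event",
        "cef": {"sourceMacAddress": mac, "deviceVendor": tool_name},
        "run_automation": True,  # let Phantom start the playbook on ingest
    }
    return container, artifact


class MerakiDashboard:
    """Thin dashboard API wrapper; get(path) and post(path, body) are
    injected so a real HTTPS client or a fake can be used."""

    def __init__(self, get, post):
        self._get, self._post = get, post

    def locate_network(self, mac, timespan=86400):
        """Step 1: walk organizations -> networks -> clients until the MAC
        is seen within `timespan` seconds; return (org_id, network) or None."""
        mac = normalize_mac(mac)
        for org in self._get("/organizations"):
            for net in self._get("/organizations/%s/networks" % org["id"]):
                path = "/networks/%s/clients?timespan=%d" % (net["id"], timespan)
                if any(normalize_mac(c["mac"]) == mac for c in self._get(path)):
                    return org["id"], net
        return None

    def bind_template(self, org_id, network, template_name):
        """Step 2: resolve the template name inside the same organization
        and bind it. A missing or ambiguous name is an error, not a guess,
        because the bind replaces the network's configuration."""
        templates = self._get("/organizations/%s/configTemplates" % org_id)
        hits = [t for t in templates if t["name"] == template_name]
        if len(hits) != 1:
            raise LookupError("template %r matched %d templates"
                              % (template_name, len(hits)))
        body = {"configTemplateId": hits[0]["id"], "autoBind": False}
        return self._post("/networks/%s/bind" % network["id"], body)


def quarantine(dashboard, artifact, template_name):
    """The playbook body: read the MAC from the artifact, locate, bind."""
    mac = artifact["cef"]["sourceMacAddress"]
    hit = dashboard.locate_network(mac)
    if hit is None:
        return {"status": "not_found", "mac": mac}
    org_id, net = hit
    dashboard.bind_template(org_id, net, template_name)
    return {"status": "quarantined", "mac": mac,
            "network": net["name"], "template": template_name}


# Constructed sample dashboard data; IDs and names are made up.
FAKE_DASHBOARD = {
    "/organizations": [{"id": "1", "name": "example-org"}],
    "/organizations/1/networks": [{"id": "N_1", "name": "JOEL"},
                                  {"id": "N_2", "name": "HQ"}],
    "/networks/N_1/clients?timespan=86400": [{"mac": "AA-BB-CC-00-11-22"}],
    "/networks/N_2/clients?timespan=86400": [],
    "/organizations/1/configTemplates": [{"id": "L_9", "name": "QUARANTINE"}],
}
POSTED = []  # records what bind_template sent


def fake_get(path):
    return FAKE_DASHBOARD[path]


def fake_post(path, body):
    POSTED.append((path, body))
    return {"ok": True}


if __name__ == "__main__":
    dash = MerakiDashboard(fake_get, fake_post)
    _, art = build_ingest_payloads("aa:bb:cc:00:11:22", "hostscan")
    print(quarantine(dash, art, "QUARANTINE"))
```

Two points a practitioner should keep from this: the MAC address is supplied by the detection tool, not by Meraki, so it is normalized and validated before it drives any API call; and the template lookup refuses to proceed on a missing or duplicated template name, since binding rewrites the target network's configuration and the wrong template would mis-configure rather than quarantine the gateway.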
4. Resources
How Agile Is Your Managed SD-WAN Solution?
https://www.wwt.com/article/how-agile-is-your-managed-sd-wan-solution
Source code and app deployment tarball
https://github.com/joelwking/Phantom-Cyber/tree/master/meraki
Phantom Ingest SDK
https://github.com/joelwking/Phantom-Cyber/tree/master/REST_ingest
Video Clip
https://vimeo.com/423587585
The demonstration playbook locates the network name where the MAC address has been observed and passes the network name to the 'bind network' action to quarantine the gateway.
The MAC address has been located on the network ‘JOEL’ associated with device ‘Teleworker Z1’
24. Team Members
Joel W. King : Joel.King@wwt.com
Gene Geddes : Gene.Geddes@wwt.com
Rita Younger : Rita.Younger@wwt.com
Jeff Andiorio : Jeff.Andiorio@wwt.com
Tafsir Thiam : Tafsir.Thiam@wwt.com
Nick Thompson : Nick.Thompson@wwt.com