TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: API Log Source
ENVIRONMENT: Cisco Meraki Cloud
SUMMARY: Configuration Guide for Meraki Cloud Log Ingestion
Vendor Information
| Vendor | Cisco |
|---|---|
| Supported Model Name/Number | Meraki Cloud |
| Supported License Version(s) | Advanced Security |
| Collection Method | REST API |
| Query Syntax: event.provider | MerakiCloud |
| Additional Information | Currently Huntress SIEM can only ingest data from MX appliances via the Cisco Meraki Cloud integration. Switch and AP data cannot be ingested by this method. |
Device Configuration Checklist
- Log in to the Meraki Cloud Administrator Portal.
- Obtain an API Key. It's highly recommended that you use a dedicated service account for this, so that the API key is associated with an existing account.
  Please be aware that changing or removing permissions on the account associated with the Meraki API key can invalidate that key. If you're seeing 500 errors in Huntress, that means the API key is invalid or does not have sufficient permissions.
- In the Huntress Console (from the Account-Level Dashboard), navigate to SIEM -> Source Management.
- The Cisco Meraki Cloud Source option is not available at the Organization-Level because you are asked to map the Huntress equivalent organization later in the setup.
- Select the "Categories" tab below the Source Management header.
- Select View Details on the Meraki Cloud source card.
- Select the green +Add button to create a new Meraki Cloud configuration.
- Enter the details of the configuration as needed, including the API key obtained in the first two steps.
- Select the correct Base URI for your Meraki instance.
- Save the configuration.
- After saving, you'll be directed to the Configure page where you will need to map the organizations between Cisco Meraki Cloud and Huntress. For each Meraki Cloud Organization, select a Huntress equivalent organization from the dropdown.
- Once the organizations have been mapped, the Meraki Cloud configuration page will show the mapped log sources. Clicking on a source organization will bring you to a query page with the relevant logs.
Troubleshooting
If your Meraki org uses API IP allowlisting or strict firewall rules
In most environments, you do not need to allowlist specific Huntress IP addresses for the Cisco Meraki Cloud integration to work.
However, if your Meraki organization has API access restricted by source IP (for example, via “API IP allowlisting” or similar firewall controls), Huntress’ API calls to Meraki may be blocked. Symptoms can include:
- The Meraki Cloud source staying in Connecting or Inactive
- 403 “forbidden” responses in the Meraki API logs for Huntress requests
In those cases, you must allowlist the Huntress egress IPs used for PSA and API-based SIEM sources (including Meraki Cloud). Those IPs are documented here.
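A pre-flight check for the API key before it is entered in Huntress, as an added example that is not Huntress or Cisco code: it lists the organizations the key can see through the Meraki Dashboard API v1 `GET /organizations` endpoint and classifies the response. The function names, the `MERAKI_API_KEY` environment variable, the default base URI and the status-code interpretations for 401 and unexpected responses are assumptions of this example. A 403 seen here reflects the source IP of the machine running the check, not the Huntress egress IPs.

```python
import json
import urllib.error
import urllib.request

# Default Dashboard API base; use the Base URI that matches your Meraki instance.
DEFAULT_BASE_URI = "https://api.meraki.com/api/v1"


def fetch_organizations(base_uri, api_key, timeout=15):
    """GET {base_uri}/organizations and return (http_status, parsed_json_or_None)."""
    request = urllib.request.Request(
        base_uri.rstrip("/") + "/organizations",
        headers={"Authorization": "Bearer " + api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as error:
        return error.code, None


def preflight(api_key, base_uri=DEFAULT_BASE_URI, transport=fetch_organizations):
    """Classify the organization listing; `transport` is injectable for offline use."""
    status, body = transport(base_uri, api_key)
    result = {"ok": False, "status": status, "reason": "", "organizations": []}
    if status == 401:
        result["reason"] = "key rejected by Meraki: invalid or revoked"
    elif status == 403:
        result["reason"] = "forbidden: check source-IP restrictions on API access"
    elif status != 200 or not isinstance(body, list):
        result["reason"] = "unexpected response: re-check the Base URI"
    elif not body:
        result["reason"] = "key accepted but it sees no organizations to map"
    else:
        result["ok"] = True
        result["reason"] = "key accepted"
        # Assumption: each entry carries "id", "name" and an "api" object
        # with an "enabled" flag, as in Dashboard API v1 responses.
        result["organizations"] = [
            {"id": org.get("id"), "name": org.get("name"),
             "api_enabled": (org.get("api") or {}).get("enabled")}
            for org in body
        ]
    return result


if __name__ == "__main__":
    import os
    print(json.dumps(preflight(os.environ["MERAKI_API_KEY"]), indent=2))
```

The organization names it prints are the ones you should expect to see on the Huntress Configure page when mapping organizations.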