Cisco Meraki Monitoring

Updated Sep 27, 2023

Configure Cisco Meraki monitoring

Note: Only use this procedure when a Cisco Meraki device is not able to send syslog messages to a sensor or log collector. When possible, Configure a Cisco Meraki Firewall to send logs to Arctic Wolf.

Arctic Wolf® can use the Cisco Meraki® API to monitor Cisco Meraki logs and alert you about suspicious or malicious activity.

Sign in to the Cisco Meraki dashboard as a full-access administrator.

Tip: A full-access administrator has the Organization privilege on the Administrators page.
If you have multiple organizations, in the Organization list, select the organization you want to configure.
Click Organization > Configure > Settings.
In the Security section, if Limit Dashboard and Dashboard API access to these IP ranges or Limit Dashboard API access to these IP ranges is selected, ensure that the selected option contains the Arctic Wolf Cloud Services IP ranges.

Note: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Cloud Service Integrations.
In the Dashboard API access section, select the Enable access to the Cisco Meraki Dashboard API checkbox.
Click Save Changes.

Sign in to the Cisco Meraki dashboard as a full-access administrator.

Tip: A full-access administrator has the Organization privilege on the Administrators page.
If you have multiple organizations, in the Organization list, select the organization you want to add the user to.
Click Organization > Configure > Administrators.
Click Add admin.

The Create administrator dialog opens.
Enter the name and email of the user.
In the Organization access list, select Read-only.
Click Create admin.
Click Save Changes.
In the page footer, copy the numeric value of the Organization ID to a safe place, and provide it to Arctic Wolf in Provide cloud credentials to Arctic Wolf.

Note: The user added in Create a read-only user account must set up their account before generating an API key.

Sign in to the Cisco Meraki dashboard with the account created in Create a read-only user account.
From the profile menu, select My profile, and then click Generate new API key.

Note: The generated API key is associated with the user that generated the key and inherits the same permissions as that user.
Copy the generated API key to a safe place, and provide it to Arctic Wolf in Provide cloud credentials to Arctic Wolf.

Sign in to the Arctic Wolf Unified Portal.
In the menu bar, click Telemetry Management > Connected Accounts.
Click Add Account +.
On the Add Account page, from the Account Type list, select Cloud Detection and Response.
From the list of cloud services, select Cisco Meraki API.
On the Add Account page, complete these steps:
1. Account Name — Enter a unique and descriptive name for the account.
2. In the API Key field, paste the API key value from Generate an API key.
3. In the Org ID field, paste the organization ID from Create a read-only user account.
4. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
Click Test and Submit Credentials.

After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

You must repeat these steps for every organization you want Arctic Wolf to monitor.

Complete Configure API access for an organization.
Complete Create a read-only user account.

Note: Use the same user email for all organizations you want Arctic Wolf to monitor. The user must accept an invitation to each new organization they are added to.
Complete Provide cloud credentials to Arctic Wolf.

Note: Submit the previous API key and the new organization ID. You should always use the same API key in this step. The organization ID varies based on the organization.