diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/802.1X Deauthentication.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/802.1X Deauthentication.yaml
new file mode 100644
index 0000000..77753da
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/802.1X Deauthentication.yaml
@@ -0,0 +1,16 @@
+title: 802.1X Deauthentication
+description: Cisco Meraki detection for 802.1X deauthentication. Detects Meraki switch events where a device is deauthenticated from an 802.1X protected port.
+tags:
+ - mitre.t1110
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.type: '*8021x_deauth*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/802.1X Failed Authentication Attempt.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/802.1X Failed Authentication Attempt.yaml
new file mode 100644
index 0000000..eff248a
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/802.1X Failed Authentication Attempt.yaml
@@ -0,0 +1,16 @@
+title: 802.1X Failed Authentication Attempt
+description: Cisco Meraki detection for 802.1X failed authentication attempt. Detects Meraki wireless events where a client fails 802.1X/EAP authentication.
+tags:
+ - mitre.t1110
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.type: '*8021x_eap_failure*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Blocked DHCP Server Response.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Blocked DHCP Server Response.yaml
new file mode 100644
index 0000000..39daa0d
--- /dev/null
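Review bot: The rule carries no `id`, `status`, `date`, `author`, `references` or `falsepositives` keys, only `title`, `description`, `tags`, `logsource`, `detection`, `level` and `taxonomy`, and every other rule in this commit (the second hunk on this line and all hunks on the following lines) has the same shape. A stable `id` is what Sigma tooling and downstream content pipelines key de-duplication and updates on, so a later title rename silently creates a second rule, and a `falsepositives` list is the first thing a tuning analyst looks for. Suggested minimal addition under `title:`: `id: <generated-uuid-placeholder>`, `status: experimental`, and for this rule a `falsepositives:` list such as `- Legitimate client roaming or administrative port reconfiguration`. The `mitre.t1110` (brute force) tag also reads as a mismatch for a deauthentication event, which is a session teardown rather than a credential guess, unless it is meant to pair with the failed-authentication rule. I cannot tell from the diff whether the tm-v1 taxonomy requires or forbids these keys, so confirm against the schema the loader enforces.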
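Review bot: The rule fires on every single `8021x_eap_failure` event while its only tag is `mitre.t1110` (brute force), so one mistyped password produces the same per-event alert as a password-spraying run and nothing in the rule distinguishes them. A single failure is not evidence of brute force; either state in `description` that this is a building-block rule meant to feed a correlation or threshold rule, or add a `falsepositives:` entry such as `- Users entering an incorrect password or a stale saved credential` so triage knows the expected noise. Whether the tm-v1 pipeline supports Sigma correlation rules is not visible here.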
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Blocked DHCP Server Response.yaml
@@ -0,0 +1,16 @@
+title: Blocked DHCP Server Response
+description: Cisco Meraki detection for Blocked DHCP server response. Detects Meraki events where a DHCP server response is identified as rogue and blocked.
+tags:
+ - mitre.t1557
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*Blocked DHCP server response*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Destroying Phase 1 (IKE_SA) Tunnel.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Destroying Phase 1 (IKE_SA) Tunnel.yaml
new file mode 100644
index 0000000..54f1a38
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Destroying Phase 1 (IKE_SA) Tunnel.yaml
@@ -0,0 +1,18 @@
+title: Destroying Phase 1 (IKE_SA) Tunnel
+description: Cisco Meraki detection for Destroying Phase 1 (IKE_SA) tunnel. Detects Meraki MX VPN logs indicating Phase 1 (IKE_SA) tunnel teardown.
+tags:
+ - mitre.t1572
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*deleting*'
+ string_condition_1:
+ vendorParsed.msg: '*IKE_SA*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Destroying Phase 2 (CHILD_SA) Tunnel.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Destroying Phase 2 (CHILD_SA) Tunnel.yaml
new file mode 100644
index 0000000..85bea3c
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Destroying Phase 2 (CHILD_SA) Tunnel.yaml
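Review bot: Two selections on the same field, `string_condition_0` with `vendorParsed.msg: '*deleting*'` and `string_condition_1` with `vendorParsed.msg: '*IKE_SA*'`, ANDed in `condition`, is the long form of what the `|all` modifier expresses in one selection: `vendorParsed.msg|all: ['*deleting*', '*IKE_SA*']` with `condition: productName and string_condition_0`. The same two-selection pattern is used by the Phase 2 teardown, both Establishing rules, the IPsec-SA and ISAKMP-SA rules, Spanning-tree Guard State Change and Virtual Router Collision on later lines, so the shorter form would halve the detection blocks across the set. This is a readability point only if the tm-v1 backend honours `|all`; if it does not, a comment saying so above the first `string_condition_1:` would stop the next reviewer raising it again.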
@@ -0,0 +1,18 @@
+title: Destroying Phase 2 (CHILD_SA) Tunnel
+description: Cisco Meraki detection for Destroying Phase 2 (CHILD_SA) tunnel. Detects Meraki MX VPN logs indicating Phase 2 (CHILD_SA) data tunnel teardown.
+tags:
+ - mitre.t1572
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*closing*'
+ string_condition_1:
+ vendorParsed.msg: '*CHILD_SA*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Establishing Phase 1 (IKE_SA) Tunnel.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Establishing Phase 1 (IKE_SA) Tunnel.yaml
new file mode 100644
index 0000000..216ec1a
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Establishing Phase 1 (IKE_SA) Tunnel.yaml
@@ -0,0 +1,18 @@
+title: Establishing Phase 1 (IKE_SA) Tunnel
+description: Cisco Meraki detection for Establishing Phase 1 (IKE_SA) tunnel. Detects Meraki MX VPN logs indicating Phase 1 (IKE_SA) tunnel establishment.
+tags:
+ - mitre.t1572
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*IKE_SA*'
+ string_condition_1:
+ vendorParsed.msg: '*established*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Establishing Phase 2 (CHILD_SA) Tunnel.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Establishing Phase 2 (CHILD_SA) Tunnel.yaml
new file mode 100644
index 0000000..7f41be6
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Establishing Phase 2 (CHILD_SA) Tunnel.yaml
@@ -0,0 +1,18 @@
+title: Establishing Phase 2 (CHILD_SA) Tunnel
+description: Cisco Meraki detection for Establishing Phase 2 (CHILD_SA) tunnel. Detects Meraki MX VPN logs indicating Phase 2 (CHILD_SA) data tunnel establishment.
+tags:
+ - mitre.t1572
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*CHILD_SA*'
+ string_condition_1:
+ vendorParsed.msg: '*established*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/File Retrospective Malicious Disposition.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/File Retrospective Malicious Disposition.yaml
new file mode 100644
index 0000000..57adfe5
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/File Retrospective Malicious Disposition.yaml
@@ -0,0 +1,18 @@
+title: File Retrospective Malicious Disposition
+description: Cisco Meraki detection for File retrospective malicious disposition. Detects retrospective AMP disposition updates where a previously allowed file is later determined to be malicious.
+tags:
+ - mitre.t1204
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.disposition: '*malicious*'
+ string_condition_1:
+ vendorParsed.action: '*allow*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Blocked).yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Blocked).yaml
new file mode 100644
index 0000000..d9b44c5
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Blocked).yaml
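Review bot: `level: info` undersells what this rule matches: `vendorParsed.disposition` containing `malicious` together with `vendorParsed.action` containing `allow` is a file that was already delivered and has since been reclassified, which is the one AMP event that needs a human to go and find the file. The same `level: info` is used by `Malicious File Blocked by AMP`, `IDS Signature Matched (Blocked)`, `Rogue SSID Detected`, `SSID Spoofing Detected` and `Blocked DHCP Server Response` on later lines, so the level carries no signal across the set. If the tm-v1 taxonomy accepts the other Sigma levels I would set this rule to `level: high` and the blocked-by-control rules to `level: low` or `medium`; if `info` is the only accepted value, saying so in `description` would save the next reviewer the question. It is also worth confirming that the retrospective update is the only Meraki AMP event carrying `action: allow` alongside `disposition: malicious`, otherwise the original allowed delivery would match as well.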
@@ -0,0 +1,18 @@
+title: IDS Signature Matched (Blocked)
+description: Cisco Meraki detection for IDS signature matched (blocked). Detects events from Meraki MX where an IDS/IPS signature is present and the traffic was blocked.
+tags:
+ - mitre.t1190
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.decision: '*blocked*'
+ string_condition_1:
+ vendorParsed.signature|exists: true
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Egress).yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Egress).yaml
new file mode 100644
index 0000000..1ea21ea
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Egress).yaml
@@ -0,0 +1,18 @@
+title: IDS Signature Matched (Egress)
+description: Cisco Meraki detection for IDS signature matched (egress). Detects IDS/IPS signature matches on egress traffic on Meraki MX.
+tags:
+ - mitre.t1190
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.direction: '*egress*'
+ string_condition_1:
+ vendorParsed.signature|exists: true
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Ingress).yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Ingress).yaml
new file mode 100644
index 0000000..27fb6b9
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IDS Signature Matched (Ingress).yaml
@@ -0,0 +1,18 @@
+title: IDS Signature Matched (Ingress)
+description: Cisco Meraki detection for IDS signature matched (ingress). Detects IDS/IPS signature matches on ingress traffic on Meraki MX.
+tags:
+ - mitre.t1190
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.direction: '*ingress*'
+ string_condition_1:
+ vendorParsed.signature|exists: true
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IPsec-SA Established (Pre MX 15.12).yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IPsec-SA Established (Pre MX 15.12).yaml
new file mode 100644
index 0000000..d084431
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/IPsec-SA Established (Pre MX 15.12).yaml
@@ -0,0 +1,18 @@
+title: IPsec-SA Established (Pre MX 15.12)
+description: Cisco Meraki detection for IPsec-SA established (pre MX 15.12). Detects legacy IKEv1 Phase 2 (IPsec-SA) establishment events on Meraki MX firmware prior to 15.12.
+tags:
+ - mitre.t1572
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*IPsec-SA*'
+ string_condition_1:
+ vendorParsed.msg: '*established*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/ISAKMP-SA Established (Pre MX 15.12).yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/ISAKMP-SA Established (Pre MX 15.12).yaml
new file mode 100644
index 0000000..07f83fe
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/ISAKMP-SA Established (Pre MX 15.12).yaml
@@ -0,0 +1,18 @@
+title: ISAKMP-SA Established (Pre MX 15.12)
+description: Cisco Meraki detection for ISAKMP-SA established (pre MX 15.12). Detects legacy IKEv1 Phase 1 (ISAKMP-SA) establishment events on Meraki MX firmware prior to 15.12.
+tags:
+ - mitre.t1572
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*ISAKMP-SA*'
+ string_condition_1:
+ vendorParsed.msg: '*established*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/L3 Firewall Rule Matched.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/L3 Firewall Rule Matched.yaml
new file mode 100644
index 0000000..322c625
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/L3 Firewall Rule Matched.yaml
@@ -0,0 +1,18 @@
+title: L3 Firewall Rule Matched
+description: Cisco Meraki detection for L3 firewall rule matched. Detects Meraki MX Layer 3 firewall rule match events (allow/deny).
+tags:
+ - mitre.t1071
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.pattern: '*allow*'
+ string_condition_1:
+ vendorParsed.pattern: '*deny*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 or string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Malicious File Blocked by AMP.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Malicious File Blocked by AMP.yaml
new file mode 100644
index 0000000..a3856c4
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Malicious File Blocked by AMP.yaml
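Review bot: `condition: productName and string_condition_0 or string_condition_1` in the L3 Firewall Rule Matched hunk parses as `(productName and string_condition_0) or string_condition_1`, because Sigma gives `and` precedence over `or`, so any THIRD_PARTY_LOG event whose `vendorParsed.pattern` contains `deny` matches regardless of vendor and the Meraki scoping only applies to the `allow` branch. Write the intent explicitly, `condition: productName and (string_condition_0 or string_condition_1)`, or collapse the two selections into one list-valued selection, `vendorParsed.pattern: ['*allow*', '*deny*']`, which ORs the values and keeps the simpler `condition: productName and string_condition_0` used by the rest of the set. This is also the broadest rule in the commit, every L3 rule hit in either direction, so a `falsepositives:` entry noting that allow logging is expected volume seems warranted, though whether the feed includes allow events by default is not visible here.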
@@ -0,0 +1,18 @@
+title: Malicious File Blocked by AMP
+description: Cisco Meraki detection for Malicious file blocked by AMP. Detects Meraki AMP events where a file is classified as malicious and blocked.
+tags:
+ - mitre.t1204
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.disposition: '*malicious*'
+ string_condition_1:
+ vendorParsed.action: '*block*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Rogue SSID Detected.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Rogue SSID Detected.yaml
new file mode 100644
index 0000000..7ba8a56
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Rogue SSID Detected.yaml
@@ -0,0 +1,16 @@
+title: Rogue SSID Detected
+description: Cisco Meraki detection for Rogue SSID detected. Detects Meraki wireless events indicating an unauthorized/rogue SSID has been detected.
+tags:
+ - mitre.t1557
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.type: '*rogue_ssid_detected*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/SSID Spoofing Detected.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/SSID Spoofing Detected.yaml
new file mode 100644
index 0000000..13fb875
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/SSID Spoofing Detected.yaml
@@ -0,0 +1,16 @@
+title: SSID Spoofing Detected
+description: Cisco Meraki detection for SSID spoofing detected. Detects Meraki wireless events where a device is broadcasting an organization SSID name without authorization.
+tags:
+ - mitre.t1557
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.type: '*ssid_spoofing_detected*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Spanning-tree Guard State Change.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Spanning-tree Guard State Change.yaml
new file mode 100644
index 0000000..6656ffb
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Spanning-tree Guard State Change.yaml
@@ -0,0 +1,18 @@
+title: Spanning-tree Guard State Change
+description: Cisco Meraki detection for Spanning-tree guard state change. Detects Meraki switch events where an unexpected STP BPDU triggers a guard state change/port block.
+tags:
+ - mitre.t1498
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*STP BPDU*'
+ string_condition_1:
+ vendorParsed.msg: '*blocked*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/VPN Connectivity Change.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/VPN Connectivity Change.yaml
new file mode 100644
index 0000000..67f41f3
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/VPN Connectivity Change.yaml
@@ -0,0 +1,16 @@
+title: VPN Connectivity Change
+description: Cisco Meraki detection for VPN connectivity change. Detects Meraki MX events indicating a site-to-site VPN connectivity status change.
+tags:
+ - mitre.t1572
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.type: '*vpn_connectivity_change*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Virtual Router Collision.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Virtual Router Collision.yaml
new file mode 100644
index 0000000..10aec5e
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Virtual Router Collision.yaml
@@ -0,0 +1,18 @@
+title: Virtual Router Collision
+description: Cisco Meraki detection for Virtual router collision. Detects Meraki events indicating VRRP packets with incompatible or conflicting configuration (virtual router collision).
+tags:
+ - mitre.t1557
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.msg: '*VRRP*'
+ string_condition_1:
+ vendorParsed.msg: '*incompatible configuration*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Wireless Packet Flood Detected.yaml b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Wireless Packet Flood Detected.yaml
new file mode 100644
index 0000000..1147c69
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Cisco/Meraki/Wireless Packet Flood Detected.yaml
@@ -0,0 +1,18 @@
+title: Wireless Packet Flood Detected
+description: Cisco Meraki detection for Wireless packet flood detected. Detects Meraki wireless events consistent with packet flood/DoS activity.
+tags:
+ - mitre.t1498
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Cisco
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed.type: '*device_packet_flood*'
+ string_condition_1:
+ vendorParsed.state: '*start*'
+ productName:
+ pname: 'Meraki'
+ condition: productName and string_condition_0 and string_condition_1
+level: info
+taxonomy: tm-v1