Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
title: 802.1X Deauthentication
description: Cisco Meraki detection for 802.1X deauthentication. Detects Meraki switch events where a device is deauthenticated from an 802.1X protected port.
tags:
- mitre.t1110
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.type: '*8021x_deauth*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0
level: info
taxonomy: tm-v1
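Review bot: mitre.t1110 (Brute Force) is a loose fit for a deauthentication event, which records a session ending rather than a credential guess; if the intent is to pair this with the failed-authentication rule that follows, say so in the description, otherwise pick a tag that reflects the port-security angle. The rule also carries no references entry pointing at the Meraki documentation for the 8021x_deauth event type and no falsepositives entry; if the tm-v1 taxonomy supports those fields, adding them here and in the sibling rules in this change would help whoever tunes them later.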
@@ -0,0 +1,16 @@
title: 802.1X Failed Authentication Attempt
description: Cisco Meraki detection for 802.1X failed authentication attempt. Detects Meraki wireless events where a client fails 802.1X/EAP authentication.
tags:
- mitre.t1110
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.type: '*8021x_eap_failure*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0
level: info
taxonomy: tm-v1
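Review bot: this fires on every single EAP failure matching *8021x_eap_failure*, which is routine noise from mistyped passwords and expired client certificates; for mitre.t1110 (Brute Force) the signal is the number of failures per client over a time window, not one event. Either state in the description that downstream correlation is expected to do the counting, or, if the tm-v1 taxonomy supports aggregation, add a threshold on the client identity.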
@@ -0,0 +1,16 @@
title: Blocked DHCP Server Response
description: Cisco Meraki detection for Blocked DHCP server response. Detects Meraki events where a DHCP server response is identified as rogue and blocked.
tags:
- mitre.t1557
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*Blocked DHCP server response*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: Destroying Phase 1 (IKE_SA) Tunnel
description: Cisco Meraki detection for Destroying Phase 1 (IKE_SA) tunnel. Detects Meraki MX VPN logs indicating Phase 1 (IKE_SA) tunnel teardown.
tags:
- mitre.t1572
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*deleting*'
string_condition_1:
vendorParsed.msg: '*IKE_SA*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: Destroying Phase 2 (CHILD_SA) Tunnel
description: Cisco Meraki detection for Destroying Phase 2 (CHILD_SA) tunnel. Detects Meraki MX VPN logs indicating Phase 2 (CHILD_SA) data tunnel teardown.
tags:
- mitre.t1572
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*closing*'
string_condition_1:
vendorParsed.msg: '*CHILD_SA*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: Establishing Phase 1 (IKE_SA) Tunnel
description: Cisco Meraki detection for Establishing Phase 1 (IKE_SA) tunnel. Detects Meraki MX VPN logs indicating Phase 1 (IKE_SA) tunnel establishment.
tags:
- mitre.t1572
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*IKE_SA*'
string_condition_1:
vendorParsed.msg: '*established*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: Establishing Phase 2 (CHILD_SA) Tunnel
description: Cisco Meraki detection for Establishing Phase 2 (CHILD_SA) tunnel. Detects Meraki MX VPN logs indicating Phase 2 (CHILD_SA) data tunnel establishment.
tags:
- mitre.t1572
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*CHILD_SA*'
string_condition_1:
vendorParsed.msg: '*established*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: File Retrospective Malicious Disposition
description: Cisco Meraki detection for File retrospective malicious disposition. Detects retrospective AMP disposition updates where a previously allowed file is later determined to be malicious.
tags:
- mitre.t1204
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.disposition: '*malicious*'
string_condition_1:
vendorParsed.action: '*allow*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
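Review bot: level: info undersells this rule. A file whose vendorParsed.action matched *allow* and that later carries a *malicious* disposition has already reached a host and needs follow-up, so it deserves a higher level than the companion rule for files AMP blocked outright, or at least a description sentence saying the level is deliberately kept at info. Separately, *allow* is a bare substring match, so it would also fire on any action value that merely contains those letters (a hypothetical "disallowed", for example); if the set of action values the parser emits is known, an exact value is safer.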
@@ -0,0 +1,18 @@
title: IDS Signature Matched (Blocked)
description: Cisco Meraki detection for IDS signature matched (blocked). Detects events from Meraki MX where an IDS/IPS signature is present and the traffic was blocked.
tags:
- mitre.t1190
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.decision: '*blocked*'
string_condition_1:
vendorParsed.signature|exists: true
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
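Review bot: the three IDS rules in this change (blocked, egress, ingress) overlap: if vendorParsed.direction is populated on blocked events, one blocked egress match raises both this rule and the egress rule. If the double alert is intentional, say so in the descriptions; otherwise fold decision and direction into a single rule carrying both fields, or have the direction rules exclude events whose decision is already blocked.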
@@ -0,0 +1,18 @@
title: IDS Signature Matched (Egress)
description: Cisco Meraki detection for IDS signature matched (egress). Detects IDS/IPS signature matches on egress traffic on Meraki MX.
tags:
- mitre.t1190
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.direction: '*egress*'
string_condition_1:
vendorParsed.signature|exists: true
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: IDS Signature Matched (Ingress)
description: Cisco Meraki detection for IDS signature matched (ingress). Detects IDS/IPS signature matches on ingress traffic on Meraki MX.
tags:
- mitre.t1190
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.direction: '*ingress*'
string_condition_1:
vendorParsed.signature|exists: true
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: IPsec-SA Established (Pre MX 15.12)
description: Cisco Meraki detection for IPsec-SA established (pre MX 15.12). Detects legacy IKEv1 Phase 2 (IPsec-SA) establishment events on Meraki MX firmware prior to 15.12.
tags:
- mitre.t1572
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*IPsec-SA*'
string_condition_1:
vendorParsed.msg: '*established*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: ISAKMP-SA Established (Pre MX 15.12)
description: Cisco Meraki detection for ISAKMP-SA established (pre MX 15.12). Detects legacy IKEv1 Phase 1 (ISAKMP-SA) establishment events on Meraki MX firmware prior to 15.12.
tags:
- mitre.t1572
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*ISAKMP-SA*'
string_condition_1:
vendorParsed.msg: '*established*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: L3 Firewall Rule Matched
description: Cisco Meraki detection for L3 firewall rule matched. Detects Meraki MX Layer 3 firewall rule match events (allow/deny).
tags:
- mitre.t1071
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.pattern: '*allow*'
string_condition_1:
vendorParsed.pattern: '*deny*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 or string_condition_1
level: info
taxonomy: tm-v1
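Review bot: the condition line "condition: productName and string_condition_0 or string_condition_1" has a precedence problem: under the usual Sigma rules "and" binds tighter than "or", so it reads as (productName and allow) or deny, and any event whose vendorParsed.pattern contains "deny" fires regardless of pname, bypassing the Meraki restriction that every other rule in this change enforces. Parenthesise it as "condition: productName and (string_condition_0 or string_condition_1)". Two smaller points: this matches every L3 allow and deny event the MX logs, which is a volume worth stating in the description, and mitre.t1071 (Application Layer Protocol) is a loose fit for a generic firewall rule match.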
@@ -0,0 +1,18 @@
title: Malicious File Blocked by AMP
description: Cisco Meraki detection for Malicious file blocked by AMP. Detects Meraki AMP events where a file is classified as malicious and blocked.
tags:
- mitre.t1204
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.disposition: '*malicious*'
string_condition_1:
vendorParsed.action: '*block*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,16 @@
title: Rogue SSID Detected
description: Cisco Meraki detection for Rogue SSID detected. Detects Meraki wireless events indicating an unauthorized/rogue SSID has been detected.
tags:
- mitre.t1557
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.type: '*rogue_ssid_detected*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0
level: info
taxonomy: tm-v1
@@ -0,0 +1,16 @@
title: SSID Spoofing Detected
description: Cisco Meraki detection for SSID spoofing detected. Detects Meraki wireless events where a device is broadcasting an organization SSID name without authorization.
tags:
- mitre.t1557
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.type: '*ssid_spoofing_detected*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: Spanning-tree Guard State Change
description: Cisco Meraki detection for Spanning-tree guard state change. Detects Meraki switch events where an unexpected STP BPDU triggers a guard state change/port block.
tags:
- mitre.t1498
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*STP BPDU*'
string_condition_1:
vendorParsed.msg: '*blocked*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,16 @@
title: VPN Connectivity Change
description: Cisco Meraki detection for VPN connectivity change. Detects Meraki MX events indicating a site-to-site VPN connectivity status change.
tags:
- mitre.t1572
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.type: '*vpn_connectivity_change*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: Virtual Router Collision
description: Cisco Meraki detection for Virtual router collision. Detects Meraki events indicating VRRP packets with incompatible or conflicting configuration (virtual router collision).
tags:
- mitre.t1557
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.msg: '*VRRP*'
string_condition_1:
vendorParsed.msg: '*incompatible configuration*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1
@@ -0,0 +1,18 @@
title: Wireless Packet Flood Detected
description: Cisco Meraki detection for Wireless packet flood detected. Detects Meraki wireless events consistent with packet flood/DoS activity.
tags:
- mitre.t1498
logsource:
category: THIRD_PARTY_LOG
product: Cisco
definition: THIRDPARTY_THIRDPARTY
detection:
string_condition_0:
vendorParsed.type: '*device_packet_flood*'
string_condition_1:
vendorParsed.state: '*start*'
productName:
pname: 'Meraki'
condition: productName and string_condition_0 and string_condition_1
level: info
taxonomy: tm-v1