An investment management financial services company has increased their remote workers from 400 to 2,700 agents supported primarily by the Cisco Meraki Z3 Cloud Managed Teleworker Gateway.
The firm requires stringent access controls of the devices (only corporate IP Phones and laptops) connected to the gateway. The security analyst(s) must quarantine the teleworker if unauthorized devices are discovered on the teleworker gateway.
What it does
The Meraki app for Splunk Phantom was enhanced to include a 'bind network' function, allowing the security operations team to specify the target network and the name of the quarantine template to apply to the teleworker.
How I built it
The Meraki app for Splunk Phantom uses the Meraki dashboard API to locate end-user devices within one or more organizations, networks / devices, and to bind a configuration template to a specified network. By using the REST API of Splunk Phantom, security incidents (containers and artifacts) can be created and playbooks are programmatically initiated invoking the Meraki app functionality.
It is assumed the organization can identify the presence of unauthorized devices by way of log analysis or a host PC agent distributed scan. From these tools, the source MAC address and other supporting information are populated into a Common Event Format (CEF) record. The CEF data is part of the Phantom container and artifact generated by a program using the Phantom Ingest SDK.
Splunk Phantom will invoke a playbook which executes the Meraki app after the container is created on Phantom. The first step is to locate the name of the network where the source MAC address is found. The second step is to bind a quarantine network template to the targeted network name. The results of these operations are returned to Phantom and logged. This workflow can execute without human intervention to the point of end-user notification and remediation.
Challenges I ran into
Network with types camera cannot be bound to templates.
Accomplishments that I'm proud of
The quarantine template can be applied without human intervention.
What I learned
The Splunk Phantom instance is deployed as an AWS instance, this app demonstrates integration of cloud managed services.
What's next for Meraki app for Splunk Phantom
Deployment by the WWT Meraki managed services team.