Set up Device Security and XSOAR for Cisco Meraki Cloud

Set up Device Security and Cortex XSOAR to integrate with Cisco Meraki Cloud.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  • Device Security X subscription
One of the following Cortex XSOAR setups:
  • A free, cohosted, limited-featured Cortex XSOAR instance
  • A full-featured Cortex XSOAR server
To set up Device Security to integrate through Cortex XSOAR with Cisco Meraki Cloud, you must configure Cortex XSOAR with a Meraki Cloud integration instance and jobs to periodically collect data from Cisco Meraki Cloud.
By default, Cortex XSOAR requests data about all the organizations with which the Meraki user who generated the API key is associated. However, if you want Cortex XSOAR to request data from specific networks, or to filter clients by SSID, you can specify these in the Cortex XSOAR instance configuration.
  1. Log in to Device Security and from there access Cisco Meraki Cloud settings in Cortex XSOAR.
    1. Log in to Device Security and then click Integrations > Integration Management > Manage Integrations.
    2. Device Security uses Cortex XSOAR to integrate with Cisco Meraki Cloud, and the settings you must configure to integrate with it are in the Cortex XSOAR interface. To access these settings, click Launch Cortex XSOAR.
      The Cortex XSOAR interface opens in a new browser window.
    3. Click Settings in the left navigation menu and search for Cisco Meraki Cloud to locate it among other instances.
  2. Configure the Cisco Meraki Cloud integration instance.
    1. Click Add instance to open the settings panel.
    2. Enter the following and leave the other settings as they are:
      Name: Use the default name of the instance or enter a new one.
      Server URL: For all regions except China, use the default URL: https://api.meraki.com. For deployments in China, replace the default entry with: https://api.meraki.cn.
      API Key: Enter the API key you previously copied from the Meraki Cloud dashboard and saved.
      Learn Wired Clients: Select to import wired client devices. Enabled by default.
      Learn Wireless Clients: Select to import wireless client devices. Enabled by default.
      Learn Network Devices: Select to import Meraki network devices, such as switches and access points. Enabled by default.
      Include Only Online Clients: Select to import only clients that are currently online. By default, this is unselected and Cortex XSOAR imports all clients seen within the configured time span.
      Optional Networks: If you want to retrieve clients only from specific networks, specify the networks here. To specify multiple networks, separate each one with a comma.
      Optional Time Span: The time span for which Cortex XSOAR queries for client information. The maximum time span that you can set is 30 days. The default time span is 7 days.
      Optional SSIDs To Include: To limit the client import to specific SSIDs, enter the SSID names separated by commas. When empty, clients from all SSIDs are imported.
      Optional SSIDs To Exclude: To exclude clients from specific SSIDs, enter the SSID names separated by commas. When empty, clients from all SSIDs are imported.
    3. When finished, click Test.
      If the test is successful, a Success message appears. If not, check that the settings were entered correctly and then test the configuration again.
    4. After the test succeeds, click Done to save your changes, close the settings panel, and activate the instance.
  3. Create jobs for Cortex XSOAR to import data from Cisco Meraki Cloud into Device Security.
    Device Security updates attributes for devices that are in its database and whose MAC addresses match those returned by Cisco Meraki Cloud. Also, if Device Security learns about devices that aren’t yet in its database, it creates new database entries for them and uses their MAC addresses as device identifiers. Any reported devices without MAC addresses are rejected.
    You must create a separate job for each playbook. Repeat the following steps for each playbook you want to configure.
    1. Click New Job at the top of the Jobs page.
    2. In the New Job panel that appears, enter the following and leave the other settings at their default values:
      Recurring: Select this if you want to periodically poll Cisco Meraki Cloud for data.
      Every: Enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days on which to run the job. (If you don’t select any days, the job runs every day.)
      Name: Enter a name for the job.
      Playbook: Select the playbook depending on the type of job you’re configuring:
      • Import Cisco Meraki Assets to PANW IoT — Import wired and wireless client device data from Cisco Meraki Cloud.
      • Import Cisco Meraki Networks to PANW IoT — Import network attributes and VLAN information from Cisco Meraki Cloud into Device Security.
      Integration Instance Name: Paste the Cisco Meraki Cloud instance name you previously copied.
    3. Click Create new job.
      The job appears in the Jobs list.
  4. Enable the job and run it.
    1. Check the Job Status for the job you created. If it’s Disabled, select its check box and then click Enable.
    2. After you enable it, keep the check box selected and click Run now. The Run Status changes from Idle to Running.
      XSOAR begins querying Cisco Meraki Cloud for data about the devices in the networks in each organization. After this initial run, the job will run periodically at the defined interval.
  5. When done, return to Device Security and check the status of the Cisco Meraki Cloud integration.
    An integration instance can be in one of the following four states, which Device Security displays in the Status column on the Integrations page:
    • Disabled means that either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
    • Error means that the integration was configured and enabled but is not functioning properly, possibly due to a configuration error or network condition.
    • Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
    • Active means that the integration was configured and enabled and is functioning properly.
    When you see that its status is Active, the setup is complete. At the defined interval, Cortex XSOAR queries Cisco Meraki Cloud for data about the devices in the networks. It then forwards the device data to Device Security for display on the Devices and Device Details pages.
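A pre-flight review of the step 2 instance settings, added here as an example and not Palo Alto Networks or Cortex XSOAR code: it checks a dict of intended values against the limits stated above (documented server URLs, 30-day maximum time span) and flags the default scope of the API key. The dict keys, the function names, the 1-day lower bound and the handling of an SSID that appears in both lists are assumptions.

```python
from urllib.parse import urlsplit

# Values taken from the settings described in step 2 of the page.
ALLOWED_SERVER_URLS = {"https://api.meraki.com", "https://api.meraki.cn"}
DEFAULT_TIME_SPAN_DAYS = 7
MAX_TIME_SPAN_DAYS = 30


def split_csv(value):
    """Split a comma-separated field into trimmed, non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def review_instance_settings(settings):
    """Return (errors, warnings) for a dict keyed by hypothetical field labels."""
    errors, warnings = [], []

    # The API key is sent to whatever host is entered here, so allow-list it.
    url = settings.get("Server URL", "https://api.meraki.com").rstrip("/")
    if url not in ALLOWED_SERVER_URLS:
        scheme = urlsplit(url).scheme
        reason = "not HTTPS" if scheme != "https" else "not a documented Meraki endpoint"
        errors.append(f"Server URL {url!r} is {reason}; the API key would be sent there")

    # Maximum of 30 days is from the page; the 1-day minimum is an assumption.
    span = settings.get("Time Span", DEFAULT_TIME_SPAN_DAYS)
    if not isinstance(span, int) or not 1 <= span <= MAX_TIME_SPAN_DAYS:
        errors.append(f"Time Span must be 1-{MAX_TIME_SPAN_DAYS} days, got {span!r}")

    # The page does not define precedence when an SSID is in both lists,
    # so this review treats the overlap as an error (assumption).
    include = set(split_csv(settings.get("SSIDs To Include")))
    exclude = set(split_csv(settings.get("SSIDs To Exclude")))
    overlap = sorted(include & exclude)
    if overlap:
        errors.append(f"SSIDs listed in both include and exclude: {overlap}")

    # Empty filters mean the broadest import the API key permits.
    if not split_csv(settings.get("Networks")):
        warnings.append("Networks is empty: every organization associated with "
                        "the API key's user is queried")
    if not include and not exclude:
        warnings.append("No SSID filter: clients from all SSIDs are imported")
    return errors, warnings
```

Warnings describe the default behavior the page documents and are not misconfigurations; they mark where the import scope is wider than a single network or SSID.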