Cisco Meraki Documentation

Security Center

Overview

The Security Center provides a centralized view of security filtering events, including both IDS/IPS and Advanced Malware Protection (AMP) events. It presents this information to network administrators through several components, each focused on different analytics and uses. This document outlines each component and the information it presents.

Navigation and Control

The top of the Security Center page allows control over the data being viewed. From this section of the page, it is possible to:

  • Change the time range of events displayed
  • Filter events by scope, type, disposition, and action
  • Search through events by client identifier, URI, SHA256 file hash, or IDS/IPS rule ID
  • Toggle between the Summary and Events view

It is also possible to filter event data down to a single client or event. Clicking on a client, IP, or threat will pop up an info card that provides more information and links, including the ability to filter the Security Center view based on the item selected.

An example info card for an IDS/IPS signature is included below. Selecting Show only this signature will only show events related to that signature. These filters will be displayed below the navigation and control panel and can be dismissed by clicking the X on the right-hand side.

It is possible to apply multiple filters. In the example above, events will be filtered by the IDS/IPS signature and the client device. Only events matching both filters are displayed in this case.

Further information is available through the Inspect packet option. Clicking it allows you to download the specific packet in .pcap format and analyze it.

Summary View

The summary view of the Security Center provides a variety of visual components to understand the security events on the network.

Retrospective Malware Detections

This component provides alerts about downloaded files that have changed to a malicious disposition.

Please see this article for more information about AMP dispositions and retrospection.

Events over time

The Events over time component shows the number of events matching configured filters, over a specified interval of time, ranging from two hours to two weeks.

Clicking on a day will filter the data within the Security Center to display only events for the selected day.

Most affected clients

This section provides a breakdown of the subset of clients that have generated the most events for the selected filters.

Top sources of threats

This section provides both a map and a table summary of the most common IP addresses associated with threats matching the configured filters.

The map provides a visual view into the trajectory of these threats, from the network location to the geo-located source of the IP address associated with the threat.

The location of the MX must be configured for the map to display properly. This can be done by navigating to Security & SD-WAN > Monitor > Appliance status or Network-wide > Monitor > Map & floor plans.

Most prevalent threats

This component provides a list of the most frequent threats matching the selected filters. These can be the most common IDS/IPS signatures that have been detected, the files most frequently scanned or blocked by the AMP engine, or a combination of both.

Most affected operating systems

This table summarizes the events matching the selected filters by the client operating system. The events are aggregated based on the operating system of the client devices in the security events and are displayed in the table by the number of events associated with that operating system.

Events View

The Events view provides the same data as the summary view in a text-based log. It is still possible to filter this data in the same ways as the summary view.

Reporting

Data collected in the Security Center can be reported via e-mail to specified recipients by clicking the e-mail icon on the top-right corner of the Dashboard page. The frequency and format of such reports may also be defined.

Reports are not generated when there are no events logged in the Security Center.

Alternatively, the Security Center's data can be exported via a .csv file.

Organization-wide

The Organization > Security Center Dashboard page allows you to inspect events from across all of your networks at once, and drill down into them as needed. From here you may access the Summary Report page for the selected network, or filter the results to show only the selected network.
