Security Center – MX and MG Best Practices – Cisco Meraki

The primary difference between the organization-level Security Center and the network-level Security Center is the level of reporting available, similar to the difference between the Alert Hub and the Organization Alerts page discussed previously. Both pages display details about detected security events, such as threat details and affected clients; the network-level page does so for a single network, and the organization-level page does so across networks. Figure 5-28 shows an example view of the organization-level Security Center page. It is identifiable as such by the Most Affected Networks section, which lists the total event counts for each network in the organization and is present only on the organization-level Security Center report.

Figure 5-28 Overview of the Organization > Security Center Page Showing Summary of All Security Events for All Networks over Last Two Weeks

By default, the Security Center only displays malicious threat detection events, but you can use the Filter drop-down menu to also view clean events and unknown disposition events. This is particularly useful for confirming the operation of AMP or IDS/IPS, or for reviewing events that may have had their disposition retroactively updated after initially being reported as malicious.

Most Prevalent Threats

Threat detection is based on Cisco TALOS signature categories, and reporting follows the security level configured for IDS/IPS on the Security & SD-WAN > Threat Detection page for a given network. Whether IDS/IPS is configured for detection or prevention, detected threats are reported (see Figure 5-29) as long as the detected threat is in the selected TALOS ruleset.

Figure 5-29 Summary Report Showing the Most Prevalent Threats Across Devices in a Network

Most Affected Clients

The Most Affected Clients view displays specific clients that have been most often flagged as involved in security events for the selected report timeframe. Figure 5-30 shows the most affected clients from the Organization > Security Center page, as evidenced by the client entries spanning multiple networks.

Figure 5-30 Most Affected Clients in a Chosen Network, Shown in the Network-wide Security Center for That Network

From here, you can open each client directly to view more information about either the specific client or the specific threat signatures involved.