On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

MX Security Events to Incidents

Workflow #0061

This workflow fetches security events for the last hour from Meraki for a specific organization. If there are any Malware Downloaded or IDS Priority 1 events, a sighting and incident are created in Threat Response and a Webex message is sent.

Contributed by: Christopher van der Made

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.


Change Log

Date Notes
Apr 25, 2022 - Initial release
Sep 7, 2022 - Updated to support SecureX Tokens

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Threat Response - Create Incident
    • Threat Response - Create Relationship
    • Threat Response - Create Sighting
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Meraki MX Firewall
  • (Optional) Cisco Webex

Workflow Steps

  1. Fetch global variables
  2. Calculate the time 1 hour ago
  3. Make sure the Webex room exists
  4. Fetch security events from Meraki
  5. Check if the events were retrieved successfully:
  6. If not, end the workflow
  7. If they were:
    • Loop through each event checking if it’s an event type we care about
    • If it is, strip the ports from the IPs, create the Threat Response objects, and send a Webex message


  • Set the Meraki Organization ID local variable to the ID of the organization you want to fetch security events for
  • Provide the workflow your Meraki API key by either:
    • Storing your token in a global variable and using the Fetch Global Variables group at the beginning of the workflow to update the Meraki API Key local variable; or
    • Disable the Fetch Global Variables group and add your token directly to the Meraki API Key local variable
  • See this page for information on configuring the workflow for Webex


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Cisco Meraki HTTP Endpoint Protocol: HTTPS
Host: api.meraki.com
Path: /api
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
None Created by default
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex activities are removed

Account Keys

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page