Cisco Secure Access

Cisco Secure Access is the successor to Cisco Umbrella, consolidating Umbrella’s DNS, web proxy, cloud firewall, and IPS capabilities alongside new security services including Remote Access VPN (RAVPN), Zero Trust Network Access, and Data Loss Prevention (DLP).

The event types that SIEM (InsightIDR) parses from this event source are:

  • Cloud Firewall events
  • DNS events
  • IPS events
  • RAVPN events
  • Web events

Cisco Secure Access product logs can contain information about hosts and accounts, in addition to the source address. When you set up Cisco Secure Access as an event source, you will have the ability to specify the primary attribution source.

To set up the Cisco Secure Access event source:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure SIEM (InsightIDR) to receive data from the event source.
  3. Test the configuration.

You can also:

Requirements

Before you start the configuration:

⚠️

Cisco-managed buckets not supported

Rapid7 supports ingestion from customer-managed Amazon S3 buckets only. Cisco-managed buckets are not supported as an event source for Cisco Secure Access.

Configure SIEM (InsightIDR) to receive data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

Task 1: Select Cisco Secure Access

  1. From the Command Home, go to Data Connectors > Data Collectors.
  2. Go to the Event Sources tab, then select Add Event Source.
  3. Do one of the following:
    • Search for Cisco Secure Access in the event sources search bar.
    • In the Product Type filter, select DNS.
  4. Select the Cisco Secure Access event source tile.

Task 2: Set up your collection method

  1. Name the event source. This will become the name of the log that contains the event data in Log Search.
  2. Enter the name of the Amazon S3 bucket that stores your Cisco Secure Access log data in the Amazon S3 Bucket Name field.
    • This field can’t be edited after you save the event source.
  3. Optionally choose to send unparsed data.
  4. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. Short names are never used. Choose this option if short names collide in your environment, for example, the same short name in more than one domain.
  5. Select Save and Download Template.

The event source is saved in SIEM and an AWS CloudFormation template is downloaded to your browser with the file name aws_s3.yml.
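The two Account Attribution options in Task 2 differ only in whether a short-name lookup sits between the email and full-name lookups. The following is an added example, not Rapid7 code, that models both fallback chains against a constructed directory so the trade-off is visible: short-name attribution resolves a bare "usere" but returns nothing for a "jsmith" that exists in two domains, while FQDN attribution never risks the collision but also cannot resolve a bare short name. The directory, the user names and the rule that an ambiguous match counts as unsuccessful are this example's assumptions; the page does not say how the product handles a multi-account match.

```python
"""Account attribution fallback chains from Task 2, modelled in code.

Added example, not Rapid7 code. DIRECTORY is a constructed stand-in for the
user accounts SIEM (InsightIDR) already knows about. Assumption: a lookup
that matches more than one account is treated as unsuccessful, so the chain
moves on instead of guessing; the page does not say how the real product
resolves that case.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    email: str
    full_name: str

    @property
    def short_name(self):
        # "jsmith@myorg.example.com" -> "jsmith"
        return self.email.split("@", 1)[0]


# Constructed directory: two people in different domains share "jsmith".
DIRECTORY = [
    User("jsmith@myorg.example.com", "John Smith"),
    User("jsmith@partner.example.net", "Jane Smith"),
    User("usere@company.com", "User E"),
]

# Finds the email inside an identity such as "User E (usere@company.com)".
EMAIL_RE = re.compile(r"[^\s()<>,]+@[^\s()<>,]+")


def by_email(value, directory):
    match = EMAIL_RE.search(value)
    if not match:
        return []
    email = match.group(0).lower()
    return [u for u in directory if u.email.lower() == email]


def by_short_name(value, directory):
    token = value.strip().lower()
    return [u for u in directory if u.short_name.lower() == token]


def by_full_name(value, directory):
    token = " ".join(value.split()).lower()
    return [u for u in directory if u.full_name.lower() == token]


# The two Account Attribution options, in the order the page describes.
CHAINS = {
    "short_name": (by_email, by_short_name, by_full_name),
    "fqdn": (by_email, by_full_name),
}


def attribute(value, directory=DIRECTORY, mode="short_name"):
    """Return the single User the value attributes to, or None.

    Each strategy in the chain is tried in turn; zero matches or an
    ambiguous match (assumption, see module docstring) falls through.
    """
    for strategy in CHAINS[mode]:
        matches = strategy(value, directory)
        if len(matches) == 1:
            return matches[0]
    return None


if __name__ == "__main__":
    for value in ("User E (usere@company.com)", "usere", "jsmith", "John Smith"):
        for mode in CHAINS:
            hit = attribute(value, mode=mode)
            print(f"{mode:10} {value!r:32} -> {hit.email if hit else None}")
```

Run it and compare the two columns: the "jsmith" row is where the FQDN option earns its keep, and the "usere" row is what you give up for it.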

Run the template in AWS CloudFormation

To run the template in AWS CloudFormation:

  1. Log in to AWS CloudFormation.
  2. Go to Stacks.
  3. Click Create Stack > With new resources (standard).
  4. Under Prepare Template, select Choose an existing template.
  5. Under Specify template, select Upload a template file.
  6. Click Choose file.
  7. Locate and select the aws_s3.yml file you downloaded in the Configure SIEM (InsightIDR) to receive data from the event source section.
  8. Click Next.
  9. Enter a name for your stack.
  10. Under Parameters, provide the User API key you recorded in the requirements section.
  11. Click Next.
  12. Under Behavior on provisioning failure, select Roll back all stack resources.
  13. Click Next.
  14. Review the details and click Submit to launch your stack.

CloudFormation will then proceed to create all the resources defined in the template. See AWS’s documentation on monitoring the progress and status of the stack creation.

ℹ️

Visit the third-party vendor's documentation

For the most accurate information on creating a stack in AWS CloudFormation, we recommend that you visit AWS’s documentation on creating a stack from the CloudFormation console.

Test the configuration

To test that event data is flowing into SIEM (InsightIDR) through the cloud-to-cloud connection:

  1. View the raw logs.
    1. From the Data Collection Management page, click the Event Sources tab.
    2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to SIEM (InsightIDR).
  2. Use Log Search to find the log entries.
    1. From the left menu, go to Log Search.
    2. In the Log Search filter, search for the new event source you created.
  3. Select the log sets and the log names under each log set. Cisco Secure Access logs flow into these log sets:
    • DNS Query Documents: Contains DNS events.
    • Firewall Documents: Contains Cloud Firewall events.
    • IDS Documents: Contains IPS events.
    • Web Proxy Documents: Contains Web events.
  4. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into SIEM (InsightIDR) in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.

Sample logs

Example DNS Event (16 fields)

"2026-05-14 13:18:43","User E (usere@company.com)","User E (usere@company.com),DEVICE-ID-5","192.168.10.50","203.0.113.1","Allowed","12 (PTR)","NXDOMAIN","244.196.255.80.in-addr.arpa.","Software/Technology,Computers and Internet","AD Users","AD Users,Anyconnect Roaming Client","","540975","","8242300"

Example Firewall Event (36 - 39 fields)

"2026-05-14 13:06:52","[211039844]","User A (usera@company.com)","AD Users","C2S","17","0","172.17.10.5","56440","10.128.20.30","389","prod_aws_eu-west-2_1_0","563300","ALLOW","","[]","[1718391597]","[1718391597]","1","1","397","360","[39-42]","","aws-eu-west-2","","39519","true","","[]","1","[]","[]","8242300","",""

Example IPS Event (32 - 33 fields)

"2026-04-29 08:17:52","Site Name","Network Tunnels","1","16606","SERVER-OTHER Apache Log4j logging remote code execution attempt","168736","HIGH","Attempted User Privilege Gain","cve-2021-44228,cve-2021-44832,cve-2021-45046,cve-2021-45105","TCP","12345","10.126.50.100","35140","172.17.200.50","15611","Would Block","IDS","168736","C2S","762048","PROFILE","aws-eu-west-2","","","prod_aws_eu-west-2_1_0","8242300","","","SECURE_ACCESS_CLOUD","",""

Example RAVPN Event (32 - 33 fields)

"2026-05-14 13:59:53","enforcer-1","ap-east-1","CONNECTED","session-1","7","user@company.com","8242300","365","eu","","3767","TLS","OnDemand","123.123.123.123","172.17.100.50","2026-05-14T01:59:50Z","","win 10.0.x","5.1.x","ASA-5-109201","","","","","none","","","[]","","5","NOTIFICATION",""

Example Web Event (57 fields)

"2026-05-14 13:38:13","User H (userh@company.com)","10.170.10.10","123.123.123.123","123.12.123.12","application/zstd","ALLOWED","https://www.googletagmanager.com/gtm.js?id=GTM-123","https://invest.company.com/","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36 Edg/148.0.0.0","200","","126378","125681","abc123sha256","Software/Technology,Computers and Internet","","","UNKNOWN","","0","AD Users","","User H (userh@company.com),DEVICE-8,Location","AD Users,Anyconnect Roaming Client,Networks","GET","ALLOWED","","gtm.js","14431160","540975","","","","","","","","","","mps-sigproxy","PROD_AWS_US-EAST-1_1_0N","true","www.googletagmanager.com","false","false","","","8242300","","","151.186.10.10","",""
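The sample lines above are quoted CSV, so splitting on commas would break on the category lists, identity lists and user agent strings. The following is an added example, not Rapid7 or Cisco code, that parses each sample with a proper CSV reader, labels the columns an analyst reaches for first, and flags the IPS hit that deserves follow-up. The column positions were read off the samples on this page and the column names (timestamp, identity, verdict, and so on) are this example's own labels, an assumption to confirm against Cisco's log format reference before building detections on them. Because 32 or 33 fields fits both IPS and RAVPN, the parser takes the event kind from the caller (who knows it from the S3 prefix or the log set) rather than inferring it from the field count.

```python
"""Parse the quoted-CSV log lines from the Sample logs section and pull out
the fields an analyst queries first.

Added example, not Rapid7 or Cisco code. Column positions were read off the
sample lines on this page; the column names are this example's own labels
(an assumption). The sample lines below are copied from this page.
"""
import csv
import re

# 1-based column -> label, per event kind. Only columns whose meaning is
# clear from the samples are labelled; the rest are left unnamed.
FIELDS = {
    "dns": {1: "timestamp", 2: "identity", 3: "identities", 4: "internal_ip",
            5: "external_ip", 6: "action", 7: "query_type", 8: "response_code",
            9: "domain", 10: "categories"},
    "firewall": {1: "timestamp", 2: "origin_id", 3: "identity", 4: "identity_type",
                 5: "direction", 6: "protocol", 7: "packet_size", 8: "src_ip",
                 9: "src_port", 10: "dst_ip", 11: "dst_port", 12: "data_center",
                 13: "rule_id", 14: "verdict"},
    "ips": {1: "timestamp", 2: "identity", 3: "identity_type", 4: "generator_id",
            5: "signature_id", 6: "signature", 8: "severity", 9: "classification",
            10: "cves", 11: "protocol", 13: "src_ip", 14: "src_port",
            15: "dst_ip", 16: "dst_port", 17: "action"},
    "ravpn": {1: "timestamp", 4: "status", 5: "session_id", 7: "user",
              15: "public_ip", 16: "assigned_ip", 19: "os", 20: "client_version",
              21: "message_id"},
    "web": {1: "timestamp", 2: "identity", 3: "internal_ip", 4: "external_ip",
            5: "dst_ip", 6: "content_type", 7: "verdict", 8: "url", 9: "referer",
            10: "user_agent", 11: "status_code", 15: "sha256", 16: "categories",
            26: "method", 29: "file_name"},
}

# Email inside an identity such as "User A (usera@company.com)".
EMAIL_RE = re.compile(r"\(([^()\s]+@[^()\s]+)\)")

# Sample lines copied from this page.
DNS_LINE = '"2026-05-14 13:18:43","User E (usere@company.com)","User E (usere@company.com),DEVICE-ID-5","192.168.10.50","203.0.113.1","Allowed","12 (PTR)","NXDOMAIN","244.196.255.80.in-addr.arpa.","Software/Technology,Computers and Internet","AD Users","AD Users,Anyconnect Roaming Client","","540975","","8242300"'
FIREWALL_LINE = '"2026-05-14 13:06:52","[211039844]","User A (usera@company.com)","AD Users","C2S","17","0","172.17.10.5","56440","10.128.20.30","389","prod_aws_eu-west-2_1_0","563300","ALLOW","","[]","[1718391597]","[1718391597]","1","1","397","360","[39-42]","","aws-eu-west-2","","39519","true","","[]","1","[]","[]","8242300","",""'
IPS_LINE = '"2026-04-29 08:17:52","Site Name","Network Tunnels","1","16606","SERVER-OTHER Apache Log4j logging remote code execution attempt","168736","HIGH","Attempted User Privilege Gain","cve-2021-44228,cve-2021-44832,cve-2021-45046,cve-2021-45105","TCP","12345","10.126.50.100","35140","172.17.200.50","15611","Would Block","IDS","168736","C2S","762048","PROFILE","aws-eu-west-2","","","prod_aws_eu-west-2_1_0","8242300","","","SECURE_ACCESS_CLOUD","",""'
RAVPN_LINE = '"2026-05-14 13:59:53","enforcer-1","ap-east-1","CONNECTED","session-1","7","user@company.com","8242300","365","eu","","3767","TLS","OnDemand","123.123.123.123","172.17.100.50","2026-05-14T01:59:50Z","","win 10.0.x","5.1.x","ASA-5-109201","","","","","none","","","[]","","5","NOTIFICATION",""'
WEB_LINE = '"2026-05-14 13:38:13","User H (userh@company.com)","10.170.10.10","123.123.123.123","123.12.123.12","application/zstd","ALLOWED","https://www.googletagmanager.com/gtm.js?id=GTM-123","https://invest.company.com/","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36 Edg/148.0.0.0","200","","126378","125681","abc123sha256","Software/Technology,Computers and Internet","","","UNKNOWN","","0","AD Users","","User H (userh@company.com),DEVICE-8,Location","AD Users,Anyconnect Roaming Client,Networks","GET","ALLOWED","","gtm.js","14431160","540975","","","","","","","","","","mps-sigproxy","PROD_AWS_US-EAST-1_1_0N","true","www.googletagmanager.com","false","false","","","8242300","","","151.186.10.10","",""'


def parse_event(line, kind):
    """Split one log line into a dict of labelled fields for the given kind.

    csv.reader honours the quoting, so commas inside a field (category
    lists, identity lists, user agents) do not split it.
    """
    columns = next(csv.reader([line]))
    event = {"kind": kind, "field_count": len(columns)}
    for pos, name in FIELDS[kind].items():
        event[name] = columns[pos - 1] if pos <= len(columns) else None
    return event


def identity_email(identity):
    """'User A (usera@company.com)' -> 'usera@company.com', else None."""
    match = EMAIL_RE.search(identity or "")
    return match.group(1) if match else None


def ips_cves(event):
    """Normalise the comma-separated CVE column to upper-case IDs."""
    raw = event.get("cves") or ""
    return [c.strip().upper() for c in raw.split(",") if c.strip()]


def unenforced_high_ips(events):
    """IPS hits rated HIGH whose action records a match without a block.

    'Would Block' means the signature fired but the traffic was not
    stopped, so the destination host is worth a follow-up query.
    """
    return [e for e in events
            if e["kind"] == "ips" and e["severity"] == "HIGH"
            and e["action"] == "Would Block"]


if __name__ == "__main__":
    events = [parse_event(DNS_LINE, "dns"), parse_event(FIREWALL_LINE, "firewall"),
              parse_event(IPS_LINE, "ips"), parse_event(RAVPN_LINE, "ravpn"),
              parse_event(WEB_LINE, "web")]
    for e in events:
        who = e.get("identity") or e.get("user")
        print(e["kind"], e["field_count"], who, identity_email(who))
    for hit in unenforced_high_ips(events):
        print("follow up:", hit["signature"], ips_cves(hit), hit["dst_ip"], hit["dst_port"])
```

Keep the labelled-column table narrow on purpose: label a column only once you have confirmed its meaning, since a detection keyed on a mislabelled position fails silently rather than loudly.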