Cisco Umbrella

Cisco Umbrella is a DNS, firewall, secure web gateway and cloud access security broker (CASB) event source that collects information about services, incidents and threats found on your network.

Cisco Umbrella product logs can contain information about hosts and accounts, in addition to the source address. When setting up Cisco Umbrella as an event source, you will have the ability to specify attribution options.

To set up Cisco Umbrella, you’ll need to:

  1. Review “Before you Begin” and note any requirements
  2. Configure Cisco Umbrella to send data to your Collector, and
  3. Verify the configuration works.

You can also:

Before You Begin

In order to see Cisco Umbrella logs in InsightIDR, you must configure the AWS S3 Bucket to send messages to InsightIDR. Detailed information about this process can be found here: https://support.umbrella.com/hc/en-us/articles/231248448-Cisco-Umbrella-Log-Management-in-Amazon-S3.

In your Cisco Umbrella console, go to Settings > Log Management and complete the following steps:

  1. Select the option to use your own S3 bucket, or the Cisco managed S3 bucket.
  2. Select your Region and select Save.
  3. The console will take a few moments to activate. Copy the Bucket Name, Access Key, and Secret Key from the confirmation message for later use in InsightIDR.
  4. Select the Got It! checkbox and press Continue.

You will see another confirmation message that Cisco is sending logs to the S3 bucket.

Supported Regions

S3 Region               URL
US_STANDARD             https://s3.amazonaws.com
US_WEST_OREGON          https://s3-us-west-2.amazonaws.com
US_EAST_OHIO            https://s3-us-east-2.amazonaws.com
US_WEST_N_CALIFORNIA    https://s3-us-west-1.amazonaws.com
CA_CENTRAL              https://s3-ca-central-1.amazonaws.com
EU_IRELAND              https://s3-eu-west-1.amazonaws.com
EU_LONDON               https://s3-eu-west-2.amazonaws.com
EU_PARIS                https://s3-eu-west-3.amazonaws.com
EU_FRANKFURT            https://s3.eu-central-1.amazonaws.com
AP_MUMBAI               https://s3-ap-south-1.amazonaws.com
AP_SEOUL                https://s3-ap-northeast-2.amazonaws.com
AP_SINGAPORE            https://s3-ap-southeast-1.amazonaws.com
AP_SYDNEY               https://s3-ap-southeast-2.amazonaws.com
AP_TOKYO                https://s3-ap-northeast-1.amazonaws.com
SA_SAO_PAULO            https://s3-sa-east-1.amazonaws.com

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the DNS icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Set the timezone to UTC as Cisco Umbrella always uses the UTC time zone for logging.
  6. Select an attribution source.
  7. Optionally choose to send unfiltered logs.
  8. Select your existing credentials or optionally create a new credential.
  9. Enter the S3 Bucket Name. Do not include s3:// in the bucket name.
    • For example, if your S3 bucket is s3://your.bucket.url, enter only your.bucket.url.
    • Cisco Managed: if your bucket looks something like my-managed-bucket/abcd1234, your S3 Bucket Name is only my-managed-bucket.
  10. Enter the S3 Key Prefix.
    • Cisco Managed: if your bucket looks something like my-managed-bucket/abcd1234, your Key Prefix is abcd1234/. Note that the / goes at the end of the prefix, and not the beginning.
  11. Select the Bucket Region Name.
  12. Enter the refresh rate in minutes. A recommended rate is 10 minutes.
  13. Click Save.

Attribution source options

Cisco Umbrella product logs can contain information about hosts and accounts. When setting up Cisco Umbrella as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  2. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  3. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  4. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Verify your configuration

  1. From the left menu, click Log Search to view your raw logs and ensure events are making it to the Collector. Cisco Umbrella logs flow into different log sets depending on the event:
    • DNS events generate DNS Query Documents
    • Proxy events generate Web Proxy Documents
    • IP events generate Advanced Malware Documents
    • Cloud Firewall events generate Firewall Documents
  2. Perform a Log Search to make sure Cisco Umbrella events are coming through.

Sample logs

Example DNS Event

"\"2020-05-12 14:24:50\",\"Rapid.Seven (Rapid.Seven@gmail.\",\"Rapid.Seven (Rapid.Seven@gmail.,VPN,HQ,HQ\",\"20.21.103.71\",\"174.237.215.230\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"rapid.seven.yahoo.com.\",\"Search Engines,Infrastructure\",\"AD Users\",\"AD Users,Internal Networks,Sites,Networks\",\"\""

Example Proxy Event (22 fields)

"\"2020-06-16 05:06:14\",\"RPD07 (RPD07@rapid7.com)\",\"170.10.200.60\",\"80.240.220.170\",\"100.160.180.70\",\"\",\"ALLOWED\",\"http://some-location.com/hello.txt\",\"\",\"Microsoft-CryptoAPI/10.0\",\"200\",\"211\",\"1240\",\"\",\"\",\"Software/Technology,Business Services,Infrastructure\",\"\",\"\",\"\",\"\",\"\",\"AD Users\""

Example Proxy Event (23 fields)

"\"2020-06-16 13:38:26\",\"RPD-7-10001337\",\"190.160.1.170\",\"70.170.40.50\",\"20.40.200.20\",\"text/plain\",\"ALLOWED\",\"http://some-location.com/hello.txt\",\"\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0\",\"200\",\"\",\"377\",\"8\",\"81b2bd4ea98c8db66554fbc8d7637a1a69a130f331feb732b75abc1234568fd5\",\"Infrastructure\",\"\",\"\",\"\",\"\",\"\",\"Anyconnect Roaming Client\",\"\""

Example IP Event

"\"2020-04-22 22:54:21\",\"R7's MacBook Pro\",\"100.109.104.218\",\"46292\",\"64.251.89.57\",\"554\",\"Malware\",\"Roaming Computers\""

Example Cloud Firewall Event

"\"2019-01-14 18:03:46\",\"[322140933]\",\"Passive Monitor\",\"CDFW Tunnel Device\",\"OUTBOUND\",\"1\",\"84\",\"173.18.4.5\",\"46292\",\"147.113.255.130\",\"554\",\"ams1.edc\",\"12\",\"ALLOW\""

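The sample lines above carry commas inside quoted fields (identities, categories), so a plain comma split miscounts them. The following parser is an added example, not Rapid7 or Cisco code; it assumes each line is shown as a JSON string literal wrapping one quoted CSV row, as in the samples on this page, and the function names are hypothetical.

```python
import csv
import json
from datetime import datetime, timezone

# Two of the sample lines from this page, kept as-is in raw strings.
DNS_SAMPLE = r'"\"2020-05-12 14:24:50\",\"Rapid.Seven (Rapid.Seven@gmail.\",\"Rapid.Seven (Rapid.Seven@gmail.,VPN,HQ,HQ\",\"20.21.103.71\",\"174.237.215.230\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"rapid.seven.yahoo.com.\",\"Search Engines,Infrastructure\",\"AD Users\",\"AD Users,Internal Networks,Sites,Networks\",\"\""'
FIREWALL_SAMPLE = r'"\"2019-01-14 18:03:46\",\"[322140933]\",\"Passive Monitor\",\"CDFW Tunnel Device\",\"OUTBOUND\",\"1\",\"84\",\"173.18.4.5\",\"46292\",\"147.113.255.130\",\"554\",\"ams1.edc\",\"12\",\"ALLOW\""'


def unwrap(line):
    """Strip the outer JSON-string layer if present; return the bare CSV row."""
    text = line.strip()
    if text.startswith('"\\"'):  # assumption: wrapped rows begin with "\"
        text = json.loads(text)
    return text


def parse_umbrella_line(line):
    """Return (timezone-aware UTC timestamp, list of fields) for one log line."""
    rows = list(csv.reader([unwrap(line)]))
    if len(rows) != 1 or not rows[0]:
        raise ValueError("expected exactly one non-empty CSV row")
    fields = rows[0]
    # Umbrella logs in UTC, so the naive timestamp is pinned to UTC explicitly.
    stamp = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc), fields


def naive_field_count(line):
    """Field count from a plain comma split, included only for contrast."""
    return len(unwrap(line).split(","))


if __name__ == "__main__":
    for name, sample in (("DNS", DNS_SAMPLE), ("Cloud Firewall", FIREWALL_SAMPLE)):
        stamp, fields = parse_umbrella_line(sample)
        print(name, stamp.isoformat(), len(fields), "fields;",
              "naive split gives", naive_field_count(sample))
```
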
Troubleshooting

If you are experiencing issues with Cisco Umbrella, you can use one of the following solutions:

  • S3 Error: AccessDenied, Access Denied
  • Unexpected Request Code 301
  • Unable to Find Valid Certification Path to Requested Target

S3 Error: AccessDenied, Access Denied

If you see this error on your Cisco Umbrella event source, you may have entered some information incorrectly (specifically the S3 Bucket and the Key Prefix). First, verify that the information was entered correctly from the Cisco Umbrella configuration. If you still see this error, delete and reconfigure the event source.

If this error is still present after you have confirmed that all the information is correct, test your credentials for AWS using the AWS Command Line Interface (CLI). See the following AWS resource for instructions on configuring your AWS CLI:

https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

Non-Cisco Managed Customers

If you are experiencing the error above, try adding a trailing / to your S3 prefix.
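
The bucket name and key prefix rules from the configuration steps, and the trailing / fix suggested here, can be checked before saving the event source. This is an added example, not part of InsightIDR or Cisco Umbrella; the function names are hypothetical and the sample values are the ones used on this page.

```python
def split_s3_location(location):
    """Split 's3://bucket/prefix' style input into (bucket_name, key_prefix)."""
    loc = location.strip()
    if loc.lower().startswith("s3://"):
        loc = loc[len("s3://"):]
    loc = loc.strip("/")
    if not loc:
        raise ValueError("empty S3 location")
    bucket, _, prefix = loc.partition("/")
    prefix = prefix.strip("/")
    # The / goes at the end of the prefix, never at the beginning.
    return bucket, (prefix + "/" if prefix else "")


def find_field_problems(bucket_name, key_prefix):
    """Return a list of problems with values typed into the event source form."""
    problems = []
    bare = bucket_name
    if bucket_name.lower().startswith("s3://"):
        problems.append("bucket name includes s3://")
        bare = bucket_name[len("s3://"):]
    if "/" in bare:
        problems.append("bucket name contains a path; move it to the key prefix")
    if key_prefix.startswith("/"):
        problems.append("key prefix starts with /")
    if key_prefix and not key_prefix.endswith("/"):
        problems.append("key prefix has no trailing /")
    return problems


if __name__ == "__main__":
    print(split_s3_location("s3://your.bucket.url"))
    print(split_s3_location("my-managed-bucket/abcd1234"))
    print(find_field_problems("s3://my-managed-bucket/abcd1234", "/abcd1234"))
```
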

Unexpected Request Code 301

If you encounter this error, check that you are using the correct S3 Bucket region.

Unable to Find Valid Certification Path to Requested Target

If you encounter this error, there is an issue with your certificate, likely caused by a web proxy performing SSL/TLS inspection.

You can perform the following in an attempt to resolve this issue:

  • Reconfigure the appropriate proxy to allow traffic to the S3 address where your bucket is located.
  • Check that Cisco Umbrella has allowed traffic to the S3 address where your bucket is located.
  • Check that Cisco Umbrella is not blocking traffic to your desired S3 bucket location.