Cisco Umbrella

Cisco Umbrella is a DNS, firewall, secure web gateway and cloud access security broker (CASB) event source that collects information about services, incidents and threats found on your network.

Before You Begin

In order to see Cisco Umbrella logs in InsightIDR, you must configure the AWS S3 Bucket to send messages to InsightIDR. Detailed information about this process can be found here: https://support.umbrella.com/hc/en-us/articles/231248448-Cisco-Umbrella-Log-Management-in-Amazon-S3.

In your Cisco Umbrella console, go to Settings > Log Management and complete the following steps:

  1. Select the option to use your own S3 bucket, or the Cisco managed S3 bucket.
  2. Select your Region and select Save.
  3. The console will take a few moments to activate. Copy the Bucket Name, Access Key, and Secret Key from the confirmation message for later use in InsightIDR.
  4. Select the Got It! checkbox and press Continue.

You will see another confirmation message that Cisco is sending logs to the S3 bucket.

Supported Regions

S3 Region              URL
US_STANDARD            https://s3.amazonaws.com
US_WEST_OREGON         https://s3-us-west-2.amazonaws.com
US_EAST_OHIO           https://s3-us-east-2.amazonaws.com
US_WEST_N_CALIFORNIA   https://s3-us-west-1.amazonaws.com
CA_CENTRAL             https://s3-ca-central-1.amazonaws.com
EU_IRELAND             https://s3-eu-west-1.amazonaws.com
EU_LONDON              https://s3-eu-west-2.amazonaws.com
EU_PARIS               https://s3-eu-west-3.amazonaws.com
EU_FRANKFURT           https://s3.eu-central-1.amazonaws.com
AP_MUMBAI              https://s3-ap-south-1.amazonaws.com
AP_SEOUL               https://s3-ap-northeast-2.amazonaws.com
AP_SINGAPORE           https://s3-ap-southeast-1.amazonaws.com
AP_SYDNEY              https://s3-ap-southeast-2.amazonaws.com
AP_TOKYO               https://s3-ap-northeast-1.amazonaws.com
SA_SAO_PAULO           https://s3-sa-east-1.amazonaws.com

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the DNS icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select your existing credentials or optionally create a new credential.
  8. Enter the S3 Bucket Name. Do not include s3:// in the bucket name.
    • For example, if your S3 bucket is s3://your.bucket.url, enter only your.bucket.url.
    • Cisco Managed: your bucket would look something like my-managed-bucket/abcd1234. Your S3 Bucket Name would then be only my-managed-bucket.
  9. Enter the S3 Key Prefix.
    • Cisco Managed: if your bucket looks like my-managed-bucket/abcd1234, your Key Prefix would be abcd1234/. Note that the / goes at the end of the prefix, not the beginning.
  10. Select the Bucket Region Name.
  11. Enter the refresh rate in minutes. A recommended rate is 10 minutes.
  12. Click Save.

Verify your configuration

  1. From the left menu, click Log Search to view your raw logs and ensure events are making it to the Collector. Cisco Umbrella logs flow into different log sets depending on the event:
    • DNS events generate DNS Query Documents
    • Proxy events generate Web Proxy Documents
    • IP events generate Advanced Malware Documents
    • Cloud Firewall events generate Firewall Documents
  2. Perform a Log Search to make sure Cisco Umbrella events are coming through.

Sample logs

Example DNS Event

"\"2020-05-12 14:24:50\",\"Rapid.Seven (Rapid.Seven@gmail.\",\"Rapid.Seven (Rapid.Seven@gmail.,VPN,HQ,HQ\",\"20.21.103.71\",\"174.237.215.230\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"rapid.seven.yahoo.com.\",\"Search Engines,Infrastructure\",\"AD Users\",\"AD Users,Internal Networks,Sites,Networks\",\"\""

Example Proxy Event (22 fields)

"\"2020-06-16 05:06:14\",\"RPD07 (RPD07@rapid7.com)\",\"170.10.200.60\",\"80.240.220.170\",\"100.160.180.70\",\"\",\"ALLOWED\",\"http://some-location.com/hello.txt\",\"\",\"Microsoft-CryptoAPI/10.0\",\"200\",\"211\",\"1240\",\"\",\"\",\"Software/Technology,Business Services,Infrastructure\",\"\",\"\",\"\",\"\",\"\",\"AD Users\""

Example Proxy Event (23 fields)

"\"2020-06-16 13:38:26\",\"RPD-7-10001337\",\"190.160.1.170\",\"70.170.40.50\",\"20.40.200.20\",\"text/plain\",\"ALLOWED\",\"http://some-location.com/hello.txt\",\"\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0\",\"200\",\"\",\"377\",\"8\",\"81b2bd4ea98c8db66554fbc8d7637a1a69a130f331feb732b75abc1234568fd5\",\"Infrastructure\",\"\",\"\",\"\",\"\",\"\",\"Anyconnect Roaming Client\",\"\""

Example IP Event

"\"2020-04-22 22:54:21\",\"R7's MacBook Pro\",\"100.109.104.218\",\"46292\",\"64.251.89.57\",\"554\",\"Malware\",\"Roaming Computers\""

Example Cloud Firewall Event

"\"2019-01-14 18:03:46\",\"[322140933]\",\"Passive Monitor\",\"CDFW Tunnel Device\",\"OUTBOUND\",\"1\",\"84\",\"173.18.4.5\",\"46292\",\"147.113.255.130\",\"554\",\"ams1.edc\",\"12\",\"ALLOW\""
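As an added example (not code from the Rapid7 page or from Cisco), a small Python parser that classifies the sample records above by field count into the log sets named under "Verify your configuration" and unpacks the DNS record into named columns. The DNS column names are an assumption taken from Cisco's published DNS log format, since the page shows the record without headers.

```python
import csv
import io
from collections import Counter
from typing import Dict, List

# Sample records from this page's "Sample logs" section (DNS, Proxy 22-field, IP, Cloud Firewall), unescaped from the JSON-string form shown there.
SAMPLES = [
    '"2020-05-12 14:24:50","Rapid.Seven (Rapid.Seven@gmail.","Rapid.Seven (Rapid.Seven@gmail.,VPN,HQ,HQ","20.21.103.71","174.237.215.230","Allowed","1 (A)","NOERROR","rapid.seven.yahoo.com.","Search Engines,Infrastructure","AD Users","AD Users,Internal Networks,Sites,Networks",""',
    '"2020-06-16 05:06:14","RPD07 (RPD07@rapid7.com)","170.10.200.60","80.240.220.170","100.160.180.70","","ALLOWED","http://some-location.com/hello.txt","","Microsoft-CryptoAPI/10.0","200","211","1240","","","Software/Technology,Business Services,Infrastructure","","","","","","AD Users"',
    '"2020-04-22 22:54:21","R7\'s MacBook Pro","100.109.104.218","46292","64.251.89.57","554","Malware","Roaming Computers"',
    '"2019-01-14 18:03:46","[322140933]","Passive Monitor","CDFW Tunnel Device","OUTBOUND","1","84","173.18.4.5","46292","147.113.255.130","554","ams1.edc","12","ALLOW"',
]

# Record field count -> InsightIDR log set it lands in (see "Verify your
# configuration"); Proxy records come in 22- and 23-field variants.
LOG_SET_BY_FIELD_COUNT = {13: "DNS Query", 22: "Web Proxy", 23: "Web Proxy",
                          8: "Advanced Malware", 14: "Firewall"}

# Column names for the 13-field DNS record: an assumption taken from Cisco's
# published DNS log format, since the page shows the record without headers.
DNS_FIELDS = ["timestamp", "most_granular_identity", "identities", "internal_ip",
              "external_ip", "action", "query_type", "response_code", "domain",
              "categories", "most_granular_identity_type", "identity_types",
              "blocked_categories"]

def split_fields(line: str) -> List[str]:
    """Split one record with a real CSV parser; quoted fields carry embedded commas."""
    return next(csv.reader(io.StringIO(line)))

def classify(line: str) -> str:
    """Name the log set a record belongs to, or 'unknown' for an unrecognised shape."""
    return LOG_SET_BY_FIELD_COUNT.get(len(split_fields(line)), "unknown")

def parse_dns(line: str) -> Dict[str, object]:
    """Turn a DNS record into a dict; comma-separated list columns become lists."""
    fields = split_fields(line)
    if len(fields) != len(DNS_FIELDS):
        raise ValueError(f"expected {len(DNS_FIELDS)} DNS fields, got {len(fields)}")
    event: Dict[str, object] = dict(zip(DNS_FIELDS, fields))
    for key in ("identities", "categories", "identity_types", "blocked_categories"):
        event[key] = [v for v in fields[DNS_FIELDS.index(key)].split(",") if v]
    return event

def is_blocked_dns(event: Dict[str, object]) -> bool:
    """True when Umbrella did not allow the query or recorded a blocked category."""
    return str(event["action"]).lower() != "allowed" or bool(event["blocked_categories"])

def count_by_log_set(lines: List[str]) -> Dict[str, int]:
    """Tally records per log set, the check the verification step asks for."""
    return dict(Counter(classify(line) for line in lines))
```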

Troubleshooting

If you are experiencing issues with Cisco Umbrella, you can use one of the following solutions:

  • S3 Error: AccessDenied, Access Denied
  • Unexpected Request Code 301
  • Unable to Find Valid Certification Path to Requested Target

S3 Error: AccessDenied, Access Denied

If you see this error on your Cisco Umbrella event source, you may have entered some information incorrectly (specifically the S3 Bucket and the Key Prefix). First, verify that the information was entered correctly from the Cisco Umbrella configuration. If you still see this error, delete and reconfigure the event source.

If this error is still present after you have confirmed that all the information is correct, test your credentials for AWS using the AWS Command Line Interface (CLI). See the following AWS resource for instructions on configuring your AWS CLI:

https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

Non-Cisco Managed Customers

If you are experiencing the error above, try adding a trailing / to your S3 prefix.

Unexpected Request Code 301

If you encounter this error, check that you are using the correct S3 Bucket region.

Unable to Find Valid Certification Path to Requested Target

If you encounter this error, there is an issue with your certificate likely caused by a web proxy performing SSL/TLS inspection.

You can try the following to resolve this issue:

  • Reconfigure the appropriate proxy to whitelist traffic to the S3 address where your bucket is located.
  • Check that Cisco Umbrella has whitelisted traffic to the S3 address where your bucket is located.
  • Check that Cisco Umbrella is not blocking traffic to your desired S3 bucket location.