Cisco Umbrella is a DNS, firewall, secure web gateway and cloud access security broker (CASB) event source that collects information about services, incidents and threats found on your network.
Cisco Umbrella product logs can contain information about hosts and accounts, in addition to the source address. When setting up Cisco Umbrella as an event source, you will have the ability to specify attribution options.
To set up Cisco Umbrella, you’ll need to:
- Review “Before you Begin”.
- Configure Cisco Umbrella to send data to your Collector.
- Verify the configuration works.
You can also either:
Before You Begin
In order to see Cisco Umbrella logs in InsightIDR, you must configure Cisco Umbrella's log management to store its logs in an AWS S3 bucket that InsightIDR can read. Detailed information about this process can be found here: https://docs.umbrella.com/deployment-umbrella/docs/log-management.
In your Cisco Umbrella console, go to Settings > Log Management and complete the following steps:
- Select the option to use your own S3 bucket, or the Cisco managed S3 bucket.
- Select your Region and select Save.
- The console will take a few moments to activate. Copy the Bucket Name, Access Key, and Secret Key from the confirmation message for later use in InsightIDR.
- Select the Got It! checkbox and press Continue.
You will see another confirmation message that Cisco is sending logs to the S3 bucket.
How to Configure This Event Source
- From the left menu, select Data Collection.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the DNS icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Set the timezone to UTC as Cisco Umbrella always uses the UTC time zone for logging.
- Select an attribution source.
- Optionally choose to send unparsed logs.
- Select an AWS Authentication option. We recommend that you select IAM User Credential.
- Select your existing credentials or optionally create a new credential.
- Enter the Amazon S3 Bucket Name. Do not include s3:// in the bucket name. For example, if your Amazon S3 bucket is s3://your.bucket.url, you should only include your.bucket.url.
Cisco Managed: your bucket would look something like this: my-managed-bucket/abcd1234. Your Amazon S3 bucket name would then be my-managed-bucket.
- Enter the S3 Key Prefix.
- Key Prefix allows you to specify from what folder the logs should be collected. Learn more about prefixes here: https://docs.aws.amazon.com/AWSImportExport/latest/DG/ManipulatingS3KeyNames.html. If you do not have any folders or subdirectories where the logs are stored, leave this field blank.
Cisco Managed: your bucket would look something like this: my-managed-bucket/abcd1234, so your Key Prefix would be abcd1234/. Note that the / goes at the end of the prefix, not at the beginning.
- Select the Bucket Region Name.
- Enter the refresh rate in minutes. A recommended rate is 10 minutes.
- Click Save.
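The bucket name and key prefix rules above (no s3:// scheme, no path in the bucket name, a trailing slash on the prefix and none at the start) are easy to get wrong, and getting them wrong is also the usual cause of the AccessDenied error described under troubleshooting. The following is an added example, not Rapid7 or Cisco code, that derives the two form values from whatever the Umbrella console shows you and lints values you have already typed in. The function names and the bucket-name pattern are my own assumptions, not part of InsightIDR.

```python
from __future__ import annotations

import re

# Hypothetical helpers (not InsightIDR or Cisco code). They normalise what the
# Umbrella console shows (an s3:// URL, or "bucket/folder" for a Cisco-managed
# bucket) into the two values the InsightIDR event source form expects.

# Loose S3 bucket-name check: lowercase letters, digits, dots and hyphens,
# 3-63 characters, starting and ending alphanumerically (assumption, not a full
# implementation of AWS naming rules).
_S3_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9]$")


def split_bucket_location(location: str) -> tuple[str, str]:
    """Return (bucket_name, key_prefix) for an Umbrella log location.

    Accepts "s3://bucket", "s3://bucket/prefix", "bucket" or "bucket/prefix".
    The prefix comes back as "" or ending in exactly one "/" and never
    starting with one, which is the form the event source form wants.
    """
    value = location.strip()
    if value.lower().startswith("s3://"):
        value = value[len("s3://"):]
    value = value.lstrip("/")  # tolerate "s3:///bucket" style typos
    bucket, _, prefix = value.partition("/")
    if not _S3_BUCKET_RE.match(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    prefix = prefix.strip("/")
    if prefix:
        prefix += "/"
    return bucket, prefix


def lint_form_values(bucket_field: str, prefix_field: str) -> list[str]:
    """Return human-readable problems with already-entered form values.

    An empty list means the values follow the rules on this page.
    """
    problems: list[str] = []
    bucket = bucket_field.strip()
    prefix = prefix_field.strip()
    if bucket.lower().startswith("s3://"):
        problems.append("bucket name must not include s3://")
        bucket = bucket[len("s3://"):]
    if "/" in bucket:
        problems.append("bucket name must not contain a path; move the folder into the key prefix")
    if prefix.startswith("/"):
        problems.append("key prefix must not start with /")
    if prefix and not prefix.endswith("/"):
        problems.append("key prefix must end with /")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the two cases described on this page.
    for location in ("s3://your.bucket.url", "my-managed-bucket/abcd1234"):
        print(location, "->", split_bucket_location(location))
    print(lint_form_values("s3://my-managed-bucket/abcd1234", ""))
    print(lint_form_values("my-managed-bucket", "abcd1234/"))
```

Run the linter against what you typed into the form before deleting and recreating the event source; the two cases it reports most often (a scheme or path in the bucket field, a missing trailing slash on the prefix) match the fixes this page recommends.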
Attribution source options
Cisco Umbrella product logs can contain information about hosts and accounts. When setting up Cisco Umbrella as an event source, you will have the ability to specify the following attribution options:
- Use IDR engine if possible; if not, use event log
By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.
- Use event log if possible; if not, use IDR engine
By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.
- Use IDR engine only
By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.
- Use event log only
By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.
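To make the precedence between the four options concrete, here is an added illustration (not InsightIDR code) of how each option chooses between the attribution engine's IP-to-asset lookup and the identities carried in the log line. The option names, the engine callable and the lookup table are my own assumptions; in InsightIDR the engine is the product's own attribution logic, which this stub only stands in for.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical model of the four attribution options (not InsightIDR code).
# An "engine" is any callable that maps a source IP to an (asset, account)
# pair; it stands in for the InsightIDR attribution engine's own lookup.


@dataclass(frozen=True)
class Attribution:
    asset: Optional[str]
    account: Optional[str]
    source: str  # "engine", "event_log" or "none"


Resolver = Callable[[str], tuple[Optional[str], Optional[str]]]


def _from_engine(event: dict, engine: Resolver) -> Optional[Attribution]:
    """Attribute via the source address in the log line, if the engine knows it."""
    asset, account = engine(event.get("source_ip", ""))
    if asset or account:
        return Attribution(asset, account, "engine")
    return None


def _from_event_log(event: dict) -> Optional[Attribution]:
    """Attribute via the host/account names present in the log line, if any."""
    asset, account = event.get("host"), event.get("account")
    if asset or account:
        return Attribution(asset, account, "event_log")
    return None


def attribute(option: str, event: dict, engine: Resolver) -> Attribution:
    """Apply one of the four options; returns source="none" if nothing resolves."""
    steps = {
        "engine_then_log": (lambda: _from_engine(event, engine), lambda: _from_event_log(event)),
        "log_then_engine": (lambda: _from_event_log(event), lambda: _from_engine(event, engine)),
        "engine_only": (lambda: _from_engine(event, engine),),
        "log_only": (lambda: _from_event_log(event),),
    }[option]
    for step in steps:
        result = step()
        if result is not None:
            return result
    return Attribution(None, None, "none")


# Constructed sample: a DNS-style event carrying an Umbrella identity but no
# host name, and a lookup table standing in for the engine's IP-to-asset map.
SAMPLE_EVENT = {"source_ip": "18.104.22.168", "host": None, "account": "Rapid.Seven@gmail."}
ENGINE_TABLE = {"18.104.22.168": ("hq-laptop-01", "corp\\rapid.seven")}


def table_engine(ip: str) -> tuple[Optional[str], Optional[str]]:
    return ENGINE_TABLE.get(ip, (None, None))


if __name__ == "__main__":
    for option in ("engine_then_log", "log_then_engine", "engine_only", "log_only"):
        print(option, attribute(option, SAMPLE_EVENT, table_engine))
```

The sample shows why the choice matters: the same event is attributed to the engine's asset under the first option and to the identity string from the log under the second, and the two "only" options return nothing at all when their single source is empty.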
Verify your configuration
- From the left menu, click Log Search to view your raw logs and ensure events are making it to the Collector. Cisco Umbrella logs flow into different log sets depending on the event:
- DNS events generate DNS Query Documents
- Proxy events generate Web Proxy Documents
- IP events generate Advanced Malware Documents
- Cloud Firewall events generate Firewall Documents
- Perform a Log Search to make sure Cisco Umbrella events are coming through.
Example DNS Event
"2020-05-12 14:24:50","Rapid.Seven (Rapid.Seven@gmail.","Rapid.Seven (Rapid.Seven@gmail.,VPN,HQ,HQ","18.104.22.168","22.214.171.124","Allowed","1 (A)","NOERROR","rapid.seven.yahoo.com.","Search Engines,Infrastructure","AD Users","AD Users,Internal Networks,Sites,Networks",""
Example Proxy Event (22 fields)
"2020-06-16 05:06:14","RPD07 (RPD07@rapid7.com)","126.96.36.199","188.8.131.52","184.108.40.206","","ALLOWED","http://some-location.com/hello.txt","","Microsoft-CryptoAPI/10.0","200","211","1240","","","Software/Technology,Business Services,Infrastructure","","","","","","AD Users"
Example Proxy Event (23 fields)
"2020-06-16 13:38:26","RPD-7-10001337","220.127.116.11","18.104.22.168","22.214.171.124","text/plain","ALLOWED","http://some-location.com/hello.txt","","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0","200","","377","8","81b2bd4ea98c8db66554fbc8d7637a1a69a130f331feb732b75abc1234568fd5","Infrastructure","","","","","","Anyconnect Roaming Client",""
Example IP Event
"2020-04-22 22:54:21","R7's MacBook Pro","100.109.104.218","46292","126.96.36.199","554","Malware","Roaming Computers"
Example Cloud Firewall Event
"2019-01-14 18:03:46","","Passive Monitor","CDFW Tunnel Device","OUTBOUND","1","84","188.8.131.52","46292","184.108.40.206","554","ams1.edc","12","ALLOW"
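When verifying the configuration it helps to be able to tell the four Umbrella log formats apart offline, the way the Collector's parser has to. The following is an added example, not Rapid7 or Cisco code, that classifies a raw Umbrella CSV line by its field count (13 for DNS, 22 or 23 for proxy, 8 for IP, 14 for cloud firewall, matching the examples above), names its fields and maps it to the InsightIDR log set listed in this section. The field names follow Cisco's published Umbrella log schemas as I recall them and should be treated as assumptions to check against Cisco's log-management documentation; the sample lines are the ones shown on this page.

```python
from __future__ import annotations

import csv
from io import StringIO

# Added example, not InsightIDR or Cisco code. Field names are assumptions
# based on Cisco's published Umbrella log formats; verify them against Cisco's
# documentation before relying on a specific name.
FIELD_NAMES = {
    "dns": ["timestamp", "most_granular_identity", "identities", "internal_ip",
            "external_ip", "action", "query_type", "response_code", "domain",
            "categories", "most_granular_identity_type", "identity_types",
            "blocked_categories"],                                      # 13 fields
    "proxy": ["timestamp", "identities", "internal_ip", "external_ip",
              "destination_ip", "content_type", "verdict", "url", "referer",
              "user_agent", "status_code", "request_size", "response_size",
              "response_body_size", "sha256", "categories", "av_detections",
              "puas", "amp_disposition", "amp_malware_name", "amp_score",
              "identity_type", "blocked_categories"],                   # 22 or 23 fields
    "ip": ["timestamp", "identity", "source_ip", "source_port",
           "destination_ip", "destination_port", "categories",
           "identity_types"],                                           # 8 fields
    "firewall": ["timestamp", "origin_id", "identity", "identity_type",
                 "direction", "ip_protocol", "packet_size", "source_ip",
                 "source_port", "destination_ip", "destination_port",
                 "data_center", "rule_id", "verdict"],                  # 14 fields
}
_BY_COUNT = {13: "dns", 22: "proxy", 23: "proxy", 8: "ip", 14: "firewall"}

# InsightIDR log sets named on this page for each Umbrella event type.
LOG_SETS = {
    "dns": "DNS Query Documents",
    "proxy": "Web Proxy Documents",
    "ip": "Advanced Malware Documents",
    "firewall": "Firewall Documents",
}


def parse_umbrella_line(line: str) -> dict:
    """Classify one raw Umbrella CSV line and return its named fields."""
    fields = next(csv.reader(StringIO(line)))  # honours quoted, comma-bearing fields
    kind = _BY_COUNT.get(len(fields))
    if kind is None:
        raise ValueError(f"unrecognised Umbrella line with {len(fields)} fields")
    record = dict(zip(FIELD_NAMES[kind][:len(fields)], fields))
    record["log_type"] = kind
    record["log_set"] = LOG_SETS[kind]
    return record


def summarize(lines) -> dict:
    """Count lines per event type, the quick check for 'is every format arriving?'."""
    counts: dict[str, int] = {}
    for line in lines:
        kind = parse_umbrella_line(line)["log_type"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# The example events from this page, one per format (unescaped to raw CSV).
SAMPLE_LINES = {
    "dns": '''"2020-05-12 14:24:50","Rapid.Seven (Rapid.Seven@gmail.","Rapid.Seven (Rapid.Seven@gmail.,VPN,HQ,HQ","18.104.22.168","22.214.171.124","Allowed","1 (A)","NOERROR","rapid.seven.yahoo.com.","Search Engines,Infrastructure","AD Users","AD Users,Internal Networks,Sites,Networks",""''',
    "proxy22": '''"2020-06-16 05:06:14","RPD07 (RPD07@rapid7.com)","126.96.36.199","188.8.131.52","184.108.40.206","","ALLOWED","http://some-location.com/hello.txt","","Microsoft-CryptoAPI/10.0","200","211","1240","","","Software/Technology,Business Services,Infrastructure","","","","","","AD Users"''',
    "proxy23": '''"2020-06-16 13:38:26","RPD-7-10001337","220.127.116.11","18.104.22.168","22.214.171.124","text/plain","ALLOWED","http://some-location.com/hello.txt","","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0","200","","377","8","81b2bd4ea98c8db66554fbc8d7637a1a69a130f331feb732b75abc1234568fd5","Infrastructure","","","","","","Anyconnect Roaming Client",""''',
    "ip": '''"2020-04-22 22:54:21","R7's MacBook Pro","100.109.104.218","46292","126.96.36.199","554","Malware","Roaming Computers"''',
    "firewall": '''"2019-01-14 18:03:46","","Passive Monitor","CDFW Tunnel Device","OUTBOUND","1","84","188.8.131.52","46292","184.108.40.206","554","ams1.edc","12","ALLOW"''',
}


if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        rec = parse_umbrella_line(line)
        print(name, "->", rec["log_type"], "/", rec["log_set"])
    print(summarize(SAMPLE_LINES.values()))
```

Because the 22- and 23-field proxy variants differ only by the trailing blocked-categories field, naming fields positionally from the front keeps the identity-type field aligned in both; a parser that assumed a fixed 23 fields would misattribute the 22-field line.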
If you are experiencing issues with Cisco Umbrella, you can use one of the following solutions:
- S3 Error: AccessDenied, Access Denied
- Unexpected Request Code 301
- Unable to Find Valid Certification Path to Requested Target
S3 Error: AccessDenied, Access Denied
If you see this error on your Cisco Umbrella event source, you may have entered some information incorrectly (specifically the S3 Bucket and the Key Prefix). First, verify that the information was entered correctly from the Cisco Umbrella configuration. If you still see this error, delete and reconfigure the event source.
If this error is still present after you have confirmed that all the information is correct, test your credentials for AWS using the AWS Command Line Interface (CLI). See the following AWS resource for instructions on configuring your AWS CLI:
Non-Cisco Managed Customers
If you are experiencing the error above, try adding a trailing / to your S3 prefix.
Unexpected Request Code 301
If you encounter this error, check that you are using the correct S3 Bucket region.
Unable to Find Valid Certification Path to Requested Target
If you encounter this error, the certificate presented for the S3 endpoint cannot be validated, which is most likely caused by a web proxy performing SSL/TLS inspection.
You can try the following to resolve this issue:
- Reconfigure the appropriate proxy to allow traffic to the S3 address where your bucket is located.
- Check that Cisco Umbrella has allowed traffic to the S3 address where your bucket is located.
- Check that Cisco Umbrella is not blocking traffic to your desired S3 bucket location.