Cisco Umbrella
Cisco Umbrella is a DNS, firewall, secure web gateway and cloud access security broker (CASB) event source that collects information about services, incidents and threats found on your network.
The event types that InsightIDR parses from this event source are:
- IP events
- AnyConnect events
- DNS events
- Cloud Firewall events
- Proxy events
Cisco Umbrella product logs can contain information about hosts and accounts, in addition to the source address. When you set up Cisco Umbrella as an event source, you will have the ability to specify the primary attribution source.
There are two ways to send data from your Cisco Umbrella account to InsightIDR: event collection through the Cloud, or through an on-premises Rapid7 Collector.
Cloud event sources are being phased in from December 2023
InsightIDR is adding cloud event collection capabilities to a select number of supported event sources, and this one is included. This will be a phased release, so if your environment is not yet displaying the Run on Cloud option, please be patient; your environment will update shortly.
To set up the Cisco Umbrella event source, complete these steps:
- Read the requirements and complete any prerequisite steps.
- Configure Cisco Umbrella to send data to InsightIDR.
- Configure InsightIDR to receive data from the event source.
- Test the configuration.
Requirements
Before you start the configuration:
- To receive logs from Cisco Umbrella in InsightIDR, you must configure an Amazon S3 Bucket to store the logs. Follow the instructions in the Cisco Umbrella documentation at: https://docs.umbrella.com/deployment-umbrella/docs/log-management#logging-to-amazon-s3.
- Read about the supported regions for Amazon S3 in our Data Archiving documentation.
- If you have a Cisco managed bucket, your bucket's URL might look something like this: my-managed-bucket/abcd1234. In this example, the Amazon S3 bucket name is my-managed-bucket and the key prefix is abcd1234/. Learn more about key prefixes by visiting the AWS documentation at: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html.
Access Keys in AWS
In AWS, access keys consist of two parts: an access key ID, for example, AKIAIOSFODNN7EXAMPLE, and a secret access key, for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. You must use both the access key ID and secret access key together to authenticate your requests.
Configure Cisco Umbrella to send data to InsightIDR
To allow InsightIDR to receive data from Cisco Umbrella, you must configure the settings in your Cisco account to provide access to its data.
- Log in to the Cisco Umbrella console and go to Settings > Log Management.
- Select the option to use either your own Amazon S3 bucket or the Cisco-managed S3 bucket.
- Select your region and click Save. The console takes a few moments to activate.
- Record the Bucket Name, Access Key, and Secret Key from the confirmation message to enter later in InsightIDR.
- Select Got It and click Continue. A confirmation message informs you that Cisco is sending logs to the Amazon S3 bucket.
Configure InsightIDR to receive data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
Task 1: Select Cisco Umbrella
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Cisco Umbrella in the event sources search bar.
- In the Product Type filter, select DNS.
- Select the Cisco Umbrella event source tile.
Task 2: Set up your collection method
There are two methods of collecting data from Cisco Umbrella: through a cloud connection, or through a Collector.
New credentials are required for cloud event sources
You cannot reuse existing on-premise credentials to create a cloud connection with this event source. You must create new credentials.
Use the Cloud Connection method
- In the Add Event Source panel, select Run On Cloud.
- Name the event source. This will become the name of the log that contains the event data in Log Search. If you do not name the event source, the log name defaults to Cisco Umbrella.
- Optionally, select the option to send unparsed data.
- Select an attribution source.
- Enter the name of the Amazon S3 Bucket that you created, but remove the s3:// prefix. For example, if your bucket is s3://your.bucket.url enter only your.bucket.url.
- Optionally, enter an Amazon S3 Key Prefix. A key prefix allows you to specify the folder the logs are stored in. If your folder is named abcd1234, enter the key prefix abcd1234/ with / after the folder name. If the logs are not stored in a folder, leave this field empty.
- Click Add a New Connection.
- In the Create a Cloud Connection screen, enter a name for the new connection.
- In the Bucket Region field, enter the region of the Amazon S3 bucket. For the precise format of this value, review the table of supported regions.
- In the AWS Access Key ID field, add a new credential:
- Name your credential.
- Describe your credential.
- Select the credential type.
- Enter the Secret Key, which is the Access Key you obtained in Configure Cisco Umbrella to send data to InsightIDR.
- Specify the product access for this credential.
- In the AWS Secret Access Key field, add a new credential:
- Name your credential.
- Describe your credential.
- Select the credential type.
- Enter the Secret Key, which is the Secret Key you obtained in Configure Cisco Umbrella to send data to InsightIDR.
- Specify the product access for this credential.
- Click Save Connection.
- Click Save.
Use the Collector method
- In the Add Event Source panel, select Run On Collector.
- Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name will default to Cisco Umbrella.
- Select your collector.
- Set the timezone to UTC, as Cisco Umbrella always uses the UTC time zone for logging.
- Select an attribution source.
- Optionally, choose to send unparsed logs.
- Select an AWS Authentication option. We recommend that you select IAM User Credential.
- Select your existing credentials or, optionally, create a new credential.
- Enter the Amazon S3 Bucket Name. Do not include s3:// in the bucket name.
- For example, if your Amazon S3 bucket is s3://your.bucket.url, include only your.bucket.url.
- Cisco Managed: Your bucket would look something like this: my-managed-bucket/abcd1234. Your Amazon S3 bucket name would then be my-managed-bucket.
- Enter the S3 Key Prefix.
- The Key Prefix allows you to specify from what folder the logs should be collected. Learn more about prefixes at: https://docs.aws.amazon.com/AWSImportExport/latest/DG/ManipulatingS3KeyNames.html. If you do not have any folders or subdirectories where the logs are stored, keep this field blank.
- Cisco Managed: If your bucket looks something like this: my-managed-bucket/abcd1234, then your Key Prefix would be abcd1234/. Note that the / goes at the end of the prefix, and not the beginning.
- Select the Bucket Region Name.
- Enter the refresh rate in minutes. A recommended rate is 10 minutes.
- Click Save.
Supported Amazon S3 Bucket Regions
The value you enter for the Cisco Amazon S3 bucket region must follow a specific shortened format. For example, if the bucket region is US_WEST_N_CALIFORNIA, you must enter the corresponding short name, us-west-1.
Amazon S3 Region | Short Name | URL |
---|---|---|
AF_CAPE_TOWN (Africa (Cape Town)) | af-south-1 | https://s3-af-south-1.amazonaws.com |
AP_HONG_KONG (Asia Pacific (Hong Kong)) | ap-east-1 | https://s3-ap-east-1.amazonaws.com |
AP_JAKARTA (Asia Pacific (Jakarta)) | ap-southeast-3 | https://s3-ap-southeast-3.amazonaws.com |
AP_MUMBAI (Asia Pacific (Mumbai)) | ap-south-1 | https://s3-ap-south-1.amazonaws.com |
AP_OSAKA (Asia Pacific (Osaka)) | ap-northeast-3 | https://s3-ap-northeast-3.amazonaws.com |
AP_SEOUL (Asia Pacific (Seoul)) | ap-northeast-2 | https://s3-ap-northeast-2.amazonaws.com |
AP_SINGAPORE (Asia Pacific (Singapore)) | ap-southeast-1 | https://s3-ap-southeast-1.amazonaws.com |
AP_SYDNEY (Asia Pacific (Sydney)) | ap-southeast-2 | https://s3-ap-southeast-2.amazonaws.com |
AP_TOKYO (Asia Pacific (Tokyo)) | ap-northeast-1 | https://s3-ap-northeast-1.amazonaws.com |
CA_CENTRAL (Canada (Central)) | ca-central-1 | https://s3-ca-central-1.amazonaws.com |
EU_FRANKFURT (EU (Frankfurt)) | eu-central-1 | https://s3-eu-central-1.amazonaws.com |
EU_IRELAND (EU (Ireland)) | eu-west-1 | https://s3-eu-west-1.amazonaws.com |
EU_LONDON (EU (London)) | eu-west-2 | https://s3-eu-west-2.amazonaws.com |
EU_MILAN (EU (Milan)) | eu-south-1 | https://s3-eu-south-1.amazonaws.com |
EU_PARIS (EU (Paris)) | eu-west-3 | https://s3-eu-west-3.amazonaws.com |
EU_STOCKHOLM (EU (Stockholm)) | eu-north-1 | https://s3-eu-north-1.amazonaws.com |
ME_BAHRAIN (Middle East (Bahrain)) | me-south-1 | https://s3-me-south-1.amazonaws.com |
MME_UAE (Middle East (UAE)) | me-central-1 | https://s3-me-central-1.amazonaws.com |
SA_SAO_PAULO (South America (Sao Paulo)) | sa-east-1 | https://s3-sa-east-1.amazonaws.com |
US_EAST_GOV (US East (GovCloud)) | us-gov-east-1 | https://s3-us-gov-east-1.amazonaws.com |
US_EAST_GOV_FIPS (US East (FIPS GovCloud)) | us-gov-east-1 | https://s3-fips-us-gov-east-1.amazonaws.com |
US_EAST_OHIO (US East (Ohio)) | us-east-2 | https://s3-us-east-2.amazonaws.com |
US_EAST_VIRGINIA (US Standard) | us-east-1 | https://s3.amazonaws.com |
US_WEST_GOV (US West (GovCloud)) | us-gov-west-1 | https://s3-us-gov-west-1.amazonaws.com |
US_WEST_GOV_FIPS (US West (FIPS GovCloud)) | us-gov-west-1 | https://s3-fips-us-gov-west-1.amazonaws.com |
US_WEST_N_CALIFORNIA (US West (N. California)) | us-west-1 | https://s3-us-west-1.amazonaws.com |
US_WEST_OREGON (US West (Oregon)) | us-west-2 | https://s3-us-west-2.amazonaws.com |
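The bucket-name, key-prefix and region rules above are easy to get wrong when pasting values from the Cisco console, so here is a small helper, added for this page and not part of InsightIDR or Cisco Umbrella, that derives the two form values from a pasted bucket string and rejects a region that is not in short-name form. The function names and the short-name pattern are this example's own assumptions.

```python
import re

# Short names in the supported-regions table all look like "us-west-1",
# "us-gov-east-1" or "ap-southeast-3": a geo code, optional "gov", a compass
# word and a digit. Cisco's long names such as US_WEST_N_CALIFORNIA do not match.
SHORT_REGION = re.compile(r"^(af|ap|ca|eu|me|sa|us)(-gov)?-[a-z]+-\d$")


def normalize_bucket(raw):
    """Split a pasted bucket string into (bucket_name, key_prefix).

    - an "s3://" scheme is dropped, since the form rejects it
    - a Cisco-managed value "my-managed-bucket/abcd1234" becomes bucket
      "my-managed-bucket" and prefix "abcd1234/" (trailing slash required,
      no leading slash)
    - a bare bucket name yields an empty prefix (logs not stored in a folder)
    """
    s = raw.strip()
    if s.lower().startswith("s3://"):
        s = s[5:]
    bucket, _, prefix = s.partition("/")
    if not bucket:
        raise ValueError("no bucket name in %r" % raw)
    prefix = prefix.strip("/")
    return bucket, prefix + "/" if prefix else ""


def check_region(value):
    """Return the region if it is a short name, otherwise raise.

    The page ties a long region name to the 'unexpected error in the integration
    pipeline' warning and a wrong region to HTTP 301 responses from S3, so this
    check belongs before the connection is saved.
    """
    v = value.strip()
    if SHORT_REGION.match(v):
        return v
    raise ValueError("region %r must be a short name such as us-west-1" % value)
```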
Test the configuration
To test that event data is flowing into InsightIDR through the cloud-to-cloud connection:
- View the raw logs.
- From the Data Collection Management page, click the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to InsightIDR.
- Use Log Search to find the log entries. After approximately seven minutes, you can verify that log entries are appearing in Log Search.
- From the left menu, go to Log Search.
- In the Log Search filter, search for the new event source you created.
- Select the log sets and the log names under each log set. Cisco Umbrella logs flow into these log sets:
- DNS Query Documents: Contains DNS events.
- Web Proxy Documents: Contains proxy events.
- Advanced Malware Documents: Contains IP events.
- Firewall Documents: Contains Cloud Firewall events.
- Set the time range to Last 10 minutes and click Run.
The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.
Sample logs
To help you visualize the event logs that this event source generates, here are some sample logs:
Example DNS Event
"2020-05-12 14:24:50","Rapid.Seven (Rapid.Seven@gmail.","Rapid.Seven (Rapid.Seven@gmail.,VPN,HQ,HQ","20.21.103.71","174.237.215.230","Allowed","1 (A)","NOERROR","rapid.seven.yahoo.com.","Search Engines,Infrastructure","AD Users","AD Users,Internal Networks,Sites,Networks",""
Example Proxy Event (22 fields)
"2020-06-16 05:06:14","RPD07 (RPD07@rapid7.com)","170.10.200.60","80.240.220.170","100.160.180.70","","ALLOWED","http://some-location.com/hello.txt","","Microsoft-CryptoAPI/10.0","200","211","1240","","","Software/Technology,Business Services,Infrastructure","","","","","","AD Users"
Example Proxy Event (23 fields)
"2020-06-16 13:38:26","RPD-7-10001337","190.160.1.170","70.170.40.50","20.40.200.20","text/plain","ALLOWED","http://some-location.com/hello.txt","","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0","200","","377","8","81b2bd4ea98c8db66554fbc8d7637a1a69a130f331feb732b75abc1234568fd5","Infrastructure","","","","","","Anyconnect Roaming Client",""
Example IP Event
"2020-04-22 22:54:21","R7's MacBook Pro","100.109.104.218","46292","64.251.89.57","554","Malware","Roaming Computers"
Example Cloud Firewall Event
"2019-01-14 18:03:46","[322140933]","Passive Monitor","CDFW Tunnel Device","OUTBOUND","1","84","173.18.4.5","46292","147.113.255.130","554","ams1.edc","12","ALLOW"
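The sample logs are plain CSV whose record type is only apparent from the column count (13 for DNS, 8 for IP, 14 for Cloud Firewall, 22 or 23 for proxy). The parser below is an added example, not InsightIDR's parser or Cisco's code: it maps each sample to named columns and applies a first triage rule to the kinds of events above. The column names follow Cisco Umbrella's published log layouts as understood by this example's author and are an assumption, since the page does not list them.

```python
import csv
import io

# Column names follow Cisco Umbrella's published CSV log layouts as this example's author
# understands them (an assumption, not stated on this page); record type is inferred from
# the column count, which is also how the 22- and 23-field proxy samples above differ.
SCHEMAS = {
    "dns": ["timestamp", "most_granular_identity", "identities", "internal_ip", "external_ip",
            "action", "query_type", "response_code", "domain", "categories",
            "most_granular_identity_type", "identity_types", "blocked_categories"],
    "ip": ["timestamp", "identity", "source_ip", "source_port", "destination_ip",
           "destination_port", "categories", "identity_types"],
    "firewall": ["timestamp", "origin_id", "identity", "identity_type", "direction", "ip_protocol",
                 "packet_size", "source_ip", "source_port", "destination_ip", "destination_port",
                 "data_center", "rule_id", "verdict"],
    "proxy": ["timestamp", "identities", "internal_ip", "external_ip", "destination_ip",
              "content_type", "verdict", "url", "referer", "user_agent", "status_code",
              "requested_size", "response_size", "response_body_size", "sha256", "categories",
              "av_detections", "puas", "amp_disposition", "amp_malware_name", "amp_score",
              "identity_type", "blocked_categories"],
}
BY_COUNT = {8: "ip", 13: "dns", 14: "firewall", 22: "proxy", 23: "proxy"}


def parse_umbrella_line(line):
    """Return (event_type, {column: value}) for one raw Umbrella CSV line."""
    fields = next(csv.reader(io.StringIO(line)))
    kind = BY_COUNT.get(len(fields))
    if kind is None:
        raise ValueError("unrecognised Umbrella record with %d fields" % len(fields))
    return kind, dict(zip(SCHEMAS[kind], fields))  # a 22-field proxy row simply lacks the last key


def needs_attention(kind, ev):
    """Cheap triage: non-allowed verdicts, Malware-category IP events, AV/AMP proxy detections."""
    if kind == "dns":
        return ev["action"] != "Allowed" or bool(ev["blocked_categories"])
    if kind == "ip":
        return "Malware" in ev["categories"].split(",")
    if kind == "firewall":
        return ev["verdict"] != "ALLOW"
    return ev["verdict"] != "ALLOWED" or bool(ev["av_detections"]) or bool(ev["amp_malware_name"])


# Two of the sample lines shown above, embedded so the block runs offline.
SAMPLE_DNS = ('"2020-05-12 14:24:50","Rapid.Seven (Rapid.Seven@gmail.",'
              '"Rapid.Seven (Rapid.Seven@gmail.,VPN,HQ,HQ","20.21.103.71","174.237.215.230",'
              '"Allowed","1 (A)","NOERROR","rapid.seven.yahoo.com.","Search Engines,Infrastructure",'
              '"AD Users","AD Users,Internal Networks,Sites,Networks",""')
SAMPLE_IP = ('"2020-04-22 22:54:21","R7\'s MacBook Pro","100.109.104.218","46292",'
             '"64.251.89.57","554","Malware","Roaming Computers"')
```

Feeding the 22-field proxy sample through `parse_umbrella_line` yields a dict without a `blocked_categories` key, which is the only way the two proxy layouts differ.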
Troubleshooting
If you experience issues with the Cisco Umbrella event source, try the solutions provided in this section.
- S3 Error: AccessDenied, Access Denied
- Integration warning: unexpected error in the integration pipeline
- Unexpected Request Code 301
- Unable to Find Valid Certification Path to Requested Target
S3 Error: AccessDenied, Access Denied
If you see this error on your Cisco Umbrella event source, you may have entered some information incorrectly (specifically the S3 Bucket and the Key Prefix). First, verify that the information was entered correctly from the Cisco Umbrella configuration. If you still see this error, delete and reconfigure the event source.
Second, verify that the AmazonS3ReadOnlyAccess managed policy is attached to the IAM credentials that are configured in the event source connection. This is necessary to be able to read from the bucket. For more information, visit https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonS3ReadOnlyAccess.html.
If this error is still present after you have confirmed that all the information is correct, test your credentials for AWS using the AWS Command Line Interface (CLI). See the instructions on configuring your AWS CLI at: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html.
Non-Cisco Managed Customers
If you are experiencing the error above, try adding a trailing / to your S3 prefix.
Integration warning: unexpected error in the integration pipeline
If you encounter this error while configuring a cloud connection, ensure that you entered the correct short name in the Bucket Region field. Do not enter the long name of the S3 bucket region.
To find the short name value you must enter, review the table in the Supported Amazon S3 bucket regions section.
Unexpected Request Code 301
If you encounter this error, ensure that you are using the correct S3 bucket region.
Unable to Find Valid Certification Path to Requested Target
If you encounter this error, there is an issue with your certificate likely caused by a web proxy performing SSL/TLS inspection.
You can perform the following in an attempt to resolve this issue:
- Reconfigure the appropriate proxy to allow traffic to the S3 address where your bucket is located.
- Check that Cisco Umbrella has allowed traffic to the S3 address where your bucket is located.
- Check that Cisco Umbrella is not blocking traffic to your desired S3 bucket location.