Cisco Umbrella

Cisco Umbrella protects enterprises by categorizing domains and providing feedback on whether or not a website is malicious.

  • Recommended Method: Amazon S3 Bucket

Data Types

  • UMBRELLA_DNS
  • UMBRELLA_WEBPROXY
  • UMBRELLA_FIREWALL
  • UMBRELLA_IP
  • CISCO_UMBRELLA_AUDIT

Caveats / Known Limitations

  • Cyderes recommends that the customer host the S3 bucket, rather than the vendor, so that Cyderes can set up SQS notifications on it.

Configuration

Reference: https://docs.umbrella.com/deployment-umbrella/docs/cisco-managed-s3-bucket

  • Follow the directions in the reference article

  • Next, follow these steps to create a Feed in Google SecOps and enable ingestion of Cisco Umbrella logs from the newly created bucket:
  • Navigate to SIEM Settings > Feeds.
  • Click Add New Feed.
  • On the following page, select Configure a single feed.
  • From the Source type dropdown, choose Amazon S3.
  • In the Log type dropdown, choose the appropriate log type based on the path you want to ingest logs from, such as Cisco Umbrella DNS or Cisco Umbrella Web Proxy.
  • Click Next.
  • Using your AWS S3 server access configuration, enter the required input parameters:
    • Region
    • S3 URI
    • Source deletion option
    • Select AWS access key and secret
    • Access key ID
    • Secret access key
  • Click Next, then click Submit to complete the setup.
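The access key ID and secret access key entered above are long-lived credentials that leave your AWS account, so they should belong to an IAM user that can do nothing except read the Umbrella log prefixes. The policy below is an added example, not part of the original article or of Cisco's or Google's documentation; the bucket name and the `dnslogs/` and `proxylogs/` prefixes are assumed placeholders that must match the bucket and paths created in the reference article.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyUmbrellaLogPrefixes",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-umbrella-logs-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["dnslogs/*", "proxylogs/*"]
        }
      }
    },
    {
      "Sid": "ReadUmbrellaLogObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-umbrella-logs-bucket/dnslogs/*",
        "arn:aws:s3:::EXAMPLE-umbrella-logs-bucket/proxylogs/*"
      ]
    }
  ]
}
```

If the feed's Source deletion option is set to delete files after transfer, the feed user additionally needs `s3:DeleteObject` on the same object ARNs; with the policy as written, a misconfigured or compromised feed key can read the log prefixes but cannot list, read, or delete anything else in the account.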