Cisco Umbrella Web Proxy
About
Cisco Umbrella's secure web gateway (SWG) is a full proxy that logs and inspects your organization's web traffic to deliver full visibility, URL and application-level controls, and advanced threat protection.
Product Details
Vendor URL: Cisco Umbrella
Product Type: Web Proxy
Product Tier: Tier II
Integration Method: API
Log Guide: Web Log Formats
Parser Details
Log Format: CSV
Expected Normalization Rate: near 100%
Data Label: UMBRELLA_WEBPROXY
UDM Fields (list of all UDM fields used in the parser):
| Log File Field | UDM Field |
|---|---|
| column2 / identity | principal.hostname |
| column2 / identity | principal.location.name |
| column2 / identity | principal.location.city |
| column2 / identity | principal.user.userid |
| column3 / internalIp | principal.ip |
| column4 / externalIp | observer.ip |
| column5 / destinationIp | target.ip |
| column6 / contentType | target.application |
| column7 / verdict | security_result.action |
| column8 / url | target.url |
| column9 / referer | network.http.referral_url |
| column10 / userAgent | network.http.user_agent |
| column11 / statusCode | network.http.response_code |
| column12 / requestSize | network.sent_bytes |
| column13 / responseSize | network.received_bytes |
| column22 / identityType | principal.domain.tech.group_identifiers |
| column23 / blockedCategories | security_result.summary |
| column23 / blockedCategories | security_result.threat_name |
| column25 / requestIdentityType | principal.user.attribute.roles |
| column26 / requestMethod | network.http.method |
| column29 / fileName | target.file.names |
| column31 / ruleID | security_result.rule_id |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| Generic | GENERIC_EVENT |
| Network events | NETWORK_HTTP |
Log Samples
"2024-08-15 04:22:33","Jane, Smith (jsmith@example.org)","0.0.0.0","10.0.0.0","10.0.0.0","text/plain","ALLOWED","https://play.google.com/log","https://www.google.com/","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0","200","957","653","131","1234567890abcdeghijklmnop12345678","Ecommerce/Shopping,Movies,Software/Technology,Application,Computers and Internet","","","","","","AD Users","","Jane, Smith (jsmith@example.org),ABC123.corp.example.org,Default Site,SHS Internal 10.0.0.0/8,Stamford Health IP","AD Users,AD Computers,Sites,Internal Networks,Networks","POST","","","log","1346632","",""
Sample Parsing
metadata.event_type = "NETWORK_HTTP"
metadata.log_type = "UMBRELLA_WEBPROXY"
metadata.product_name = "Umbrella"
metadata.vendor_name = "Cisco"
network.application_protocol = "HTTPS"
network.http.method = "POST"
network.http.referral_url = "https://www.google.com/"
network.http.response_code = 200
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
network.received_bytes = 653
network.sent_bytes = 957
observer.ip = "10.0.0.0"
principal.asset.hostname = "ABC123.corp.example.org,Default Site,SHS Internal 10.0.0.0/8,Stamford Health IP"
principal.domain.tech.group_identifiers = "AD Users"
principal.ip = "10.0.0.0"
principal.user.attribute.roles.description = "AD Users,AD Computers,Sites,Internal Networks,Networks"
principal.user.email_addresses = "jsmith@example.org"
principal.user.user_display_name = "Jane, Smith"
principal.user.userid = "Jane, Smith (jsmith@example.org)"
security_result.about.file.sha256 = "1234567890abcdeghijklmnop12345678"
security_result.action = "ALLOW"
security_result.category_details = "Ecommerce/Shopping,Movies,Software/Technology,Application,Computers and Internet"
security_result.category = "NETWORK_CATEGORIZED_CONTENT"
security_result.summary = "Traffic allowed"
target.application = "text/plain"
target.file.names = "log"
target.ip = "10.0.0.0"
target.url = "https://play.google.com/log"
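As an added example, not code from the Umbrella product or the Chronicle parser itself, the Python function below applies the column mapping above to a constructed record in the same 32-column layout as the log sample. It shows the two details a hand-rolled parser usually gets wrong: the quoted identity column contains a comma (so splitting on commas breaks the layout) and Umbrella's ALLOWED/BLOCKED verdicts must be normalized to the UDM ALLOW/BLOCK values; the UDM key names follow the table, and the split of the identity into display name and e-mail follows the sample parsing.

```python
import csv
import io
import re

# Constructed sample record in the page's 32-column layout (values are placeholders).
SAMPLE_LINE = (
    '"2024-08-15 04:22:33","Jane, Smith (jsmith@example.org)","0.0.0.0","10.0.0.0","10.0.0.0",'
    '"text/plain","ALLOWED","https://play.google.com/log","https://www.google.com/","Mozilla/5.0",'
    '"200","957","653","131","1234567890abcdeghijklmnop12345678","Ecommerce/Shopping,Movies",'
    '"","","","","","AD Users","","Jane, Smith (jsmith@example.org),ABC123.corp.example.org",'
    '"AD Users,AD Computers","POST","","","log","1346632","",""'
)
# 0-based indexes of the columns the mapping table uses (the page numbers them from 1).
IDENTITY, INTERNAL_IP, EXTERNAL_IP, DEST_IP, CONTENT_TYPE, VERDICT = 1, 2, 3, 4, 5, 6
URL, REFERER, USER_AGENT, STATUS, REQ_SIZE, RESP_SIZE, BLOCKED_CATS, METHOD = 7, 8, 9, 10, 11, 12, 22, 25
# Umbrella verdicts versus UDM action values; anything else is left unknown rather than guessed.
ACTIONS = {"ALLOWED": "ALLOW", "BLOCKED": "BLOCK"}
_IDENTITY_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<email>[^()\s]+@[^()\s]+)\)$")


def parse_umbrella_proxy_line(line: str) -> dict:
    # csv honours the quotes, so the comma inside "Jane, Smith (...)" does not split the column.
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) < 32:
        raise ValueError(f"expected 32 columns, got {len(fields)}")
    udm = {
        "principal.user.userid": fields[IDENTITY],
        "principal.ip": fields[INTERNAL_IP],
        "observer.ip": fields[EXTERNAL_IP],
        "target.ip": fields[DEST_IP],
        "target.application": fields[CONTENT_TYPE],
        "security_result.action": ACTIONS.get(fields[VERDICT].upper(), "UNKNOWN_ACTION"),
        "target.url": fields[URL],
        "network.http.referral_url": fields[REFERER],
        "network.http.user_agent": fields[USER_AGENT],
        "network.http.method": fields[METHOD],
        # Blocked categories are a comma-separated list; it is empty on an allowed request.
        "security_result.summary": [c for c in fields[BLOCKED_CATS].split(",") if c],
    }
    # Numeric columns become integers; a blank column stays absent rather than becoming 0.
    for key, idx in (("network.http.response_code", STATUS), ("network.sent_bytes", REQ_SIZE),
                     ("network.received_bytes", RESP_SIZE)):
        if fields[idx].isdigit():
            udm[key] = int(fields[idx])
    # "Jane, Smith (jsmith@example.org)" -> display name plus e-mail, as in the sample parsing.
    m = _IDENTITY_RE.match(fields[IDENTITY])
    if m:
        udm["principal.user.user_display_name"] = m.group("name")
        udm["principal.user.email_addresses"] = m.group("email")
    return udm
```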