Cisco Umbrella Proxy
Overview
Cisco Umbrella offers flexible, cloud-delivered security. It combines multiple security functions into one solution, so that protection can be extended to devices, remote users, and distributed locations anywhere. CISCO Umbrella is a leading provider of network security and recursive DNS services.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Web logs |
HTTP traffic is analyzed in detail |
Web proxy |
proxy logs show the request state (passed, rejected...) |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": " \"2020-06-12 14:31:38\",\"abc\",\"1.1.1.1\",\"2.2.2.2\",\"3.3.3.3\",\"\",\"ALLOWED\",\"https://discordapp.com/api/v6/science\",\"url\",\"domain name\",\"204\",\"471\",\"\",\"\",\"\",\"Chat,Instant Messaging,Application\",\"\",\"\",\"\",\"\",\"\",\"Roaming Computers\",\"\"",
"event": {
"outcome": "success"
},
"@timestamp": "2020-06-12T14:31:38Z",
"action": {
"name": "request",
"outcome": "success",
"outcome_reason": "allowed",
"target": "network-traffic"
},
"destination": {
"address": "discordapp.com",
"domain": "discordapp.com",
"ip": "3.3.3.3"
},
"host": {
"hostname": "abc",
"name": "abc"
},
"http": {
"request": {
"bytes": 471,
"referrer": "url"
},
"response": {
"status_code": 204
}
},
"related": {
"hosts": [
"abc",
"discordapp.com"
],
"ip": [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
},
"source": {
"address": "2.2.2.2",
"ip": "2.2.2.2",
"nat": {
"ip": "1.1.1.1"
}
},
"url": {
"domain": "discordapp.com",
"full": "https://discordapp.com/api/v6/science",
"original": "https://discordapp.com/api/v6/science",
"path": "/api/v6/science",
"port": 443,
"registered_domain": "discordapp.com",
"scheme": "https",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "domain name",
"os": {
"name": "Other"
}
}
}
{
"message": " \"2020-06-12 14:30:59\",\"hostname\",\"\",\"1.1.1.1\",\"2.2.2.2\",\"image/gif\",\"ALLOWED\",\"url{\"\"RequestID\"\":\"\"fp-afd.azurefd.us\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"cold\"\",\"\"Result\"\":653,\"\"T\"\":3},{\"\"RequestID\"\":\"\"fp-afd.azurefd.us\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"warm\"\",\"\"Result\"\":307,\"\"T\"\":3},{\"\"RequestID\"\":\"\"something.net\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"cold\"\",\"\"Result\"\":140,\"\"T\"\":3},{\"\"RequestID\"\":\"\"something.net\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"warm\"\",\"\"Result\"\":31,\"\"T\"\":3},{\"\"RequestID\"\":\"\"l-ring.msedge.net\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"cold\"\",\"\"Result\"\":76,\"\"T\"\":3},{\"\"RequestID\"\":\"\"l-ring.msedge.net\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"warm\"\",\"\"Result\"\":19,\"\"T\"\":3}]\",\"\",\" \",\"200\",\"\",\"319\",\"42\",\"123\",\"Software/Technology,Infrastructure\",\"\",\"\",\"\",\"\",\"\"",
"event": {
"outcome": "success"
},
"@timestamp": "2020-06-12T14:30:59Z",
"action": {
"name": "request",
"outcome": "success",
"outcome_reason": "allowed",
"target": "network-traffic"
},
"destination": {
"address": "2.2.2.2",
"ip": "2.2.2.2"
},
"host": {
"hostname": "hostname",
"name": "hostname"
},
"http": {
"response": {
"body": {
"bytes": 42
},
"bytes": 319,
"mime_type": "image/gif",
"status_code": 200
}
},
"related": {
"hosts": [
"hostname"
],
"ip": [
"1.1.1.1",
"2.2.2.2"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
},
"url": {
"full": "url{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":653,\"T\":3},{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":307,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":140,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":31,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":76,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":19,\"T\":3}]",
"original": "url{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":653,\"T\":3},{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":307,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":140,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":31,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":76,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":19,\"T\":3}]",
"path": "url{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":653,\"T\":3},{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":307,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":140,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":31,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":76,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":19,\"T\":3}]"
}
}
{
"message": "\"2024-03-03 \n20:28:52\",\"PC17062\",\"192.168.1.1\",\"1.1.1.1\",\"2.2.2.2\",\"text/plain\",\"ALLOWED\",\"htt\nps://login.microsoftonline.com/common/oauth2/token\",\"\",\"Mozilla/5.0 (Windows NT 10.0; Win64; \nx64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 \nEdge/18.19045\",\"200\",\"2724\",\"7590\",\"6734\",\"675fd30ab2b4f86b620a7dca35e68d2464240b0b15e6d27b09e\n02eca273757a1\",\"SaaS and B2B\",\"\",\"\",\"\",\"\",\"\",\"Anyconnect Roaming \nClient\",\"\",\"PC17062\",\"Anyconnect Roaming Client\",\"POST\",\"\",\"\",\"token\",\"8295932\",\"\",\"\",\"\",\"\",\"\"\n",
"event": {
"outcome": "success"
},
"@timestamp": "2024-03-03T20:28:52Z",
"action": {
"name": "request",
"outcome": "success",
"outcome_reason": "allowed",
"target": "network-traffic"
},
"destination": {
"address": "login.microsoftonline.com",
"domain": "login.microsoftonline.com",
"ip": "2.2.2.2"
},
"host": {
"hostname": "PC17062",
"name": "PC17062"
},
"http": {
"request": {
"bytes": 2724
},
"response": {
"body": {
"bytes": 6734
},
"bytes": 7590,
"mime_type": "text/plain",
"status_code": 200
}
},
"related": {
"hosts": [
"PC17062",
"login.microsoftonline.com"
],
"ip": [
"1.1.1.1",
"192.168.1.1",
"2.2.2.2"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1",
"nat": {
"ip": "192.168.1.1"
}
},
"url": {
"domain": "login.microsoftonline.com",
"full": "https://login.microsoftonline.com/common/oauth2/token",
"original": "https://login.microsoftonline.com/common/oauth2/token",
"path": "/common/oauth2/token",
"port": 443,
"registered_domain": "microsoftonline.com",
"scheme": "https",
"subdomain": "login",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Edge",
"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045",
"os": {
"name": "Windows",
"version": "10"
},
"version": "18.19045"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
action.target |
keyword |
The target of the action |
destination.address |
keyword |
Destination network address. |
destination.domain |
keyword |
The domain name of the destination. |
destination.ip |
ip |
IP address of the destination. |
host.hostname |
keyword |
Hostname of the host. |
host.name |
keyword |
Name of the host. |
http.request.bytes |
long |
Total size in bytes of the request (body and headers). |
http.request.referrer |
keyword |
Referrer for this HTTP request. |
http.response.body.bytes |
long |
Size in bytes of the response body. |
http.response.bytes |
long |
Total size in bytes of the response (body and headers). |
http.response.mime_type |
keyword |
Mime type of the body of the response. |
http.response.status_code |
long |
HTTP response status code. |
source.ip |
ip |
IP address of the source. |
source.nat.ip |
ip |
Source NAT ip |
url.full |
wildcard |
Full unparsed URL. |
url.original |
wildcard |
Unmodified original url as seen in the event source. |
url.path |
wildcard |
Path of the request, such as "/search". |
user_agent.original |
keyword |
Unparsed user_agent string. |
Configure
This setup guide will show you how to forward logs produced by CISCO Umbrella service to Sekoia.io by means of an Rsyslog transport channel.
Collect proxylogs files and send them to rsyslog
After configuring Umbrella Log Management with AWS S3, the logs you download will be gzipped CSVs in appropriate subfolder with the following naming format:
proxylogs/<year>-<month>-<day>/<year>-<month>-<day>-<hour>-<minute>.csv.gz
To send these logs to Sekoia.io, we suggest the use of the logger Unix command. For each unzipped file, use the following command line:
logger -t proxylogs -f <YYYY>-<MM>-<DD>-<hh>-<mm>-<xxxx>.csv
Configure the Rsyslog server
Please consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.