Cisco Umbrella Proxy
Overview
Cisco Umbrella offers flexible, cloud-delivered security. It combines multiple security functions into one solution, so that protection can be extended to devices, remote users, and distributed locations anywhere. Cisco Umbrella is a leading provider of network security and recursive DNS services.
Event Categories
The following table lists the data sources offered by this integration.

Data Source | Description |
---|---|
Web logs | HTTP traffic is analyzed in detail |
Web proxy | Proxy logs show the request state (passed, rejected...) |
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
{
"message": " \"2020-06-12 14:31:38\",\"abc\",\"1.1.1.1\",\"2.2.2.2\",\"3.3.3.3\",\"\",\"ALLOWED\",\"https://discordapp.com/api/v6/science\",\"url\",\"domain name\",\"204\",\"471\",\"\",\"\",\"\",\"Chat,Instant Messaging,Application\",\"\",\"\",\"\",\"\",\"\",\"Roaming Computers\",\"\"",
"event": {
"outcome": "success"
},
"@timestamp": "2020-06-12T14:31:38Z",
"action": {
"name": "request",
"outcome": "success",
"outcome_reason": "allowed",
"target": "network-traffic"
},
"destination": {
"address": "discordapp.com",
"domain": "discordapp.com",
"ip": "3.3.3.3"
},
"host": {
"hostname": "abc",
"name": "abc"
},
"http": {
"request": {
"bytes": 471,
"referrer": "url"
},
"response": {
"status_code": 204
}
},
"related": {
"hosts": [
"abc",
"discordapp.com"
],
"ip": [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
},
"source": {
"address": "2.2.2.2",
"ip": "2.2.2.2",
"nat": {
"ip": "1.1.1.1"
}
},
"url": {
"domain": "discordapp.com",
"full": "https://discordapp.com/api/v6/science",
"original": "https://discordapp.com/api/v6/science",
"path": "/api/v6/science",
"port": 443,
"registered_domain": "discordapp.com",
"scheme": "https",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "domain name",
"os": {
"name": "Other"
}
}
}
{
"message": " \"2020-06-12 14:30:59\",\"hostname\",\"\",\"1.1.1.1\",\"2.2.2.2\",\"image/gif\",\"ALLOWED\",\"url{\"\"RequestID\"\":\"\"fp-afd.azurefd.us\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"cold\"\",\"\"Result\"\":653,\"\"T\"\":3},{\"\"RequestID\"\":\"\"fp-afd.azurefd.us\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"warm\"\",\"\"Result\"\":307,\"\"T\"\":3},{\"\"RequestID\"\":\"\"something.net\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"cold\"\",\"\"Result\"\":140,\"\"T\"\":3},{\"\"RequestID\"\":\"\"something.net\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"warm\"\",\"\"Result\"\":31,\"\"T\"\":3},{\"\"RequestID\"\":\"\"l-ring.msedge.net\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"cold\"\",\"\"Result\"\":76,\"\"T\"\":3},{\"\"RequestID\"\":\"\"l-ring.msedge.net\"\",\"\"Object\"\":\"\"trans.gif\"\",\"\"Conn\"\":\"\"warm\"\",\"\"Result\"\":19,\"\"T\"\":3}]\",\"\",\" \",\"200\",\"\",\"319\",\"42\",\"123\",\"Software/Technology,Infrastructure\",\"\",\"\",\"\",\"\",\"\"",
"event": {
"outcome": "success"
},
"@timestamp": "2020-06-12T14:30:59Z",
"action": {
"name": "request",
"outcome": "success",
"outcome_reason": "allowed",
"target": "network-traffic"
},
"destination": {
"address": "2.2.2.2",
"ip": "2.2.2.2"
},
"host": {
"hostname": "hostname",
"name": "hostname"
},
"http": {
"response": {
"body": {
"bytes": 42
},
"bytes": 319,
"mime_type": "image/gif",
"status_code": 200
}
},
"related": {
"hosts": [
"hostname"
],
"ip": [
"1.1.1.1",
"2.2.2.2"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
},
"url": {
"full": "url{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":653,\"T\":3},{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":307,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":140,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":31,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":76,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":19,\"T\":3}]",
"original": "url{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":653,\"T\":3},{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":307,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":140,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":31,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":76,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":19,\"T\":3}]",
"path": "url{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":653,\"T\":3},{\"RequestID\":\"fp-afd.azurefd.us\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":307,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":140,\"T\":3},{\"RequestID\":\"something.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":31,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"cold\",\"Result\":76,\"T\":3},{\"RequestID\":\"l-ring.msedge.net\",\"Object\":\"trans.gif\",\"Conn\":\"warm\",\"Result\":19,\"T\":3}]"
}
}
{
"message": "\"2024-03-03 \n20:28:52\",\"PC17062\",\"192.168.1.1\",\"1.1.1.1\",\"2.2.2.2\",\"text/plain\",\"ALLOWED\",\"htt\nps://login.microsoftonline.com/common/oauth2/token\",\"\",\"Mozilla/5.0 (Windows NT 10.0; Win64; \nx64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 \nEdge/18.19045\",\"200\",\"2724\",\"7590\",\"6734\",\"675fd30ab2b4f86b620a7dca35e68d2464240b0b15e6d27b09e\n02eca273757a1\",\"SaaS and B2B\",\"\",\"\",\"\",\"\",\"\",\"Anyconnect Roaming \nClient\",\"\",\"PC17062\",\"Anyconnect Roaming Client\",\"POST\",\"\",\"\",\"token\",\"8295932\",\"\",\"\",\"\",\"\",\"\"\n",
"event": {
"outcome": "success"
},
"@timestamp": "2024-03-03T20:28:52Z",
"action": {
"name": "request",
"outcome": "success",
"outcome_reason": "allowed",
"target": "network-traffic"
},
"destination": {
"address": "login.microsoftonline.com",
"domain": "login.microsoftonline.com",
"ip": "2.2.2.2"
},
"host": {
"hostname": "PC17062",
"name": "PC17062"
},
"http": {
"request": {
"bytes": 2724
},
"response": {
"body": {
"bytes": 6734
},
"bytes": 7590,
"mime_type": "text/plain",
"status_code": 200
}
},
"related": {
"hosts": [
"PC17062",
"login.microsoftonline.com"
],
"ip": [
"1.1.1.1",
"192.168.1.1",
"2.2.2.2"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1",
"nat": {
"ip": "192.168.1.1"
}
},
"url": {
"domain": "login.microsoftonline.com",
"full": "https://login.microsoftonline.com/common/oauth2/token",
"original": "https://login.microsoftonline.com/common/oauth2/token",
"path": "/common/oauth2/token",
"port": 443,
"registered_domain": "microsoftonline.com",
"scheme": "https",
"subdomain": "login",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Edge",
"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045",
"os": {
"name": "Windows",
"version": "10"
},
"version": "18.19045"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
action.target | keyword | The target of the action. |
destination.address | keyword | Destination network address. |
destination.domain | keyword | The domain name of the destination. |
destination.ip | ip | IP address of the destination. |
host.hostname | keyword | Hostname of the host. |
host.name | keyword | Name of the host. |
http.request.bytes | long | Total size in bytes of the request (body and headers). |
http.request.referrer | keyword | Referrer for this HTTP request. |
http.response.body.bytes | long | Size in bytes of the response body. |
http.response.bytes | long | Total size in bytes of the response (body and headers). |
http.response.mime_type | keyword | Mime type of the body of the response. |
http.response.status_code | long | HTTP response status code. |
source.ip | ip | IP address of the source. |
source.nat.ip | ip | Source NAT IP. |
url.full | wildcard | Full unparsed URL. |
url.original | wildcard | Unmodified original URL as seen in the event source. |
url.path | wildcard | Path of the request, such as "/search". |
user_agent.original | keyword | Unparsed user_agent string. |
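To make the samples and the field table above concrete, here is an added example (not Sekoia.io's parser) of a small Python normalizer: it splits a raw Umbrella proxy line with CSV rules (fields are quoted, an embedded quote is doubled, which is what the second sample's URL field relies on) and maps the columns onto the ECS names listed above. The column order is taken from the three samples on this page. The first sample line is copied from the page; the second and third lines are constructed (a shortened variant of the page's second sample, and a BLOCKED line, since the page shows only ALLOWED events). Mapping verdicts other than ALLOWED to a failure outcome, and keeping unparsable URL fields verbatim without a path, are this example's choices, not the page's rule; registered-domain and top-level-domain fields need a public suffix list and are left out.

```python
import csv
import io
from datetime import datetime
from urllib.parse import urlsplit

# Column order as it appears in the three samples above (columns 0-15); later
# columns (identity types, HTTP method, ...) are not mapped by this example.
COLUMNS = [
    "timestamp", "identity", "internal_ip", "external_ip", "destination_ip",
    "content_type", "verdict", "url", "referrer", "user_agent", "status_code",
    "request_size", "response_size", "response_body_size", "sha256", "categories",
]

# SAMPLE_ALLOWED is the page's first sample; the other two are constructed.
SAMPLE_ALLOWED = (' "2020-06-12 14:31:38","abc","1.1.1.1","2.2.2.2","3.3.3.3","","ALLOWED",'
                  '"https://discordapp.com/api/v6/science","url","domain name","204","471",'
                  '"","","","Chat,Instant Messaging,Application","","","","","","Roaming Computers",""')
SAMPLE_QUOTED_URL = ('"2020-06-12 14:30:59","hostname","","1.1.1.1","2.2.2.2","image/gif","ALLOWED",'
                     '"url{""RequestID"":""fp-afd.azurefd.us"",""Object"":""trans.gif""}","",'
                     '" ","200","","319","42","123","Software/Technology,Infrastructure"')
SAMPLE_BLOCKED = ('"2024-03-03 20:28:52","PC17062","192.168.1.1","1.1.1.1","2.2.2.2","","BLOCKED",'
                  '"http://blocked.example/file.bin","","curl/8.0","403","512","","","","Malware"')


def split_row(line):
    """Split one raw line with CSV rules; short rows are padded so every column exists."""
    row = next(csv.reader(io.StringIO(line.strip()), skipinitialspace=True))
    return row + [""] * max(0, len(COLUMNS) - len(row))


def _int(value):
    """Empty numeric columns become None rather than 0, so they are simply omitted."""
    return int(value) if value.strip() else None


def normalize(line):
    """Map a raw Umbrella proxy line onto ECS-style dotted field names."""
    rec = dict(zip(COLUMNS, split_row(line)))
    out = {}

    # Timestamps are "YYYY-MM-DD HH:MM:SS" in UTC; stray whitespace inside the field is collapsed.
    ts = datetime.strptime(" ".join(rec["timestamp"].split()), "%Y-%m-%d %H:%M:%S")
    out["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")

    # Verdict: ALLOWED is a success; any other verdict (e.g. BLOCKED) is treated as a
    # failure with the lower-cased verdict as the reason (this example's assumption).
    verdict = rec["verdict"].upper()
    out["action.name"] = "request"
    out["action.target"] = "network-traffic"
    out["action.outcome"] = "success" if verdict == "ALLOWED" else "failure"
    out["action.outcome_reason"] = verdict.lower()
    out["event.outcome"] = out["action.outcome"]

    # The identity column is the reporting host; the external IP is the source and the
    # internal IP, when present, is the pre-NAT address (matches samples 1 and 3 above).
    out["host.hostname"] = out["host.name"] = rec["identity"]
    out["source.ip"] = out["source.address"] = rec["external_ip"]
    if rec["internal_ip"]:
        out["source.nat.ip"] = rec["internal_ip"]
    out["destination.ip"] = out["destination.address"] = rec["destination_ip"]

    # URL: only absolute http(s) URLs are decomposed; anything else (the "url{...}"
    # artefact of sample 2) is kept verbatim so that no domain or path is invented.
    url = rec["url"]
    out["url.original"] = out["url.full"] = url
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname:
        out["url.scheme"] = parts.scheme
        out["url.domain"] = out["destination.domain"] = out["destination.address"] = parts.hostname
        out["url.path"] = parts.path
        out["url.port"] = parts.port or (443 if parts.scheme == "https" else 80)

    # HTTP sizes and status code; blank columns are left out of the event.
    for key, col in (("http.request.bytes", "request_size"),
                     ("http.response.bytes", "response_size"),
                     ("http.response.body.bytes", "response_body_size"),
                     ("http.response.status_code", "status_code")):
        n = _int(rec[col])
        if n is not None:
            out[key] = n
    if rec["content_type"]:
        out["http.response.mime_type"] = rec["content_type"]
    if rec["referrer"]:
        out["http.request.referrer"] = rec["referrer"]
    if rec["user_agent"].strip():
        out["user_agent.original"] = rec["user_agent"]

    # related.* gathers every host and IP of the event for pivoting in investigations.
    out["related.ip"] = sorted({rec[c] for c in ("internal_ip", "external_ip", "destination_ip") if rec[c]})
    out["related.hosts"] = sorted({h for h in (rec["identity"], out.get("destination.domain")) if h})
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_ALLOWED, SAMPLE_QUOTED_URL, SAMPLE_BLOCKED):
        print(normalize(sample))
```

Running the script prints the normalized dictionaries; for the first sample they agree with the values shown in the page's first event sample (timestamp, status code 204, request size 471, NAT and source addresses, related hosts and IPs).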
Configure
This section guides you through configuring the forwarding of Cisco Umbrella logs to Sekoia.io by means of AWS S3 buckets.
Prerequisites
- Administrator access to the Cisco Umbrella console
- Access to Sekoia.io Intakes and Playbook pages with write permissions
- Access to AWS S3 and AWS SQS
Create an AWS S3 Bucket
To create a new AWS S3 bucket, please refer to this guide.

- On AWS S3, go to Buckets and select your bucket.
- Select the Permissions tab and go to the Bucket Policy section.
- Click Edit and paste the JSON bucket policy from Cisco Umbrella.
- In the policy, replace the bucketname placeholder by the name of your bucket.
- Click Save changes.

Important

Keep in mind to conserve the /* when defining the bucket in the policy.
Configure Cisco Umbrella
- Log on to the Cisco Umbrella console.
- Go to Admin > Log Management.
- In the Amazon S3 section, select Use your company-managed Amazon S3 bucket.
- In Amazon S3 bucket, type the name of your bucket and click Verify.
- On your AWS console, go to your bucket.
- In the Objects tab, click on README_FROM_UMBRELLA.txt, then click on Open.
- Copy the token from the readme.
- On the Cisco Umbrella console, in the Token Number field, paste the token and click Save.

Note

After clicking Verify, the message "Great! We successfully verified your Amazon S3 bucket" must be displayed.

Note

After clicking Save, the message "We're sending data to your S3 storage" must be displayed.

Important

Depending on the type of the logs, the objects will be prefixed with dnslogs/ for DNS logs, proxylogs/ for proxy logs, iplogs/ for IP logs, ...
Create an SQS queue
The collection relies on S3 Event Notifications delivered to SQS to learn about new S3 objects.
- Create a queue in the SQS service by following this guide.
- In the Access Policy step, choose the advanced configuration and adapt this configuration sample with your own SQS Amazon Resource Name (ARN) (the main change is the Service directive allowing the S3 service to send to the queue):

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:XXX:XXX"
    }
  ]
}
Important
Keep in mind that you have to create the SQS queue in the same region as the S3 bucket you want to watch.
Create an S3 Event Notification
Use the following guide to create the S3 Event Notification. Once created:
- In the General configuration, type dnslogs/ as the Prefix.
- Select the notification for object creation in the Event type section.
- As the destination, choose the SQS service.
- Select the queue you created in the previous section.
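The bucket policy step, the SQS access policy and the event notification above are three pieces of JSON that are easy to get subtly wrong. The following Python helpers are an added example, not code from the page, from Cisco or from Sekoia.io: they fill in and check a bucket policy (the /* requirement from the Important note), generate the SQS access policy from the sample above, and build the notification configuration in the shape that put-bucket-notification-configuration accepts. The sample bucket policy is a constructed stand-in (the real one is pasted from the Umbrella console), the account id and ARNs are made-up placeholders, the aws:SourceArn condition on the SQS policy is an addition that limits which bucket may send to the queue, and the notification prefix is a parameter because the note above lists one prefix per log type.

```python
import json

# Constructed stand-in for the policy Umbrella hands out; the real principal and
# statement ids come from the Umbrella console. 000000000000 is a placeholder account.
SAMPLE_UMBRELLA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUmbrellaPut", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::bucketname/*"},
        {"Sid": "AllowUmbrellaLocation", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
         "Action": "s3:GetBucketLocation",
         "Resource": "arn:aws:s3:::bucketname"},
    ],
}

# Object-level actions only make sense on "<bucket>/*", never on the bare bucket ARN.
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectAcl"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def fill_bucket_name(policy, bucket):
    """Replace the bucketname placeholder as the step above asks, keeping any /* suffix."""
    text = json.dumps(policy).replace("arn:aws:s3:::bucketname", f"arn:aws:s3:::{bucket}")
    return json.loads(text)


def check_bucket_policy(policy, bucket):
    """Return a list of problems; an empty list means the policy targets this bucket,
    has no leftover placeholder, and keeps /* on every object-level statement."""
    problems = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid")
        actions = _as_list(st["Action"])
        for res in _as_list(st["Resource"]):
            if res == "arn:aws:s3:::bucketname" or res.startswith("arn:aws:s3:::bucketname/"):
                problems.append(f"{sid}: placeholder 'bucketname' still present")
            elif not res.startswith(f"arn:aws:s3:::{bucket}"):
                problems.append(f"{sid}: resource {res} is not bucket {bucket}")
            if any(a in OBJECT_ACTIONS for a in actions) and not res.endswith("/*"):
                problems.append(f"{sid}: object action on {res} needs the /* suffix")
    return problems


def sqs_access_policy(queue_arn, bucket_arn):
    """The SQS access policy sample above, plus an aws:SourceArn condition (added here)
    so that only the watched bucket, not any S3 bucket, may send messages to the queue."""
    return {
        "Version": "2008-10-17",
        "Id": "__default_policy_ID",
        "Statement": [{
            "Sid": "__owner_statement",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SQS:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnLike": {"aws:SourceArn": bucket_arn}},
        }],
    }


def s3_notification_config(queue_arn, prefix):
    """Notification configuration: object-creation events under the prefix go to the queue."""
    return {"QueueConfigurations": [{
        "Id": "umbrella-new-objects",
        "QueueArn": queue_arn,
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}},
    }]}


def same_region(queue_arn, bucket_region):
    """The queue must live in the bucket's region (Important note above).
    SQS ARNs look like arn:aws:sqs:<region>:<account>:<name>."""
    return queue_arn.split(":")[3] == bucket_region


if __name__ == "__main__":
    bucket = "umbrella-logs-example"          # placeholder bucket name
    queue = "arn:aws:sqs:eu-west-1:000000000000:umbrella-queue"   # placeholder ARN
    policy = fill_bucket_name(SAMPLE_UMBRELLA_POLICY, bucket)
    print("bucket policy problems:", check_bucket_policy(policy, bucket))
    print(json.dumps(sqs_access_policy(queue, f"arn:aws:s3:::{bucket}"), indent=2))
    print(json.dumps(s3_notification_config(queue, "proxylogs/"), indent=2))
    print("same region:", same_region(queue, "eu-west-1"))
```

The generated JSON can be pasted into the SQS Access Policy step and into the bucket notification configuration; check_bucket_policy is meant to be run on the filled-in policy before clicking Save changes, since a dropped /* is the failure the Important note warns about.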
Create the intake
Go to the intake page and create a new intake from the format Cisco Umbrella Proxy.
Pull events
To start pulling events, you have to:
- Go to the playbook page and create a new playbook with the AWS Fetch new logs on S3 connector.
- Set up the module configuration with the AWS access key, the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key from the intake previously created.
- Start the playbook and enjoy your events.