Cisco Umbrella

The JSA DSM for Cisco Umbrella collects DNS logs from Cisco Umbrella storage by using an Amazon S3-compatible API. JSA pulls the compressed CSV log files from the S3 bucket on a schedule; Cisco Umbrella does not push events to JSA.

To integrate Cisco Umbrella with JSA, complete the following steps:

  1. If automatic updates are not configured, download the most recent version of the following RPMs on your JSA console.

    • Protocol Common RPM

    • Amazon AWS REST API Protocol RPM

    • Cisco Cloud Web Security DSM RPM

    • Cisco Umbrella DSM RPM

  2. Configure Cisco Umbrella to Communicate with JSA.

  3. Add a Cisco Umbrella log source on the JSA Console. The following table describes the parameters that require specific values for Cisco Umbrella event collection:

    Table 1: Amazon AWS S3 REST API Log Source Parameters (each parameter is followed by its value)

    Log source type
        Cisco Umbrella

    Protocol configuration
        Amazon AWS S3 REST API

    Log Source Identifier
        Any valid value. It does not need to reference a specific server and can be the same as the Log Source Name. If you configure more than one Cisco Umbrella log source, use distinct identifiers, for example ciscoumbrella1, ciscoumbrella2, and ciscoumbrella3.

    Signature Version
        Select AWSSIGNATUREV2 or AWSSIGNATUREV4. AWSSIGNATUREV2 is not supported in all AWS regions; if the bucket is in a region that supports only Signature Version 4, you must select AWSSIGNATUREV4.
        Note: If one log source must retrieve events from multiple regions, you must choose AWSSIGNATUREV4.

    Region Name (Signature V4 only)
        The AWS region that hosts the Amazon S3 bucket.

    Bucket Name
        The name of the AWS S3 bucket where the log files are stored, for example cisco-managed-us-west-1.

    Endpoint URL
        https://s3.amazonaws.com/<bucketname>
        The endpoint URL can differ depending on the region and on how the bucket is configured.

    Authentication Method
        Access Key ID / Secret Key: standard authentication that can be used from anywhere.
        EC2 Instance IAM Role: if the JSA managed host runs on an AWS EC2 instance, the protocol authenticates with the IAM role attached to that instance, obtained from the instance metadata, and no keys are required. This method works only for managed hosts that run on an AWS EC2 instance.

    Access Key ID
        The access key ID (the public half of the AWS credential pair) that is required to access the AWS S3 bucket.

    Secret Key
        The secret access key that pairs with the Access Key ID. This is the private half of the credential pair; protect it as you would any other secret.

    Directory Prefix
        <path>/
        The root directory in the Cisco Umbrella storage bucket from which the logs are retrieved, for example dnslogs/.

    File Pattern
        .*?\.csv\.gz
        A regular expression that selects the compressed CSV log files under the Directory Prefix.

    Event Format
        Select Cisco Umbrella CSV from the list. The log source retrieves CSV-formatted events.

    Use Proxy
        Enable this check box if JSA reaches Amazon Web Services through a proxy. Configure the Proxy Server and Proxy Port fields; if the proxy requires authentication, also configure the Proxy Username and Proxy Password fields.

    Automatically Acquire Server Certificate(s)
        If you select Yes, JSA automatically downloads the server certificate and begins trusting the target server. Use this option to initialize a newly created log source, to obtain certificates, and to replace expired certificates. Because the certificate is trusted as presented on first contact, run the acquisition over a network path you trust and review the acquired certificate afterwards.

    Recurrence
        How often the Amazon AWS S3 REST API protocol connects to the Amazon cloud API, checks for new files, and retrieves them if they exist. Type a time interval in hours (H), minutes (M), or days (D); for example, 2H is 2 hours and 15M is 15 minutes. The minimum value is 1 minute. Every access to an AWS S3 bucket incurs a cost to the account that owns the bucket, so a shorter interval increases the cost.

    EPS Throttle
        The maximum number of events per second. The default is 5000.

Configure Cisco Umbrella to Communicate with JSA

JSA collects Cisco Umbrella events by polling an Amazon S3 bucket. Configure Cisco Umbrella log management so that it writes its DNS logs to an Amazon S3 bucket (Cisco-managed or your own), and record the bucket name, region, directory prefix, and the credentials that can read the bucket. You enter these values in the log source parameters in Table 1.

Cisco Umbrella DSM Specifications

The following table identifies the specifications for the Cisco Umbrella DSM:

Table 2: Cisco Umbrella DSM Specifications

Manufacturer: Cisco
DSM name: Cisco Umbrella
RPM filename: DSM-CiscoUmbrella-JSA_version-build_number.noarch.rpm
Supported versions: N/A
Protocol: Amazon AWS S3 REST API
Event format: Cisco Umbrella CSV
Recorded event types: Audit
Automatically discovered? No
Includes identity? No
Includes custom properties? No
More information: https://umbrella.cisco.com

Cisco Umbrella Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

The following tables provide sample event messages for the Cisco Umbrella DSM. The first shows an event as a JSON record with named fields; the second shows the raw CSV row as stored in the log file. Both map to the same event name and low-level category.

Table 3: Cisco Umbrella Sample Event Message (JSON)

Event name: NOERROR
Low level category: 18081 (DNS In Progress)
Sample log message:

{"sourceFile":"test_2017-11-17-15-30-dcd8.csv.gz","EventType":"DNSLog","Timestamp":"2017-11-17 15:30:27","MostGranularIdentity":"Test","Identities":"Test","InternalIp":"<IP address>","ExternalIp":"<External_IP_address>","Action":"Allowed","QueryType":"28 (AAAA)","ResponseCode":"NOERROR","Domain":"abc.aws.amazon.com.","Categories":"Ecommerce/Shopping"}

Table 4: Cisco Umbrella Sample Event Message (CSV)

Event name: NOERROR
Low level category: 18081 (DNS In Progress)
Sample log message:

"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","<IP_address1>","<IP_address2>","Allowed","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking,Allow List"
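The following script is an added example and is not part of the JSA DSM, the Amazon AWS S3 REST API protocol, or Cisco Umbrella. It models offline what the log source does with the Directory Prefix and File Pattern from Table 1 and with the CSV rows from Table 4: it selects the bucket objects that would be fetched, decompresses a .csv.gz file, and turns each row into a record with the field names shown in Table 3. The bucket listing and the log rows are constructed for illustration; applying the File Pattern to the key remainder after the prefix, and the ten-column layout, are assumptions made here so that a practitioner can check a prefix, pattern, and sample file before configuring the log source.

```python
"""Offline model of Cisco Umbrella log retrieval from an S3 bucket.

Added example, not code from the JSA DSM or from Cisco Umbrella. The bucket
keys and log rows below are constructed test data.
"""
import csv
import gzip
import io
import json
import re

# Column order of a Cisco Umbrella DNS log CSV row, as in the Table 4 sample.
# Newer log formats may append columns; those are ignored below (assumption).
DNS_LOG_FIELDS = [
    "Timestamp", "MostGranularIdentity", "Identities", "InternalIp",
    "ExternalIp", "Action", "QueryType", "ResponseCode", "Domain", "Categories",
]

# Constructed bucket listing, standing in for an S3 ListObjects response.
SAMPLE_KEYS = [
    "dnslogs/2017-11-17/2017-11-17-15-30-dcd8.csv.gz",
    "dnslogs/2017-11-17/2017-11-17-15-40-a1b2.csv.gz",
    "dnslogs/2017-11-17/2017-11-17-15-40-a1b2.csv.gz.tmp",  # upload in progress
    "proxylogs/2017-11-17/2017-11-17-15-30-ffff.csv.gz",     # outside the prefix
    "dnslogs/README.txt",                                    # not a log file
]

# Two constructed DNS log rows in the Cisco Umbrella CSV layout. Quoted fields
# may themselves contain commas (Identities, Categories), so a real CSV parser
# is required rather than str.split(",").
SAMPLE_CSV = (
    '"2015-01-16 17:48:41","ActiveDirectoryUserName",'
    '"ActiveDirectoryUserName,ADSite,Network","10.0.0.5","203.0.113.9",'
    '"Allowed","1 (A)","NOERROR","domain-visited.com.",'
    '"Chat,Photo Sharing,Social Networking,Allow List"\n'
    '"2015-01-16 17:48:42","Test","Test","10.0.0.7","203.0.113.9",'
    '"Blocked","28 (AAAA)","NOERROR","malware.example.","Malware"\n'
)


def select_log_objects(keys, directory_prefix="dnslogs/",
                       file_pattern=r".*?\.csv\.gz"):
    """Return the keys the log source would fetch: those under the Directory
    Prefix whose remainder fully matches the File Pattern. fullmatch() is
    used so that a partially uploaded '.csv.gz.tmp' object is not selected
    (how the protocol anchors its pattern is an assumption here)."""
    pattern = re.compile(file_pattern)
    return [k for k in keys
            if k.startswith(directory_prefix)
            and pattern.fullmatch(k[len(directory_prefix):])]


def gzip_bytes(text):
    """Compress text the way Umbrella stores log files (for test data)."""
    return gzip.compress(text.encode("utf-8"))


def parse_dns_log(gz_bytes, source_file):
    """Decompress one .csv.gz object and yield Table 3-style records."""
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", encoding="utf-8",
                   newline="") as fh:
        for row in csv.reader(fh):
            if not row:
                continue
            if len(row) < len(DNS_LOG_FIELDS):
                raise ValueError(f"{source_file}: expected at least "
                                 f"{len(DNS_LOG_FIELDS)} columns, got {len(row)}")
            record = {"sourceFile": source_file, "EventType": "DNSLog"}
            record.update(zip(DNS_LOG_FIELDS, row))  # extra columns dropped
            yield record


def blocked_events(records):
    """Rows where Umbrella blocked the lookup; the ones worth alerting on."""
    return [r for r in records if r["Action"] == "Blocked"]


def run_demo():
    """Select objects, parse the sample file, and return both results."""
    selected = select_log_objects(SAMPLE_KEYS)
    source_file = selected[0].rsplit("/", 1)[-1]
    records = list(parse_dns_log(gzip_bytes(SAMPLE_CSV), source_file))
    return selected, records


if __name__ == "__main__":
    selected, records = run_demo()
    print("objects to fetch:", selected)
    for rec in records:
        print(json.dumps(rec))
    print("blocked domains:", [r["Domain"] for r in blocked_events(records)])
```

Running the script prints the two .csv.gz keys that survive the prefix and pattern filter, each parsed row as a JSON record in the shape of Table 3, and the one blocked domain. If your own prefix or pattern selects nothing from a real listing, the log source will poll successfully but never receive events, which is the most common reason a correctly authenticated Cisco Umbrella log source shows no data.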