Cisco Umbrella

The JSA DSM for Cisco Umbrella collects DNS logs from Cisco Umbrella storage by using an Amazon S3 compatible API.

To integrate Cisco Umbrella with JSA, complete the following steps:

  1. If automatic updates are not configured, download the most recent version of the following RPMs on your JSA console.

    • Protocol Common RPM

    • Amazon AWS REST API Protocol RPM

    • Cisco Cloud Web Security DSM RPM

    • Cisco Umbrella DSM RPM

  2. Configure Cisco Umbrella to Communicate with JSA.

  3. Add a Cisco Umbrella log source on the JSA Console. The following table describes the parameters that require specific values for Cisco Umbrella event collection:

    Table 1: Amazon AWS S3 REST API Log Source Parameters

    Log source type: Cisco Umbrella

    Protocol configuration: Amazon AWS S3 REST API

    Log Source Identifier: Any valid value; it does not need to reference a specific server and can be the same value as the Log Source Name. If you configure more than one Cisco Umbrella log source, you might identify the first log source as ciscoumbrella1, the second as ciscoumbrella2, and the third as ciscoumbrella3.

    Region Name (Signature V4 only): The region that is associated with the Amazon S3 bucket.

    Bucket Name: The name of the AWS S3 bucket where the log files are stored. For example, the bucket name might be cisco-managed-us-west-1.

    S3 Endpoint URL: https://s3.amazonaws.com/<bucketname>
    The endpoint URL that is used to query the AWS S3 REST API. The endpoint URL can differ depending on the device configuration.
    Note: You must have an Endpoint URL to configure both a Cisco-managed AWS S3 bucket and a customer-managed AWS S3 bucket.

    Directory Prefix: <path>/
    The location of the root directory on the Cisco Umbrella storage bucket from which the Cisco Umbrella logs are retrieved. For example, the root directory location might be dnslogs/.

    File Pattern: .*?\.csv\.gz

    Event Format: Select Cisco Umbrella CSV from the list. The log source retrieves CSV-formatted events.

    For a complete list of Amazon AWS S3 REST API protocol parameters and their values, see Amazon AWS S3 REST API Protocol Configuration Options.

Configure Cisco Umbrella to Communicate with JSA

JSA collects Cisco Umbrella events from an Amazon S3 bucket. You must configure Cisco Umbrella to forward events to JSA.

To configure Cisco Umbrella, see Cisco documentation.

Note:

You must have an Endpoint URL to configure both a Cisco-managed AWS S3 bucket and a customer-managed AWS S3 bucket.

Cisco Umbrella DSM Specifications

The following table identifies the specifications for the Cisco Umbrella DSM:

Table 2: Cisco Umbrella DSM Specifications

Manufacturer: Cisco

DSM name: Cisco Umbrella

RPM filename: DSM-Cisco Umbrella-JSA_version-build_number.noarch.rpm

Supported versions: N/A

Protocol: Amazon AWS S3 REST API

Event format: Cisco Umbrella CSV

Recorded event types: Audit

Automatically discovered? No

Includes identity? No

Includes custom properties? No

More information: https://umbrella.cisco.com

Cisco Umbrella Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following tables provide sample event messages for the Cisco Umbrella DSM:

Table 3: Cisco Umbrella Sample Syslog Message

Event name: NOERROR

Low level category: 18081 (DNS In Progress)

Sample log message:

{"sourceFile":"test_2017-11-17-15-30-dcd8.csv.gz","EventType":"DNSLog","Timestamp":"2017-11-17 15:30:27","MostGranularIdentity":"Test","Identities":"Test","InternalIp":"<IP_address>","ExternalIp":"<External_IP_address>","Action":"Allowed","QueryType":"28 (AAAA)","ResponseCode":"NOERROR","Domain":"abc.aws.amazon.com.","Categories":"Ecommerce/Shopping"}

Table 4: Cisco Umbrella Sample Event Message

Event name: NOERROR

Low level category: 18081 (DNS In Progress)

Sample log message:

"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","<IP_address1>","<IP_address2>","Allowed","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking,Allow List"
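The following Python snippet is an added example, not part of this documentation or of the JSA protocol code. It shows what the Directory Prefix and File Pattern settings from Table 1 select in a bucket listing, and how a gzipped Cisco Umbrella CSV row like the one in Table 4 maps onto the field names used in the Table 3 JSON. The column order is inferred from those two samples and is an assumption; the bucket contents and IP addresses are constructed.

```python
import csv
import gzip
import io
import re

# Column order inferred from the page's two samples (Table 3 keys in the order
# the Table 4 CSV values appear); this mapping is an assumption, not Cisco's spec.
COLUMNS = ["Timestamp", "MostGranularIdentity", "Identities", "InternalIp",
           "ExternalIp", "Action", "QueryType", "ResponseCode", "Domain", "Categories"]
DIRECTORY_PREFIX = "dnslogs/"               # Directory Prefix from Table 1
FILE_PATTERN = re.compile(r".*?\.csv\.gz")  # File Pattern from Table 1

# Constructed bucket listing: object key -> object bytes (IPs are RFC 5737 test ranges).
SAMPLE_BUCKET = {
    "dnslogs/2015-01-16/test_2015-01-16-17-45-abcd.csv.gz": gzip.compress(
        b'"2015-01-16 17:48:41","ActiveDirectoryUserName",'
        b'"ActiveDirectoryUserName,ADSite,Network","192.0.2.5","198.51.100.7",'
        b'"Allowed","1 (A)","NOERROR","domain-visited.com.",'
        b'"Chat,Photo Sharing,Social Networking,Allow List"\n'
        b'"2015-01-16 17:49:02","Laptop-7","Laptop-7,Network","192.0.2.9",'
        b'"198.51.100.7","Blocked","28 (AAAA)","NOERROR","example.net.","Malware"\n'),
    "dnslogs/2015-01-16/README.txt": b"not a log",           # fails File Pattern
    "proxylogs/2015-01-16/test.csv.gz": gzip.compress(b""),  # outside Directory Prefix
}

def select_keys(keys, prefix=DIRECTORY_PREFIX, pattern=FILE_PATTERN):
    """Keep objects under the configured prefix whose key matches the file pattern."""
    return [k for k in keys if k.startswith(prefix) and pattern.fullmatch(k)]

def parse_dns_log(blob, source_key):
    """Decode one gzipped Umbrella DNS CSV object into dicts keyed like Table 3."""
    events = []
    for row in csv.reader(io.StringIO(gzip.decompress(blob).decode("utf-8"))):
        if len(row) != len(COLUMNS):
            continue  # skip malformed rows instead of shifting every field by one
        event = dict(zip(COLUMNS, row))
        event["Identities"] = event["Identities"].split(",")
        event["Categories"] = event["Categories"].split(",")
        event["sourceFile"] = source_key.rsplit("/", 1)[-1]
        event["EventType"] = "DNSLog"
        events.append(event)
    return events

def blocked_domains(bucket=SAMPLE_BUCKET):
    """Domains whose queries Umbrella did not allow, across all selected objects."""
    return [ev["Domain"] for key in select_keys(bucket)
            for ev in parse_dns_log(bucket[key], key) if ev["Action"] != "Allowed"]
```

Rows that fail the column count are dropped rather than parsed, because a shifted field would silently turn a Domain into a Category in the resulting event.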