Cisco Umbrella
The JSA DSM for Cisco Umbrella collects DNS logs from Cisco Umbrella storage by using an Amazon S3-compatible API. JSA polls the bucket; Cisco Umbrella never connects to the JSA console.
To integrate Cisco Umbrella with JSA, complete the following steps:
If automatic updates are not configured, download the most recent version of the following RPMs on your JSA console.
Protocol Common RPM
Amazon AWS REST API Protocol RPM
Cisco Cloud Web Security DSM RPM
Cisco Umbrella DSM RPM
Add a Cisco Umbrella log source on the JSA Console. The following table describes the parameters that require specific values for Cisco Umbrella event collection:
Table 1: Amazon AWS S3 REST API Log Source Parameters

Parameter | Value
---|---
Log source type | Cisco Umbrella
Protocol configuration | Amazon AWS S3 REST API
Log Source Identifier | Any valid value; it does not need to reference a specific server and can be the same as the Log Source Name. If you configure more than one Cisco Umbrella log source, you might identify the first as ciscoumbrella1, the second as ciscoumbrella2, the third as ciscoumbrella3, and so on.
Region Name (Signature V4 only) | The region that is associated with the Amazon S3 bucket.
Bucket Name | The name of the AWS S3 bucket where the log files are stored, for example cisco-managed-us-west-1.
S3 Endpoint URL | The endpoint URL that is used to query the AWS S3 REST API, for example https://s3.amazonaws.com/<bucketname>. The endpoint URL can differ depending on the bucket configuration. Note: You must have an Endpoint URL for both a Cisco-managed AWS S3 bucket and a customer-managed AWS S3 bucket.
Directory Prefix | The root directory on the Cisco Umbrella storage bucket from which the Cisco Umbrella logs are retrieved, in the form <path>/. For example, dnslogs/.
File Pattern | .*?\.csv\.gz
Event Format | Select Cisco Umbrella CSV from the list. The log source retrieves CSV-formatted events.
For a complete list of Amazon AWS S3 REST API protocol parameters and their values, see Amazon AWS S3 REST API Protocol Configuration Options.
Configure Cisco Umbrella to Communicate with JSA
JSA collects Cisco Umbrella events from an Amazon S3 bucket. You must configure Cisco Umbrella to export its logs to the S3 bucket that the JSA log source polls; Cisco Umbrella does not send events to JSA directly.
To configure Cisco Umbrella, see the Cisco documentation.
You must have an Endpoint URL to configure either a Cisco-managed AWS S3 bucket or a customer-managed AWS S3 bucket.
Cisco Umbrella DSM Specifications
The following table identifies the specifications for the Cisco Umbrella DSM:

Specification | Value
---|---
Manufacturer | Cisco
DSM name | Cisco Umbrella
RPM filename | DSM-CiscoUmbrella-JSA_version-build_number.noarch.rpm
Supported versions | N/A
Protocol | Amazon AWS S3 REST API
Event format | Cisco Umbrella CSV
Recorded event types | Audit
Automatically discovered? | No
Includes identity? | No
Includes custom properties? | No
More information | 
Cisco Umbrella Sample Event Messages
Use these sample event messages as a way of verifying a successful integration with JSA.
The following table provides sample event messages for the Cisco Umbrella DSM. The first sample shows an event in JSON form; the second shows a raw Cisco Umbrella CSV line.

Event name | Low level category | Sample log message
---|---|---
NOERROR | 18081 (DNS In Progress) | {"sourceFile":"test_2017-11-17-15-30-dcd8.csv.gz","EventType":"DNSLog","Timestamp":"2017-11-17 15:30:27","MostGranularIdentity":"Test","Identities":"Test","InternalIp":"<IP_address>","ExternalIp":"<External_IP_address>","Action":"Allowed","QueryType":"28 (AAAA)","ResponseCode":"NOERROR","Domain":"abc.aws.amazon.com.","Categories":"Ecommerce/Shopping"}
NOERROR | 18081 (DNS In Progress) | "2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","<IP_address1>","<IP_address2>","Allowed","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking,Allow List"
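The following Python script is an added example, not part of this Juniper documentation and not JSA's own collector code. It reproduces offline the two parts of the Table 1 configuration that are easiest to get wrong when validating a bucket before enabling the log source: selecting objects by Directory Prefix plus File Pattern, and decoding Cisco Umbrella CSV rows into the field names that the JSON sample event above uses. Assumptions, labelled in the code: the File Pattern is matched against the key relative to the Directory Prefix; the CSV column order is taken from the two sample events on this page; the sample rows and the bucket listing are constructed here, with RFC 5737 documentation IP addresses.

```python
import csv
import gzip
import io
import json
import re
from typing import Dict, List

# Values taken from Table 1 of this page.
DIRECTORY_PREFIX = "dnslogs/"
FILE_PATTERN = re.compile(r".*?\.csv\.gz")

# Column order of a Cisco Umbrella DNS CSV row, keyed with the field names
# that appear in the JSON sample event. The order is inferred from the two
# sample events on this page (an assumption, not a Cisco reference).
DNS_COLUMNS = [
    "Timestamp", "MostGranularIdentity", "Identities", "InternalIp",
    "ExternalIp", "Action", "QueryType", "ResponseCode", "Domain", "Categories",
]


def select_keys(keys: List[str], prefix: str = DIRECTORY_PREFIX,
                pattern: re.Pattern = FILE_PATTERN) -> List[str]:
    """Return the object keys under the Directory Prefix whose remainder
    matches the File Pattern. Assumption: the pattern is matched against the
    key relative to the prefix, so date sub-directories such as
    dnslogs/2015-01-16/ are absorbed by the leading .*? of the pattern."""
    selected = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        if pattern.fullmatch(key[len(prefix):]):
            selected.append(key)
    return selected


def parse_dns_csv(gz_bytes: bytes, source_file: str) -> List[Dict[str, str]]:
    """Decompress one .csv.gz object and turn each row into a dict shaped like
    the JSON sample event (sourceFile, EventType, then the CSV columns).
    The sample files carry no header row, so every row is an event."""
    text = gzip.decompress(gz_bytes).decode("utf-8")
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:  # blank trailing line
            continue
        if len(row) < len(DNS_COLUMNS):
            raise ValueError(
                f"{source_file}: expected {len(DNS_COLUMNS)} columns, got {len(row)}")
        event = {"sourceFile": source_file, "EventType": "DNSLog"}
        # zip() ignores extra trailing columns instead of mis-keying them.
        event.update(zip(DNS_COLUMNS, row))
        events.append(event)
    return events


def count_by_action(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally the Action column (Allowed/Blocked) as a quick sanity check of
    the decoded events before the log source is enabled in JSA."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev["Action"]] = counts.get(ev["Action"], 0) + 1
    return counts


# Constructed sample data: the CSV sample event from this page with placeholder
# IPs replaced by RFC 5737 addresses, plus an invented Blocked row.
SAMPLE_ROWS = (
    '"2015-01-16 17:48:41","ActiveDirectoryUserName",'
    '"ActiveDirectoryUserName,ADSite,Network","192.0.2.10","198.51.100.7",'
    '"Allowed","1 (A)","NOERROR","domain-visited.com.",'
    '"Chat,Photo Sharing,Social Networking,Allow List"\n'
    '"2015-01-16 17:48:42","ActiveDirectoryUserName",'
    '"ActiveDirectoryUserName,ADSite,Network","192.0.2.10","198.51.100.7",'
    '"Blocked","28 (AAAA)","NOERROR","bad.example.","Malware"\n'
)


def build_sample_object() -> bytes:
    """Gzip the constructed rows the way a dnslogs object sits in the bucket."""
    return gzip.compress(SAMPLE_ROWS.encode("utf-8"))


if __name__ == "__main__":
    # Constructed stand-in for an S3 object listing of the bucket.
    listing = [
        "dnslogs/2015-01-16/2015-01-16-17-48-a1b2.csv.gz",
        "dnslogs/2015-01-16/README.txt",
        "proxylogs/2015-01-16/2015-01-16-17-48-c3d4.csv.gz",
    ]
    for key in select_keys(listing):
        events = parse_dns_csv(build_sample_object(), key.rsplit("/", 1)[-1])
        for ev in events:
            print(json.dumps(ev))
        print(count_by_action(events))
```

Only the dnslogs object is selected: the README under the prefix fails the File Pattern, and the proxylogs object is outside the Directory Prefix. If a real listing returns nothing from `select_keys`, the prefix or pattern in the log source is the first thing to revisit; if `parse_dns_csv` raises, the objects are not in the Cisco Umbrella CSV layout that the Event Format setting expects.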