Cisco Umbrella

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

Data type    Table name                  Log format           Collection method
Proxy Logs   cisco_umbrella_proxy_logs   CSV without header   S3
IP Logs      cisco_umbrella_ip_logs      CSV without header   S3
DNS Logs     cisco_umbrella_dns_logs     CSV without header   S3

Suggested Pre-Integration Checklist:

Confirm that your Umbrella package includes:

  1. DNS Security

  2. Intelligent Proxy

  3. Secure Web Gateway (for full proxy visibility)

Validate the presence of the expected log folders in S3:

  1. dnslogs/ → DNS queries

  2. proxylogs/ → Intelligent Proxy and Secure Web Gateway traffic

The advantages and disadvantages of limited log ingestion:

  1. DNS-only ingestion provides domain-level visibility but lacks full URL and user-level context.

  2. Proxy logs enable deeper inspection of HTTP/HTTPS traffic and improve threat detection.

Cost implications of upgrading Umbrella packages:

  1. Upgrades may require organizational approval and coordination with Cisco or resellers.

  2. Pricing varies based on user count, contract terms, and selected features.


Overview

This article details how to ingest logs from Cisco Umbrella into Hunters.

Cisco Umbrella is a cloud-based security service provided by Cisco Systems. It is designed to protect organizations from various internet-based threats by providing secure DNS (Domain Name System) and web filtering capabilities.

Prerequisite check for the Cisco Umbrella subscription level

Different Umbrella packages produce different logs:

  • DNS Security Advantage: only DNS logs (DNS Advantage, DNS Essentials, SIG Essentials, SIG Advantage, etc.)

    • Cisco Umbrella has a lower-tier package, DNS Security Essentials, which offers only “core DNS-layer security”, i.e. filtering/blocking at the DNS level.

  • Intelligent Proxy + Secure Web Gateway: required for proxy logs

    • Higher/upgraded packages (under the “SIG” umbrella), e.g. SIG Essentials and SIG Advantage, provide full web-proxy/secure-web-gateway capabilities, including full proxying, SSL decryption/inspection, URL-level filtering, a cloud-delivered firewall, CASB, etc.

Enabling S3 log export (streaming logs to an AWS S3 bucket) depends on licensing:

  • Upgrading Umbrella licenses may require additional cost.

  • Hunters cannot enable proxy/DNS/IP logs on the customer's behalf.

  • Cisco or a reseller handles upgrades.

Supported data types

Proxy Logs

Table name: cisco_umbrella_proxy_logs

Shows HTTP traffic that has passed through an Umbrella proxy (either the Secure Web Gateway or the Selective Proxy). In addition to showing whether the traffic was blocked, it shows the size of the requests and the user agent.

Log folder name in S3 and its benefits

Create a folder named ‘/proxylogs’ to hold the HTTP/HTTPS proxy logs (requires Intelligent Proxy / Secure Web Gateway).

Missing log types affect detection coverage: with proxy logs, Hunters gets URLs, users, HTTP methods, categories, etc., which improves detection.

IP Logs

Table name: cisco_umbrella_ip_logs

Similar to Proxy Logs, but shows only traffic handled by Umbrella's IP Layer Enforcement feature.

DNS Logs

Table name: cisco_umbrella_dns_logs

Shows DNS requests to Umbrella's DNS servers; can be used to identify known (and new!) malicious domains.

Log folder name in S3 and its benefits

Create a folder named ‘/dnslogs’ to hold the DNS query logs (included in DNS Advantage).

Missing log types affect detection coverage: with DNS-only logs, visibility is limited to domain resolution events.

Send data to Hunters

Hunters supports the ingestion of Cisco Umbrella logs via an intermediary AWS S3 bucket.

To connect Cisco Umbrella logs:

  1. Export your logs from Cisco Umbrella to an AWS S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

📘 Learn more

  • More information about Cisco Umbrella's content and capabilities may be found here.

  • More ingestion relevant documentation can be found here.

Expected format

Logs are expected in CSV format without a header row.

Sample Proxy log

"2021-12-14 13:09:14","Kate","1.1.1.1","1.1.1.2","1.1.1.3","text/plain","ALLOWED","URL","","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/897.32 (KHTML, like Gecko) Chrome/12.0.842.32 Safari/987.22","235","","356","11","123ce97659ab9321098fe81728abbc9981588909","Business Services,Infrastructure","","","","","","Anyconnect Roaming Client",""

Sample IP log

"2021-12-07 15:53:43","LAPTOP-X","1.1.1.1","2222","1.1.1.2","3333","","Anyconnect Roaming Client"

Sample DNS log

"2021-12-14 12:29:52","Nick","Nick","1.1.1.1","1.1.1.2","Allowed","1 (A)","NOERROR","String","Application","Anyconnect Roaming Client","Anyconnect Roaming Client",""
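As an added example (not Hunters' or Cisco's code), the parser below maps each header-less CSV record to named fields and rejects a record whose column count does not match its table's schema, so a silent field shift after a Cisco format change is caught at ingestion instead of corrupting every downstream detection. The positional field names are an assumption drawn from Cisco's published log formats; verify them against the version your tenant exports.

```python
import csv
import io

# Positional field names. These are an assumption based on Cisco's published
# Umbrella S3 log formats; check them against the version your tenant exports.
PROXY_FIELDS = [
    "timestamp", "identities", "internal_ip", "external_ip", "destination_ip",
    "content_type", "verdict", "url", "referer", "user_agent", "status_code",
    "request_size", "response_size", "response_body_size", "sha256", "categories",
    "av_detections", "puas", "amp_disposition", "amp_malware_name", "amp_score",
    "identity_type", "blocked_categories",
]
DNS_FIELDS = [
    "timestamp", "most_granular_identity", "identities", "internal_ip", "external_ip",
    "action", "query_type", "response_code", "domain", "categories",
    "most_granular_identity_type", "identity_types", "blocked_categories",
]
IP_FIELDS = [
    "timestamp", "identity", "source_ip", "source_port", "destination_ip",
    "destination_port", "categories", "identity_types",
]
SCHEMAS = {  # keyed by the Hunters table names used on this page
    "cisco_umbrella_proxy_logs": PROXY_FIELDS,
    "cisco_umbrella_dns_logs": DNS_FIELDS,
    "cisco_umbrella_ip_logs": IP_FIELDS,
}


def parse_umbrella_line(table, line):
    """Parse one header-less CSV record into a dict keyed by field name.
    A column-count mismatch raises instead of silently shifting every field."""
    fields = SCHEMAS[table]
    # csv.reader handles the quoting: user agents and category lists carry
    # commas inside a single quoted cell, so a naive split(",") would break.
    values = next(csv.reader(io.StringIO(line)))
    if len(values) != len(fields):
        raise ValueError(f"{table}: {len(values)} columns, expected {len(fields)}")
    record = dict(zip(fields, values))
    # Categories are a comma-separated list inside one cell; empty means none.
    record["categories"] = [c for c in record["categories"].split(",") if c]
    return record


# Sample records copied from the page's "Expected format" section.
SAMPLE_DNS = ('"2021-12-14 12:29:52","Nick","Nick","1.1.1.1","1.1.1.2","Allowed",'
              '"1 (A)","NOERROR","String","Application","Anyconnect Roaming Client",'
              '"Anyconnect Roaming Client",""')
SAMPLE_IP = ('"2021-12-07 15:53:43","LAPTOP-X","1.1.1.1","2222","1.1.1.2","3333","",'
             '"Anyconnect Roaming Client"')
```

Running a file under the wrong schema (for example a DNS record against the IP schema) raises rather than producing a mis-keyed record, which is the behaviour you want from an ingestion pipeline.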