Cisco Umbrella

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Columns: Supported data types, 3rd party detection, Hunters detection, IOC search, Search, Table name, Log format, Collection method

Proxy Logs: ✅, ✅, cisco_umbrella_proxy_logs, CSV without header, S3

IP Logs: ✅, ✅, cisco_umbrella_ip_logs, CSV without header, S3

DNS Logs: ✅, ✅, cisco_umbrella_dns_logs, CSV without header, S3


Overview

This article details how to ingest logs from Cisco Umbrella into Hunters.

Cisco Umbrella is a cloud-based security service provided by Cisco Systems. It is designed to protect organizations from various internet-based threats by providing secure DNS (Domain Name System) and web filtering capabilities.

Supported data types

Proxy Logs

Table name: cisco_umbrella_proxy_logs

Shows HTTP traffic that has passed through an Umbrella proxy (either the Secure Web Gateway or the Selective Proxy). In addition to showing whether the traffic was blocked, it shows the size of the requests and the user agent.

IP Logs

Table name: cisco_umbrella_ip_logs

Similar to Proxy Logs, but shows only traffic handled by Umbrella's IP Layer Enforcement feature.

DNS Logs

Table name: cisco_umbrella_dns_logs

Shows DNS requests made to Umbrella's DNS servers. These can be used to identify known (and new!) malicious domains.

Send data to Hunters

Hunters supports the ingestion of Cisco Umbrella logs via an intermediary AWS S3 bucket.

To connect Cisco Umbrella logs:

  1. Export your logs from Cisco Umbrella to an AWS S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

📘 Learn more

  • More information about Cisco Umbrella's content and capabilities may be found here.

  • More ingestion relevant documentation can be found here.

Expected format

Logs are expected in CSV format without a header row.

Sample Proxy log

"2021-12-14 13:09:14","Kate","1.1.1.1","1.1.1.2","1.1.1.3","text/plain","ALLOWED","URL","","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/897.32 (KHTML, like Gecko) Chrome/12.0.842.32 Safari/987.22","235","","356","11","123ce97659ab9321098fe81728abbc9981588909","Business Services,Infrastructure","","","","","","Anyconnect Roaming Client",""

Sample IP log

"2021-12-07 15:53:43","LAPTOP-X","1.1.1.1","2222","1.1.1.2","3333","","Anyconnect Roaming Client"

Sample DNS log

"2021-12-14 12:29:52","Nick","Nick","1.1.1.1","1.1.1.2","Allowed","1 (A)","NOERROR","String","Application","Anyconnect Roaming Client","Anyconnect Roaming Client",""