Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Proxy Logs | ✅ | ✅ | | | cisco_umbrella_proxy_logs | CSV without header | S3 |
IP Logs | ✅ | ✅ | | | cisco_umbrella_ip_logs | CSV without header | S3 |
DNS Logs | ✅ | ✅ | | | cisco_umbrella_dns_logs | CSV without header | S3 |
Overview
This article details how to ingest logs from Cisco Umbrella into Hunters.
Cisco Umbrella is a cloud-based security service provided by Cisco Systems. It is designed to protect organizations from various internet-based threats by providing secure DNS (Domain Name System) and web filtering capabilities.
Supported data types
Proxy Logs
Table name: cisco_umbrella_proxy_logs
Shows HTTP traffic that has passed through an Umbrella proxy (either the Secure Web Gateway or the Selective Proxy). In addition to showing whether the traffic was blocked, it records the size of the requests and the user agent.
IP Logs
Table name: cisco_umbrella_ip_logs
Similar to Proxy Logs, but shows only traffic handled by Umbrella's IP Layer Enforcement feature.
DNS Logs
Table name: cisco_umbrella_dns_logs
Shows DNS requests made to Umbrella's DNS servers; these can be used to identify known (and new!) malicious domains.
Send data to Hunters
Hunters supports the ingestion of Cisco Umbrella logs via an intermediary AWS S3 bucket.
To connect Cisco Umbrella logs:
Export your logs from Cisco Umbrella to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in CSV format without a header row.
Sample Proxy log
"2021-12-14 13:09:14","Kate","1.1.1.1","1.1.1.2","1.1.1.3","text/plain","ALLOWED","URL","","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/897.32 (KHTML, like Gecko) Chrome/12.0.842.32 Safari/987.22","235","","356","11","123ce97659ab9321098fe81728abbc9981588909","Business Services,Infrastructure","","","","","","Anyconnect Roaming Client",""
Sample IP log
"2021-12-07 15:53:43","LAPTOP-X","1.1.1.1","2222","1.1.1.2","3333","","Anyconnect Roaming Client"
Sample DNS log
"2021-12-14 12:29:52","Nick","Nick","1.1.1.1","1.1.1.2","Allowed","1 (A)","NOERROR","String","Application","Anyconnect Roaming Client","Anyconnect Roaming Client",""
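Because the files carry no header row, the three sample lines above can only be told apart by their column count, and fields such as the user agent and the category list contain commas inside their quotes, so a naive split on "," produces the wrong number of columns. The following parser is an added example, not Hunters' or Cisco's code; the field names are assumed from Cisco's published Umbrella log-format documentation rather than taken from this page, and should be verified against the current Cisco docs.

```python
import csv

# Field names are not on the page: they are assumed from Cisco's published
# Umbrella log-format documentation; verify them against the current docs.
PROXY_FIELDS = [
    "timestamp", "identities", "internal_ip", "external_ip", "destination_ip",
    "content_type", "verdict", "url", "referer", "user_agent", "status_code",
    "request_size", "response_size", "response_body_size", "sha256",
    "categories", "av_detections", "puas", "amp_disposition", "amp_malware_name",
    "amp_score", "identity_type", "blocked_categories",
]
IP_FIELDS = [
    "timestamp", "identity", "source_ip", "source_port", "destination_ip",
    "destination_port", "categories", "identity_types",
]
DNS_FIELDS = [
    "timestamp", "most_granular_identity", "identities", "internal_ip",
    "external_ip", "action", "query_type", "response_code", "domain",
    "categories", "most_granular_identity_type", "identity_types", "blocked_categories",
]
# With no header row, the column count is what tells the three files apart.
SCHEMAS = {len(f): (name, f) for name, f in
           (("proxy", PROXY_FIELDS), ("ip", IP_FIELDS), ("dns", DNS_FIELDS))}


def parse_umbrella_line(line):
    """Parse one headerless Umbrella CSV line into (log_type, record dict).
    Uses csv.reader rather than str.split(",") because quoted fields such as
    the user agent and the category list contain commas of their own."""
    row = next(csv.reader([line]))
    if len(row) not in SCHEMAS:
        raise ValueError(f"unexpected column count {len(row)}")
    log_type, fields = SCHEMAS[len(row)]
    return log_type, dict(zip(fields, row))


def categories(record):
    """Split the comma-separated category field into a list (empty if blank)."""
    return [c for c in record.get("categories", "").split(",") if c]


def was_blocked(log_type, record):
    """True if Umbrella blocked the request, None for IP logs (no verdict column).
    The verdict values ("BLOCKED" / "Blocked") are assumed from Cisco docs."""
    if log_type == "proxy":
        return record["verdict"].lower() == "blocked"
    if log_type == "dns":
        return record["action"].lower() == "blocked"
    return None
```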