Supported APIs and data types
- Proxy Logs: Shows HTTP traffic that has passed through an Umbrella proxy (either the Secure Web Gateway or the Selective Proxy). In addition to showing whether the traffic was blocked, it records the size of the requests and the user agent.
- IP Logs: Similar to Proxy Logs, but only shows traffic handled by Umbrella's IP Layer Enforcement feature.
- DNS Logs: Shows DNS requests made to Umbrella's DNS servers; these can be used to identify known (and new!) malicious domains.
Sending data to Hunters
Creating a Dataflow
After you have configured an S3 bucket to be accessible by Hunters and started exporting your Umbrella logs to it, log in to the Hunters Portal, go to the "Data Flows" section in the left bar, and click the "Add Data Flows" button.
- In the Product box, select Cisco Umbrella
- Paste the Role ARN from the setup tutorial in the Hunters' "Add Data Flow" wizard.
- For each data type, enter the bucket name and the prefix containing all the logs of that data type (and only those), and choose the format CSV with no header.
- Click the "Test Connection" button.
- After the test has passed, click the "Submit" button and the dataflow will be created.
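Two things commonly make the "Test Connection" step fail: a prefix that mixes several log types, or exported files that carry a header row. The following pre-flight check, an added example that is not part of the Hunters or Umbrella documentation, runs offline over a constructed list of S3 object keys and constructed CSV text; the `dnslogs`/`proxylogs`/`iplogs` folder names and the sample columns are assumptions, not taken from the page.

```python
import csv
import io

# Assumed (not from the page) sub-folder names that mark each data type
# inside the export prefix; adjust to match what appears in your bucket.
DATATYPE_FOLDERS = {"dnslogs": "DNS Logs", "proxylogs": "Proxy Logs", "iplogs": "IP Logs"}

# Constructed sample object keys, as a bucket listing might return them.
SAMPLE_KEYS = [
    "umbrella/dnslogs/2024-01-05/2024-01-05-10-00-aaaa.csv.gz",
    "umbrella/dnslogs/2024-01-05/2024-01-05-10-10-aaab.csv.gz",
    "umbrella/proxylogs/2024-01-05/2024-01-05-10-00-bbbb.csv.gz",
]

# Constructed CSV samples; column names are illustrative only.
SAMPLE_WITH_HEADER = 'Timestamp,Identity,Action\n"2024-01-05 10:00:01","laptop-1","Allowed"\n'
SAMPLE_NO_HEADER = '"2024-01-05 10:00:01","laptop-1","Allowed"\n'


def datatype_of_key(key):
    """Map an object key to a data type by the folder name it contains, or None."""
    for part in key.split("/"):
        if part in DATATYPE_FOLDERS:
            return DATATYPE_FOLDERS[part]
    return None


def datatypes_under_prefix(keys, prefix):
    """Return the set of data types found among the keys that start with prefix."""
    return {datatype_of_key(k) for k in keys if k.startswith(prefix)}


def prefix_is_single_datatype(keys, prefix):
    """True only if the prefix holds objects of exactly one recognised data type."""
    found = datatypes_under_prefix(keys, prefix)
    return len(found) == 1 and None not in found


def first_row_is_header(csv_text):
    """Hunters expects CSV with no header: treat a first field that does not
    start like a year (four digits) as a header row rather than a log record."""
    row = next(csv.reader(io.StringIO(csv_text)), None)
    if not row or not row[0]:
        return False
    return not row[0][:4].isdigit()
```

Run the checks against a real listing (for example the output of `aws s3 ls --recursive`) before submitting the data flow, one prefix per data type.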