Overview

This article details how to ingest logs of Cisco Umbrella into Hunters XDR.

Supported APIs and data types

  • Proxy Logs: Shows HTTP traffic that has passed through an Umbrella proxy (either the Secure Web Gateway or Selectie Proxy). In addition to showing whether the traffic was blocked, it shows the size of the requests and a user agent.

  • IP Logs: Similiar to Proxy Logs, just shows traffic that is handled by Umbrella's IP Layer Enforcement feature.

  • DNS Logs: Shows DNS requests to Umbrella's DNS servers, can be used to identify known (and new!) malicious domains.

Sending data to Hunters

Prerequisites

In order to set up a S3 bucket for Umbrella's data, please follow this guide, and configure the bucket according to this tutorial.

More information about Cisco Umbrella's content and capabilities may be found here and for more ingestion relevant documentation here.

Creating a Data Flow

After you have configured an S3 bucket to be accessible by Hunters and started exporting your Umbrella logs, login into the Hunters Portal, go to the "Data Flows" section in the left bar, and click the "Add Data Flows" button.

  1. In the Product box, select Cisco Umbrella

  2. Paste the Role ARN from the setup tutorial in the Hunters' "Add Data Flow" wizard.

  3. For each data type, put down the bucket name, the prefix containing all the logs from that datatype (And only them), and choose the format CSV with no header

  4. Click the "Test Connection" button.

  5. After the test has passed, click the "Submit" button and the data flow will be created.