Overview

This article details how to ingest Cisco Umbrella logs into Hunters XDR.

Supported APIs and data types

  • Proxy Logs: Show HTTP traffic that has passed through an Umbrella proxy (either the Secure Web Gateway or the Selective Proxy). In addition to showing whether the traffic was blocked, they show the size of the requests and the user agent.

    "2021-12-14 13:09:14","Kate","1.1.1.1","1.1.1.2","1.1.1.3","text/plain","ALLOWED","URL","","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/897.32 (KHTML, like Gecko) Chrome/12.0.842.32 Safari/987.22","235","","356","11","123ce97659ab9321098fe81728abbc9981588909","Business Services,Infrastructure","","","","","","Anyconnect Roaming Client",""

  • IP Logs: Similar to Proxy Logs, but show only traffic that is handled by Umbrella's IP Layer Enforcement feature.

    "2021-12-07 15:53:43","LAPTOP-X","1.1.1.1","2222","1.1.1.2","3333","","Anyconnect Roaming Client"

  • DNS Logs: Show DNS requests to Umbrella's DNS servers; they can be used to identify known (and new!) malicious domains.

    "2021-12-14 12:29:52","Nick","Nick","1.1.1.1","1.1.1.2","Allowed","1 (A)","NOERROR","String","Application","Anyconnect Roaming Client","Anyconnect Roaming Client",""
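As an added example (not code from Hunters or Cisco), the Python parser below splits the three quoted-CSV line shapes shown above, tells the log types apart by their field count, names the fields, and flags records where Umbrella enforced a block. The field names are an assumption taken from Cisco's published Umbrella log-format documentation and should be checked against the format version your organisation exports.

```python
import csv
from io import StringIO

# Assumed field layouts per log type (from Cisco's Umbrella log-format docs;
# verify against the export format version in use).
FIELDS = {
    "proxy": ["timestamp", "identity", "internal_ip", "external_ip", "destination_ip",
              "content_type", "verdict", "url", "referer", "user_agent", "status_code",
              "request_size", "response_size", "response_body_size", "file_sha",
              "categories", "av_detections", "puas", "amp_disposition",
              "amp_malware_name", "amp_score", "identity_type", "blocked_categories"],
    "ip": ["timestamp", "identity", "source_ip", "source_port", "destination_ip",
           "destination_port", "categories", "identity_type"],
    "dns": ["timestamp", "most_granular_identity", "identities", "internal_ip",
            "external_ip", "action", "query_type", "response_code", "domain",
            "categories", "most_granular_identity_type", "identity_types",
            "blocked_categories"],
}
# The three layouts have distinct lengths, so the field count identifies the type.
BY_LENGTH = {len(names): kind for kind, names in FIELDS.items()}

# Sample lines copied from the documentation above (sanitised placeholder values).
SAMPLES = {
    "proxy": '"2021-12-14 13:09:14","Kate","1.1.1.1","1.1.1.2","1.1.1.3","text/plain","ALLOWED","URL","","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/897.32 (KHTML, like Gecko) Chrome/12.0.842.32 Safari/987.22","235","","356","11","123ce97659ab9321098fe81728abbc9981588909","Business Services,Infrastructure","","","","","","Anyconnect Roaming Client",""',
    "ip": '"2021-12-07 15:53:43","LAPTOP-X","1.1.1.1","2222","1.1.1.2","3333","","Anyconnect Roaming Client"',
    "dns": '"2021-12-14 12:29:52","Nick","Nick","1.1.1.1","1.1.1.2","Allowed","1 (A)","NOERROR","String","Application","Anyconnect Roaming Client","Anyconnect Roaming Client",""',
}

def parse_umbrella_line(line: str) -> dict:
    """Split one Umbrella log line and return a dict of named fields plus log_type."""
    # csv.reader honours the double quotes, so "Business Services,Infrastructure"
    # stays one field instead of being split on its inner comma.
    row = next(csv.reader(StringIO(line)))
    kind = BY_LENGTH.get(len(row))
    if kind is None:
        raise ValueError(f"unrecognised Umbrella line: {len(row)} fields")
    record = dict(zip(FIELDS[kind], row))
    record["log_type"] = kind
    return record

def is_blocked(record: dict) -> bool:
    """True when Umbrella blocked the request (proxy verdict or DNS action)."""
    if record["log_type"] == "proxy":
        return record["verdict"].upper() == "BLOCKED"
    if record["log_type"] == "dns":
        return record["action"].lower() == "blocked"
    return False  # IP-layer logs carry no verdict field in this layout

if __name__ == "__main__":
    for kind, line in SAMPLES.items():
        rec = parse_umbrella_line(line)
        print(kind, rec["timestamp"], rec["identity" if kind != "dns" else "identities"], is_blocked(rec))
```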

Sending data to Hunters

Prerequisites

In order to set up an S3 bucket for Umbrella's data, please follow this guide, and configure the bucket according to this tutorial.

More information about Cisco Umbrella's content and capabilities may be found here, and further ingestion-related documentation here.

Setting up the Data Flow

After you have configured an S3 bucket to be accessible by Hunters and started exporting your Umbrella logs to it, supply Hunters with the bucket details via a support ticket, and the data flow will be set up by our team.