Cisco Umbrella Logs
Connecting Cisco Umbrella logs to your Panther Console
Overview
Panther supports ingesting Cisco Umbrella logs via common Data Transport options.
How to onboard Cisco Umbrella logs to Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Cisco Umbrella,” then click its tile.
In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration.
Click Start Setup.
Follow Panther's instructions for configuring the selected Data Transport method, such as:
Configure Cisco Umbrella to push logs to the Data Transport source. See Cisco Umbrella's documentation for instructions on pushing logs to your selected Data Transport source.
Panther-managed detections
See Panther-managed rules for Cisco Umbrella in the panther-analysis GitHub repository.
Supported log types
CiscoUmbrella.CloudFirewall
Cloud Firewall logs show traffic that has been handled by network tunnels.
Reference: Cisco documentation on Log Formats and Versioning
schema: CiscoUmbrella.CloudFirewall
description: Cloud Firewall logs show traffic that has been handled by network tunnels.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs
fields:
- name: timestamp
required: true
description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S'
isEventTime: true
- name: originId
description: The unique identity of the network tunnel.
type: string
- name: identity
description: The name of the network tunnel.
type: string
- name: identityType
description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'.
type: string
- name: direction
description: The direction of the packet. It is destined either towards the internet or to the customer's network.
type: string
- name: ipProtocol
description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP.
type: bigint
- name: packetSize
description: The size of the packet that Umbrella CDFW received.
type: bigint
- name: sourceIp
description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
type: string
indicators:
- ip
- name: sourcePort
description: The internal port number of the user-generated traffic towards the CDFW.
type: int
- name: destinationIp
description: The destination IP address of the user-generated traffic towards the CDFW.
type: string
indicators:
- ip
- name: destinationPort
description: The destination port number of the user-generated traffic towards the CDFW.
type: int
- name: dataCenter
description: The name of the Umbrella Data Center that processed the user-generated traffic.
type: string
- name: ruleId
description: The ID of the rule that processed the user traffic.
type: string
- name: verdict
description: The final verdict whether to allow or block the traffic based on the rule.
type: stringCiscoUmbrella.DNS
DNS logs show traffic that has reached our DNS resolvers.
Reference: Cisco documentation on DNS Logs.
schema: CiscoUmbrella.DNS
description: DNS logs show traffic that has reached our DNS resolvers.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs
fields:
- name: timestamp
required: true
description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone.
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S'
isEventTime: true
- name: policyIdentity
description: The first identity that matched the request in order of granularity.
type: string
- name: identities
description: All identities associated with this request.
type: array
element:
type: string
- name: internalIp
description: The internal IP address that made the request.
type: string
indicators:
- ip
- name: externalIp
description: The external IP address that made the request.
type: string
indicators:
- ip
- name: action
description: Whether the request was allowed or blocked.
type: string
- name: queryType
description: The type of DNS request that was made. For more information, see Common DNS Request Types.
type: string
- name: responseCode
description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
type: string
- name: domain
description: The domain that was requested.
type: string
indicators:
- domain
- name: categories
description: The security or content categories that the destination matches.
type: array
element:
type: string
- name: policyIdentityType
description: The first identity type matched with this request in order of granularity. Available in version 3 and above.
type: string
- name: identityTypes
description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
type: array
element:
type: string
- name: blockedCategories
description: The categories that resulted in the destination being blocked. Available in version 4 and above.
type: array
element:
type: stringCiscoUmbrella.IP
IP logs show traffic that has been handled by the IP Layer Enforcement feature.
Reference: Cisco documentation on IP Logs.
schema: CiscoUmbrella.IP
description: IP logs show traffic that has been handled by the IP Layer Enforcement feature.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs
fields:
- name: timestamp
required: true
description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S'
isEventTime: true
- name: identity
description: The first identity that matched the request.
type: string
- name: sourceIp
description: The IP of the computer making the request.
type: string
indicators:
- ip
- name: sourcePort
description: The port the request was made on.
type: int
- name: destinationIp
description: The destination IP requested.
type: string
indicators:
- ip
- name: destinationPort
description: The destination port the request was made on.
type: int
- name: categories
description: Which security categories, if any, matched against the destination IP address/port requested.
type: array
element:
type: string
- name: identityTypes
description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
type: array
element:
type: stringCiscoUmbrella.Proxy
Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy.
Reference: Cisco documentation on Selection Proxy Logs.
schema: CiscoUmbrella.Proxy
description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs
fields:
- name: timestamp
description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S'
isEventTime: true
- name: identity
description: The first identity that matched the request.
type: string
- name: identities
description: Which identities, in order of granularity, made the request through the intelligent proxy.
type: array
element:
type: string
- name: internalIp
description: The internal IP address of the computer making the request.
type: string
indicators:
- ip
- name: externalIp
description: The egress IP address of the network where the request originated.
type: string
indicators:
- ip
- name: destinationIp
description: The destination IP address of the request.
type: string
indicators:
- ip
- name: contentType
description: The type of web content, typically text/html.
type: string
- name: verdict
description: Whether the destination was blocked or allowed.
type: string
- name: url
description: The URL requested.
type: string
indicators:
- url
- name: referrer
description: The referring domain or URL.
type: string
indicators:
- url
- hostname
- name: userAgent
description: The browser agent that made the request.
type: string
- name: statusCode
description: The HTTP status code; should always be 200 or 201.
type: int
- name: requestSize
description: Request size in bytes.
type: bigint
- name: responseSize
description: Response size in bytes.
type: bigint
- name: responseBodySize
description: Response body size in bytes.
type: bigint
- name: sha
description: SHA256 hex digest of the response content.
type: string
indicators:
- sha256
- name: categories
description: The security categories for this request, such as Malware.
type: array
element:
type: string
- name: avDetections
description: The detection name according to the antivirus engine used in file inspection.
type: array
element:
type: string
- name: puas
description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
type: array
element:
type: string
- name: ampDisposition
description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
type: string
- name: ampMalwareName
description: If Malicious, the name of the malware according to AMP.
type: string
- name: ampScore
description: The score of the malware from AMP. This field is not currently used and will be blank.
type: string
- name: identityType
description: The type of identity that made the request. For example, Roaming Computer, Network, and so on.
type: string
- name: blockedCategories
description: The categories that resulted in the destination being blocked. Available in version 4 and above.
type: array
element:
type: stringLast updated
Was this helpful?