# Cisco Umbrella Logs

## Overview

Panther supports ingesting [Cisco Umbrella](https://docs.umbrella.com/) logs via common [Data Transport](https://docs.panther.com/data-onboarding/data-transports) options.

## How to onboard Cisco Umbrella logs to Panther

To connect these logs into Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Cisco Umbrella,” then click its tile.
4. In the **Transport Mechanism** drop-down, select the Data Transport method you wish to use for this integration.\
   ![An arrow is drawn from a tile labeled "Cisco Umbrella" to a "Transport Mechanism" field. To its right is a "Start Setup" button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-dc715ebb172d6d7b30e94a1d0099061a733eb4ae%2FScreenshot%202024-09-13%20at%2011.00.42%20AM.png?alt=media)
5. Click **Start Setup**.
6. Follow Panther's instructions for configuring the selected [Data Transport](https://docs.panther.com/data-onboarding/data-transports) method, such as:
   * [AWS S3](https://docs.panther.com/data-onboarding/data-transports/aws/s3)
   * [AWS SQS](https://docs.panther.com/data-onboarding/data-transports/aws/sqs)
7. Configure Cisco Umbrella to push logs to the Data Transport source you selected. See [Cisco Umbrella's documentation](https://docs.umbrella.com/) for instructions on pushing logs to that destination.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Cisco Umbrella in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/cisco_umbrella_dns_rules).

## Supported log types

### CiscoUmbrella.CloudFirewall

Cloud Firewall logs show traffic that has been handled by network tunnels.

Reference: [Cisco documentation on Log Formats and Versioning](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs)

```yaml
schema: CiscoUmbrella.CloudFirewall
description: Cloud Firewall logs show traffic that has been handled by network tunnels.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs
fields:
    - name: timestamp
      required: true
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: originId
      description: The unique identity of the network tunnel.
      type: string
    - name: identity
      description: The name of the network tunnel.
      type: string
    - name: identityType
      description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'.
      type: string
    - name: direction
      description: The direction of the packet. It is destined either towards the internet or to the customer's network.
      type: string
    - name: ipProtocol
      description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP.
      type: bigint
    - name: packetSize
      description: The size of the packet that Umbrella CDFW received.
      type: bigint
    - name: sourceIp
      description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
      type: string
      indicators:
        - ip
    - name: sourcePort
      description: The internal port number of the user-generated traffic towards the CDFW.
      type: int
    - name: destinationIp
      description: The destination IP address of the user-generated traffic towards the CDFW.
      type: string
      indicators:
        - ip
    - name: destinationPort
      description: The destination port number of the user-generated traffic towards the CDFW.
      type: int
    - name: dataCenter
      description: The name of the Umbrella Data Center that processed the user-generated traffic.
      type: string
    - name: ruleId
      description: The ID of the rule that processed the user traffic.
      type: string
    - name: verdict
      description: The final verdict whether to allow or block the traffic based on the rule.
      type: string
```

### CiscoUmbrella.DNS

DNS logs show traffic that has reached Cisco Umbrella's DNS resolvers.

Reference: [Cisco documentation on DNS Logs.](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs)

```yaml
schema: CiscoUmbrella.DNS
description: DNS logs show traffic that has reached our DNS resolvers.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs
fields:
    - name: timestamp
      required: true
      description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: policyIdentity
      description: The first identity that matched the request in order of granularity.
      type: string
    - name: identities
      description: All identities associated with this request.
      type: array
      element:
        type: string
    - name: internalIp
      description: The internal IP address that made the request.
      type: string
      indicators:
        - ip
    - name: externalIp
      description: The external IP address that made the request.
      type: string
      indicators:
        - ip
    - name: action
      description: Whether the request was allowed or blocked.
      type: string
    - name: queryType
      description: The type of DNS request that was made. For more information, see Common DNS Request Types.
      type: string
    - name: responseCode
      description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
      type: string
    - name: domain
      description: The domain that was requested.
      type: string
      indicators:
        - domain
    - name: categories
      description: The security or content categories that the destination matches.
      type: array
      element:
        type: string
    - name: policyIdentityType
      description: The first identity type matched with this request in order of granularity. Available in version 3 and above.
      type: string
    - name: identityTypes
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
      type: array
      element:
        type: string
    - name: blockedCategories
      description: The categories that resulted in the destination being blocked. Available in version 4 and above.
      type: array
      element:
        type: string
```
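The schema above fixes the field names, the `%Y-%m-%d %H:%M:%S` timestamp format, and which columns are arrays. The following added example (not Panther's own parser, and not part of this page originally) maps a raw Umbrella DNS log line onto those field names so you can see how a line turns into a schema-shaped event. It assumes the CSV columns appear in the same order as the schema fields, that multi-valued columns are comma-separated inside one quoted cell, and that older log versions simply omit the trailing columns (`policyIdentityType`, `identityTypes`, `blockedCategories`); the sample line is constructed, not real log data.

```python
"""Map a raw Cisco Umbrella DNS log line onto the CiscoUmbrella.DNS field names.

Added example, not Panther's parser. Assumptions: CSV column order follows the
schema field order; array columns are comma-separated within a quoted cell;
log versions below 4 omit trailing columns.
"""
import csv
import io
from datetime import datetime, timezone

# Assumed column order: same as the schema's field order.
DNS_FIELDS = [
    "timestamp", "policyIdentity", "identities", "internalIp", "externalIp",
    "action", "queryType", "responseCode", "domain", "categories",
    "policyIdentityType", "identityTypes", "blockedCategories",
]
# Fields the schema declares as arrays of strings.
ARRAY_FIELDS = {"identities", "categories", "identityTypes", "blockedCategories"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # the schema's timeFormats entry


def split_list(cell: str) -> list[str]:
    """Split a comma-separated cell into a list, dropping empty entries."""
    return [item.strip() for item in cell.split(",") if item.strip()]


def parse_dns_line(line: str) -> dict:
    """Parse one CSV line into a dict keyed by the schema field names."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) < len(DNS_FIELDS):
        # Versions below 4 lack the trailing columns; pad so every field exists.
        row = row + [""] * (len(DNS_FIELDS) - len(row))
    event: dict = {}
    for name, cell in zip(DNS_FIELDS, row):
        if name in ARRAY_FIELDS:
            event[name] = split_list(cell)
        elif name == "timestamp":
            # The schema marks this field as the event time, in UTC.
            event[name] = datetime.strptime(cell, TIME_FORMAT).replace(tzinfo=timezone.utc)
        else:
            event[name] = cell
    return event


def is_security_block(event: dict) -> bool:
    """True when the resolver blocked the query and recorded a blocking category."""
    return event["action"] == "Blocked" and bool(event["blockedCategories"])


# Constructed sample line (version 4 layout); values are made up for illustration.
SAMPLE_LINE = (
    '"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network",'
    '"10.10.1.100","24.123.132.133","Blocked","1 (A)","NOERROR","malware-example.test.",'
    '"Malware,Chat","AD Users","AD Users,AD Sites,Networks","Malware"'
)

if __name__ == "__main__":
    ev = parse_dns_line(SAMPLE_LINE)
    print(ev["domain"], ev["action"], ev["blockedCategories"], is_security_block(ev))
```

Running the block prints the domain, the action, the `blockedCategories` list and `True` for the constructed line. The padding step matters for detections: a rule that reads `blockedCategories` from a version 3 event gets an empty list rather than a missing key, which is the behaviour you want when a schema field is documented as "available in version 4 and above".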

### CiscoUmbrella.IP

IP logs show traffic that has been handled by the IP Layer Enforcement feature.

Reference: [Cisco documentation on IP Logs.](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs)

```yaml
schema: CiscoUmbrella.IP
description: IP logs show traffic that has been handled by the IP Layer Enforcement feature.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs
fields:
    - name: timestamp
      required: true
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: identity
      description: The first identity that matched the request.
      type: string
    - name: sourceIp
      description: The IP of the computer making the request.
      type: string
      indicators:
        - ip
    - name: sourcePort
      description: The port the request was made on.
      type: int
    - name: destinationIp
      description: The destination IP requested.
      type: string
      indicators:
        - ip
    - name: destinationPort
      description: The destination port the request was made on.
      type: int
    - name: categories
      description: Which security categories, if any, matched against the destination IP address/port requested.
      type: array
      element:
        type: string
    - name: identityTypes
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
      type: array
      element:
        type: string
```

### CiscoUmbrella.Proxy

Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy.

Reference: [Cisco documentation on Proxy Logs.](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs)

```yaml
schema: CiscoUmbrella.Proxy
description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs
fields:
    - name: timestamp
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: identity
      description: The first identity that matched the request.
      type: string
    - name: identities
      description: Which identities, in order of granularity, made the request through the intelligent proxy.
      type: array
      element:
        type: string
    - name: internalIp
      description: The internal IP address of the computer making the request.
      type: string
      indicators:
        - ip
    - name: externalIp
      description: The egress IP address of the network where the request originated.
      type: string
      indicators:
        - ip
    - name: destinationIp
      description: The destination IP address of the request.
      type: string
      indicators:
        - ip
    - name: contentType
      description: The type of web content, typically text/html.
      type: string
    - name: verdict
      description: Whether the destination was blocked or allowed.
      type: string
    - name: url
      description: The URL requested.
      type: string
      indicators:
        - url
    - name: referrer
      description: The referring domain or URL.
      type: string
      indicators:
        - url
        - hostname
    - name: userAgent
      description: The browser agent that made the request.
      type: string
    - name: statusCode
      description: The HTTP status code; should always be 200 or 201.
      type: int
    - name: requestSize
      description: Request size in bytes.
      type: bigint
    - name: responseSize
      description: Response size in bytes.
      type: bigint
    - name: responseBodySize
      description: Response body size in bytes.
      type: bigint
    - name: sha
      description: SHA256 hex digest of the response content.
      type: string
      indicators:
        - sha256
    - name: categories
      description: The security categories for this request, such as Malware.
      type: array
      element:
        type: string
    - name: avDetections
      description: The detection name according to the antivirus engine used in file inspection.
      type: array
      element:
        type: string
    - name: puas
      description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
      type: array
      element:
        type: string
    - name: ampDisposition
      description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
      type: string
    - name: ampMalwareName
      description: If Malicious, the name of the malware according to AMP.
      type: string
    - name: ampScore
      description: The score of the malware from AMP. This field is not currently used and will be blank.
      type: string
    - name: identityType
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on.
      type: string
    - name: blockedCategories
      description: The categories that resulted in the destination being blocked. Available in version 4 and above.
      type: array
      element:
        type: string
```
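The proxy schema carries the File Inspection results (`ampDisposition`, `ampMalwareName`, `avDetections`, `puas`) next to the delivery verdict, the URL and the response hash, which is what a detection over these events should surface. The following added example is a Panther-style rule written for this page; it is not one of the Panther-managed rules in the panther-analysis repository. It assumes the event exposes the schema's field names through `event.get()` (true of a plain dict and of Panther's event object), fires when AMP returns `Malicious` or the antivirus engine reports a detection, raises severity when the proxy still allowed the transfer, and hands the analyst the hash and URL in the alert context. The sample events are constructed.

```python
"""Panther-style rule over CiscoUmbrella.Proxy events (added example, not a
Panther-managed rule). Assumes a dict-like event keyed by the schema's field names.
"""

MALICIOUS_DISPOSITION = "Malicious"  # one of Clean, Malicious, Unknown per the schema


def rule(event) -> bool:
    """Fire when File Inspection or the AV engine flagged the proxied file."""
    if event.get("ampDisposition") == MALICIOUS_DISPOSITION:
        return True
    # avDetections is an array field; an empty list (or None) means no detection.
    return bool(event.get("avDetections") or [])


def severity(event) -> str:
    """A flagged file that the proxy still allowed through needs faster attention."""
    return "HIGH" if str(event.get("verdict", "")).lower() == "allowed" else "MEDIUM"


def title(event) -> str:
    """Alert title: the malware name if AMP gave one, else the AV names."""
    name = (
        event.get("ampMalwareName")
        or ", ".join(event.get("avDetections") or [])
        or "unnamed detection"
    )
    return f"Umbrella proxy flagged {name} for {event.get('identity') or '<unknown identity>'}"


def alert_context(event) -> dict:
    """Who, which URL, which hash, and whether the file got through."""
    return {
        "identity": event.get("identity"),
        "internalIp": event.get("internalIp"),
        "url": event.get("url"),
        "sha256": event.get("sha"),
        "verdict": event.get("verdict"),
        "ampDisposition": event.get("ampDisposition"),
        "avDetections": event.get("avDetections") or [],
        "puas": event.get("puas") or [],
    }


# Constructed sample events (not real log data); the hash is a placeholder.
MALICIOUS_ALLOWED = {
    "timestamp": "2015-01-16 17:48:41",
    "identity": "laptop-42",
    "internalIp": "10.10.1.100",
    "url": "http://files.example.test/invoice.exe",
    "verdict": "ALLOWED",
    "sha": "<placeholder-sha256>",
    "ampDisposition": "Malicious",
    "ampMalwareName": "Example.Trojan",
    "avDetections": [],
    "puas": [],
}
CLEAN_ALLOWED = {
    "identity": "laptop-42",
    "url": "http://www.example.test/index.html",
    "verdict": "ALLOWED",
    "ampDisposition": "Clean",
    "avDetections": [],
}
UNKNOWN_WITH_AV = {
    "identity": "desktop-7",
    "url": "http://cdn.example.test/tool.zip",
    "verdict": "BLOCKED",
    "ampDisposition": "Unknown",
    "avDetections": ["Example.Adware"],
    "puas": ["Example.PUA"],
}

if __name__ == "__main__":
    for ev in (MALICIOUS_ALLOWED, CLEAN_ALLOWED, UNKNOWN_WITH_AV):
        if rule(ev):
            print(severity(ev), title(ev), alert_context(ev))
```

Note that `ampDisposition` of `Unknown` does not by itself fire the rule: the schema documents it as a legitimate state, so the rule relies on `avDetections` for those events instead of treating every non-`Clean` value as malicious.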
