Cisco Umbrella Logs

schema: CiscoUmbrella.CloudFirewall
description: Cloud Firewall logs show traffic that has been handled by network tunnels.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs
fields:
    - name: timestamp
      required: true
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: originId
      description: The unique identity of the network tunnel.
      type: string
    - name: identity
      description: The name of the network tunnel.
      type: string
    - name: identityType
      description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'.
      type: string
    - name: direction
      description: The direction of the packet. It is destined either towards the internet or to the customer's network.
      type: string
    - name: ipProtocol
      description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP.
      type: bigint
    - name: packetSize
      description: The size of the packet that Umbrella CDFW received.
      type: bigint
    - name: sourceIp
      description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
      type: string
      indicators:
        - ip
    - name: sourcePort
      description: The internal port number of the user-generated traffic towards the CDFW.
      type: int
    - name: destinationIp
      description: The destination IP address of the user-generated traffic towards the CDFW.
      type: string
      indicators:
        - ip
    - name: destinationPort
      description: The destination port number of the user-generated traffic towards the CDFW.
      type: int
    - name: dataCenter
      description: The name of the Umbrella Data Center that processed the user-generated traffic.
      type: string
    - name: ruleId
      description: The ID of the rule that processed the user traffic.
      type: string
    - name: verdict
      description: The final verdict whether to allow or block the traffic based on the rule.
      type: string

schema: CiscoUmbrella.DNS
description: DNS logs show traffic that has reached our DNS resolvers.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs
fields:
    - name: timestamp
      required: true
      description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: policyIdentity
      description: The first identity that matched the request in order of granularity.
      type: string
    - name: identities
      description: All identities associated with this request.
      type: array
      element:
        type: string
    - name: internalIp
      description: The internal IP address that made the request.
      type: string
      indicators:
        - ip
    - name: externalIp
      description: The external IP address that made the request.
      type: string
      indicators:
        - ip
    - name: action
      description: Whether the request was allowed or blocked.
      type: string
    - name: queryType
      description: The type of DNS request that was made. For more information, see Common DNS Request Types.
      type: string
    - name: responseCode
      description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
      type: string
    - name: domain
      description: The domain that was requested.
      type: string
      indicators:
        - domain
    - name: categories
      description: The security or content categories that the destination matches.
      type: array
      element:
        type: string
    - name: policyIdentityType
      description: The first identity type matched with this request in order of granularity. Available in version 3 and above.
      type: string
    - name: identityTypes
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
      type: array
      element:
        type: string
    - name: blockedCategories
      description: The categories that resulted in the destination being blocked. Available in version 4 and above.
      type: array
      element:
        type: string

schema: CiscoUmbrella.IP
description: IP logs show traffic that has been handled by the IP Layer Enforcement feature.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs
fields:
    - name: timestamp
      required: true
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: identity
      description: The first identity that matched the request.
      type: string
    - name: sourceIp
      description: The IP of the computer making the request.
      type: string
      indicators:
        - ip
    - name: sourcePort
      description: The port the request was made on.
      type: int
    - name: destinationIp
      description: The destination IP requested.
      type: string
      indicators:
        - ip
    - name: destinationPort
      description: The destination port the request was made on.
      type: int
    - name: categories
      description: Which security categories, if any, matched against the destination IP address/port requested.
      type: array
      element:
        type: string
    - name: identityTypes
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
      type: array
      element:
        type: string

schema: CiscoUmbrella.Proxy
description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs
fields:
    - name: timestamp
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: identity
      description: The first identity that matched the request.
      type: string
    - name: identities
      description: Which identities, in order of granularity, made the request through the intelligent proxy.
      type: array
      element:
        type: string
    - name: internalIp
      description: The internal IP address of the computer making the request.
      type: string
      indicators:
        - ip
    - name: externalIp
      description: The egress IP address of the network where the request originated.
      type: string
      indicators:
        - ip
    - name: destinationIp
      description: The destination IP address of the request.
      type: string
      indicators:
        - ip
    - name: contentType
      description: The type of web content, typically text/html.
      type: string
    - name: verdict
      description: Whether the destination was blocked or allowed.
      type: string
    - name: url
      description: The URL requested.
      type: string
      indicators:
        - url
    - name: referrer
      description: The referring domain or URL.
      type: string
      indicators:
        - url
        - hostname
    - name: userAgent
      description: The browser agent that made the request.
      type: string
    - name: statusCode
      description: The HTTP status code; should always be 200 or 201.
      type: int
    - name: requestSize
      description: Request size in bytes.
      type: bigint
    - name: responseSize
      description: Response size in bytes.
      type: bigint
    - name: responseBodySize
      description: Response body size in bytes.
      type: bigint
    - name: sha
      description: SHA256 hex digest of the response content.
      type: string
      indicators:
        - sha256
    - name: categories
      description: The security categories for this request, such as Malware.
      type: array
      element:
        type: string
    - name: avDetections
      description: The detection name according to the antivirus engine used in file inspection.
      type: array
      element:
        type: string
    - name: puas
      description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
      type: array
      element:
        type: string
    - name: ampDisposition
      description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
      type: string
    - name: ampMalwareName
      description: If Malicious, the name of the malware according to AMP.
      type: string
    - name: ampScore
      description: The score of the malware from AMP. This field is not currently used and will be blank.
      type: string
    - name: identityType
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on.
      type: string
    - name: blockedCategories
      description: The categories that resulted in the destination being blocked. Available in version 4 and above.
      type: array
      element:
        type: string