# Cisco Umbrella Logs ## Overview Panther supports ingesting [Cisco Umbrella](https://docs.umbrella.com/) logs via common [Data Transport](https://docs.panther.com/data-onboarding/data-transports) options. ## How to onboard Cisco Umbrella logs to Panther To connect these logs into Panther: 1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**. 2. Click **Create New**. 3. Search for “Cisco Umbrella,” then click its tile. 4. In the **Transport Mechanism** drop-down, select the Data Transport method you wish to use for this integration.\ ![An arrow is drawn from a tile labeled "Cisco Umbrella" to a "Transport Mechanism" field. To its right is a "Start Setup" button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-dc715ebb172d6d7b30e94a1d0099061a733eb4ae%2FScreenshot%202024-09-13%20at%2011.00.42%20AM.png?alt=media) 5. Click **Start Setup**. 6. Follow Panther's instructions for configuring the selected [Data Transport](https://docs.panther.com/data-onboarding/data-transports) method, such as: * [AWS S3](https://docs.panther.com/data-onboarding/data-transports/aws/s3) * [AWS SQS](https://docs.panther.com/data-onboarding/data-transports/aws/sqs) 7. Configure Cisco Umbrella to push logs to the Data Transport source. See [Cisco Umbrella's documentation](https://docs.umbrella.com/) for instructions on pushing logs to your selected Data Transport source. ## Panther-managed detections See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Cisco Umbrella in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/cisco_umbrella_dns_rules). ## Supported log types ### CiscoUmbrella.CloudFirewall Cloud Firewall logs show traffic that has been handled by network tunnels. Reference: [Cisco documentation on Log Formats and Versioning](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs) ```yaml schema: CiscoUmbrella.CloudFirewall description: Cloud Firewall logs show traffic that has been handled by network tunnels. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs fields: - name: timestamp required: true description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: originId description: The unique identity of the network tunnel. type: string - name: identity description: The name of the network tunnel. type: string - name: identityType description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'. type: string - name: direction description: The direction of the packet. It is destined either towards the internet or to the customer's network. type: string - name: ipProtocol description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP. type: bigint - name: packetSize description: The size of the packet that Umbrella CDFW received. type: bigint - name: sourceIp description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address. type: string indicators: - ip - name: sourcePort description: The internal port number of the user-generated traffic towards the CDFW. type: int - name: destinationIp description: The destination IP address of the user-generated traffic towards the CDFW. type: string indicators: - ip - name: destinationPort description: The destination port number of the user-generated traffic towards the CDFW. type: int - name: dataCenter description: The name of the Umbrella Data Center that processed the user-generated traffic. type: string - name: ruleId description: The ID of the rule that processed the user traffic. type: string - name: verdict description: The final verdict whether to allow or block the traffic based on the rule. type: string ``` ### CiscoUmbrella.DNS DNS logs show traffic that has reached our DNS resolvers. Reference: [Cisco documentation on DNS Logs.](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs) ```yaml schema: CiscoUmbrella.DNS description: DNS logs show traffic that has reached our DNS resolvers. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs fields: - name: timestamp required: true description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone. type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: policyIdentity description: The first identity that matched the request in order of granularity. type: string - name: identities description: All identities associated with this request. type: array element: type: string - name: internalIp description: The internal IP address that made the request. type: string indicators: - ip - name: externalIp description: The external IP address that made the request. type: string indicators: - ip - name: action description: Whether the request was allowed or blocked. type: string - name: queryType description: The type of DNS request that was made. For more information, see Common DNS Request Types. type: string - name: responseCode description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). type: string - name: domain description: The domain that was requested. type: string indicators: - domain - name: categories description: The security or content categories that the destination matches. type: array element: type: string - name: policyIdentityType description: The first identity type matched with this request in order of granularity. Available in version 3 and above. type: string - name: identityTypes description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. type: array element: type: string - name: blockedCategories description: The categories that resulted in the destination being blocked. Available in version 4 and above. type: array element: type: string ``` ### CiscoUmbrella.IP IP logs show traffic that has been handled by the IP Layer Enforcement feature. Reference: [Cisco documentation on IP Logs.](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs) ```yaml schema: CiscoUmbrella.IP description: IP logs show traffic that has been handled by the IP Layer Enforcement feature. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs fields: - name: timestamp required: true description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: identity description: The first identity that matched the request. type: string - name: sourceIp description: The IP of the computer making the request. type: string indicators: - ip - name: sourcePort description: The port the request was made on. type: int - name: destinationIp description: The destination IP requested. type: string indicators: - ip - name: destinationPort description: The destination port the request was made on. type: int - name: categories description: Which security categories, if any, matched against the destination IP address/port requested. type: array element: type: string - name: identityTypes description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. type: array element: type: string ``` ### CiscoUmbrella.Proxy Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy. Reference: [Cisco documentation on Selection Proxy Logs.](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs) ```yaml schema: CiscoUmbrella.Proxy description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs fields: - name: timestamp description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: identity description: The first identity that matched the request. type: string - name: identities description: Which identities, in order of granularity, made the request through the intelligent proxy. type: array element: type: string - name: internalIp description: The internal IP address of the computer making the request. type: string indicators: - ip - name: externalIp description: The egress IP address of the network where the request originated. type: string indicators: - ip - name: destinationIp description: The destination IP address of the request. type: string indicators: - ip - name: contentType description: The type of web content, typically text/html. type: string - name: verdict description: Whether the destination was blocked or allowed. type: string - name: url description: The URL requested. type: string indicators: - url - name: referrer description: The referring domain or URL. type: string indicators: - url - hostname - name: userAgent description: The browser agent that made the request. type: string - name: statusCode description: The HTTP status code; should always be 200 or 201. type: int - name: requestSize description: Request size in bytes. type: bigint - name: responseSize description: Response size in bytes. type: bigint - name: responseBodySize description: Response body size in bytes. type: bigint - name: sha description: SHA256 hex digest of the response content. type: string indicators: - sha256 - name: categories description: The security categories for this request, such as Malware. type: array element: type: string - name: avDetections description: The detection name according to the antivirus engine used in file inspection. type: array element: type: string - name: puas description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. type: array element: type: string - name: ampDisposition description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. type: string - name: ampMalwareName description: If Malicious, the name of the malware according to AMP. type: string - name: ampScore description: The score of the malware from AMP. This field is not currently used and will be blank. type: string - name: identityType description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. type: string - name: blockedCategories description: The categories that resulted in the destination being blocked. Available in version 4 and above. type: array element: type: string ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/data-onboarding/supported-logs/ciscoumbrella.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.