Cisco Umbrella Logs

Connecting Cisco Umbrella logs to your Panther Console
Overview
Panther supports ingesting Cisco Umbrella logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Cisco Umbrella logs to Panther
To connect these logs into Panther:
1.Set up your Data Transport in the Panther Console.
Follow Panther’s documentation for configuring the Data Transport option you will use:
​AWS S3 bucket​
​AWS SQS​
2.Configure Cisco Umbrella to push logs to the Data Transport source.
See Cisco's documentation for instructions on pushing logs to your selected Data Transport source.
Panther-built Detections
See Panther's built in detections for Cisco Umbrella in panther-analysis on Github.
Supported log types
CiscoUmbrella.CloudFirewall
Cloud Firewall logs show traffic that has been handled by network tunnels. 
Reference: Cisco documentation on Log Formats and Versioning​
schema: CiscoUmbrella.CloudFirewall
description: Cloud Firewall logs show traffic that has been handled by network tunnels.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs
fields:
 - name: timestamp
 required: true
 description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
 type: timestamp
 timeFormats:
 - '%Y-%m-%d %H:%M:%S'
 isEventTime: true
 - name: originId
 description: The unique identity of the network tunnel.
 type: string
 - name: identity
 description: The name of the network tunnel.
 type: string
 - name: identityType
 description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'.
 type: string
 - name: direction
 description: The direction of the packet. It is destined either towards the internet or to the customer's network.
 type: string
 - name: ipProtocol
 description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP.
 type: bigint
 - name: packetSize
 description: The size of the packet that Umbrella CDFW received.
 type: bigint
 - name: sourceIp
 description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
 type: string
 indicators:
 - ip
 - name: sourcePort
 description: The internal port number of the user-generated traffic towards the CDFW.
 type: int
 - name: destinationIp
 description: The destination IP address of the user-generated traffic towards the CDFW.
 type: string
 indicators:
 - ip
 - name: destinationPort
 description: The destination port number of the user-generated traffic towards the CDFW.
 type: int
 - name: dataCenter
 description: The name of the Umbrella Data Center that processed the user-generated traffic.
 type: string
 - name: ruleId
 description: The ID of the rule that processed the user traffic.
 type: string
 - name: verdict
 description: The final verdict whether to allow or block the traffic based on the rule.
 type: string
CiscoUmbrella.DNS
DNS logs show traffic that has reached our DNS resolvers. 
Reference: Cisco documentation on DNS Logs.​
schema: CiscoUmbrella.DNS
description: DNS logs show traffic that has reached our DNS resolvers.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs
fields:
 - name: timestamp
 required: true
 description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone.
 type: timestamp
 timeFormats:
 - '%Y-%m-%d %H:%M:%S'
 isEventTime: true
 - name: policyIdentity
 description: The first identity that matched the request in order of granularity.
 type: string
 - name: identities
 description: All identities associated with this request.
 type: array
 element:
 type: string
 - name: internalIp
 description: The internal IP address that made the request.
 type: string
 indicators:
 - ip
 - name: externalIp
 description: The external IP address that made the request.
 type: string
 indicators:
 - ip
 - name: action
 description: Whether the request was allowed or blocked.
 type: string
 - name: queryType
 description: The type of DNS request that was made. For more information, see Common DNS Request Types.
 type: string
 - name: responseCode
 description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
 type: string
 - name: domain
 description: The domain that was requested.
 type: string
 indicators:
 - domain
 - name: categories
 description: The security or content categories that the destination matches.
 type: array
 element:
 type: string
 - name: policyIdentityType
 description: The first identity type matched with this request in order of granularity. Available in version 3 and above.
 type: string
 - name: identityTypes
 description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
 type: array
 element:
 type: string
 - name: blockedCategories
 description: The categories that resulted in the destination being blocked. Available in version 4 and above.
 type: array
 element:
 type: string
​
CiscoUmbrella.IP
IP logs show traffic that has been handled by the IP Layer Enforcement feature. 
Reference: Cisco documentation on IP Logs.​
schema: CiscoUmbrella.IP
description: IP logs show traffic that has been handled by the IP Layer Enforcement feature.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs
fields:
 - name: timestamp
 required: true
 description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
 type: timestamp
 timeFormats:
 - '%Y-%m-%d %H:%M:%S'
 isEventTime: true
 - name: identity
 description: The first identity that matched the request.
 type: string
 - name: sourceIp
 description: The IP of the computer making the request.
 type: string
 indicators:
 - ip
 - name: sourcePort
 description: The port the request was made on.
 type: int
 - name: destinationIp
 description: The destination IP requested.
 type: string
 indicators:
 - ip
 - name: destinationPort
 description: The destination port the request was made on.
 type: int
 - name: categories
 description: Which security categories, if any, matched against the destination IP address/port requested.
 type: array
 element:
 type: string
 - name: identityTypes
 description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
 type: array
 element:
 type: string
CiscoUmbrella.Proxy
Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy. 
Reference: Cisco documentation on Selection Proxy Logs.​
schema: CiscoUmbrella.Proxy
description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs
fields:
 - name: timestamp
 description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
 type: timestamp
 timeFormats:
 - '%Y-%m-%d %H:%M:%S'
 isEventTime: true
 - name: identity
 description: The first identity that matched the request.
 type: string
 - name: identities
 description: Which identities, in order of granularity, made the request through the intelligent proxy.
 type: array
 element:
 type: string
 - name: internalIp
 description: The internal IP address of the computer making the request.
 type: string
 indicators:
 - ip
 - name: externalIp
 description: The egress IP address of the network where the request originated.
 type: string
 indicators:
 - ip
 - name: destinationIp
 description: The destination IP address of the request.
 type: string
 indicators:
 - ip
 - name: contentType
 description: The type of web content, typically text/html.
 type: string
 - name: verdict
 description: Whether the destination was blocked or allowed.
 type: string
 - name: url
 description: The URL requested.
 type: string
 indicators:
 - url
 - name: referrer
 description: The referring domain or URL.
 type: string
 indicators:
 - url
 - hostname
 - name: userAgent
 description: The browser agent that made the request.
 type: string
 - name: statusCode
 description: The HTTP status code; should always be 200 or 201.
 type: int
 - name: requestSize
 description: Request size in bytes.
 type: bigint
 - name: responseSize
 description: Response size in bytes.
 type: bigint
 - name: responseBodySize
 description: Response body size in bytes.
 type: bigint
 - name: sha
 description: SHA256 hex digest of the response content.
 type: string
 indicators:
 - sha256
 - name: categories
 description: The security categories for this request, such as Malware.
 type: array
 element:
 type: string
 - name: avDetections
 description: The detection name according to the antivirus engine used in file inspection.
 type: array
 element:
 type: string
 - name: puas
 description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
 type: array
 element:
 type: string
 - name: ampDisposition
 description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
 type: string
 - name: ampMalwareName
 description: If Malicious, the name of the malware according to AMP.
 type: string
 - name: ampScore
 description: The score of the malware from AMP. This field is not currently used and will be blank.
 type: string
 - name: identityType
 description: The type of identity that made the request. For example, Roaming Computer, Network, and so on.
 type: string
 - name: blockedCategories
 description: The categories that resulted in the destination being blocked. Available in version 4 and above.
 type: array
 element:
 type: string
Carbon Black Logs (Beta)
Cloudflare Logs
Last modified 2mo ago