Configure Cisco Umbrella to push logs to the Data Transport source. See Cisco Umbrella's documentation for instructions on pushing logs to your selected Data Transport source.
schema:CiscoUmbrella.CloudFirewalldescription:Cloud Firewall logs show traffic that has been handled by network tunnels.referenceURL:https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logsfields: - name:timestamprequired:truedescription:The timestamp of the request transaction in UTC (2015-01-16 17:48:41).type:timestamptimeFormats: - '%Y-%m-%d %H:%M:%S'isEventTime:true - name:originIddescription:The unique identity of the network tunnel.type:string - name:identitydescription:The name of the network tunnel.type:string - name:identityTypedescription:The type of identity that made the request. Should always be 'CDFW Tunnel Device'.type:string - name:directiondescription:The direction of the packet. It is destined either towards the internet or to the customer's network.type:string - name:ipProtocoldescription:The actual IP protocol of the traffic. It could be TCP, UDP, ICMP.type:bigint - name:packetSizedescription:The size of the packet that Umbrella CDFW received.type:bigint - name:sourceIpdescription:The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.type:stringindicators: - ip - name:sourcePortdescription:The internal port number of the user-generated traffic towards the CDFW.type:int - name:destinationIpdescription:The destination IP address of the user-generated traffic towards the CDFW.type:stringindicators: - ip - name:destinationPortdescription:The destination port number of the user-generated traffic towards the CDFW.type:int - name:dataCenterdescription:The name of the Umbrella Data Center that processed the user-generated traffic.type:string - name:ruleIddescription:The ID of the rule that processed the user traffic.type:string - name:verdictdescription:The final verdict whether to allow or block the traffic based on the rule.type:string
CiscoUmbrella.DNS
DNS logs show traffic that has reached our DNS resolvers.
schema:CiscoUmbrella.DNSdescription:DNS logs show traffic that has reached our DNS resolvers.referenceURL:https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logsfields: - name:timestamprequired:truedescription:When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone.type:timestamptimeFormats: - '%Y-%m-%d %H:%M:%S'isEventTime:true - name:policyIdentitydescription:The first identity that matched the request in order of granularity.type:string - name:identitiesdescription:All identities associated with this request.type:arrayelement:type:string - name:internalIpdescription:The internal IP address that made the request.type:stringindicators: - ip - name:externalIpdescription:The external IP address that made the request.type:stringindicators: - ip - name:actiondescription:Whether the request was allowed or blocked.type:string - name:queryTypedescription:The type of DNS request that was made. For more information, see Common DNS Request Types.type:string - name:responseCodedescription:The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).type:string - name:domaindescription:The domain that was requested.type:stringindicators: - domain - name:categoriesdescription:The security or content categories that the destination matches.type:arrayelement:type:string - name:policyIdentityTypedescription:The first identity type matched with this request in order of granularity. Available in version 3 and above.type:string - name:identityTypesdescription:The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.type:arrayelement:type:string - name:blockedCategoriesdescription:The categories that resulted in the destination being blocked. Available in version 4 and above.type:arrayelement:type:string
CiscoUmbrella.IP
IP logs show traffic that has been handled by the IP Layer Enforcement feature.
schema:CiscoUmbrella.IPdescription:IP logs show traffic that has been handled by the IP Layer Enforcement feature.referenceURL:https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logsfields: - name:timestamprequired:truedescription:The timestamp of the request transaction in UTC (2015-01-16 17:48:41).type:timestamptimeFormats: - '%Y-%m-%d %H:%M:%S'isEventTime:true - name:identitydescription:The first identity that matched the request.type:string - name:sourceIpdescription:The IP of the computer making the request.type:stringindicators: - ip - name:sourcePortdescription:The port the request was made on.type:int - name:destinationIpdescription:The destination IP requested.type:stringindicators: - ip - name:destinationPortdescription:The destination port the request was made on.type:int - name:categoriesdescription:Which security categories, if any, matched against the destination IP address/port requested.type:arrayelement:type:string - name:identityTypesdescription:The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.type:arrayelement:type:string
CiscoUmbrella.Proxy
Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy.
schema:CiscoUmbrella.Proxydescription:Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy.referenceURL:https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logsfields: - name:timestampdescription:The timestamp of the request transaction in UTC (2015-01-16 17:48:41).type:timestamptimeFormats: - '%Y-%m-%d %H:%M:%S'isEventTime:true - name:identitydescription:The first identity that matched the request.type:string - name:identitiesdescription:Which identities, in order of granularity, made the request through the intelligent proxy.type:arrayelement:type:string - name:internalIpdescription:The internal IP address of the computer making the request.type:stringindicators: - ip - name:externalIpdescription:The egress IP address of the network where the request originated.type:stringindicators: - ip - name:destinationIpdescription:The destination IP address of the request.type:stringindicators: - ip - name:contentTypedescription:The type of web content, typically text/html.type:string - name:verdictdescription:Whether the destination was blocked or allowed.type:string - name:urldescription:The URL requested.type:stringindicators: - url - name:referrerdescription:The referring domain or URL.type:stringindicators: - url - hostname - name:userAgentdescription:The browser agent that made the request.type:string - name:statusCodedescription:The HTTP status code; should always be 200 or 201.type:int - name:requestSizedescription:Request size in bytes.type:bigint - name:responseSizedescription:Response size in bytes.type:bigint - name:responseBodySizedescription:Response body size in bytes.type:bigint - name:shadescription:SHA256 hex digest of the response content.type:stringindicators: - sha256 - name:categoriesdescription:The security categories for this request, such as Malware.type:arrayelement:type:string - name:avDetectionsdescription:The detection name according to the antivirus engine used in file inspection.type:arrayelement:type:string - name:puasdescription:A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.type:arrayelement:type:string - name:ampDispositiondescription:The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.type:string - name:ampMalwareNamedescription:If Malicious, the name of the malware according to AMP.type:string - name:ampScoredescription:The score of the malware from AMP. This field is not currently used and will be blank.type:string - name:identityTypedescription:The type of identity that made the request. For example, Roaming Computer, Network, and so on.type:string - name:blockedCategoriesdescription:The categories that resulted in the destination being blocked. Available in version 4 and above.type:arrayelement:type:string
