Cisco Umbrella Logs

Connecting Cisco Umbrella logs to your Panther Console

Overview

Panther supports ingesting Cisco Umbrella logs via common Data Transport options.

How to onboard Cisco Umbrella logs to Panther

To connect these logs into Panther:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Cisco Umbrella,” then click its tile.
In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration.
Click Start Setup.
Follow Panther's instructions for configuring the selected Data Transport method, such as:
- AWS S3
- AWS SQS
Configure Cisco Umbrella to push logs to the Data Transport source. See Cisco Umbrella's documentation for instructions on pushing logs to your selected Data Transport source.

Panther-managed detections

See Panther-managed rules for Cisco Umbrella in the panther-analysis GitHub repository.

Supported log types

CiscoUmbrella.CloudFirewall

Cloud Firewall logs show traffic that has been handled by network tunnels.

Reference: Cisco documentation on Log Formats and Versioning

schema: CiscoUmbrella.CloudFirewall
description: Cloud Firewall logs show traffic that has been handled by network tunnels.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs
fields:
    - name: timestamp
      required: true
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: originId
      description: The unique identity of the network tunnel.
      type: string
    - name: identity
      description: The name of the network tunnel.
      type: string
    - name: identityType
      description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'.
      type: string
    - name: direction
      description: The direction of the packet. It is destined either towards the internet or to the customer's network.
      type: string
    - name: ipProtocol
      description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP.
      type: bigint
    - name: packetSize
      description: The size of the packet that Umbrella CDFW received.
      type: bigint
    - name: sourceIp
      description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
      type: string
      indicators:
        - ip
    - name: sourcePort
      description: The internal port number of the user-generated traffic towards the CDFW.
      type: int
    - name: destinationIp
      description: The destination IP address of the user-generated traffic towards the CDFW.
      type: string
      indicators:
        - ip
    - name: destinationPort
      description: The destination port number of the user-generated traffic towards the CDFW.
      type: int
    - name: dataCenter
      description: The name of the Umbrella Data Center that processed the user-generated traffic.
      type: string
    - name: ruleId
      description: The ID of the rule that processed the user traffic.
      type: string
    - name: verdict
      description: The final verdict whether to allow or block the traffic based on the rule.
      type: string

CiscoUmbrella.DNS

DNS logs show traffic that has reached our DNS resolvers.

Reference: Cisco documentation on DNS Logs.

schema: CiscoUmbrella.DNS
description: DNS logs show traffic that has reached our DNS resolvers.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs
fields:
    - name: timestamp
      required: true
      description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: policyIdentity
      description: The first identity that matched the request in order of granularity.
      type: string
    - name: identities
      description: All identities associated with this request.
      type: array
      element:
        type: string
    - name: internalIp
      description: The internal IP address that made the request.
      type: string
      indicators:
        - ip
    - name: externalIp
      description: The external IP address that made the request.
      type: string
      indicators:
        - ip
    - name: action
      description: Whether the request was allowed or blocked.
      type: string
    - name: queryType
      description: The type of DNS request that was made. For more information, see Common DNS Request Types.
      type: string
    - name: responseCode
      description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
      type: string
    - name: domain
      description: The domain that was requested.
      type: string
      indicators:
        - domain
    - name: categories
      description: The security or content categories that the destination matches.
      type: array
      element:
        type: string
    - name: policyIdentityType
      description: The first identity type matched with this request in order of granularity. Available in version 3 and above.
      type: string
    - name: identityTypes
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
      type: array
      element:
        type: string
    - name: blockedCategories
      description: The categories that resulted in the destination being blocked. Available in version 4 and above.
      type: array
      element:
        type: string

CiscoUmbrella.IP

IP logs show traffic that has been handled by the IP Layer Enforcement feature.

Reference: Cisco documentation on IP Logs.

schema: CiscoUmbrella.IP
description: IP logs show traffic that has been handled by the IP Layer Enforcement feature.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs
fields:
    - name: timestamp
      required: true
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: identity
      description: The first identity that matched the request.
      type: string
    - name: sourceIp
      description: The IP of the computer making the request.
      type: string
      indicators:
        - ip
    - name: sourcePort
      description: The port the request was made on.
      type: int
    - name: destinationIp
      description: The destination IP requested.
      type: string
      indicators:
        - ip
    - name: destinationPort
      description: The destination port the request was made on.
      type: int
    - name: categories
      description: Which security categories, if any, matched against the destination IP address/port requested.
      type: array
      element:
        type: string
    - name: identityTypes
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
      type: array
      element:
        type: string

CiscoUmbrella.Proxy

Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy.

Reference: Cisco documentation on Selection Proxy Logs.

schema: CiscoUmbrella.Proxy
description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs
fields:
    - name: timestamp
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: identity
      description: The first identity that matched the request.
      type: string
    - name: identities
      description: Which identities, in order of granularity, made the request through the intelligent proxy.
      type: array
      element:
        type: string
    - name: internalIp
      description: The internal IP address of the computer making the request.
      type: string
      indicators:
        - ip
    - name: externalIp
      description: The egress IP address of the network where the request originated.
      type: string
      indicators:
        - ip
    - name: destinationIp
      description: The destination IP address of the request.
      type: string
      indicators:
        - ip
    - name: contentType
      description: The type of web content, typically text/html.
      type: string
    - name: verdict
      description: Whether the destination was blocked or allowed.
      type: string
    - name: url
      description: The URL requested.
      type: string
      indicators:
        - url
    - name: referrer
      description: The referring domain or URL.
      type: string
      indicators:
        - url
        - hostname
    - name: userAgent
      description: The browser agent that made the request.
      type: string
    - name: statusCode
      description: The HTTP status code; should always be 200 or 201.
      type: int
    - name: requestSize
      description: Request size in bytes.
      type: bigint
    - name: responseSize
      description: Response size in bytes.
      type: bigint
    - name: responseBodySize
      description: Response body size in bytes.
      type: bigint
    - name: sha
      description: SHA256 hex digest of the response content.
      type: string
      indicators:
        - sha256
    - name: categories
      description: The security categories for this request, such as Malware.
      type: array
      element:
        type: string
    - name: avDetections
      description: The detection name according to the antivirus engine used in file inspection.
      type: array
      element:
        type: string
    - name: puas
      description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
      type: array
      element:
        type: string
    - name: ampDisposition
      description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
      type: string
    - name: ampMalwareName
      description: If Malicious, the name of the malware according to AMP.
      type: string
    - name: ampScore
      description: The score of the malware from AMP. This field is not currently used and will be blank.
      type: string
    - name: identityType
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on.
      type: string
    - name: blockedCategories
      description: The categories that resulted in the destination being blocked. Available in version 4 and above.
      type: array
      element:
        type: string

PreviousCarbon Black Logs NextCloudflare Logs

Last updated 1 year ago

Was this helpful?

schema: CiscoUmbrella.CloudFirewall description: Cloud Firewall logs show traffic that has been handled by network tunnels. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs fields: - name: timestamp required: true description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: originId description: The unique identity of the network tunnel. type: string - name: identity description: The name of the network tunnel. type: string - name: identityType description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'. type: string - name: direction description: The direction of the packet. It is destined either towards the internet or to the customer's network. type: string - name: ipProtocol description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP. type: bigint - name: packetSize description: The size of the packet that Umbrella CDFW received. type: bigint - name: sourceIp description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address. type: string indicators: - ip - name: sourcePort description: The internal port number of the user-generated traffic towards the CDFW. type: int - name: destinationIp description: The destination IP address of the user-generated traffic towards the CDFW. type: string indicators: - ip - name: destinationPort description: The destination port number of the user-generated traffic towards the CDFW. type: int - name: dataCenter description: The name of the Umbrella Data Center that processed the user-generated traffic. type: string - name: ruleId description: The ID of the rule that processed the user traffic. type: string - name: verdict description: The final verdict whether to allow or block the traffic based on the rule. type: string

schema: CiscoUmbrella.DNS description: DNS logs show traffic that has reached our DNS resolvers. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs fields: - name: timestamp required: true description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone. type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: policyIdentity description: The first identity that matched the request in order of granularity. type: string - name: identities description: All identities associated with this request. type: array element: type: string - name: internalIp description: The internal IP address that made the request. type: string indicators: - ip - name: externalIp description: The external IP address that made the request. type: string indicators: - ip - name: action description: Whether the request was allowed or blocked. type: string - name: queryType description: The type of DNS request that was made. For more information, see Common DNS Request Types. type: string - name: responseCode description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). type: string - name: domain description: The domain that was requested. type: string indicators: - domain - name: categories description: The security or content categories that the destination matches. type: array element: type: string - name: policyIdentityType description: The first identity type matched with this request in order of granularity. Available in version 3 and above. type: string - name: identityTypes description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. type: array element: type: string - name: blockedCategories description: The categories that resulted in the destination being blocked. Available in version 4 and above. type: array element: type: string

schema: CiscoUmbrella.Proxy description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs fields: - name: timestamp description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: identity description: The first identity that matched the request. type: string - name: identities description: Which identities, in order of granularity, made the request through the intelligent proxy. type: array element: type: string - name: internalIp description: The internal IP address of the computer making the request. type: string indicators: - ip - name: externalIp description: The egress IP address of the network where the request originated. type: string indicators: - ip - name: destinationIp description: The destination IP address of the request. type: string indicators: - ip - name: contentType description: The type of web content, typically text/html. type: string - name: verdict description: Whether the destination was blocked or allowed. type: string - name: url description: The URL requested. type: string indicators: - url - name: referrer description: The referring domain or URL. type: string indicators: - url - hostname - name: userAgent description: The browser agent that made the request. type: string - name: statusCode description: The HTTP status code; should always be 200 or 201. type: int - name: requestSize description: Request size in bytes. type: bigint - name: responseSize description: Response size in bytes. type: bigint - name: responseBodySize description: Response body size in bytes. type: bigint - name: sha description: SHA256 hex digest of the response content. type: string indicators: - sha256 - name: categories description: The security categories for this request, such as Malware. type: array element: type: string - name: avDetections description: The detection name according to the antivirus engine used in file inspection. type: array element: type: string - name: puas description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. type: array element: type: string - name: ampDisposition description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. type: string - name: ampMalwareName description: If Malicious, the name of the malware according to AMP. type: string - name: ampScore description: The score of the malware from AMP. This field is not currently used and will be blank. type: string - name: identityType description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. type: string - name: blockedCategories description: The categories that resulted in the destination being blocked. Available in version 4 and above. type: array element: type: string