Cisco Umbrella Logs

Connecting Cisco Umbrella logs to your Panther Console

Overview

Panther supports ingesting Cisco Umbrella logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Cisco Umbrella logs to Panther

To connect these logs into Panther:

  1. Set up your Data Transport in the Panther Console.

    • Follow Panther’s documentation for configuring the Data Transport option you will use:

  2. Configure Cisco Umbrella to push logs to the Data Transport source.

    • See Cisco's documentation for instructions on pushing logs to your selected Data Transport source.

Panther-built Detections

See Panther's built in detections for Cisco Umbrella in panther-analysis on Github.

Supported log types

Required fields in all tables are in bold.

CiscoUmbrella.CloudFirewall

Cloud Firewall logs show traffic that has been handled by network tunnels.

Reference: Cisco documentation on Log Formats and Versioning

Column

Type

Description

timestamp

timestamp

The timestamp of the request transaction in UTC (2015-01-16 17:48:41).

originId

string

The unique identity of the network tunnel.

identity

string

The name of the network tunnel.

identityType

string

The type of identity that made the request. Should always be 'CDFW Tunnel Device'.

direction

string

The direction of the packet. It is destined either towards the internet or to the customer's network.

ipProtocol

int

The actual IP protocol of the traffic. It could be TCP, UDP, ICMP.

packetSize

int

The size of the packet that Umbrella CDFW received.

sourceIp

string

The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.

sourcePort

int

The internal port number of the user-generated traffic towards the CDFW.

destinationIp

string

The destination IP address of the user-generated traffic towards the CDFW.

destinationPort

int

The destination port number of the user-generated traffic towards the CDFW.

dataCenter

string

The name of the Umbrella Data Center that processed the user-generated traffic.

ruleId

string

The ID of the rule that processed the user traffic.

verdict

string

The final verdict whether to allow or block the traffic based on the rule.

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_event_time

timestamp

Panther added standardize event time (UTC)

p_parse_time

timestamp

Panther added standardize log parse time (UTC)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_domain_names

[string]

Panther added field with collection of domain names associated with the row

p_any_sha1_hashes

[string]

Panther added field with collection of SHA1 hashes associated with the row

p_any_md5_hashes

[string]

Panther added field with collection of MD5 hashes associated with the row

p_any_sha256_hashes

[string]

Panther added field with collection of SHA256 hashes of any algorithm associated with the row

CiscoUmbrella.DNS

DNS logs show traffic that has reached our DNS resolvers.

Reference: Cisco documentation on DNS Logs.

Column

Type

Description

timestamp

timestamp

When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone.

policyIdentity

string

The first identity that matched the request.

identities

[string]

All identities associated with this request.

internalIp

string

The internal IP address that made the request.

externalIp

string

The external IP address that made the request.

action

string

Whether the request was allowed or blocked.

queryType

string

The type of DNS request that was made. For more information, see Common DNS Request Types.

responseCode

string

The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).

domain

string

The domain that was requested.

categories

[string]

The security or content categories that the destination matches.

policyIdentityType

string

The first identity type matched with this request. Available in version 3 and above.

identityTypes

[string]

The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.

blockedCategories

[string]

The categories that resulted in the destination being blocked. Available in version 4 and above.

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_event_time

timestamp

Panther added standardize event time (UTC)

p_parse_time

timestamp

Panther added standardize log parse time (UTC)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_domain_names

[string]

Panther added field with collection of domain names associated with the row

p_any_sha1_hashes

[string]

Panther added field with collection of SHA1 hashes associated with the row

p_any_md5_hashes

[string]

Panther added field with collection of MD5 hashes associated with the row

p_any_sha256_hashes

[string]

Panther added field with collection of SHA256 hashes of any algorithm associated with the row

CiscoUmbrella.IP

IP logs show traffic that has been handled by the IP Layer Enforcement feature.

Reference: Cisco documentation on IP Logs.

Column

Type

Description

timestamp

timestamp

The timestamp of the request transaction in UTC (2015-01-16 17:48:41).

identity

string

The first identity that matched the request.

sourceIp

string

The IP of the computer making the request.

sourcePort

int

The port the request was made on.

destinationIp

string

The destination IP requested.

destinationPort

int

The destination port the request was made on.

categories

[string]

Which security categories, if any, matched against the destination IP address/port requested.

identityTypes

[string]

The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_event_time

timestamp

Panther added standardize event time (UTC)

p_parse_time

timestamp

Panther added standardize log parse time (UTC)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_domain_names

[string]

Panther added field with collection of domain names associated with the row

p_any_sha1_hashes

[string]

Panther added field with collection of SHA1 hashes associated with the row

p_any_md5_hashes

[string]

Panther added field with collection of MD5 hashes associated with the row

p_any_sha256_hashes

[string]

Panther added field with collection of SHA256 hashes of any algorithm associated with the row

CiscoUmbrella.Proxy

Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy.

Reference: Cisco documentation on Selection Proxy Logs.

Column

Type

Description

timestamp

timestamp

The timestamp of the request transaction in UTC (2015-01-16 17:48:41).

identity

string

The first identity that matched the request.

identities

[string]

Which identities, in order of granularity, made the request through the intelligent proxy.

internalIp

string

The internal IP address of the computer making the request.

externalIp

string

The egress IP address of the network where the request originated.

destinationIp

string

The destination IP address of the request.

contentType

string

The type of web content, typically text/html.

verdict

string

Whether the destination was blocked or allowed.

url

string

The URL requested.

referrer

string

The referring domain or URL.

userAgent

string

The browser agent that made the request.

statusCode

int

The HTTP status code; should always be 200 or 201.

requestSize

bigint

Request size in bytes.

responseSize

bigint

Response size in bytes.

responseBodySize

bigint

Response body size in bytes.

sha

string

SHA256 hex digest of the response content.

categories

[string]

The security categories for this request, such as Malware.

avDetections

[string]

The detection name according to the antivirus engine used in file inspection.

puas

[string]

A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.

ampDisposition

string

The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.

ampMalwareName

string

If Malicious, the name of the malware according to AMP.

ampScore

string

The score of the malware from AMP. This field is not currently used and will be blank.

identityType

string

The type of identity that made the request. For example, Roaming Computer, Network, and so on.

blockedCategories

[string]

The categories that resulted in the destination being blocked. Available in version 4 and above.

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_event_time

timestamp

Panther added standardize event time (UTC)

p_parse_time

timestamp

Panther added standardize log parse time (UTC)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_domain_names

[string]

Panther added field with collection of domain names associated with the row

p_any_sha1_hashes

[string]

Panther added field with collection of SHA1 hashes associated with the row

p_any_md5_hashes

[string]

Panther added field with collection of MD5 hashes associated with the row

p_any_sha256_hashes

[string]

Panther added field with collection of SHA256 hashes of any algorithm associated with the row

Last updated

Was this helpful?

#1935: [1.78] Add filtering section

Change request updated