Cisco Umbrella Logs
Connecting Cisco Umbrella logs to your Panther Console
Overview
Panther supports ingesting Cisco Umbrella logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Cisco Umbrella logs to Panther
To connect these logs into Panther:
Set up your Data Transport in the Panther Console.
Follow Panther's documentation for configuring the Data Transport option you will use (S3 or SQS).
Configure Cisco Umbrella to push logs to the Data Transport source.
See Cisco's documentation for instructions on pushing logs to your selected Data Transport source.
Panther-built Detections
See Panther's built-in detections for Cisco Umbrella in panther-analysis on GitHub.
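As an added example (not one of the panther-analysis detections linked above, and not Panther's own code), the following Python rule follows the Panther rule contract of module-level rule, title, severity and dedup functions that receive the parsed event, here a CiscoUmbrella.DNS row with the fields documented in the schema below. It alerts only when Umbrella blocked the request for a security category, falls back from the version-4 blockedCategories field to categories on older log versions, and deduplicates per identity and domain so a beaconing host produces one alert. The category names, the severity split and the sample events are assumptions constructed for illustration.

```python
"""Panther-style rule: Umbrella DNS request blocked for a security category.

Added example, not one of the panther-analysis detections. It follows the
Panther rule contract (module-level rule/title/severity/dedup functions that
receive the parsed event) and reads only CiscoUmbrella.DNS fields.
The category names and the sample events are assumed/constructed.
"""

# Umbrella security categories that should page someone; content-policy blocks
# such as "Social Networking" are deliberately excluded. Assumed names.
SECURITY_CATEGORIES = {
    "malware",
    "command and control",
    "phishing",
    "cryptomining",
    "newly seen domains",
}
PAGE_NOW = {"malware", "command and control"}


def _blocked_security_categories(event):
    """Security categories that caused this request to be blocked.

    Log version 4 populates blockedCategories; versions 2 and 3 do not, so
    fall back to the full categories list when that field is missing/empty.
    """
    if (event.get("action") or "").lower() != "blocked":
        return set()
    cats = event.get("blockedCategories") or event.get("categories") or []
    return {c.strip() for c in cats if c.strip().lower() in SECURITY_CATEGORIES}


def rule(event):
    return bool(_blocked_security_categories(event))


def title(event):
    cats = ", ".join(sorted(_blocked_security_categories(event)))
    return (
        f"Umbrella blocked {event.get('domain')} for [{cats}] "
        f"from {event.get('policyIdentity')} ({event.get('internalIp')})"
    )


def severity(event):
    hits = {c.lower() for c in _blocked_security_categories(event)}
    return "HIGH" if hits & PAGE_NOW else "MEDIUM"


def dedup(event):
    # One alert per identity/domain pair: a beaconing host may retry the same
    # C2 domain thousands of times inside the dedup window.
    return f"{event.get('policyIdentity')}:{event.get('domain')}"


# Constructed sample events shaped like parsed CiscoUmbrella.DNS rows.
SAMPLE_V4_C2_BLOCK = {
    "timestamp": "2024-05-01 10:00:00",
    "policyIdentity": "LAPTOP-7F3",
    "identities": ["LAPTOP-7F3", "Corp Network"],
    "internalIp": "10.10.1.100",
    "externalIp": "203.0.113.7",
    "action": "Blocked",
    "queryType": "1 (A)",
    "responseCode": "NOERROR",
    "domain": "c2.example.",
    "categories": ["Command and Control", "Newly Seen Domains"],
    "policyIdentityType": "Roaming Computers",
    "identityTypes": ["Roaming Computers", "Networks"],
    "blockedCategories": ["Command and Control"],
}
SAMPLE_V4_POLICY_BLOCK = dict(
    SAMPLE_V4_C2_BLOCK,
    domain="social.example.",
    categories=["Social Networking"],
    blockedCategories=["Social Networking"],
)
SAMPLE_V2_PHISH_BLOCK = {  # version 2 rows carry no blockedCategories field at all
    "timestamp": "2024-05-01 10:00:01",
    "policyIdentity": "Corp Network",
    "identities": ["Corp Network"],
    "internalIp": "10.10.1.101",
    "externalIp": "203.0.113.7",
    "action": "Blocked",
    "queryType": "1 (A)",
    "responseCode": "NOERROR",
    "domain": "login-verify.example.",
    "categories": ["Phishing"],
}


def evaluate(events):
    """Run the rule over a list of events; return (title, severity, dedup) per alert."""
    return [(title(e), severity(e), dedup(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert in evaluate([SAMPLE_V4_C2_BLOCK, SAMPLE_V4_POLICY_BLOCK, SAMPLE_V2_PHISH_BLOCK]):
        print(alert)
```

In a real rule file the four module-level functions are all Panther needs; the evaluate helper and the sample rows only exist so the block runs stand-alone.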
Supported log types
CiscoUmbrella.CloudFirewall
Cloud Firewall logs show traffic that has been handled by network tunnels.
Reference: Cisco documentation on Log Formats and Versioning
```yaml
schema: CiscoUmbrella.CloudFirewall
description: Cloud Firewall logs show traffic that has been handled by network tunnels.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs
fields:
  - name: timestamp
    required: true
    description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S'
    isEventTime: true
  - name: originId
    description: The unique identity of the network tunnel.
    type: string
  - name: identity
    description: The name of the network tunnel.
    type: string
  - name: identityType
    description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'.
    type: string
  - name: direction
    description: The direction of the packet. It is destined either towards the internet or to the customer's network.
    type: string
  - name: ipProtocol
    description: The IP protocol of the traffic as its IANA protocol number, e.g. 6 (TCP), 17 (UDP) or 1 (ICMP).
    type: bigint
  - name: packetSize
    description: The size of the packet that Umbrella CDFW received.
    type: bigint
  - name: sourceIp
    description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
    type: string
    indicators:
      - ip
  - name: sourcePort
    description: The internal port number of the user-generated traffic towards the CDFW.
    type: int
  - name: destinationIp
    description: The destination IP address of the user-generated traffic towards the CDFW.
    type: string
    indicators:
      - ip
  - name: destinationPort
    description: The destination port number of the user-generated traffic towards the CDFW.
    type: int
  - name: dataCenter
    description: The name of the Umbrella Data Center that processed the user-generated traffic.
    type: string
  - name: ruleId
    description: The ID of the rule that processed the user traffic.
    type: string
  - name: verdict
    description: The final verdict whether to allow or block the traffic based on the rule.
    type: string
```
CiscoUmbrella.DNS
DNS logs show traffic that has reached Umbrella's DNS resolvers.
Reference: Cisco documentation on DNS Logs.
```yaml
schema: CiscoUmbrella.DNS
description: DNS logs show traffic that has reached Umbrella's DNS resolvers.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs
fields:
  - name: timestamp
    required: true
    description: When this request was made in UTC. This is different from the Umbrella dashboard, which converts the time to your specified time zone.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S'
    isEventTime: true
  - name: policyIdentity
    description: The first identity that matched the request in order of granularity.
    type: string
  - name: identities
    description: All identities associated with this request.
    type: array
    element:
      type: string
  - name: internalIp
    description: The internal IP address that made the request.
    type: string
    indicators:
      - ip
  - name: externalIp
    description: The external IP address that made the request.
    type: string
    indicators:
      - ip
  - name: action
    description: Whether the request was allowed or blocked.
    type: string
  - name: queryType
    description: The type of DNS request that was made. For more information, see Common DNS Request Types.
    type: string
  - name: responseCode
    description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
    type: string
  - name: domain
    description: The domain that was requested.
    type: string
    indicators:
      - domain
  - name: categories
    description: The security or content categories that the destination matches.
    type: array
    element:
      type: string
  - name: policyIdentityType
    description: The first identity type matched with this request in order of granularity. Available in version 3 and above.
    type: string
  - name: identityTypes
    description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
    type: array
    element:
      type: string
  - name: blockedCategories
    description: The categories that resulted in the destination being blocked. Available in version 4 and above.
    type: array
    element:
      type: string
```
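Umbrella delivers these logs to the Data Transport bucket as gzipped CSV, one request per line, and the schema above lists the fields in the order the columns arrive. The parser below, an added example that is not Panther's own code, maps a raw line onto those field names with the types the schema declares and handles the version differences the field descriptions mention: 10 columns for a version 2 line, 12 once version 3 appends policyIdentityType and identityTypes, 13 once version 4 appends blockedCategories. Those column counts, the strict rejection of any other width, and the sample lines are assumptions constructed for illustration.

```python
"""Parse raw Cisco Umbrella DNS log lines (the CSV Umbrella writes to S3)
into the CiscoUmbrella.DNS field names above.

Added example, not Panther's parser. Assumptions: the CSV columns arrive in
the order the schema lists them; a version 2 line has 10 columns, version 3
appends policyIdentityType and identityTypes (12), version 4 appends
blockedCategories (13). The sample lines are constructed.
"""
import csv
import io
from datetime import datetime, timezone

FIELDS_V2 = [
    "timestamp", "policyIdentity", "identities", "internalIp", "externalIp",
    "action", "queryType", "responseCode", "domain", "categories",
]
FIELDS_V3 = FIELDS_V2 + ["policyIdentityType", "identityTypes"]
FIELDS_V4 = FIELDS_V3 + ["blockedCategories"]
LAYOUTS = {len(f): f for f in (FIELDS_V2, FIELDS_V3, FIELDS_V4)}

# Fields Umbrella writes as a single quoted, comma-separated value.
ARRAY_FIELDS = {"identities", "categories", "identityTypes", "blockedCategories"}


def parse_dns_line(line: str) -> dict:
    """Map one CSV line to schema field names, typed the way the schema declares."""
    cols = next(csv.reader(io.StringIO(line)))
    names = LAYOUTS.get(len(cols))
    if names is None:
        # Refuse to guess: a silently mis-aligned row would put the domain in
        # the wrong field and break every detection keyed on it.
        raise ValueError(f"unexpected column count {len(cols)}; known: {sorted(LAYOUTS)}")
    event = {}
    for name, raw in zip(names, cols):
        if name in ARRAY_FIELDS:
            # An empty string becomes [] rather than [""] so "no blocked
            # categories" tests false downstream.
            event[name] = [v.strip() for v in raw.split(",") if v.strip()]
        elif name == "timestamp":
            # Umbrella writes UTC with no offset; attach it explicitly so later
            # code cannot reinterpret the value in local time.
            event[name] = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        else:
            event[name] = raw
    return event


def parse_dns_file(text: str) -> list:
    """Parse a whole (already gunzipped) log file, skipping blank lines."""
    return [parse_dns_line(row) for row in text.splitlines() if row.strip()]


# Constructed sample lines in the version 4 (13 columns) and version 2 (10 columns) layouts.
SAMPLE_V4 = (
    '"2024-05-01 10:00:00","LAPTOP-7F3","LAPTOP-7F3,Corp Network","10.10.1.100",'
    '"203.0.113.7","Blocked","1 (A)","NOERROR","c2.example.",'
    '"Command and Control,Newly Seen Domains","Roaming Computers",'
    '"Roaming Computers,Networks","Command and Control"'
)
SAMPLE_V2 = (
    '"2024-05-01 10:00:01","Corp Network","Corp Network","10.10.1.101",'
    '"203.0.113.7","Allowed","28 (AAAA)","NOERROR","www.example.com.","Business Services"'
)

if __name__ == "__main__":
    for ev in parse_dns_file("\n".join([SAMPLE_V4, SAMPLE_V2])):
        print(ev)
```

Note that the domain keeps Umbrella's trailing dot (the absolute FQDN form); matching logic that compares against threat lists should normalise one side or the other rather than assume the dot is absent.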
CiscoUmbrella.IP
IP logs show traffic that has been handled by the IP Layer Enforcement feature.
Reference: Cisco documentation on IP Logs.
```yaml
schema: CiscoUmbrella.IP
description: IP logs show traffic that has been handled by the IP Layer Enforcement feature.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs
fields:
  - name: timestamp
    required: true
    description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S'
    isEventTime: true
  - name: identity
    description: The first identity that matched the request.
    type: string
  - name: sourceIp
    description: The IP of the computer making the request.
    type: string
    indicators:
      - ip
  - name: sourcePort
    description: The port the request was made on.
    type: int
  - name: destinationIp
    description: The destination IP requested.
    type: string
    indicators:
      - ip
  - name: destinationPort
    description: The destination port the request was made on.
    type: int
  - name: categories
    description: Which security categories, if any, matched against the destination IP address/port requested.
    type: array
    element:
      type: string
  - name: identityTypes
    description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
    type: array
    element:
      type: string
```
CiscoUmbrella.Proxy
Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy.
Reference: Cisco documentation on Proxy Logs.
```yaml
schema: CiscoUmbrella.Proxy
description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs
fields:
  - name: timestamp
    description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S'
    isEventTime: true
  - name: identity
    description: The first identity that matched the request.
    type: string
  - name: identities
    description: Which identities, in order of granularity, made the request through the intelligent proxy.
    type: array
    element:
      type: string
  - name: internalIp
    description: The internal IP address of the computer making the request.
    type: string
    indicators:
      - ip
  - name: externalIp
    description: The egress IP address of the network where the request originated.
    type: string
    indicators:
      - ip
  - name: destinationIp
    description: The destination IP address of the request.
    type: string
    indicators:
      - ip
  - name: contentType
    description: The type of web content, typically text/html.
    type: string
  - name: verdict
    description: Whether the destination was blocked or allowed.
    type: string
  - name: url
    description: The URL requested.
    type: string
    indicators:
      - url
  - name: referrer
    description: The referring domain or URL.
    type: string
    indicators:
      - url
      - hostname
  - name: userAgent
    description: The browser agent that made the request.
    type: string
  - name: statusCode
    description: The HTTP status code; should always be 200 or 201.
    type: int
  - name: requestSize
    description: Request size in bytes.
    type: bigint
  - name: responseSize
    description: Response size in bytes.
    type: bigint
  - name: responseBodySize
    description: Response body size in bytes.
    type: bigint
  - name: sha
    description: SHA256 hex digest of the response content.
    type: string
    indicators:
      - sha256
  - name: categories
    description: The security categories for this request, such as Malware.
    type: array
    element:
      type: string
  - name: avDetections
    description: The detection name according to the antivirus engine used in file inspection.
    type: array
    element:
      type: string
  - name: puas
    description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
    type: array
    element:
      type: string
  - name: ampDisposition
    description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
    type: string
  - name: ampMalwareName
    description: If Malicious, the name of the malware according to AMP.
    type: string
  - name: ampScore
    description: The score of the malware from AMP. This field is not currently used and will be blank.
    type: string
  - name: identityType
    description: The type of identity that made the request. For example, Roaming Computer, Network, and so on.
    type: string
  - name: blockedCategories
    description: The categories that resulted in the destination being blocked. Available in version 4 and above.
    type: array
    element:
      type: string
```
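The file-inspection fields above (ampDisposition, ampMalwareName, avDetections, puas, sha) interact with verdict in a way a category-based DNS rule does not: a Malicious disposition on a request the proxy still allowed means the file reached the endpoint, while the same disposition on a blocked request was stopped at the gateway. The added example below (not one of the panther-analysis detections and not Panther's code) is a Panther-style rule that alerts on AMP or antivirus malware verdicts, treats Unknown as "no verdict" rather than clean, never reads the documented-as-blank ampScore, sets severity from the proxy verdict, and deduplicates on the response SHA256 so one file fetched repeatedly yields one alert. The sample events are constructed.

```python
"""Panther-style rule: Umbrella proxy file inspection returned a malware verdict.

Added example, not one of the panther-analysis detections. It follows the
Panther rule contract (rule/title/severity/dedup) and reads only the
CiscoUmbrella.Proxy fields documented above. Sample events are constructed.
"""


def _malware_verdicts(event):
    """Engine verdicts saying the proxied file is malicious.

    ampDisposition "Unknown" means AMP had no opinion, not that the file is
    clean, so it is not a detection; PUA-only results are left to a separate,
    lower-severity rule. ampScore is documented as always blank and is never read.
    """
    verdicts = []
    if (event.get("ampDisposition") or "").lower() == "malicious":
        verdicts.append("AMP:" + (event.get("ampMalwareName") or "unnamed"))
    verdicts.extend("AV:" + name for name in (event.get("avDetections") or []) if name)
    return verdicts


def rule(event):
    return bool(_malware_verdicts(event))


def severity(event):
    # A malicious file the proxy still ALLOWED reached the endpoint; a BLOCKED
    # one was stopped at the gateway and only needs follow-up on the source.
    return "CRITICAL" if (event.get("verdict") or "").lower() == "allowed" else "HIGH"


def title(event):
    return (
        f"Umbrella SWG {(event.get('verdict') or 'handled').lower()} a malicious file for "
        f"{event.get('identity')}: {', '.join(_malware_verdicts(event))} from {event.get('url')}"
    )


def dedup(event):
    # The same file fetched from mirrors or retried by a downloader collapses
    # into one alert; fall back to the URL when no hash was computed.
    return event.get("sha") or event.get("url") or "unknown"


# Constructed sample events shaped like parsed CiscoUmbrella.Proxy rows.
SAMPLE_BLOCKED = {
    "timestamp": "2024-05-01 10:05:00",
    "identity": "LAPTOP-7F3",
    "identities": ["LAPTOP-7F3", "Corp Network"],
    "internalIp": "10.10.1.100",
    "externalIp": "203.0.113.7",
    "destinationIp": "198.51.100.20",
    "contentType": "application/octet-stream",
    "verdict": "BLOCKED",
    "url": "http://files.example/invoice.exe",
    "statusCode": 200,
    "responseBodySize": 481280,
    "sha": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "categories": ["Malware"],
    "avDetections": ["Trojan.GenericKD.123"],
    "puas": [],
    "ampDisposition": "Malicious",
    "ampMalwareName": "W32.Generic",
    "ampScore": "",
}
# AMP had no verdict and AV found nothing: not an alert, even though it was allowed.
SAMPLE_ALLOWED_UNKNOWN = dict(
    SAMPLE_BLOCKED, verdict="ALLOWED", avDetections=[], ampDisposition="Unknown", ampMalwareName=""
)
# AMP said Clean but the AV engine flagged it and the proxy let it through.
SAMPLE_ALLOWED_AV_ONLY = dict(
    SAMPLE_BLOCKED, verdict="ALLOWED", ampDisposition="Clean", ampMalwareName=""
)


def evaluate(events):
    """Run the rule over a list of events; return (severity, dedup, title) per alert."""
    return [(severity(e), dedup(e), title(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert in evaluate([SAMPLE_BLOCKED, SAMPLE_ALLOWED_UNKNOWN, SAMPLE_ALLOWED_AV_ONLY]):
        print(alert)
```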