Cisco Umbrella Logs

Connecting Cisco Umbrella logs to your Panther Console

Overview

Panther supports ingesting Cisco Umbrella logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Cisco Umbrella logs to Panther

To connect these logs into Panther:

Set up your Data Transport in the Panther Console.
- Follow Panther’s documentation for configuring the Data Transport option you will use:
  - AWS S3 bucket
  - AWS SQS
Configure Cisco Umbrella to push logs to the Data Transport source.
- See Cisco's documentation for instructions on pushing logs to your selected Data Transport source.

Panther-built Detections

See Panther's built in detections for Cisco Umbrella in panther-analysis on Github.

Supported log types

CiscoUmbrella.CloudFirewall

Cloud Firewall logs show traffic that has been handled by network tunnels.

Reference: Cisco documentation on Log Formats and Versioning

schema: CiscoUmbrella.CloudFirewall
description: Cloud Firewall logs show traffic that has been handled by network tunnels.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs
fields:
    - name: timestamp
      required: true
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: originId
      description: The unique identity of the network tunnel.
      type: string
    - name: identity
      description: The name of the network tunnel.
      type: string
    - name: identityType
      description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'.
      type: string
    - name: direction
      description: The direction of the packet. It is destined either towards the internet or to the customer's network.
      type: string
    - name: ipProtocol
      description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP.
      type: bigint
    - name: packetSize
      description: The size of the packet that Umbrella CDFW received.
      type: bigint
    - name: sourceIp
      description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
      type: string
      indicators:
        - ip
    - name: sourcePort
      description: The internal port number of the user-generated traffic towards the CDFW.
      type: int
    - name: destinationIp
      description: The destination IP address of the user-generated traffic towards the CDFW.
      type: string
      indicators:
        - ip
    - name: destinationPort
      description: The destination port number of the user-generated traffic towards the CDFW.
      type: int
    - name: dataCenter
      description: The name of the Umbrella Data Center that processed the user-generated traffic.
      type: string
    - name: ruleId
      description: The ID of the rule that processed the user traffic.
      type: string
    - name: verdict
      description: The final verdict whether to allow or block the traffic based on the rule.
      type: string

CiscoUmbrella.DNS

DNS logs show traffic that has reached our DNS resolvers.

Reference: Cisco documentation on DNS Logs.

schema: CiscoUmbrella.DNS
description: DNS logs show traffic that has reached our DNS resolvers.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs
fields:
    - name: timestamp
      required: true
      description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: policyIdentity
      description: The first identity that matched the request in order of granularity.
      type: string
    - name: identities
      description: All identities associated with this request.
      type: array
      element:
        type: string
    - name: internalIp
      description: The internal IP address that made the request.
      type: string
      indicators:
        - ip
    - name: externalIp
      description: The external IP address that made the request.
      type: string
      indicators:
        - ip
    - name: action
      description: Whether the request was allowed or blocked.
      type: string
    - name: queryType
      description: The type of DNS request that was made. For more information, see Common DNS Request Types.
      type: string
    - name: responseCode
      description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
      type: string
    - name: domain
      description: The domain that was requested.
      type: string
      indicators:
        - domain
    - name: categories
      description: The security or content categories that the destination matches.
      type: array
      element:
        type: string
    - name: policyIdentityType
      description: The first identity type matched with this request in order of granularity. Available in version 3 and above.
      type: string
    - name: identityTypes
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
      type: array
      element:
        type: string
    - name: blockedCategories
      description: The categories that resulted in the destination being blocked. Available in version 4 and above.
      type: array
      element:
        type: string

CiscoUmbrella.IP

IP logs show traffic that has been handled by the IP Layer Enforcement feature.

Reference: Cisco documentation on IP Logs.

schema: CiscoUmbrella.IP
description: IP logs show traffic that has been handled by the IP Layer Enforcement feature.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs
fields:
    - name: timestamp
      required: true
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: identity
      description: The first identity that matched the request.
      type: string
    - name: sourceIp
      description: The IP of the computer making the request.
      type: string
      indicators:
        - ip
    - name: sourcePort
      description: The port the request was made on.
      type: int
    - name: destinationIp
      description: The destination IP requested.
      type: string
      indicators:
        - ip
    - name: destinationPort
      description: The destination port the request was made on.
      type: int
    - name: categories
      description: Which security categories, if any, matched against the destination IP address/port requested.
      type: array
      element:
        type: string
    - name: identityTypes
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
      type: array
      element:
        type: string

CiscoUmbrella.Proxy

Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway (SWG) or the Selective Proxy.

Reference: Cisco documentation on Selection Proxy Logs.

schema: CiscoUmbrella.Proxy
description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy.
referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs
fields:
    - name: timestamp
      description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S'
      isEventTime: true
    - name: identity
      description: The first identity that matched the request.
      type: string
    - name: identities
      description: Which identities, in order of granularity, made the request through the intelligent proxy.
      type: array
      element:
        type: string
    - name: internalIp
      description: The internal IP address of the computer making the request.
      type: string
      indicators:
        - ip
    - name: externalIp
      description: The egress IP address of the network where the request originated.
      type: string
      indicators:
        - ip
    - name: destinationIp
      description: The destination IP address of the request.
      type: string
      indicators:
        - ip
    - name: contentType
      description: The type of web content, typically text/html.
      type: string
    - name: verdict
      description: Whether the destination was blocked or allowed.
      type: string
    - name: url
      description: The URL requested.
      type: string
      indicators:
        - url
    - name: referrer
      description: The referring domain or URL.
      type: string
      indicators:
        - url
        - hostname
    - name: userAgent
      description: The browser agent that made the request.
      type: string
    - name: statusCode
      description: The HTTP status code; should always be 200 or 201.
      type: int
    - name: requestSize
      description: Request size in bytes.
      type: bigint
    - name: responseSize
      description: Response size in bytes.
      type: bigint
    - name: responseBodySize
      description: Response body size in bytes.
      type: bigint
    - name: sha
      description: SHA256 hex digest of the response content.
      type: string
      indicators:
        - sha256
    - name: categories
      description: The security categories for this request, such as Malware.
      type: array
      element:
        type: string
    - name: avDetections
      description: The detection name according to the antivirus engine used in file inspection.
      type: array
      element:
        type: string
    - name: puas
      description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
      type: array
      element:
        type: string
    - name: ampDisposition
      description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
      type: string
    - name: ampMalwareName
      description: If Malicious, the name of the malware according to AMP.
      type: string
    - name: ampScore
      description: The score of the malware from AMP. This field is not currently used and will be blank.
      type: string
    - name: identityType
      description: The type of identity that made the request. For example, Roaming Computer, Network, and so on.
      type: string
    - name: blockedCategories
      description: The categories that resulted in the destination being blocked. Available in version 4 and above.
      type: array
      element:
        type: string

PreviousCarbon Black Logs (Beta)NextCloudflare Logs

Last updated 2 years ago

Was this helpful?

schema: CiscoUmbrella.CloudFirewall description: Cloud Firewall logs show traffic that has been handled by network tunnels. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs fields: - name: timestamp required: true description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: originId description: The unique identity of the network tunnel. type: string - name: identity description: The name of the network tunnel. type: string - name: identityType description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'. type: string - name: direction description: The direction of the packet. It is destined either towards the internet or to the customer's network. type: string - name: ipProtocol description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP. type: bigint - name: packetSize description: The size of the packet that Umbrella CDFW received. type: bigint - name: sourceIp description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address. type: string indicators: - ip - name: sourcePort description: The internal port number of the user-generated traffic towards the CDFW. type: int - name: destinationIp description: The destination IP address of the user-generated traffic towards the CDFW. type: string indicators: - ip - name: destinationPort description: The destination port number of the user-generated traffic towards the CDFW. type: int - name: dataCenter description: The name of the Umbrella Data Center that processed the user-generated traffic. type: string - name: ruleId description: The ID of the rule that processed the user traffic. type: string - name: verdict description: The final verdict whether to allow or block the traffic based on the rule. type: string

schema: CiscoUmbrella.DNS description: DNS logs show traffic that has reached our DNS resolvers. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs fields: - name: timestamp required: true description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone. type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: policyIdentity description: The first identity that matched the request in order of granularity. type: string - name: identities description: All identities associated with this request. type: array element: type: string - name: internalIp description: The internal IP address that made the request. type: string indicators: - ip - name: externalIp description: The external IP address that made the request. type: string indicators: - ip - name: action description: Whether the request was allowed or blocked. type: string - name: queryType description: The type of DNS request that was made. For more information, see Common DNS Request Types. type: string - name: responseCode description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). type: string - name: domain description: The domain that was requested. type: string indicators: - domain - name: categories description: The security or content categories that the destination matches. type: array element: type: string - name: policyIdentityType description: The first identity type matched with this request in order of granularity. Available in version 3 and above. type: string - name: identityTypes description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. type: array element: type: string - name: blockedCategories description: The categories that resulted in the destination being blocked. Available in version 4 and above. type: array element: type: string

schema: CiscoUmbrella.Proxy description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy. referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs fields: - name: timestamp description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). type: timestamp timeFormats: - '%Y-%m-%d %H:%M:%S' isEventTime: true - name: identity description: The first identity that matched the request. type: string - name: identities description: Which identities, in order of granularity, made the request through the intelligent proxy. type: array element: type: string - name: internalIp description: The internal IP address of the computer making the request. type: string indicators: - ip - name: externalIp description: The egress IP address of the network where the request originated. type: string indicators: - ip - name: destinationIp description: The destination IP address of the request. type: string indicators: - ip - name: contentType description: The type of web content, typically text/html. type: string - name: verdict description: Whether the destination was blocked or allowed. type: string - name: url description: The URL requested. type: string indicators: - url - name: referrer description: The referring domain or URL. type: string indicators: - url - hostname - name: userAgent description: The browser agent that made the request. type: string - name: statusCode description: The HTTP status code; should always be 200 or 201. type: int - name: requestSize description: Request size in bytes. type: bigint - name: responseSize description: Response size in bytes. type: bigint - name: responseBodySize description: Response body size in bytes. type: bigint - name: sha description: SHA256 hex digest of the response content. type: string indicators: - sha256 - name: categories description: The security categories for this request, such as Malware. type: array element: type: string - name: avDetections description: The detection name according to the antivirus engine used in file inspection. type: array element: type: string - name: puas description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. type: array element: type: string - name: ampDisposition description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. type: string - name: ampMalwareName description: If Malicious, the name of the malware according to AMP. type: string - name: ampScore description: The score of the malware from AMP. This field is not currently used and will be blank. type: string - name: identityType description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. type: string - name: blockedCategories description: The categories that resulted in the destination being blocked. Available in version 4 and above. type: array element: type: string