Cisco Umbrella
About the Device
Cisco Umbrella provides a first line of defense against threats on the internet. With Umbrella policies you manage users' internet access through category-based content filtering, allow/block lists, block page bypass and SafeSearch enforcement. Umbrella also identifies targeted attacks by comparing your organization's security activity with global security activity, and lets you investigate where on the internet related attacks are likely to emerge. It can block newly detected threats beyond the network perimeter, everywhere your employees work. Cisco integrated technology from across its security portfolio, including capabilities from the Cloud Web Security proxy and Advanced Malware Protection (AMP) file inspection.
Device Information
 Entity | Particulars |
---|---|
Vendor Name | Cisco |
Product Name | Umbrella |
Type of Device | Cloud |
Collection Method
Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method |
---|---|---|---|
Cisco Umbrella DNS | UMBRELLA_DNS | Prop Vendor API - JSON | C2C Storage |
Cisco Umbrella Audit | CISCO_UMBRELLA_AUDIT | | |
Cisco Umbrella Cloud Firewall | UMBRELLA_FIREWALL | | |
Cisco Umbrella Web Proxy | UMBRELLA_WEBPROXY | | |
Cisco Umbrella IP | UMBRELLA_IP | | |
Device Configuration
Cisco Managed Amazon S3:
1. Navigate to Admin > Log Management and select Use a Cisco-managed Amazon S3 bucket.
2. Select a Region and a Retention Duration.
Select a Region: regional endpoints minimize latency when downloading logs to your servers. The regions match those available in Amazon S3; however, not all regions are available (China, for example, is not listed). Select the region closest to you. If you need to change the region later, you must delete the current settings and start over.
Select a Retention Duration: 7, 14 or 30 days. Beyond the selected period all data is purged and cannot be retrieved. A shorter period is recommended if your ingestion cycle is regular. The retention duration can be changed at any time.
3. Click Save and then Continue to confirm your settings.
4. Umbrella activates export to an AWS S3 account. When activation is complete, the Amazon S3 Summary page appears.
5. Copy the credentials from this page and store them in a safe place (a secrets manager, not a wiki page or chat). This is the only time the Access Key and Secret Key are shown to you. These keys are required to access the S3 bucket and download logs; if you lose them, they must be regenerated.
6. Once the keys are copied and safe, check Got it and then click Continue. Continue is unavailable until Got it is checked.
You can turn logging off and on at your convenience. However, logs continue to be purged according to the retention duration, whether or not you are logging new data.
To set up a self-managed Amazon S3 bucket and configure SQS notifications:
NOTE: Adaptive MxDR recommends using a self-managed S3 bucket rather than a Cisco-managed one, and configuring SQS notifications on the self-managed bucket: polling the S3 bucket directly for new objects costs more than consuming SQS notifications, and the Cisco-managed bucket does not support SQS notifications at all.
Prerequisites:
To archive DNS and proxy logs you need the following:
Full administrative access to the Cisco Umbrella dashboard.
A login to the Amazon AWS console (http://aws.amazon.com/console/). If you don't have an account, Amazon provides free signup for S3; a credit card is required in case your usage exceeds the free tier.
A bucket configured in Amazon S3 for storing the logs. Instructions for configuring the S3 bucket are below.
An IAM user with read-only access to the S3 bucket. Access keys for this user are required to fetch logs from the bucket; they are generated as described next.
To create, modify or delete an IAM user's access keys:
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, select Users.
Choose the name of the desired user, then select Security Credentials.
If needed, expand the Access Keys section and do any of the following:
To create an access key, choose Create Access Key, then choose Download Credentials to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location; you will not have access to the secret access key again after this dialog box closes. After downloading the CSV file, choose Close.
AWS documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
To Set up Your Amazon S3 Bucket
Start by signing into the AWS Console and select S3 - Scalable Storage in the Cloud under Storage & Content Delivery.
You should see an introduction screen welcoming you to the Amazon Simple Storage Service.
Click Create Bucket if you don't already have a bucket and want to create one.
Start by entering a Bucket Name.
The bucket name must be globally unique, not just within your AWS account or your Umbrella organization but across all of Amazon S3. Using something specific to your organization, such as my-organization-name-log-bucket, makes it easier to satisfy this requirement. The name must use only lowercase letters, numbers and hyphens, cannot contain spaces, should not contain periods, and must comply with DNS naming conventions. For more information on name restrictions, read: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
For more information on bucket creation, including naming, read: https://docs.aws.amazon.com/AmazonS3/latest/UG/CreatingaBucket.html
Select the required Region based on your location.
Click Create. Next, you need to configure the bucket to accept uploads from the Umbrella service; in S3 this is done with a bucket policy.
Click the newly created bucket to open it.
Then select Properties.
In Properties, select and expand Permissions. In Permissions, click Add bucket policy.
A modal window appears.
At this point, upload the preconfigured bucket policy provided in this article.
Copy the JSON bucket policy below into a text editor or paste it directly into the window, substituting your exact bucket name wherever bucketname appears. The policy grants Cisco's log-writer principal only s3:PutObject on objects plus s3:ListBucket and s3:GetBucketLocation on the bucket, and explicitly denies it s3:GetObject, so Umbrella can write logs into your bucket but cannot read them back.
The bucket name must be exact or the service will not accept the bucket policy, and you will receive the error message "Policy has invalid resource - arn:aws:s3:::bucketname/*".
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::568526795995:user/logs"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::568526795995:user/logs"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::568526795995:user/logs"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::568526795995:user/logs"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname"
    }
  ]
}
Click Save to confirm this change.
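The bucket naming rules and the policy above are easy to get wrong by hand, and the "invalid resource" error is exactly a bucket-name mismatch in the Resource ARNs. The following Python script is added here as an example; it is not part of Cisco's or Accenture's documentation. It validates a candidate bucket name against the rules described above, renders the policy with that name substituted, and runs pre-flight checks: every Resource ARN belongs to the bucket, no statement is open to every principal, and the Umbrella writer is allowed exactly s3:PutObject, s3:ListBucket and s3:GetBucketLocation with an explicit Deny on s3:GetObject. The only deliberate difference from the policy above is that the Sid fields carry descriptive names instead of empty strings. apply_policy() is the one function that talks to AWS and assumes boto3 and valid credentials; my-organization-name-log-bucket is the example name from the text.

```python
"""Render and sanity-check the Cisco Umbrella S3 bucket policy.

Added example, not Cisco's or Accenture's code. The policy mirrors the one
shown above; UMBRELLA_LOG_WRITER is the Cisco-owned principal from that
policy. apply_policy() needs boto3 and AWS credentials; everything else
runs offline.
"""
import json
import re

# Principal Cisco uses to write logs into customer buckets (from the policy above).
UMBRELLA_LOG_WRITER = "arn:aws:iam::568526795995:user/logs"

# Lowercase letters, digits and hyphens only, 3-63 characters, alphanumeric at
# both ends. S3 itself tolerates periods, but the guide above excludes them.
_BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def valid_bucket_name(name: str) -> bool:
    """True if the name satisfies the naming rules the guide describes."""
    return bool(_BUCKET_NAME_RE.match(name))


def render_umbrella_bucket_policy(bucket: str) -> dict:
    """Build the four-statement policy with `bucket` substituted for 'bucketname'."""
    if not valid_bucket_name(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    principal = {"AWS": UMBRELLA_LOG_WRITER}
    return {
        "Version": "2008-10-17",
        "Statement": [
            {"Sid": "UmbrellaPutLogs", "Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObject", "Resource": objects_arn},
            # Umbrella may write logs but must never read them back.
            {"Sid": "UmbrellaNoRead", "Effect": "Deny", "Principal": principal,
             "Action": "s3:GetObject", "Resource": objects_arn},
            {"Sid": "UmbrellaBucketLocation", "Effect": "Allow", "Principal": principal,
             "Action": "s3:GetBucketLocation", "Resource": bucket_arn},
            {"Sid": "UmbrellaListBucket", "Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket", "Resource": bucket_arn},
        ],
    }


def policy_problems(policy: dict, bucket: str) -> list:
    """Pre-flight checks for the mistakes the guide warns about.

    Returns human-readable findings; an empty list means the policy is as expected.
    """
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            # S3 answers "Policy has invalid resource" when an ARN names a
            # bucket other than the one the policy is attached to.
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                problems.append(f"resource {res} does not belong to {bucket_arn}")
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"statement {stmt.get('Sid')!r} is open to any principal")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        (allowed if stmt["Effect"] == "Allow" else denied).update(actions)
    expected_allow = {"s3:PutObject", "s3:GetBucketLocation", "s3:ListBucket"}
    if allowed != expected_allow:
        problems.append(f"unexpected Allow actions: {sorted(allowed ^ expected_allow)}")
    if "s3:GetObject" not in denied:
        problems.append("missing explicit Deny on s3:GetObject for the Umbrella writer")
    return problems


def apply_policy(bucket: str) -> None:
    """Attach the rendered policy to the bucket (requires boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline helpers do not need it
    policy = render_umbrella_bucket_policy(bucket)
    findings = policy_problems(policy, bucket)
    if findings:
        raise RuntimeError("refusing to apply policy: " + "; ".join(findings))
    boto3.client("s3").put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    name = "my-organization-name-log-bucket"  # example name from the guide
    print(json.dumps(render_umbrella_bucket_policy(name), indent=2))
    # Reproduce the mismatch the guide warns about: ARNs for a different bucket.
    print(policy_problems(render_umbrella_bucket_policy("other-bucket"), name))
```

Run it once with the real bucket name before pasting anything into the console; if policy_problems() returns findings, the console will reject the policy or, worse, accept a policy that is broader than intended.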
Attach SQS with S3:
To create an SQS queue and attach it to the S3 bucket, refer to Configuring AWS Simple Queue Service (SQS) with S3 Storage.
Note: Refer to the following page for the IAM user and KMS key policies required for S3, SQS and KMS:
IAM User and KMS Key Policies Required for AWS
Integration parameter details: refer to the following page to obtain credentials for the Chronicle feed.
Get Credentials for AWS Storage
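The SQS attachment and the collector user's IAM policy are delegated to other pages above. The following Python script, added here as an example and not Cisco's, Accenture's or Chronicle's code, shows the three pieces that have to agree: the S3 event notification that targets the queue, the SQS queue policy that lets the S3 service publish to it (restricted with aws:SourceArn and aws:SourceAccount so that only your log bucket, not any bucket in any account, can push messages into the queue), and a least-privilege IAM policy for the user whose access keys go into the Chronicle feed. s3:DeleteObject is granted only when the feed's SOURCE DELETION OPTION is set to delete transferred files, and kms:Decrypt only when the bucket uses SSE-KMS. The account ID 123456789012, the region, and the queue, bucket and user names are placeholders; apply_all() assumes boto3 and valid credentials, everything else runs offline.

```python
"""Connect the Umbrella log bucket to SQS and scope the Chronicle collector user.

Added example, not Cisco's, Accenture's or Chronicle's code. Account ID,
region, queue, bucket and user names are placeholders. The policy builders
and grants() run offline; apply_all() needs boto3 and AWS credentials.
"""
import json


def notification_config(queue_arn: str) -> dict:
    """S3 event notification: one queue message per object Umbrella writes."""
    return {"QueueConfigurations": [{
        "Id": "umbrella-logs-to-sqs",
        "QueueArn": queue_arn,
        "Events": ["s3:ObjectCreated:*"],
    }]}


def queue_policy(queue_arn: str, bucket: str, account_id: str) -> dict:
    """Let the S3 service publish to the queue, but only for this bucket and account.

    Without the Condition block any bucket in any AWS account could push
    messages into the queue and feed the collector attacker-chosen object
    keys (the confused-deputy hole in S3 -> SQS notifications).
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowS3EventsFromUmbrellaBucket",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        "Condition": {
            "ArnEquals": {"aws:SourceArn": f"arn:aws:s3:::{bucket}"},
            "StringEquals": {"aws:SourceAccount": account_id},
        },
    }]}


def collector_user_policy(queue_arn: str, bucket: str,
                          delete_after_transfer: bool = False,
                          kms_key_arn: str = None) -> dict:
    """Least-privilege IAM policy for the user whose access keys go into the feed.

    s3:DeleteObject only when SOURCE DELETION OPTION deletes transferred files;
    kms:Decrypt only for SSE-KMS buckets (the key policy must also allow it).
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_actions = ["s3:GetObject"] + (["s3:DeleteObject"] if delete_after_transfer else [])
    statements = [
        {"Sid": "ListLogBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": bucket_arn},
        {"Sid": "ReadLogObjects", "Effect": "Allow",
         "Action": object_actions, "Resource": f"{bucket_arn}/*"},
        {"Sid": "ConsumeQueue", "Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
         "Resource": queue_arn},
    ]
    if kms_key_arn:
        statements.append({"Sid": "DecryptLogs", "Effect": "Allow",
                           "Action": "kms:Decrypt", "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def grants(policy: dict) -> set:
    """Flatten a policy into {(action, resource)} pairs so a review can diff it."""
    pairs = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        pairs.update((a, r) for a in actions for r in resources)
    return pairs


def apply_all(bucket: str, queue_name: str, account_id: str, region: str,
              user_name: str, delete_after_transfer: bool = False) -> str:
    """Create the queue, attach the queue policy and S3 notification, scope the user.

    Order matters: S3 checks that it may send to the queue when the
    notification is saved, so the queue policy must already be in place.
    """
    import boto3  # imported lazily so the offline helpers do not require it
    queue_arn = f"arn:aws:sqs:{region}:{account_id}:{queue_name}"
    sqs = boto3.client("sqs", region_name=region)
    queue_url = sqs.create_queue(QueueName=queue_name)["QueueUrl"]
    sqs.set_queue_attributes(QueueUrl=queue_url, Attributes={
        "Policy": json.dumps(queue_policy(queue_arn, bucket, account_id))})
    boto3.client("s3").put_bucket_notification_configuration(
        Bucket=bucket, NotificationConfiguration=notification_config(queue_arn))
    boto3.client("iam").put_user_policy(
        UserName=user_name, PolicyName="umbrella-log-collector",
        PolicyDocument=json.dumps(collector_user_policy(queue_arn, bucket, delete_after_transfer)))
    return queue_arn


if __name__ == "__main__":
    arn = "arn:aws:sqs:us-east-1:123456789012:umbrella-logs"  # placeholder ARN
    print(json.dumps(queue_policy(arn, "my-organization-name-log-bucket", "123456789012"), indent=2))
    for action, resource in sorted(grants(collector_user_policy(arn, "my-organization-name-log-bucket"))):
        print(f"{action:28} {resource}")
```

The access keys the feed needs (QUEUE ACCESS KEY ID and QUEUE SECRET ACCESS KEY in the table below) belong to the user scoped by collector_user_policy(); because that user can only read the bucket and consume the queue, a leaked key cannot be used to tamper with or delete logs unless deletion after transfer was explicitly enabled.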
To Verify Your Amazon S3 Bucket
Step 1
Go back to your Umbrella dashboard and navigate to Admin > Log Management.
In Bucket Name, type or paste the exact bucket name you created in S3 and click Verify.
You should receive a confirmation message in your dashboard indicating that the bucket was successfully verified.
If you receive an error indicating that your bucket could not be verified, recheck the bucket name and review the bucket policy, in particular that the bucket name in the policy's Resource ARNs matches exactly. If problems persist, open a case with the support department.
Step 2
As a secondary precaution to ensure the correct bucket was specified, Umbrella asks you to enter a unique activation token. The token is obtained from your S3 bucket: as part of the verification process, Umbrella uploads a file named README_FROM_UMBRELLA.txt to the bucket.
Download the readme file by double-clicking on it and open it in a text editor. The file contains a unique token tying your S3 bucket to your Umbrella dashboard.
You may need to refresh your S3 bucket in the browser to see the README file after it has been uploaded.
Return to the Umbrella dashboard, paste the token into the Token Number field and click Save. At this point the configuration is complete.
Managing the Log Lifecycle
When you're using S3, you can manage the lifecycle of the data within the bucket to control how long logs are retained. Depending on why you are using external log management, the duration could be very short or very long: you may simply download the logs from the S3 bucket after 24 hours and store them offline, or retain the logs indefinitely in the cloud.
By default, Amazon stores the data in a bucket indefinitely, but unlimited storage raises the cost of maintaining the bucket. For more information on S3 lifecycles, read: https://docs.aws.amazon.com/AmazonS3/latest/UG/LifecycleConfiguration.html
To configure the lifecycle of your bucket:
Select Properties and then click Lifecycle.
Click Add a Rule, then apply the rule to the whole bucket (or to a subfolder if you have organized it that way).
Select an Action on Objects, such as Delete or Archive, then select the time period and whether to use Glacier storage to reduce your Amazon costs. Glacier is 'cold' storage: much less expensive, but objects must be restored before they can be read, so do not transition logs to Glacier before Chronicle has ingested them.
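The same lifecycle rule expressed as code, added here as an example and not part of Cisco's or Accenture's documentation. lifecycle_config() builds one rule that moves logs to GLACIER and later expires them (and aborts abandoned multipart uploads, which otherwise bill indefinitely), refusing an expiration that is not later than the transition. storage_class_at() predicts where an object of a given age will be, which is the check to run before enabling the rule: the Glacier transition must be later than the collector's worst-case ingestion lag, because Glacier objects cannot be read without a restore. The 30-day and 365-day values and the "umbrella/" prefix are assumptions; apply_lifecycle() assumes boto3 and valid credentials, the rest runs offline.

```python
"""Build and sanity-check an S3 lifecycle configuration for the Umbrella log bucket.

Added example, not Cisco's or Accenture's code. The 30-day Glacier transition,
365-day expiration and the "umbrella/" prefix are assumptions for illustration.
lifecycle_config() and storage_class_at() run offline; apply_lifecycle() needs
boto3 and AWS credentials.
"""
import json
from typing import Optional


def lifecycle_config(glacier_after_days: int, expire_after_days: int,
                     prefix: str = "") -> dict:
    """One rule: transition logs to GLACIER, expire them later, and abort
    abandoned multipart uploads, which otherwise bill forever and never expire.

    S3 rejects a rule whose expiration is not later than its transition;
    checking here surfaces the mistake before the console does.
    """
    if glacier_after_days < 1 or expire_after_days <= glacier_after_days:
        raise ValueError("expiration must be later than the Glacier transition")
    return {"Rules": [{
        "ID": "umbrella-log-retention",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},  # "" applies the rule to the whole bucket
        "Transitions": [{"Days": glacier_after_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": expire_after_days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }]}


def storage_class_at(config: dict, age_days: int, key: str = "") -> Optional[str]:
    """Predict where an object with this key sits after age_days.

    Returns the storage class, or None once the object has expired. Use it to
    confirm that logs stay in STANDARD (readable without a restore) for longer
    than the collector's worst-case ingestion lag.
    """
    state = "STANDARD"
    for rule in config["Rules"]:
        if rule["Status"] != "Enabled":
            continue
        if not key.startswith(rule.get("Filter", {}).get("Prefix", "")):
            continue
        expire = rule.get("Expiration", {}).get("Days")
        if expire is not None and age_days >= expire:
            return None
        for transition in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
            if age_days >= transition["Days"]:
                state = transition["StorageClass"]
    return state


def apply_lifecycle(bucket: str, config: dict) -> None:
    """Write the configuration to the bucket (requires boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline helpers do not require it
    boto3.client("s3").put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=config)


if __name__ == "__main__":
    cfg = lifecycle_config(30, 365, prefix="umbrella/")
    print(json.dumps(cfg, indent=2))
    for age in (1, 30, 200, 365):
        print(age, storage_class_at(cfg, age, key="umbrella/example.csv.gz"))
```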
Device configuration for Log collection
Refer to the following link for the vendor's documentation of the device configuration for log collection.
https://support.umbrella.com/hc/en-us/articles/231248448-Cisco-Umbrella-Log-Management-in-Amazon-S3
Integration Parameters
Parameters required from the customer for integration.
SQS:
Property | Required | Description |
---|---|---|
REGION | Yes | The region of your S3 bucket. |
QUEUE NAME | Yes | The SQS queue name. |
ACCOUNT NUMBER | Yes | The AWS account number that owns the SQS queue and S3 bucket. |
QUEUE ACCESS KEY ID | Yes | The 20-character access key ID of the IAM user that reads the queue. |
QUEUE SECRET ACCESS KEY | Yes | The 40-character secret access key of that IAM user. |
SOURCE DELETION OPTION | Yes | Whether to delete source files after they have been transferred to Chronicle; this reduces storage costs. Valid values are listed in the Chronicle feed configuration. |
S3 BUCKET ACCESS KEY ID | No | The 20-character access key ID of the IAM user that reads the bucket. Only specify if a different access key is used for the S3 bucket. |
S3 BUCKET SECRET ACCESS KEY | No | The 40-character secret access key of that user. Only specify if a different access key is used for the S3 bucket. |
ASSET NAMESPACE | No | To assign an asset namespace to all events ingested from this feed, set this field to the desired namespace. |
S3:
Property | Required | Description |
---|---|---|
REGION | Yes | Region of your S3 storage. |
S3 URI | Yes | URI of the S3 location. For example: s3://cs-prod-cannon-000ca8016/<datapath> |
URI IS A | Yes | The type of object the URI points to. For example: Single File |
SOURCE DELETION OPTION | Yes | Whether to delete the file at source after transferring. For example: Never Delete File |
About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.
About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.