Cisco Umbrella

About the Device

Cisco Umbrella provides the first line of defense against threats on the internet. With Cisco Umbrella policies, you can effectively manage your users' internet access through category-based content filtering, allow/block lists, block page bypass, and SafeSearch browsing enforcement. It also helps you identify targeted attacks by comparing your security activity to the world's security activity, then investigate where on the Internet related attacks will emerge. Cisco Umbrella gives you the power to block newly detected threats beyond the network perimeter, everywhere your employees work. Cisco integrated technology from across the Cisco security portfolio, including capabilities from the Cloud Web Security proxy and the Advanced Malware Protection (AMP) file inspection.

Device Information

| Entity | Particulars |
|---|---|
| Vendor Name | Cisco |
| Product Name | Umbrella |
| Type of Device | Cloud |

Collection Method

| Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method |
|---|---|---|---|
| Cisco Umbrella DNS | UMBRELLA_DNS | Prop Vendor API - JSON | C2C Storage |
| Cisco Umbrella Audit | CISCO_UMBRELLA_AUDIT | | |
| Cisco Umbrella Cloud Firewall | UMBRELLA_FIREWALL | | |
| Cisco Umbrella Web Proxy | UMBRELLA_WEBPROXY | | |
| Cisco Umbrella IP | UMBRELLA_IP | | |

Device Configuration

Cisco Managed Amazon-S3:

 1. Navigate to Admin > Log Management and select Use your company-managed Amazon S3 bucket.


2. Select a Region and a Retention Duration.


Select a Region—Regional endpoints are important to minimize latency when downloading logs to your servers. The regions match those available in Amazon S3; however, not all regions are available. For example, China is not listed.
Select the region that's closest to you. If you wish to change your region in the future, you will need to delete your current settings and start over.
Select a Retention Duration—Select 7, 14, or 30 days. Beyond the selected time period, all data will be purged and cannot be retrieved. We recommend a smaller time period if your ingestion cycle is regular. The retention duration can be changed at any time.

  3. Click Save and then Continue to confirm your settings.

Umbrella activates its ability to export to an AWS S3 account. When activation is complete, the Amazon S3 Summary page appears.

  4. Copy credentials from this page and store them in a safe place. These are the only instances when the Access and Secret keys will be provided to you. These keys are required to access your S3 bucket and download logs. If you lose these keys, they must be regenerated.

  5. Once keys are copied and safe, check Got it and then click Continue.

Continue is unavailable until you check Got it.

You can turn logging off and on at your convenience. However, logs will continue to be purged based on your retention duration, whether or not you are continuing to log new data.

To Set up a self-managed Amazon bucket in S3

Prerequisites:

To archive DNS and Proxy logs, you must meet the following requirements:

To fetch logs from the S3 bucket, access keys must be generated for the IAM user.

To create, modify, or delete an IAM user's access keys

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, select Users.

  3. Choose the name of the desired user, and then select the Security Credentials tab.

  4. If needed, expand the Access Keys section and do any of the following:

    • To create an access key, choose Create Access Key. Then choose Download Credentials to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the CSV file, choose Close.

AWS Documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

 To Set up Your Amazon S3 Bucket

  1. Start by signing into the AWS Console, and select S3 - Scalable Storage in the Cloud in Storage & Content Delivery.

You should see an introduction screen welcoming you to the Amazon Simple Storage System.

  2. Click Create Bucket, if you don't already have a bucket and you want to create one.

  3. Start by entering a Bucket Name.
    The bucket name must be universally unique—not just to your AWS or your Umbrella, but to all of Amazon AWS. Using something personal, such as my-organization-name-log-bucket, can help you satisfy the requirement for a universally unique bucket name. The bucket name must only use lowercase letters, cannot contain spaces or periods, and must comply with DNS naming conventions.

    For more information on name restrictions, read here: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html

    For more information on bucket creation, including naming, read here: 

  4. Select the required Region based on your location.

  5. Click Create. Next, you will need to configure the bucket to accept uploads from the Umbrella Service. In S3, this is referred to as a bucket policy.

  6. Click the newly created bucket to open it.

  7. Then select Properties.

  8. In Properties, select and expand Permissions. In Permissions, click Add bucket policy.

A modal window appears.

  9. At this point, you'll want to upload the preconfigured bucket policy provided in this article.

  10. Copy and paste the JSON string below, which contains the bucket policy, to a text editor or simply paste it into the window. Substitute your exact bucket name where bucketname is specified below.

The bucketname must be exact or the service will not accept the bucket policy and you will receive the error message "Policy has invalid resource - arn:aws:s3:::bucketname/*".

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname"
    }
  ]
}

 

11. Click Save to confirm this change.
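A pre-flight check for the bucket policy above, added here as an example and not part of the original article or of Cisco's tooling: it renders the policy for a given bucket name and audits a pasted policy for a leftover bucketname placeholder, a changed principal, or grants beyond the four statements shown. The helper names build_policy and audit_policy are hypothetical, and the 3-63 character length bound is the general S3 limit rather than something stated on this page.

```python
import json
import re

# Principal copied from the bucket policy shown on this page.
UMBRELLA_PRINCIPAL = "arn:aws:iam::568526795995:user/logs"
# Page's naming rule: lowercase, no spaces or periods, DNS-compliant.
# The 3-63 character length bound is the general S3 limit (assumption).
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]")
# (Effect, Action) -> resource suffix, exactly as in the page's policy.
EXPECTED = {
    ("Allow", "s3:PutObject"): "/*",
    ("Deny", "s3:GetObject"): "/*",
    ("Allow", "s3:GetBucketLocation"): "",
    ("Allow", "s3:ListBucket"): "",
}

def build_policy(bucket):
    """Render the page's policy for one bucket (hypothetical helper)."""
    if not BUCKET_RE.fullmatch(bucket):
        raise ValueError(f"bucket name breaks the naming rules: {bucket!r}")
    return {"Version": "2008-10-17", "Statement": [
        {"Sid": "", "Effect": effect, "Principal": {"AWS": UMBRELLA_PRINCIPAL},
         "Action": action, "Resource": f"arn:aws:s3:::{bucket}{suffix}"}
        for (effect, action), suffix in EXPECTED.items()]}

def audit_policy(policy_json, bucket):
    """Return findings; an empty list means the policy matches the template."""
    findings, seen = [], set()
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Principal") != {"AWS": UMBRELLA_PRINCIPAL}:
            findings.append(f"unexpected principal: {st.get('Principal')!r}")
        actions = st.get("Action")
        for action in actions if isinstance(actions, list) else [actions]:
            key = (st.get("Effect"), action)
            if key not in EXPECTED:
                findings.append(f"unexpected grant: {key[0]} {key[1]}")
                continue
            seen.add(key)
            want = f"arn:aws:s3:::{bucket}{EXPECTED[key]}"
            if st.get("Resource") != want:
                findings.append(f"{action}: resource is {st.get('Resource')!r}, expected {want!r}")
    findings += [f"missing statement: {e} {a}" for e, a in EXPECTED if (e, a) not in seen]
    return findings

if __name__ == "__main__":
    # Constructed sample: the template pasted without replacing "bucketname".
    pasted = json.dumps(build_policy("bucketname"))
    for finding in audit_policy(pasted, "my-organization-name-log-bucket"):
        print(finding)
```

Run it against the text you are about to paste into the bucket policy editor; any finding means the policy differs from the one in this article.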

To Verify Your Amazon S3 Bucket

Step 1

  1. Go back to your Umbrella dashboard and navigate to Admin > Log Management. 

  2. In Bucket Name, type or paste the exact bucket name you created in S3 and click Verify.
    You should receive a confirmation message in your dashboard indicating that the bucket was successfully verified.

If you receive an error indicating that your bucket could not be verified, recheck the syntax of the bucket name and review the configuration. If problems persist, please open a case with our support department. 

Step 2

As a secondary precaution to ensure the correct bucket was specified, Umbrella will request that you enter a unique activation token. The activation token can be obtained by revisiting your S3 bucket. As part of the verification process, a file named README_FROM_UMBRELLA.txt was uploaded from Umbrella to your Amazon S3 bucket and should appear there.  

  1. Download the readme file by double-clicking on it and then open it in a text editor. Within the file, there will be a unique token tying your S3 bucket to your Umbrella dashboard.  

You may need to refresh your S3 bucket in the browser in order to see the README file after it's been uploaded.

  2. Return to the Umbrella dashboard and paste the token into the Token Number field and click Save. At this point, the configuration is complete.

Managing the Log Lifecycle

When you're using S3, you can manage the lifecycle of the data within the bucket to extend how long logs are retained. Depending on the reason you're using external log management, the duration could be very short or very long. For instance, you may wish to simply download the logs from the S3 bucket after 24 hours and store them offline, or retain the logs indefinitely in the cloud.

By default, Amazon stores the data in a bucket indefinitely, but unlimited storage does raise the cost of maintaining the bucket. For more information on S3 lifecycles, please read:

To configure the lifecycle of your bucket:

  1. Select Properties and then click Lifecycle.

  2. Click Add a Rule, then apply the Rule to the whole bucket (or a subfolder if you've configured it as such).

  3. Select an Action on Objects, such as Delete or Archive, then select the time period and whether you'd like to use Glacier storage to help reduce your Amazon costs. (Glacier is 'cold' off-line storage, which while slower to access, is much less expensive.)

 

Integration Parameters

Parameters required from customer for Integration.

| Property | Default Value | Description |
|---|---|---|
| REGION | Yes | Region of your S3 Storage |
| S3 URI | Yes | URI of S3. For example: s3://cs-prod-cannon-000ca8016/<datapath>. NOTE: Different features will have different data paths, for example: auditlogs, dnslogs, etc. |
| URI IS A | Yes | The type of object the URI points to. For example: Single File; Directory; Directory which includes subdirectory |
| SOURCE DELETION OPTION | Yes | Whether to delete the file at source after transferring: Never Delete File; Delete Transferred Files and Empty Directory; Delete Transferred Files |

 

 

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.