Accenture MDR Quick Start Guide for Cisco Umbrella - Cloud Delivered Enterprise Security

This quick start guide will help Accenture MDR customers configure Cisco Umbrella Cloud Delivered Enterprise Security to send logs to the Log Collection Platform (LCP).

The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source | Destination    | Port        | Description
LCP    | Cisco Umbrella | 443 (HTTPS) | Default port

Configuring Cisco Umbrella

There are two ways to configure log management in Cisco Umbrella:

  1. A Cisco-managed bucket, where Cisco Umbrella owns the bucket and sets up the configuration automatically.

  2. A self-managed bucket, where you own the bucket in Amazon S3 and set up the configuration yourself.

Once you have chosen the bucket type, follow the steps below to set up and verify the S3 bucket:

i) Set up your Amazon S3 bucket.

ii) Verify your Amazon S3 bucket.

I. Configure a Cisco-managed Amazon S3 bucket.

  1. On the Umbrella dashboard, navigate to Admin > Log Management.

  2. Select Use a Cisco-managed Amazon S3 bucket.

  3. From the Select a Region drop-down list, choose a region.

Regional endpoints matter because they minimize latency when downloading logs to your servers, so pick the region closest to you. If you later wish to change the region, you must delete your current settings and start over.

  4. From the Select a Retention Duration drop-down list, choose the time period.

The retention duration is 7, 14, or 30 days. Beyond the selected period all data is purged and cannot be retrieved. We recommend a shorter period if your ingestion cycle is regular. The retention duration can be changed at a later time.

  5. Click Save. You will be asked to confirm your region and duration.

  6. Click Continue. You will receive an activation notification.

  7. You will then be shown your access and secret keys. Accept them by clicking Got it!, because this is the only time you will see either key. The access and secret keys are required to access your data path and download logs.

The summary screen displays the configuration and your bucket name. You can turn logging off and on at your convenience. However, logs are purged according to your retention duration whether or not you continue to log new data.

 Note: For more information on device configuration for log collection, refer to: https://support.umbrella.com/hc/en-us/articles/231248448-Cisco-Umbrella-Log-Management-in-Amazon-S3

II. Set up a self-managed Amazon S3 bucket.

    Prerequisites:

    In order to archive DNS and proxy logs, you must meet the following requirements:

  • Full administrative access to the Cisco Umbrella dashboard.

  • A login to the Amazon AWS console (http://aws.amazon.com/console/). If you do not have an account, Amazon provides free sign-up for S3; a credit card is required in case your usage exceeds the free plan.

  • An IAM user with read-only access to the S3 bucket.

  • A bucket configured in Amazon S3 for storing logs. Instructions for configuring and setting up the Amazon S3 bucket are given below.

If an IAM user is to fetch logs from the S3 bucket, generate access keys for that user using the following steps.

To create, modify, or delete a user's access keys:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Users in the navigation pane.

  3. Choose the name of the desired user, and then choose the Security Credentials tab.

  4. If needed, expand the Access Keys section and do any of the following:

     a) To create an access key, choose Create Access Key. Then choose Download Credentials to save the access key ID and secret access key to a CSV file on your computer.

     b) Store the file in a secure location.

     c) You will not have access to the secret access key again after this dialog box closes.

     d) After you have downloaded the CSV file, choose Close.

To set up your Amazon S3 bucket:

  1. Log in to the AWS console and, from the list of services, select S3 - Scalable Storage in the Cloud. (It appears at the upper left, under Storage & Content Delivery.)

  2. If you do not already have a bucket, click Create Bucket.

  3. In the Bucket Name text box, type the bucket name.

The bucket name must be globally unique, not just within your AWS account or Umbrella, but across all of Amazon AWS. Use something specific to you, such as my-organization-name-log-bucket. Use lowercase letters for the bucket name; it must not contain spaces or periods and must comply with DNS naming conventions.

 Note: For more information on name restrictions, see: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html

For more information on bucket creation, including naming, see: https://docs.aws.amazon.com/AmazonS3/latest/UG/CreatingaBucket.html

  4. From the Region drop-down list, select the region that works best for your location and click Create.

  5. Next, configure the bucket to accept uploads from the Umbrella service (in S3 this is done with a bucket policy): click the newly created bucket to open it.

  6. At the upper right-hand corner, select Properties.

  7. Under Properties, expand Permissions and click Add bucket policy.

  8. A modal window opens. Enter the preconfigured bucket policy provided below.

  9. Copy the JSON bucket policy below into a text editor, or paste it directly into the window. Substitute your bucket name wherever bucketname appears.

 Note: The bucket name must match exactly or the service will not accept the bucket policy, and you will receive the error message "Policy has invalid resource - arn:aws:s3:::bucketname/*".

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname"
    }
  ]
}

10. Click Save to confirm this change.
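As an added example (it is not part of this guide, nor Cisco or AWS tooling), the following Python helper checks a bucket name against the naming rules above and checks a pasted policy before you click Save in step 10: every Resource must name your bucket exactly (the "Policy has invalid resource" case), only Umbrella's principal may appear, and that principal must be allowed only PutObject, GetBucketLocation and ListBucket while remaining denied GetObject. Function and variable names are the author's own.

```python
import json
import re

# Umbrella's log-writing principal, as it appears in the bucket policy above.
UMBRELLA_PRINCIPAL = "arn:aws:iam::568526795995:user/logs"
# The guide's naming rules: lowercase letters, digits and hyphens, no spaces or periods.
_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{1,61}[a-z0-9])?$")
EXPECTED_ALLOW = {"s3:PutObject", "s3:GetBucketLocation", "s3:ListBucket"}


def valid_bucket_name(name):
    """True if the name satisfies the naming rules stated in the guide."""
    return bool(_NAME_RE.match(name))


def build_policy(bucket):
    """Return the guide's bucket policy with the bucket name substituted."""
    objects, root = f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"
    principal = {"AWS": UMBRELLA_PRINCIPAL}
    return {"Version": "2008-10-17", "Statement": [
        {"Sid": "", "Effect": "Allow", "Principal": principal, "Action": "s3:PutObject", "Resource": objects},
        {"Sid": "", "Effect": "Deny", "Principal": principal, "Action": "s3:GetObject", "Resource": objects},
        {"Sid": "", "Effect": "Allow", "Principal": principal, "Action": "s3:GetBucketLocation", "Resource": root},
        {"Sid": "", "Effect": "Allow", "Principal": principal, "Action": "s3:ListBucket", "Resource": root},
    ]}


def policy_problems(policy, bucket):
    """Check a policy (JSON text or dict) against the bucket it is meant for.
    Flags resources naming another bucket, foreign principals, unexpected Allows,
    and a missing Deny on s3:GetObject (Umbrella writes logs, never reads them)."""
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except json.JSONDecodeError as exc:
            return [f"not valid JSON: {exc}"]
    problems, allowed, denied = [], set(), set()
    for st in policy.get("Statement", []):
        resources = [st["Resource"]] if isinstance(st["Resource"], str) else st["Resource"]
        for res in resources:
            if re.sub(r"/\*$", "", res) != f"arn:aws:s3:::{bucket}":
                problems.append(f"resource {res} does not match bucket {bucket}")
        if st.get("Principal", {}).get("AWS") != UMBRELLA_PRINCIPAL:
            problems.append(f"unexpected principal {st.get('Principal')}")
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        (allowed if st["Effect"] == "Allow" else denied).update(actions)
    if allowed != EXPECTED_ALLOW:
        problems.append(f"allowed actions {sorted(allowed)} differ from {sorted(EXPECTED_ALLOW)}")
    if "s3:GetObject" not in denied:
        problems.append("Umbrella principal is not denied s3:GetObject")
    return problems
```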

Verify your Amazon S3 bucket.

Step 1:

  1. Go to the Umbrella dashboard and navigate to Admin > Log Management. 

  2. To expand the window, click Amazon S3.

  3. In the Bucket Name field, type or paste the exact bucket name you created in S3 and click Verify. 

  4. You should receive a confirmation message in your dashboard indicating that the bucket was successfully verified. If you receive an error indicating that your bucket could not be verified, re-check the syntax of the bucket name and review the configuration. If problems persist, please open a case with our support department. 

Step 2:

  1. As a precaution to ensure the correct bucket was specified, Umbrella will ask you to enter a unique activation token. The activation token can be obtained by revisiting your S3 bucket. As part of the verification process, a file named README_FROM_UMBRELLA.txt was uploaded from Umbrella to your Amazon S3 bucket and should appear there.  

  2. Double-click the readme file to download it and then open it in a text editor. Within the file, there will be a unique token tying your S3 bucket to your Umbrella dashboard.  

 Note: You may need to refresh your S3 bucket in the browser in order to see the readme file after it has been uploaded.

  3. Return to the Umbrella dashboard, and in the Token Number field, paste the token and click Save. At this point, the configuration is complete. 

LCP Configuration Parameters

Table 1-2: The Cisco Umbrella event collector (API-3839) properties to be configured by MDR are shown in the table.

Property   | Custom | Description
Endpoint   | http://s3.us-east-1.amazonaws.com/ | Endpoint URL mentioned in the Pre-Installation Questionnaire (PIQ): the AWS regional S3 endpoint for the region in which you created the bucket. See https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
BucketName | Value 1: umbrella-managed-2404292-6917979fd4efb1297a5c4e6764961489; Value 2: cisco-managed-us-west-1/1234567_ae5e32dc29f7b94d22d8f08fc9a3fcba6a3a1234 | Data path as defined in the S3 configuration. Note: copy the path after "s3://".
AccessKey  | AKIAILGNLDA7PTJLKSQ | Based on the Account ID. The IAM user must be part of an appropriate role that has the permissions required to read from the AWS S3 bucket.
SecretKey  | PHEZgsYLvectp2Moa8Ygq1UW2N5abVwTMM0T3x== | Based on the Account ID.
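Added example, not from this guide: a Python helper that splits the BucketName value (the data path copied after "s3://") into bucket and prefix and, for a self-managed bucket, produces a least-privilege read-only IAM policy for the LCP's IAM user scoped to that path. For a Cisco-managed bucket the keys are issued by Cisco, so only the splitting applies there. The s3:prefix condition on ListBucket is standard IAM; the function names are assumed.

```python
def split_data_path(data_path):
    """Split the value copied after "s3://" into (bucket, prefix).
    prefix is "" for a bucket-only path; otherwise it keeps a trailing "/"
    so the ListBucket condition and the GetObject resource line up."""
    path = data_path.strip()
    if path.startswith("s3://"):  # tolerate a value pasted with the scheme
        path = path[len("s3://"):]
    bucket, _, prefix = path.strip("/").partition("/")
    return bucket, (prefix + "/") if prefix else ""


def collector_policy(data_path):
    """Least-privilege IAM policy for the LCP's IAM user on a self-managed
    bucket: locate, list and read only, scoped to the data path, no writes."""
    bucket, prefix = split_data_path(data_path)
    statements = [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
    ]
    if prefix:  # only let the user enumerate keys under the data path
        statements[1]["Condition"] = {"StringLike": {"s3:prefix": [prefix + "*"]}}
    return {"Version": "2012-10-17", "Statement": statements}
```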

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.