FortiSIEM Support Added: 6.3.2
FortiSIEM Last Modification: 6.4.0
Product Information: https://umbrella.cisco.com/
What is Discovered and Monitored
The following protocols are used to discover and monitor various aspects of Cisco Umbrella.
AWS S3 Bucket API: DNS logs, Proxy logs, IP logs, Admin Audit logs
Setup in Cisco Umbrella
Complete these steps from the Cisco Umbrella Portal.
- Log in to dashboard.umbrella.com.
- Navigate to Admin > Log Management.
- Navigate to Amazon S3.
- Select the Use Cisco-Managed S3 storage radio button.
- Select the region geographically closest to the FortiSIEM instance that will poll the logs.
- Select the desired retention duration. Note: Since these logs will be ingested by FortiSIEM, it is recommended to select the shortest duration.
- On the final screen, record these values for Setup in FortiSIEM.
  Data Path: This is the S3 bucket URL
- Click Got It.
Cisco Umbrella setup is now complete. However, it may take some time to activate.
Note: You can select a company-managed S3 bucket, but you must provide an access key and secret with appropriate permissions. Cisco-managed storage takes away the difficulty with IAM permissions for S3 bucket access.
Setup in FortiSIEM
FortiSIEM processes events from Cisco Umbrella via the AWS S3 bucket API. Obtain your Access Key, Secret Key, and S3 bucket URL from the Cisco Umbrella Portal before proceeding.
Complete these steps in the FortiSIEM UI:
- For Multi-tenant users, change the scope to the appropriate FortiSIEM organization.
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box, and click Save when done.
Name: Enter a name for the credential.
Device Type: Cisco Umbrella
Access Protocol: AWS_S3
Region: Enter the AWS region for the bucket that was created, which can be found by looking at the data path name. For example, cisco-managed-us-west-1 means "us-west-1", so you would input us-west-1 in the Region field. If you know your region, you can use the region information from the link below. For example, for the region Europe (Frankfurt), input eu-central-1 in the Region field. Region information can be found here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
Bucket: Enter the Bucket value that appears before the forward slash, e.g. cisco-managed-us-west-1. If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111, the bucket should be "umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111".
Prefix: Provide the prefix; this is the part with the forward slash. Example: 1234567_b123456789f1e2a3a412345410123ffcd456789e0/ The prefix may be entered in any of the following ways: If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-something, enter only a forward slash, "/".
Access Key ID: Enter/paste the access key you acquired during the Cisco Umbrella setup.
Secret Key: Enter/paste the secret key you acquired during the Cisco Umbrella setup.
Leave the default option, which is
Description: Description about the device
- In Step 2: Enter IP Range to Credential Associations, if you have more than one FortiSIEM collector, select the collector that will do the polling from the drop-down list. Note: A drop-down list will not appear if you only have one collector.
- Click New.
- Select the credential name you created (during step 3a) from the Credentials drop-down list. The IP/Host Name field should auto-populate the URL (reports.api.umbrella.com).
- Click Save.
- Click the Test drop-down list and select Test Connectivity without Ping to test the connection.
- Wait for approximately 5 minutes.
- Navigate to ANALYTICS, and confirm that events appear.
//CiscoUmbrella-DNS-A-Query-Success 1 184.108.40.206 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-25/2021-08-25-21-20-ade8.csv.gz : "2021-08-25 21:19:36","LAB-MACHINE","LAB-MACHINE","192.168.10.218","220.127.116.11","Allowed","1 (A)","NOERROR","static-asm.secure.skypeassets.com.","Chat,Instant Messaging,Software/Technology,Infrastructure,Internet Telephony,Application","Roaming Computers","Roaming Computers",""
//CiscoUmbrella-DNS-A-Query-Blocked 1 18.104.22.168 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-26/2021-08-26-19-00-44ea.csv.gz : "2021-08-26 19:03:13","LAB-MACHINE","LAB-MACHINE","192.168.10.218","22.214.171.124","Blocked","1 (A)","NOERROR","www.facebook.com.","Social Networking,Application,Application Block","Roaming Computers","Roaming Computers","Application,Application Block"
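The following helper is an added example, not FortiSIEM or Cisco Umbrella code: it derives the Region, Bucket and Prefix credential values described above from an Umbrella Data Path (both the Cisco-managed and the company-managed, no-prefix case) and parses the DNS log CSV lines that FortiSIEM pulls from the bucket, as shown in the sample events. The function names are hypothetical, and the CSV column labels are assumed from the field order of the sample events rather than taken from Cisco documentation.

```python
import csv
import re
from urllib.parse import urlparse

# Cisco-managed bucket names carry the AWS region, e.g. cisco-managed-us-west-1.
CISCO_MANAGED_RE = re.compile(r"^cisco-managed-(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)$")

def credential_fields_from_data_path(data_path):
    """Derive Region, Bucket and Prefix for the FortiSIEM AWS_S3 credential from the Umbrella Data Path."""
    parsed = urlparse(data_path)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an S3 data path: {data_path!r}")
    bucket = parsed.netloc                      # the part before the first forward slash
    prefix = parsed.path.lstrip("/")            # the part after it, if any
    if prefix and not prefix.endswith("/"):
        prefix += "/"
    if not prefix:
        prefix = "/"                            # no prefix in the data path: FortiSIEM expects "/"
    match = CISCO_MANAGED_RE.match(bucket)
    # Company-managed buckets do not encode the region; look it up in the AWS console instead.
    region = match.group("region") if match else None
    return {"region": region, "bucket": bucket, "prefix": prefix}

# Field order as seen in the sample DNS events on this page; these labels are assumed.
DNS_COLUMNS = ["timestamp", "most_granular_identity", "identities", "internal_ip",
               "external_ip", "action", "query_type", "response_code", "domain",
               "categories", "most_granular_identity_type", "identity_types",
               "blocked_categories"]

def parse_dns_log_line(line):
    """Parse one CSV line from a dnslogs/*.csv.gz object into a dict."""
    row = next(csv.reader([line]))
    if len(row) != len(DNS_COLUMNS):
        raise ValueError(f"expected {len(DNS_COLUMNS)} fields, got {len(row)}")
    rec = dict(zip(DNS_COLUMNS, row))
    for key in ("categories", "blocked_categories"):
        rec[key] = [c for c in rec[key].split(",") if c]   # comma-separated lists
    rec["blocked"] = rec["action"] == "Blocked"
    return rec

# The two DNS events shown on this page, as the raw CSV lines FortiSIEM reads from S3.
SAMPLE_LINES = [
    '"2021-08-25 21:19:36","LAB-MACHINE","LAB-MACHINE","192.168.10.218","220.127.116.11","Allowed","1 (A)","NOERROR","static-asm.secure.skypeassets.com.","Chat,Instant Messaging,Software/Technology,Infrastructure,Internet Telephony,Application","Roaming Computers","Roaming Computers",""',
    '"2021-08-26 19:03:13","LAB-MACHINE","LAB-MACHINE","192.168.10.218","22.214.171.124","Blocked","1 (A)","NOERROR","www.facebook.com.","Social Networking,Application,Application Block","Roaming Computers","Roaming Computers","Application,Application Block"',
]

if __name__ == "__main__":
    print(credential_fields_from_data_path("s3://cisco-managed-us-west-1/1234567_b123456789f1e2a3a412345410123ffcd456789e0/"))
    print([(parse_dns_log_line(l)["domain"], parse_dns_log_line(l)["blocked"]) for l in SAMPLE_LINES])
```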