Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.4.3 External Systems Configuration Guide
    6.4.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Cisco Umbrella

    Cisco Umbrella

    FortiSIEM Support Added: 6.3.2

    FortiSIEM Last Modification: 6.4.0

    Vendor: Cisco

    Product Information: https://umbrella.cisco.com/

    What is Discovered and Monitored

    The following protocols are used to discover and monitor various aspects of Cisco Umbrella.

    Protocol

    Metrics Collected

    Used For
    AWS S3 Bucket API

    DNS logs, Proxy logs, IP logs, Admin Audit logs

    		 Security Monitoring

    Configuration

    Setup in Cisco Umbrella

    Complete these steps from the Cisco Umbrella Portal.

    1. Login to dashboard.umbrella.com.

    2. Navigate to Admin > Log Management.

    3. Navigate to Amazon S3.

    4. Select the Use Cisco-Managed S3 storage radio button.

    5. Select the closest geographically region to the FortiSIEM instance that will poll the logs.

    6. Select the desired retention duration.
      Note: Since this will be ingested by FortiSIEM, it is recommended to select the shortest duration.

    7. Click Save.

    8. Click Continue.

    9. On the final screen, record these values for Setup in FortiSIEM.

      • Data Path: This is the S3 bucket URL

      • Access Key

      • Secret Key

    10. Click Got It.

    11. Click Continue.
      Cisco Umbrella setup is now complete. However, it may take some time to activate.

    Note: You can select company-managed s3 bucket, but you must provide an access key and secret with

    appropriate permissions. Cisco managed takes away the difficulty with IAM permissions for S3 bucket access.

    Setup in FortiSIEM

    FortiSIEM processes events from Cisco Umbrella via the AWS S3 bucket API. Obtain your Access Key, Secret Key, and S3 bucket URL from the Cisco Umbrella Portal before proceeding.

    Complete these steps in the FortiSIEM UI:

    1. For Multi-tenant users, change the scope to the appropriate FortiSIEM organization.
    2. Go to the ADMIN > Setup > Credentials tab.
    3. In Step 1: Enter Credentials:
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box, and click Save when done.

        SettingsDescription
        NameEnter a name for the credential.
        Device TypeCisco Umbrella
        Access ProtocolAWS_S3
        Region Enter the AWS region for the bucket that was created, which can be found by looking at the data path name.
        For example, cisco-managed-us-west-1, means "us-west-1", so you would input us-west-1 in the Region field.
        If you know your region, you can use the region information from the link below. For example, for the region Europe (Frankfort), input eu-central-1 in the Region field.
        Region information can be found here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
        BucketEnter the Bucket value that appears before the forward slash, e.g. cisco-managed-us-west-1. If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111, the bucket should be "umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111".
        Example:
        Bucket: umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111
        Prefix

        Provide the prefix; This is the part with the forward slash. Example: 1234567_b123456789f1e2a3a412345410123ffcd456789e0/

        The prefix may be entered in any of the following ways:

        /xxxx/

        xxxx

        /xxxx

        xxxx/

        Examples:

        /1234567_b123456789f1e2a3a412345410123ffcd456789e0/

        1234567_b123456789f1e2a3a412345410123ffcd456789e0

        /1234567_b123456789f1e2a3a412345410123ffcd456789e0

        1234567_b123456789f1e2a3a412345410123ffcd456789e0/

        If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-something, enter only a forward slash, "/".
        Example:
        Prefix: /

        Access Key ID

        Enter/paste the access key you acquired during the Cisco Umbrella setup.

        Secret Key

        Enter/paste the secret key you acquired during the Cisco Umbrella setup.

        Log Keyword

        Leave the default option, which is Cisco_Umbrella_Log.

        DescriptionDescription about the device
    4. In Step 2: Enter IP Range to Credential Associations, if you have more than one FortiSIEM collector, select the collector that will do the polling from the drop-down list. Note: A drop-down list will not appear if you only have one collector.
    5. Click New.
      1. Select the credential name you created (during step 3a) from the Credentials drop-down list. The IP/Host Name field should auto populate the URL (reports.api.umbrella.com).
      2. Click Save.
    6. Click the Test drop-down list and select Test Connectivity without Ping to test the connection.
    7. Wait for approximately 5 minutes.
    8. Navigate to ANALYTICS, and confirm that events appear.

    Sample Events

    //CiscoUmbrella-DNS-A-Query-Success
1 146.112.59.20 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-25/2021-08-25-21-20-ade8.csv.gz : "2021-08-25 21:19:36","LAB-MACHINE","LAB-MACHINE","192.168.10.218","99.99.99.25","Allowed","1 (A)","NOERROR","static-asm.secure.skypeassets.com.","Chat,Instant Messaging,Software/Technology,Infrastructure,Internet Telephony,Application","Roaming Computers","Roaming Computers",""

//CiscoUmbrella-DNS-A-Query-Blocked
1 146.112.59.20 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-26/2021-08-26-19-00-44ea.csv.gz : "2021-08-26 19:03:13","LAB-MACHINE","LAB-MACHINE","192.168.10.218","99.99.99.25","Blocked","1 (A)","NOERROR","www.facebook.com.","Social Networking,Application,Application Block","Roaming Computers","Roaming Computers","Application,Application Block"

    Previous
    Next

    Cisco Umbrella

    Cisco Umbrella

    FortiSIEM Support Added: 6.3.2

    FortiSIEM Last Modification: 6.4.0

    Vendor: Cisco

    Product Information: https://umbrella.cisco.com/

    What is Discovered and Monitored

    The following protocols are used to discover and monitor various aspects of Cisco Umbrella.

    Protocol

    Metrics Collected

    Used For
    AWS S3 Bucket API

    DNS logs, Proxy logs, IP logs, Admin Audit logs

    		 Security Monitoring

    Configuration

    Setup in Cisco Umbrella

    Complete these steps from the Cisco Umbrella Portal.

    1. Login to dashboard.umbrella.com.

    2. Navigate to Admin > Log Management.

    3. Navigate to Amazon S3.

    4. Select the Use Cisco-Managed S3 storage radio button.

    5. Select the closest geographically region to the FortiSIEM instance that will poll the logs.

    6. Select the desired retention duration.
      Note: Since this will be ingested by FortiSIEM, it is recommended to select the shortest duration.

    7. Click Save.

    8. Click Continue.

    9. On the final screen, record these values for Setup in FortiSIEM.

      • Data Path: This is the S3 bucket URL

      • Access Key

      • Secret Key

    10. Click Got It.

    11. Click Continue.
      Cisco Umbrella setup is now complete. However, it may take some time to activate.

    Note: You can select company-managed s3 bucket, but you must provide an access key and secret with

    appropriate permissions. Cisco managed takes away the difficulty with IAM permissions for S3 bucket access.

    Setup in FortiSIEM

    FortiSIEM processes events from Cisco Umbrella via the AWS S3 bucket API. Obtain your Access Key, Secret Key, and S3 bucket URL from the Cisco Umbrella Portal before proceeding.

    Complete these steps in the FortiSIEM UI:

    1. For Multi-tenant users, change the scope to the appropriate FortiSIEM organization.
    2. Go to the ADMIN > Setup > Credentials tab.
    3. In Step 1: Enter Credentials:
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box, and click Save when done.

        SettingsDescription
        NameEnter a name for the credential.
        Device TypeCisco Umbrella
        Access ProtocolAWS_S3
        Region Enter the AWS region for the bucket that was created, which can be found by looking at the data path name.
        For example, cisco-managed-us-west-1, means "us-west-1", so you would input us-west-1 in the Region field.
        If you know your region, you can use the region information from the link below. For example, for the region Europe (Frankfort), input eu-central-1 in the Region field.
        Region information can be found here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
        BucketEnter the Bucket value that appears before the forward slash, e.g. cisco-managed-us-west-1. If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111, the bucket should be "umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111".
        Example:
        Bucket: umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111
        Prefix

        Provide the prefix; This is the part with the forward slash. Example: 1234567_b123456789f1e2a3a412345410123ffcd456789e0/

        The prefix may be entered in any of the following ways:

        /xxxx/

        xxxx

        /xxxx

        xxxx/

        Examples:

        /1234567_b123456789f1e2a3a412345410123ffcd456789e0/

        1234567_b123456789f1e2a3a412345410123ffcd456789e0

        /1234567_b123456789f1e2a3a412345410123ffcd456789e0

        1234567_b123456789f1e2a3a412345410123ffcd456789e0/

        If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-something, enter only a forward slash, "/".
        Example:
        Prefix: /

        Access Key ID

        Enter/paste the access key you acquired during the Cisco Umbrella setup.

        Secret Key

        Enter/paste the secret key you acquired during the Cisco Umbrella setup.

        Log Keyword

        Leave the default option, which is Cisco_Umbrella_Log.

        DescriptionDescription about the device
    4. In Step 2: Enter IP Range to Credential Associations, if you have more than one FortiSIEM collector, select the collector that will do the polling from the drop-down list. Note: A drop-down list will not appear if you only have one collector.
    5. Click New.
      1. Select the credential name you created (during step 3a) from the Credentials drop-down list. The IP/Host Name field should auto populate the URL (reports.api.umbrella.com).
      2. Click Save.
    6. Click the Test drop-down list and select Test Connectivity without Ping to test the connection.
    7. Wait for approximately 5 minutes.
    8. Navigate to ANALYTICS, and confirm that events appear.

    Sample Events

    //CiscoUmbrella-DNS-A-Query-Success
1 146.112.59.20 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-25/2021-08-25-21-20-ade8.csv.gz : "2021-08-25 21:19:36","LAB-MACHINE","LAB-MACHINE","192.168.10.218","99.99.99.25","Allowed","1 (A)","NOERROR","static-asm.secure.skypeassets.com.","Chat,Instant Messaging,Software/Technology,Infrastructure,Internet Telephony,Application","Roaming Computers","Roaming Computers",""

//CiscoUmbrella-DNS-A-Query-Blocked
1 146.112.59.20 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-26/2021-08-26-19-00-44ea.csv.gz : "2021-08-26 19:03:13","LAB-MACHINE","LAB-MACHINE","192.168.10.218","99.99.99.25","Blocked","1 (A)","NOERROR","www.facebook.com.","Social Networking,Application,Application Block","Roaming Computers","Roaming Computers","Application,Application Block"

    Previous
    Next