Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Cisco Umbrella

FortiSIEM Support Added: 6.3.2

FortiSIEM Last Modification: 6.4.0

Vendor: Cisco

Product Information: https://umbrella.cisco.com/

 

 

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Cisco Umbrella.

Protocol

Metrics Collected

Used For

AWS S3 Bucket API

DNS logs, Proxy logs, IP logs, Admin Audit logs

Security Monitoring

 

Configuration

Setup in Cisco Umbrella

Complete these steps from the Cisco Umbrella Portal.

  1. Login to dashboard.umbrella.com.

  2. Navigate to Admin > Log Management.

  3. Navigate to Amazon S3.

  4. Select the Use Cisco-Managed S3 storage radio button.

  5. Select the closest geographically region to the FortiSIEM instance that will poll the logs.

  6. Select the desired retention duration.
    Note: Since this will be ingested by FortiSIEM, it is recommended to select the shortest duration.

  7. Click Save.

  8. Click Continue.

  9. On the final screen, record these values for Setup in FortiSIEM.

    • Data Path: This is the S3 bucket URL

    • Access Key

    • Secret Key

  10. Click Got It.

  11. Click Continue.
    Cisco Umbrella setup is now complete. However, it may take some time to activate.

Note: You can select company-managed s3 bucket, but you must provide an access key and secret with

appropriate permissions. Cisco managed takes away the difficulty with IAM permissions for S3 bucket access.

Setup in FortiSIEM

FortiSIEM processes events from Cisco Umbrella via the AWS S3 bucket API. Obtain your Access Key, Secret Key, and S3 bucket URL from the Cisco Umbrella Portal before proceeding.

Complete these steps in the FortiSIEM UI:

  1. For Multi-tenant users, change the scope to the appropriate FortiSIEM organization.
  2. Go to the ADMIN > Setup > Credentials tab.
  3. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box, and click Save when done.

      Settings Description
      Name Enter a name for the credential.
      Device Type Cisco Umbrella
      Access Protocol AWS_S3
      Region

      Enter the AWS region for the bucket that was created, which can be found by looking at the data path name. For example, cisco-managed-us-west-1, means "us-west-1", so you would input us-west-1 in the Region field.

      If you know your region, you can use the region information from the link below. For example, for the region Europe (Frankfort), input eu-central-1 in the Region field.
      Region information can be found here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html

      Bucket

      Enter the Bucket value that appears before the forward slash, e.g. cisco-managed-us-west-1.

      If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111, the bucket should be "umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111".
      Example: 
      Bucket: umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111

      Prefix

      Provide the prefix; This is the part with the forward slash. Example: 1234567_b123456789f1e2a3a412345410123ffcd456789e0/

       

      The prefix may be entered in any of the following ways:

      /xxxx/

      xxxx

      /xxxx

      xxxx/

       

      Examples: 

      /1234567_b123456789f1e2a3a412345410123ffcd456789e0/

      1234567_b123456789f1e2a3a412345410123ffcd456789e0

      /1234567_b123456789f1e2a3a412345410123ffcd456789e0

      1234567_b123456789f1e2a3a412345410123ffcd456789e0/

       

      If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-something, enter only a forward slash, "/".
      Example:
      Prefix: /

      Access Key ID

      Enter/paste the access key you acquired during the Cisco Umbrella setup.

      Secret Key

      Enter/paste the secret key you acquired during the Cisco Umbrella setup.

      Log Keyword

      Leave the default option, which is Cisco_Umbrella_Log.

      Description Description about the device
  4. In Step 2: Enter IP Range to Credential Associations, if you have more than one FortiSIEM collector, select the collector that will do the polling from the drop-down list. Note: A drop-down list will not appear if you only have one collector.
  5.  Click New.
    1. Select the credential name you created (during step 3a) from the Credentials drop-down list. The IP/Host Name field should auto populate the URL (reports.api.umbrella.com).
    2. Click Save.
  6. Click the Test drop-down list and select Test Connectivity without Ping to test the connection.
  7. Wait for approximately 5 minutes.
  8. Navigate to ANALYTICS, and confirm that events appear.

Sample Events

//CiscoUmbrella-DNS-A-Query-Success
1 146.112.59.20 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-25/2021-08-25-21-20-ade8.csv.gz : "2021-08-25 21:19:36","LAB-MACHINE","LAB-MACHINE","192.168.10.218","99.99.99.25","Allowed","1 (A)","NOERROR","static-asm.secure.skypeassets.com.","Chat,Instant Messaging,Software/Technology,Infrastructure,Internet Telephony,Application","Roaming Computers","Roaming Computers",""

//CiscoUmbrella-DNS-A-Query-Blocked
1 146.112.59.20 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-26/2021-08-26-19-00-44ea.csv.gz : "2021-08-26 19:03:13","LAB-MACHINE","LAB-MACHINE","192.168.10.218","99.99.99.25","Blocked","1 (A)","NOERROR","www.facebook.com.","Social Networking,Application,Application Block","Roaming Computers","Roaming Computers","Application,Application Block"

 

Cisco Umbrella

FortiSIEM Support Added: 6.3.2

FortiSIEM Last Modification: 6.4.0

Vendor: Cisco

Product Information: https://umbrella.cisco.com/

 

 

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Cisco Umbrella.

Protocol

Metrics Collected

Used For

AWS S3 Bucket API

DNS logs, Proxy logs, IP logs, Admin Audit logs

Security Monitoring

 

Configuration

Setup in Cisco Umbrella

Complete these steps from the Cisco Umbrella Portal.

  1. Login to dashboard.umbrella.com.

  2. Navigate to Admin > Log Management.

  3. Navigate to Amazon S3.

  4. Select the Use Cisco-Managed S3 storage radio button.

  5. Select the closest geographically region to the FortiSIEM instance that will poll the logs.

  6. Select the desired retention duration.
    Note: Since this will be ingested by FortiSIEM, it is recommended to select the shortest duration.

  7. Click Save.

  8. Click Continue.

  9. On the final screen, record these values for Setup in FortiSIEM.

    • Data Path: This is the S3 bucket URL

    • Access Key

    • Secret Key

  10. Click Got It.

  11. Click Continue.
    Cisco Umbrella setup is now complete. However, it may take some time to activate.

Note: You can select company-managed s3 bucket, but you must provide an access key and secret with

appropriate permissions. Cisco managed takes away the difficulty with IAM permissions for S3 bucket access.

Setup in FortiSIEM

FortiSIEM processes events from Cisco Umbrella via the AWS S3 bucket API. Obtain your Access Key, Secret Key, and S3 bucket URL from the Cisco Umbrella Portal before proceeding.

Complete these steps in the FortiSIEM UI:

  1. For Multi-tenant users, change the scope to the appropriate FortiSIEM organization.
  2. Go to the ADMIN > Setup > Credentials tab.
  3. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box, and click Save when done.

      Settings Description
      Name Enter a name for the credential.
      Device Type Cisco Umbrella
      Access Protocol AWS_S3
      Region

      Enter the AWS region for the bucket that was created, which can be found by looking at the data path name. For example, cisco-managed-us-west-1, means "us-west-1", so you would input us-west-1 in the Region field.

      If you know your region, you can use the region information from the link below. For example, for the region Europe (Frankfort), input eu-central-1 in the Region field.
      Region information can be found here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html

      Bucket

      Enter the Bucket value that appears before the forward slash, e.g. cisco-managed-us-west-1.

      If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111, the bucket should be "umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111".
      Example: 
      Bucket: umbrella-managed-1105020-07c11114f2bd1366f0cef0db1048d111

      Prefix

      Provide the prefix; This is the part with the forward slash. Example: 1234567_b123456789f1e2a3a412345410123ffcd456789e0/

       

      The prefix may be entered in any of the following ways:

      /xxxx/

      xxxx

      /xxxx

      xxxx/

       

      Examples: 

      /1234567_b123456789f1e2a3a412345410123ffcd456789e0/

      1234567_b123456789f1e2a3a412345410123ffcd456789e0

      /1234567_b123456789f1e2a3a412345410123ffcd456789e0

      1234567_b123456789f1e2a3a412345410123ffcd456789e0/

       

      If there is no prefix specified in the S3 data path section, e.g. s3://umbrella-managed-something, enter only a forward slash, "/".
      Example:
      Prefix: /

      Access Key ID

      Enter/paste the access key you acquired during the Cisco Umbrella setup.

      Secret Key

      Enter/paste the secret key you acquired during the Cisco Umbrella setup.

      Log Keyword

      Leave the default option, which is Cisco_Umbrella_Log.

      Description Description about the device
  4. In Step 2: Enter IP Range to Credential Associations, if you have more than one FortiSIEM collector, select the collector that will do the polling from the drop-down list. Note: A drop-down list will not appear if you only have one collector.
  5.  Click New.
    1. Select the credential name you created (during step 3a) from the Credentials drop-down list. The IP/Host Name field should auto populate the URL (reports.api.umbrella.com).
    2. Click Save.
  6. Click the Test drop-down list and select Test Connectivity without Ping to test the connection.
  7. Wait for approximately 5 minutes.
  8. Navigate to ANALYTICS, and confirm that events appear.

Sample Events

//CiscoUmbrella-DNS-A-Query-Success
1 146.112.59.20 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-25/2021-08-25-21-20-ade8.csv.gz : "2021-08-25 21:19:36","LAB-MACHINE","LAB-MACHINE","192.168.10.218","99.99.99.25","Allowed","1 (A)","NOERROR","static-asm.secure.skypeassets.com.","Chat,Instant Messaging,Software/Technology,Infrastructure,Internet Telephony,Application","Roaming Computers","Roaming Computers",""

//CiscoUmbrella-DNS-A-Query-Blocked
1 146.112.59.20 reports.api.umbrella.com Cisco_Umbrella_Log 5381234_b617173610f6e6a12340410126fdba516751f0/dnslogs/2021-08-26/2021-08-26-19-00-44ea.csv.gz : "2021-08-26 19:03:13","LAB-MACHINE","LAB-MACHINE","192.168.10.218","99.99.99.25","Blocked","1 (A)","NOERROR","www.facebook.com.","Social Networking,Application,Application Block","Roaming Computers","Roaming Computers","Application,Application Block"