- Elastic integrations
- Integrations quick reference
- 1Password
- Abnormal Security
- ActiveMQ
- Active Directory Entity Analytics
- Airflow
- Akamai
- Apache
- API (custom)
- Arbor Peakflow SP Logs
- Arista NG Firewall
- Atlassian
- Auditd
- Auth0
- authentik
- AWS
- Amazon CloudFront
- Amazon DynamoDB
- Amazon EBS
- Amazon EC2
- Amazon ECS
- Amazon EMR
- AWS API Gateway
- Amazon GuardDuty
- AWS Health
- Amazon Kinesis Data Firehose
- Amazon Kinesis Data Stream
- Amazon Managed Streaming for Apache Kafka (MSK)
- Amazon NAT Gateway
- Amazon RDS
- Amazon Redshift
- Amazon S3
- Amazon S3 Storage Lens
- Amazon Security Lake
- Amazon SNS
- Amazon SQS
- Amazon VPC
- Amazon VPN
- AWS Bedrock
- AWS Billing
- AWS CloudTrail
- AWS CloudWatch
- AWS ELB
- AWS Fargate
- AWS Inspector
- AWS Lambda
- AWS Logs (custom)
- AWS Network Firewall
- AWS Route 53
- AWS Security Hub
- AWS Transit Gateway
- AWS Usage
- AWS WAF
- Azure
- Activity logs
- App Service
- Application Gateway
- Application Insights metrics
- Application Insights metrics overview
- Application State Insights metrics
- Azure logs (v2 preview)
- Azure OpenAI
- Billing metrics
- Container instance metrics
- Container registry metrics
- Container service metrics
- Custom Azure Logs
- Custom Blob Storage Input
- Database Account metrics
- Event Hub input
- Firewall logs
- Frontdoor
- Functions
- Microsoft Entra ID
- Monitor metrics
- Network Watcher VNet
- Network Watcher NSG
- Platform logs
- Resource metrics
- Spring Cloud logs
- Storage Account metrics
- Virtual machines metrics
- Virtual machines scaleset metrics
- Barracuda
- BitDefender
- Bitwarden
- blacklens.io
- Blue Coat Director Logs
- BBOT (Bighuge BLS OSINT Tool)
- Box Events
- Bravura Monitor
- Broadcom ProxySG
- Canva
- Cassandra
- CEL Custom API
- Ceph
- Check Point
- Cilium Tetragon
- CISA Known Exploited Vulnerabilities
- Cisco
- Cisco Meraki Metrics
- Citrix
- Claroty CTD
- Cloudflare
- Cloud Asset Inventory
- CockroachDB Metrics
- Common Event Format (CEF)
- Containerd
- CoreDNS
- Corelight
- Couchbase
- CouchDB
- Cribl
- CrowdStrike
- Cyberark
- Cybereason
- CylanceProtect Logs
- Custom Websocket logs
- Darktrace
- Data Exfiltration Detection
- DGA
- Digital Guardian
- Docker
- Elastic APM
- Elastic Fleet Server
- Elastic Security
- Elastic Stack monitoring
- Elasticsearch Service Billing
- Envoy Proxy
- ESET PROTECT
- ESET Threat Intelligence
- etcd
- Falco
- F5
- File Integrity Monitoring
- FireEye Network Security
- First EPSS
- Forcepoint Web Security
- ForgeRock
- Fortinet
- Gigamon
- GitHub
- GitLab
- Golang
- Google Cloud
- Custom GCS Input
- GCP
- GCP Audit logs
- GCP Billing metrics
- GCP Cloud Run metrics
- GCP CloudSQL metrics
- GCP Compute metrics
- GCP Dataproc metrics
- GCP DNS logs
- GCP Firestore metrics
- GCP Firewall logs
- GCP GKE metrics
- GCP Load Balancing metrics
- GCP Metrics Input
- GCP PubSub logs (custom)
- GCP PubSub metrics
- GCP Redis metrics
- GCP Security Command Center
- GCP Storage metrics
- GCP VPC Flow logs
- GCP Vertex AI
- GoFlow2 logs
- Hadoop
- HAProxy
- Hashicorp Vault
- HTTP Endpoint logs (custom)
- IBM MQ
- IIS
- Imperva
- InfluxDb
- Infoblox
- Iptables
- Istio
- Jamf Compliance Reporter
- Jamf Pro
- Jamf Protect
- Jolokia Input
- Journald logs (custom)
- JumpCloud
- Kafka
- Keycloak
- Kubernetes
- LastPass
- Lateral Movement Detection
- Linux Metrics
- Living off the Land Attack Detection
- Logs (custom)
- Lumos
- Lyve Cloud
- Mattermost
- Memcached
- Menlo Security
- Microsoft
- Microsoft 365
- Microsoft Defender for Cloud
- Microsoft Defender for Endpoint
- Microsoft DHCP
- Microsoft DNS Server
- Microsoft Entra ID Entity Analytics
- Microsoft Exchange Online Message Trace
- Microsoft Exchange Server
- Microsoft Graph Activity Logs
- Microsoft M365 Defender
- Microsoft Office 365 Metrics Integration
- Microsoft Sentinel
- Microsoft SQL Server
- Mimecast
- ModSecurity Audit
- MongoDB
- MongoDB Atlas
- MySQL
- Nagios XI
- NATS
- NetFlow Records
- Netskope
- Network Beaconing Identification
- Network Packet Capture
- Nginx
- Okta
- Oracle
- OpenCanary
- Osquery
- Palo Alto
- pfSense
- PHP-FPM
- PingOne
- PingFederate
- Pleasant Password Server
- PostgreSQL
- Prometheus
- Proofpoint TAP
- Proofpoint On Demand
- Pulse Connect Secure
- Qualys VMDR
- QNAP NAS
- RabbitMQ Logs
- Radware DefensePro Logs
- Rapid7
- Redis
- Rubrik RSC Metrics Integration
- Salesforce
- SentinelOne
- ServiceNow
- Slack Logs
- Snort
- Snyk
- SonicWall Firewall
- Sophos
- Spring Boot
- SpyCloud Enterprise Protection
- SQL Input
- Squid Logs
- SRX
- STAN
- Statsd Input
- Sublime Security
- Suricata
- StormShield SNS
- Symantec
- Symantec Endpoint Security
- Sysmon for Linux
- Sysdig
- Syslog Router Integration
- System
- System Audit
- Tanium
- TCP Logs (custom)
- Teleport
- Tenable
- Threat intelligence
- ThreatConnect
- Threat Map
- Thycotic Secret Server
- Tines
- Traefik
- Trellix
- Trend Micro
- TYCHON Agentless
- UDP Logs (custom)
- Universal Profiling
- Vectra Detect
- VMware
- WatchGuard Firebox
- WebSphere Application Server
- Windows
- Wiz
- Zeek
- ZeroFox
- Zero Networks
- ZooKeeper Metrics
- Zoom
- Zscaler
Cisco Umbrella Integration
editCisco Umbrella Integration
editVersion |
1.28.0 (View all) |
Compatible Kibana version(s) |
8.16.2 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Elastic |
This integration is for Cisco Umbrella. It includes the following datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS:
-
log
dataset: supports Cisco Umbrella logs.
Logs
editUmbrella
editWhen using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically.
The log
dataset collects Cisco Umbrella logs.
Example
An example event for log
looks as following:
{ "@timestamp": "2024-03-14T18:59:23.000Z", "agent": { "ephemeral_id": "4b522414-3f7d-4cec-a7f7-7df2a87de0c9", "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "aws": { "s3": { "bucket": { "arn": "arn:aws:s3:::elastic-package-cisco-umbrella-bucket-37380", "name": "elastic-package-cisco-umbrella-bucket-37380" }, "object": { "key": "auditlogs.log" } } }, "cisco": { "umbrella": { "audit": { "after": [ "includeAuditLog: 1" ], "after_values": { "includeAuditLog": "1" }, "type": "logexportconfigurations" } } }, "cloud": { "provider": "", "region": "us-east-1" }, "data_stream": { "dataset": "cisco_umbrella.log", "namespace": "27145", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, "event": { "action": "update", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_umbrella.log", "id": "1757843536", "ingested": "2024-06-12T03:03:50Z", "kind": "event", "original": "\"1757843536\",\"2024-03-14 18:59:23\",\"admin@company.com\",\"Administrator\",\"logexportconfigurations\",\"update\",\"81.2.69.144\",\"\",\"includeAuditLog: 1\n\"", "type": [ "change" ] }, "input": { "type": "aws-s3" }, "log": { "file": { "path": "https://elastic-package-cisco-umbrella-bucket-37380.s3.us-east-1.amazonaws.com/auditlogs.log" }, "offset": 529 }, "observer": { "product": "Umbrella", "vendor": "Cisco" }, "related": { "ip": [ "81.2.69.144" ], "user": [ "Administrator" ] }, "source": { "address": "81.2.69.144", "geo": { "city_name": "London", "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", "location": { "lat": 51.5142, "lon": -0.0931 }, "region_iso_code": "GB-ENG", "region_name": "England" }, "ip": "81.2.69.144" }, "tags": [ "preserve_original_event", "cisco-umbrella", "forwarded" ], "user": { "email": "admin@company.com", "id": "admin@company.com", "name": "Administrator" } }
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
aws.s3.bucket.arn |
The AWS S3 bucket ARN. |
keyword |
aws.s3.bucket.name |
The AWS S3 bucket name. |
keyword |
aws.s3.object.key |
The AWS S3 Object key. |
keyword |
cisco.umbrella.action |
Whether the request was allowed or blocked. |
keyword |
cisco.umbrella.amp_disposition |
The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. |
keyword |
cisco.umbrella.amp_malware_name |
If Malicious, the name of the malware according to AMP. |
keyword |
cisco.umbrella.amp_score |
The score of the malware from AMP. This field is not currently used and will be blank. |
keyword |
cisco.umbrella.audit.after |
The policy or setting after the change was made. |
keyword |
cisco.umbrella.audit.after_values.* |
The individual values of the policy or setting after the change was made. |
object |
cisco.umbrella.audit.before |
The policy or setting before the change was made. |
keyword |
cisco.umbrella.audit.before_values.* |
The individual values of the policy or setting before the change was made. |
object |
cisco.umbrella.audit.type |
Where the change was made, such as settings or a policy. |
keyword |
cisco.umbrella.av_detections |
The detection name according to the antivirus engine used in file inspection. |
keyword |
cisco.umbrella.blocked_categories |
The categories that resulted in the destination being blocked. Available in version 4 and above. |
keyword |
cisco.umbrella.categories |
The security or content categories that the destination matches. |
keyword |
cisco.umbrella.certificate_errors |
Any certificate or protocol errors in the request. |
keyword |
cisco.umbrella.classification |
The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown. |
keyword |
cisco.umbrella.cves |
A list of information about security vulnerabilities and exposures. |
keyword |
cisco.umbrella.data_classification |
The data classification whose data identifier matched on the violation. |
keyword |
cisco.umbrella.data_identifier |
The data identifier that matched on the request. |
keyword |
cisco.umbrella.datacenter |
The name of the Umbrella Data Center that processed the user-generated traffic. |
keyword |
cisco.umbrella.destination_lists_id |
The ID number umbrella assigns to a destination list. |
keyword |
cisco.umbrella.dlp_status |
If the request was Blocked for DLP. |
keyword |
cisco.umbrella.file_action |
The action taken on a file in a remote browser isolation session. |
keyword |
cisco.umbrella.file_label |
The file name label that matched on the file properties. |
keyword |
cisco.umbrella.fqdns |
The fully qualified domain names (FQDNs) that match the request. |
keyword |
cisco.umbrella.gid |
Unique ID assigned to the part of the IPS which generated the event. |
keyword |
cisco.umbrella.identities |
An array of the different identities related to the event. |
keyword |
cisco.umbrella.identity |
The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user) |
keyword |
cisco.umbrella.identity_types |
The type of identity that made the request. For example, Roaming Computer or Network. |
keyword |
cisco.umbrella.isolate_action |
The remote browser isolation state associated with the request. |
keyword |
cisco.umbrella.message |
A brief description of the signature. |
keyword |
cisco.umbrella.origin_id |
The unique identity of the network tunnel. |
keyword |
cisco.umbrella.policy_identity_type |
The first identity type matched with this request. Available in version 3 and above. |
keyword |
cisco.umbrella.puas |
A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. |
keyword |
cisco.umbrella.ruleset_id |
The ID number assigned to the ruleset by Umbrella. |
keyword |
cisco.umbrella.severity |
The severity level of the rule, such as High, Medium, Low, and Very Low. |
keyword |
cisco.umbrella.sha_sha256 |
Hex digest of the response content. |
keyword |
cisco.umbrella.sid |
Used to uniquely identify signatures. |
keyword |
cisco.umbrella.signature_list_id |
Unique ID assigned to a Default or Custom Signature List. |
keyword |
cisco.umbrella.warn_status |
The warn page state associated with the request. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
Event dataset |
constant_keyword |
event.module |
Event module |
constant_keyword |
host.containerized |
If the host is a container. |
boolean |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.offset |
long |
Changelog
editChangelog
Version | Details | Kibana version(s) |
---|---|---|
1.28.0 |
Enhancement (View pull request) |
8.16.2 or higher |
1.27.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.26.2 |
Bug fix (View pull request) |
8.13.0 or higher |
1.26.1 |
Bug fix (View pull request) |
8.13.0 or higher |
1.26.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.25.1 |
Bug fix (View pull request) |
8.13.0 or higher |
1.25.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.24.1 |
Bug fix (View pull request) |
8.12.0 or higher |
1.24.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.23.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.22.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.21.2 |
Enhancement (View pull request) |
8.4.0 or higher |
1.21.1 |
Bug fix (View pull request) |
8.4.0 or higher |
1.21.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.20.1 |
Bug fix (View pull request) |
8.4.0 or higher |
1.20.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.19.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.18.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.17.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.16.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.15.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.14.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.13.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.12.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.11.1 |
Bug fix (View pull request) |
8.4.0 or higher |
1.11.0 |
Enhancement (View pull request) |
8.4.0 or higher |
1.10.1 |
Enhancement (View pull request) |
8.0.0 or higher |
1.10.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.9.2 |
Bug fix (View pull request) |
8.0.0 or higher |
1.9.1 |
Bug fix (View pull request) |
8.0.0 or higher |
1.9.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.8.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.7.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.6.2 |
Enhancement (View pull request) |
8.0.0 or higher |
1.6.1 |
Enhancement (View pull request) |
8.0.0 or higher |
1.6.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.5.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.4.2 |
Enhancement (View pull request) |
8.0.0 or higher |
1.4.1 |
Bug fix (View pull request) |
8.0.0 or higher |
1.4.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.3.3 |
Enhancement (View pull request) |
8.0.0 or higher |
1.3.2 |
Bug fix (View pull request) |
8.0.0 or higher |
1.3.1 |
Bug fix (View pull request) |
8.0.0 or higher |
1.3.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.2.2 |
Bug fix (View pull request) |
8.0.0 or higher |
1.2.1 |
Enhancement (View pull request) |
8.0.0 or higher |
1.2.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.1.0 |
Enhancement (View pull request) |
8.0.0 or higher |
1.0.1 |
Enhancement (View pull request) |
8.0.0 or higher |
1.0.0 |
Enhancement (View pull request) |
8.0.0 or higher |
0.7.0 |
Enhancement (View pull request) |
— |
0.6.1 |
Bug fix (View pull request) |
— |
0.6.0 |
Enhancement (View pull request) |
— |
0.5.1 |
Enhancement (View pull request) |
— |
0.5.0 |
Enhancement (View pull request) |
— |
0.4.0 |
Bug fix (View pull request) |
— |
0.3.2 |
Bug fix (View pull request) |
— |
0.3.1 |
Bug fix (View pull request) |
— |
0.3.0 |
Enhancement (View pull request) |
— |
0.2.2 |
Enhancement (View pull request) |
— |
0.2.1 |
Bug fix (View pull request) |
— |
0.2.0 |
Enhancement (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now