Cisco Umbrella Integration

Version	1.27.0 (View all)
Compatible Kibana version(s)	8.13.0 or higher
Supported Serverless project types What’s this?	Security Observability
Subscription level What’s this?	Basic
Level of support What’s this?	Elastic

This integration is for Cisco Umbrella. It includes the following datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS:

log dataset: supports Cisco Umbrella logs.

Logs

edit

Umbrella

edit

When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically.

The log dataset collects Cisco Umbrella logs.

Example

An example event for log looks as following:

{
    "@timestamp": "2024-03-14T18:59:23.000Z",
    "agent": {
        "ephemeral_id": "4b522414-3f7d-4cec-a7f7-7df2a87de0c9",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "aws": {
        "s3": {
            "bucket": {
                "arn": "arn:aws:s3:::elastic-package-cisco-umbrella-bucket-37380",
                "name": "elastic-package-cisco-umbrella-bucket-37380"
            },
            "object": {
                "key": "auditlogs.log"
            }
        }
    },
    "cisco": {
        "umbrella": {
            "audit": {
                "after": [
                    "includeAuditLog: 1"
                ],
                "after_values": {
                    "includeAuditLog": "1"
                },
                "type": "logexportconfigurations"
            }
        }
    },
    "cloud": {
        "provider": "",
        "region": "us-east-1"
    },
    "data_stream": {
        "dataset": "cisco_umbrella.log",
        "namespace": "27145",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "update",
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "dataset": "cisco_umbrella.log",
        "id": "1757843536",
        "ingested": "2024-06-12T03:03:50Z",
        "kind": "event",
        "original": "\"1757843536\",\"2024-03-14 18:59:23\",\"admin@company.com\",\"Administrator\",\"logexportconfigurations\",\"update\",\"81.2.69.144\",\"\",\"includeAuditLog: 1\n\"",
        "type": [
            "change"
        ]
    },
    "input": {
        "type": "aws-s3"
    },
    "log": {
        "file": {
            "path": "https://elastic-package-cisco-umbrella-bucket-37380.s3.us-east-1.amazonaws.com/auditlogs.log"
        },
        "offset": 529
    },
    "observer": {
        "product": "Umbrella",
        "vendor": "Cisco"
    },
    "related": {
        "ip": [
            "81.2.69.144"
        ],
        "user": [
            "Administrator"
        ]
    },
    "source": {
        "address": "81.2.69.144",
        "geo": {
            "city_name": "London",
            "continent_name": "Europe",
            "country_iso_code": "GB",
            "country_name": "United Kingdom",
            "location": {
                "lat": 51.5142,
                "lon": -0.0931
            },
            "region_iso_code": "GB-ENG",
            "region_name": "England"
        },
        "ip": "81.2.69.144"
    },
    "tags": [
        "preserve_original_event",
        "cisco-umbrella",
        "forwarded"
    ],
    "user": {
        "email": "admin@company.com",
        "id": "admin@company.com",
        "name": "Administrator"
    }
}

Exported fields

Field	Description	Type
@timestamp	Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.	date
aws.s3.bucket.arn	The AWS S3 bucket ARN.	keyword
aws.s3.bucket.name	The AWS S3 bucket name.	keyword
aws.s3.object.key	The AWS S3 Object key.	keyword
cisco.umbrella.action	Whether the request was allowed or blocked.	keyword
cisco.umbrella.amp_disposition	The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.	keyword
cisco.umbrella.amp_malware_name	If Malicious, the name of the malware according to AMP.	keyword
cisco.umbrella.amp_score	The score of the malware from AMP. This field is not currently used and will be blank.	keyword
cisco.umbrella.audit.after	The policy or setting after the change was made.	keyword
cisco.umbrella.audit.after_values.*	The individual values of the policy or setting after the change was made.	object
cisco.umbrella.audit.before	The policy or setting before the change was made.	keyword
cisco.umbrella.audit.before_values.*	The individual values of the policy or setting before the change was made.	object
cisco.umbrella.audit.type	Where the change was made, such as settings or a policy.	keyword
cisco.umbrella.av_detections	The detection name according to the antivirus engine used in file inspection.	keyword
cisco.umbrella.blocked_categories	The categories that resulted in the destination being blocked. Available in version 4 and above.	keyword
cisco.umbrella.categories	The security or content categories that the destination matches.	keyword
cisco.umbrella.certificate_errors	Any certificate or protocol errors in the request.	keyword
cisco.umbrella.classification	The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown.	keyword
cisco.umbrella.cves	A list of information about security vulnerabilities and exposures.	keyword
cisco.umbrella.data_classification	The data classification whose data identifier matched on the violation.	keyword
cisco.umbrella.data_identifier	The data identifier that matched on the request.	keyword
cisco.umbrella.datacenter	The name of the Umbrella Data Center that processed the user-generated traffic.	keyword
cisco.umbrella.destination_lists_id	The ID number umbrella assigns to a destination list.	keyword
cisco.umbrella.dlp_status	If the request was Blocked for DLP.	keyword
cisco.umbrella.file_action	The action taken on a file in a remote browser isolation session.	keyword
cisco.umbrella.file_label	The file name label that matched on the file properties.	keyword
cisco.umbrella.fqdns	The fully qualified domain names (FQDNs) that match the request.	keyword
cisco.umbrella.gid	Unique ID assigned to the part of the IPS which generated the event.	keyword
cisco.umbrella.identities	An array of the different identities related to the event.	keyword
cisco.umbrella.identity	The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user)	keyword
cisco.umbrella.identity_types	The type of identity that made the request. For example, Roaming Computer or Network.	keyword
cisco.umbrella.isolate_action	The remote browser isolation state associated with the request.	keyword
cisco.umbrella.message	A brief description of the signature.	keyword
cisco.umbrella.origin_id	The unique identity of the network tunnel.	keyword
cisco.umbrella.policy_identity_type	The first identity type matched with this request. Available in version 3 and above.	keyword
cisco.umbrella.puas	A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.	keyword
cisco.umbrella.ruleset_id	The ID number assigned to the ruleset by Umbrella.	keyword
cisco.umbrella.severity	The severity level of the rule, such as High, Medium, Low, and Very Low.	keyword
cisco.umbrella.sha_sha256	Hex digest of the response content.	keyword
cisco.umbrella.sid	Used to uniquely identify signatures.	keyword
cisco.umbrella.signature_list_id	Unique ID assigned to a Default or Custom Signature List.	keyword
cisco.umbrella.warn_status	The warn page state associated with the request.	keyword
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
event.dataset	Event dataset	constant_keyword
event.module	Event module	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Type of Filebeat input.	keyword
log.offset		long

Changelog

edit

Changelog

Version	Details	Kibana version(s)
1.27.0	Enhancement (View pull request) Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".	8.13.0 or higher
1.26.2	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	8.13.0 or higher
1.26.1	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	8.13.0 or higher
1.26.0	Enhancement (View pull request) Allow @custom pipeline access to event.original without setting preserve_original_event.	8.13.0 or higher
1.25.1	Bug fix (View pull request) Make file_selectors configurable to prevent parsers from being unintentionally overwritten.	8.13.0 or higher
1.25.0	Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.	8.13.0 or higher
1.24.1	Bug fix (View pull request) Fix sample event.	8.12.0 or higher
1.24.0	Enhancement (View pull request) Make `event.category` field conform to ECS field definition.	8.12.0 or higher
1.23.0	Enhancement (View pull request) Add dashboards.	8.12.0 or higher
1.22.0	Enhancement (View pull request) Set sensitive values as secret.	8.12.0 or higher
1.21.2	Enhancement (View pull request) Changed owners	8.4.0 or higher
1.21.1	Bug fix (View pull request) Fix handling of intermediate data while processing email identities.	8.4.0 or higher
1.21.0	Enhancement (View pull request) ECS version updated to 8.11.0.	8.4.0 or higher
1.20.1	Bug fix (View pull request) Add missing fields from beats input	8.4.0 or higher
1.20.0	Enhancement (View pull request) Improve event.original check to avoid errors if set.	8.4.0 or higher
1.19.0	Enhancement (View pull request) ECS version updated to 8.10.0.	8.4.0 or higher
1.18.0	Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.	8.4.0 or higher
1.17.0	Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.4.0 or higher
1.16.0	Enhancement (View pull request) Update package to ECS 8.9.0.	8.4.0 or higher
1.15.0	Enhancement (View pull request) Document duration units.	8.4.0 or higher
1.14.0	Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors.	8.4.0 or higher
1.13.0	Enhancement (View pull request) Update package to ECS 8.8.0.	8.4.0 or higher
1.12.0	Enhancement (View pull request) Lowercase host.name field	8.4.0 or higher
1.11.1	Bug fix (View pull request) Handle user identities with extended email values.	8.4.0 or higher
1.11.0	Enhancement (View pull request) Update package-spec version to 2.7.0.	8.4.0 or higher
1.10.1	Enhancement (View pull request) Add Mobile Devices as hosts	8.0.0 or higher
1.10.0	Enhancement (View pull request) Update package to ECS 8.7.0.	8.0.0 or higher
1.9.2	Bug fix (View pull request) Revert Umbrella S3 multiline.	8.0.0 or higher
1.9.1	Bug fix (View pull request) Fix indentation.	8.0.0 or higher
1.9.0	Enhancement (View pull request) Add DLP and intrusion datasets.	8.0.0 or higher
1.8.0	Enhancement (View pull request) Release Cisco Umbrella datastream as GA.	8.0.0 or higher
1.7.0	Enhancement (View pull request) Split identity types.	8.0.0 or higher
1.6.2	Enhancement (View pull request) Add v8 proxy log CSV fields	8.0.0 or higher
1.6.1	Enhancement (View pull request) Added categories and/or subcategories.	8.0.0 or higher
1.6.0	Enhancement (View pull request) Update package to ECS 8.6.0.	8.0.0 or higher
1.5.0	Enhancement (View pull request) Update package to ECS 8.5.0.	8.0.0 or higher
1.4.2	Enhancement (View pull request) Remove duplicate field.	8.0.0 or higher
1.4.1	Bug fix (View pull request) Remove hint for cisco managed s3 Bucket List Prefix	8.0.0 or higher
1.4.0	Enhancement (View pull request) Expose Default Region setting to UI	8.0.0 or higher
1.3.3	Enhancement (View pull request) Use ECS geo.location definition.	8.0.0 or higher
1.3.2	Bug fix (View pull request) Fix proxy log CSV fields	8.0.0 or higher
1.3.1	Bug fix (View pull request) Set default endpoint to empty string	8.0.0 or higher
1.3.0	Enhancement (View pull request) Update package to ECS 8.4.0	8.0.0 or higher
1.2.2	Bug fix (View pull request) Fix proxy URL documentation rendering.	8.0.0 or higher
1.2.1	Enhancement (View pull request) Add missing proxy config to S3 input	8.0.0 or higher
1.2.0	Enhancement (View pull request) Enrich DNS fields	8.0.0 or higher
1.1.0	Enhancement (View pull request) Update package to ECS 8.3.0.	8.0.0 or higher
1.0.1	Enhancement (View pull request) Update to readme. added link to Cisco documentation	8.0.0 or higher
1.0.0	Enhancement (View pull request) Make GA	8.0.0 or higher
0.7.0	Enhancement (View pull request) Add Audit Logs	—
0.6.1	Bug fix (View pull request) Fix use of destination.ip instead of source.nat.ip in DNS logs	—
0.6.0	Enhancement (View pull request) Update to ECS 8.2	—
0.5.1	Enhancement (View pull request) Add documentation for multi-fields	—
0.5.0	Enhancement (View pull request) Update to ECS 8.0	—
0.4.0	Bug fix (View pull request) Update config to support Cisco Managed S3	—
0.3.2	Bug fix (View pull request) Regenerate test files using the new GeoIP database	—
0.3.1	Bug fix (View pull request) Change test public IPs to the supported subset	—
0.3.0	Enhancement (View pull request) Add 8.0.0 version constraint	—
0.2.2	Enhancement (View pull request) Update Title and Description.	—
0.2.1	Bug fix (View pull request) Fix logic that checks for the forwarded tag	—
0.2.0	Enhancement (View pull request) Update to ECS 1.12.0	—
0.1.0	Enhancement (View pull request) Initial migration from Filebeat Module	—

« Cisco Secure Endpoint Integration Cisco Meraki Metrics Integration »