AlienVault® USM Anywhere™

Cisco Umbrella

When you configure Cisco Umbrella (formerly, OpenDNS) integration to send log data to USM Anywhere, you can use the Cisco Umbrella plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Cisco
Device type Antivirus
Connection type S3
Vendor link https://support.umbrella.com/hc/en-us/articles/231248448

Before the USM Anywhere can collect the Umbrella log data, you must set up Amazon Simple Storage Service (S3) log management in your Cisco Umbrella deployment. This requires that you have a self-managed Amazon S3 bucket in an Amazon Web Service (AWS) account that is configured to accept uploads from the Umbrella Service. For detailed information about this configuration, refer to this article: https://support.umbrella.com/hc/en-us/articles/231248448-Cisco-Umbrella-Log-Management-in-Amazon-S3#self-bucket

Note: USM Anywhere currently does not support the Cisco-managed buckets in Amazon S3.

To verify Amazon S3 log management in Cisco Umbrella

  1. Log in to the Cisco Umbrella (OpenDNS) dashboard.
  2. Go to Settings > Log Management.
  3. Click Amazon S3.
  4. In the Bucket Name field, enter the exact Amazon S3 bucket name.
  5. Click Verify.

    A confirmation message in the dashboard indicates that the bucket has been successfully verified.

Plugin Enablement

This procedure configures Cisco Umbrella (formerly, OpenDNS) to send log data to a USM Anywhere AWS sensor. By design, Cisco Umbrella will only export log data to a AWS S3 bucket; therefore, accessing this data requires a deployed AWS sensor.

Note: If you want to deploy a sensor to facilitate Cisco Umbrella log collection, see AWS Sensor Deployment.

To schedule an S3 bucket log collection job

  1. Go to Settings > Scheduler.
  2. In the left navigation list, click Log Collection.

    Note: You can use the Sensor filter at the top of the list to review the available log collection jobs on your AWS sensorGoogle Cloud Platform (GCP) Sensor.

  3. Click Create Log Collection Job.

    Click Create Log Collection Job to add a scheduled log collection job

    Click Create Log Collection Job to add a scheduled log collection job

    Note: If you recently deployed a new USM Anywhere Sensor, it can take 10 to 20 minutes for USM Anywhere to discover the various log sources. After it discovers the logs, you must manually enable the AWS GCP log collection jobs you want before the system collects the log data.

  4. Enter the name and description for the job.

    The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

  5. For the Action Type option, select Amazon Web Services.
  6. Select the USM Anywhere Sensor for the job to run on.
  7. For the App Action option, select Monitor S3 bucket.

    Select the Monitor S3 Bucket app action

  8. In the Bucket Name field, enter the name of the Amazon S3 bucket that is configured in Cisco Umbrella log management.
  9. In the Path field, enter the path on the bucket where the logs reside (in this case, dnslogs/).
  10. For the Source Format option, select raw.
  11. For the Plugin option, select Cisco Umbrella.

    Set Monitor S3 Bucket options for collecting the Cisco Umbrella log data

  12. In the Schedule section, specify when USM Anywhere runs the job:

    1. Select the increment as Hour, Day, Week, Month, or Year.
    2. Set the interval options for the increment. The selected increment determines the available options.

      For example, on a weekly increment you can select the days of the week to run the job.

      Set the schedule for the job to run each week

      Or, on a monthly increment you can specify a date or a day of the week that occurs within the month.

      Set the schedule for the job to run each month

    3. Set the Start time.

      This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (default is UTC).

  13. Click Save.

    You should start seeing new Cisco Umbrella events in USM Anywhere shortly after the initial raw log data collection and normalization.

After the first log collection job completes and USM Anywhere retrieves and normalizes the raw log data from Cisco Umbrella, these events start appearing in the Events dashboard view. To provide a more focused view of these events, the Cisco Umbrella dashboard is available under Dashboards in the top navigation menu.

View the Cisco Umbrella dashboard in USM Anywhere

Available Plugin Fields

The Cisco Umbrella plugin provides support for multiple fields, which are important attributes extracted from the message. These fields are used in USM Anywhere reports and can be referenced when creating custom reports. In addition to reporting, the fields are also used by the USM Anywhere correlation rules.

Note: The custom fields are prefilled according to the values described. You cannot change them.

  • source_zone
  • security_group_name
  • content_category
  • dns_rcode
  • dns_rrname
  • dns_rrtype
  • event_action
  • event_name
  • plugin_device
  • rep_device_hostname
  • security_group_name
  • source_address
  • source_nat_address
  • customfield_1 → Resource Type ID*
  • customfield_2 → Resource Type Description*
  • customheader_1
  • customheader_2

----------------------------

* customfield_1 and 2 contain the actual values for Resource Type ID and Resource Type Description.

customheader_1 and 2 contain the words Resource Type ID and Description.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

Cisco Umbrella Knowledge Base