Documentation Center
AlienVault® USM Anywhere™

Cisco Umbrella

When you configure Cisco Umbrella (formerly, OpenDNS) integration to send log data to USM Anywhere, you can use the Cisco Umbrella plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Cisco
Device type Antivirus
Connection type S3
Vendor link https://support.umbrella.com/hc/en-us/articles/231248448

Before the USM Anywhere can collect the Umbrella log data, you must set up Amazon S3 log management in your Cisco Umbrella deployment. This requires that you have an S3 bucket in an AWS account that is configured to accept uploads from the Umbrella Service. For detailed information about this configuration, refer to this article: https://support.umbrella.com/hc/en-us/articles/231248448-Cisco-Umbrella-Log-Management-in-Amazon-S3

To verify Amazon S3 log management in Cisco Umbrella

  1. Log into the Cisco Umbrella (OpenDNS) dashboard.
  2. Navigate to Settings > Log Management.
  3. Click Amazon S3.
  4. In the Bucket Name field, enter the exact S3 bucket name.
  5. Click Verify.

    A confirmation message in the dashboard will indicate that the bucket was successfully verified.

Plugin Enablement

This procedure configures Cisco Umbrella (formerly, OpenDNS) to send log data to a USM Anywhere AWS sensor. By design, Cisco Umbrella will only export log data to a AWS S3 bucket; therefore, accessing this data requires a deployed AWS sensor.

Note: If you want to deploy a sensor to facilitate Cisco Umbrella log collection, see AWS Sensor Deployment.

To schedule an S3 bucket log collection job

  1. Go to SETTINGS > SCHEDULER.
  2. In the left navigation list, click Log Collection.

    Note: You can use the Sensor filter at the top of the list to choose your AWS sensor to easily review the current AWS log jobs.

  3. Click Create Log Collection Job.

    Click Create Log Collection Job to add a scheduled log collection job

    Note: If you recently deployed a new Sensor, it can take 10 to 20 minutes for USM Anywhere to discover the various log sources. After it discovers the logs, you must manually enable the AWS log collection jobs you want before the system collects the log data.

  4. Enter the Name and Description for the job.

    The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

  5. For the Select App option, select Amazon Web Services.
  6. For the App Action option, select Monitor S3 bucket.

    Select the Monitor S3 Bucket app action

  7. In the Bucket Name field, enter the name of the S3 bucket that is configured in Cisco Umbrella log management.
  8. In the Path field, enter the path on the bucket where the logs reside (in this case, dnslogs/).
  9. For the Source Format option, select raw.
  10. For the Plugin option, select Cisco Umbrella.

    Set Monitor S3 Bucket options for collecting the Cisco Umbrella log data

  11. Set the Schedule to specify when USM Anywhere runs the job.

    First, choose the increment as Hour, Day, Week, Month, or Year. Next, set the interval options for the increment. The selected increment determines the available options.

    For example, on a weekly increment you can select the days of the week to run the job.

    Set the schedule for the job to run each week

    Or, on a monthly increment you can specify a date or a day of the week that occurs within the month.

    Set the schedule for the job to run each month

    To finish, set the Start time. This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (default is UTC).

  12. Click Save.

    You should start seeing new Cisco Umbrella events in USM Anywhere shortly after the initial raw log data collection and normalization.

After the first log collection job completes and USM Anywhere retrieves and normalizes the raw log data from Cisco Umbrella, these events start appearing in the Events dashboard view. To provide a more focused view of these events, the Cisco Umbrella dashboard is available under DASHBOARDS in the top navigation menu.

View the Cisco Umbrella dashboard in USM Anywhere

Available Plugin Fields

The Cisco Umbrella plugin provides support for multiple fields, which are important attributes extracted from the message. These fields are used in USM Anywhere reports and can be referenced when creating custom reports. In addition to reporting, the fields are also used by the USM Anywhere correlation rules.

Note: The custom fields are prefilled according to the values described. You cannot change them.

  • source_zone
  • security_group_name
  • content_category
  • dns_rcode
  • dns_rrname
  • dns_rrtype
  • event_action
  • event_name
  • plugin_device
  • rep_device_hostname
  • security_group_name
  • source_address
  • source_nat_address
  • customfield_1 → Resource Type ID*
  • customfield_2 → Resource Type Description*
  • customheader_1
  • customheader_2

----------------------------

* customfield_1 and 2 contain the actual values for Resource Type ID and Resource Type Description.

customheader_1 and 2 contain the words Resource Type ID and Description.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

Cisco Umbrella Knowledge Base