Has anyone successfully integrated Cisco Umbrella DNS logs into Nitro?
The feedback I've received from Cisco is to access the logs through an AWS S3 dump. I'd prefer more direct (on-prem) delivery, but either way I don't see how to do the integration.
It's a different kind of world with the cloud. People poking holes in their firewalls to let their logs back in is a weird phenomenon. I took a cursory look at Umbrella and it looks like S3 is the only game in town. I'm happy to help find a way to get the logs in if I have the data. Here is the info I found: Cisco Umbrella Log Management in Amazon S3 – Cisco Umbrella. You know how to find me.
One further question: if you had your SIEM instance in a different cloud (Azure for argument's sake), how difficult would it be to ingest the data from Umbrella? (Recollection says that cloud-to-cloud transfers can get rather expensive.)
I'm not sure it matters where your SIEM lives in this case. Using the S3 download tool, you end up with a log file. That file can be dropped on a share or forwarded via syslog to the SIEM whether it's local or in the cloud.
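The pipeline described in the reply above (download the gzipped DNS log objects from the Umbrella S3 bucket, turn them into a log file, forward to the SIEM via syslog) can be scripted in a few dozen lines. The following is an added example written for this thread, not code from Cisco, McAfee, or any poster. It assumes the documented Umbrella DNS log CSV column order (timestamp, most granular identity, identities, internal IP, external IP, action, query type, response code, domain, categories; verify against your own tenant's files), emits CEF lines because most SIEMs have a generic CEF parser, and uses a constructed two-row sample in place of a real S3 object so it runs offline. The optional `fetch_s3_objects` helper uses the standard boto3 calls and is only needed when pulling from the real bucket.

```python
import csv
import gzip
import io
import socket
from datetime import datetime, timezone

# Assumed Umbrella DNS log column order (check against your tenant's files).
DNS_FIELDS = [
    "timestamp", "most_granular_identity", "identities", "internal_ip",
    "external_ip", "action", "query_type", "response_code", "domain", "categories",
]

# Constructed sample standing in for one downloaded dnslogs/*.csv.gz object.
SAMPLE_CSV = (
    '"2021-03-01 10:15:42","laptop-01","laptop-01,Corp Network","10.1.2.3",'
    '"203.0.113.10","Allowed","1 (A)","NOERROR","example.com.","Software/Technology"\n'
    '"2021-03-01 10:15:43","laptop-02","laptop-02,Corp Network","10.1.2.4",'
    '"203.0.113.10","Blocked","1 (A)","NOERROR","malicious.example.net.","Malware"\n'
)
SAMPLE_GZ = gzip.compress(SAMPLE_CSV.encode())


def fetch_s3_objects(bucket, prefix="dnslogs/"):
    """Yield the raw bytes of every object under the prefix (requires boto3 + credentials)."""
    import boto3  # imported lazily so the rest of the module runs without it
    s3 = boto3.client("s3")
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            yield s3.get_object(Bucket=bucket, Key=obj["Key"])["Body"].read()


def parse_dns_log(gz_bytes):
    """Decompress one log object and yield one dict per DNS event, skipping short rows."""
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", newline="") as fh:
        for row in csv.reader(fh):
            if len(row) < len(DNS_FIELDS):
                continue  # truncated or unexpected row: drop rather than forward garbage
            yield dict(zip(DNS_FIELDS, row))


def _cef_header(value):
    # Pipe and backslash are the only characters that must be escaped in the header.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # Extension values must escape backslash, equals sign and newlines.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(event):
    """Render one Umbrella DNS event as a CEF line (Blocked queries get a higher severity)."""
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    severity = 7 if event["action"] == "Blocked" else 3
    extensions = [
        ("rt", str(int(ts.timestamp() * 1000))),   # CEF receipt time in epoch ms
        ("src", event["internal_ip"]),
        ("suser", event["most_granular_identity"]),
        ("dhost", event["domain"].rstrip(".")),    # strip the trailing root dot
        ("act", event["action"]),
        ("outcome", event["response_code"]),
        ("cs1", event["query_type"]), ("cs1Label", "queryType"),
        ("cs2", event["categories"]), ("cs2Label", "categories"),
    ]
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in extensions)
    return f"CEF:0|Cisco|Umbrella|1|dns|{_cef_header(event['action'])}|{severity}|{ext}"


def process_log_object(gz_bytes):
    """Convert one downloaded object into a list of CEF lines ready for syslog."""
    return [to_cef(e) for e in parse_dns_log(gz_bytes)]


def forward_syslog(messages, host, port=514, pri=14):
    """Send each line as a UDP syslog datagram; PRI 14 is facility user, severity info."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(f"<{pri}>{msg}".encode(), (host, port))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in fetch_s3_objects(...)
    # and forward_syslog(lines, "siem.example.internal") for a live pipeline.
    for line in process_log_object(SAMPLE_GZ):
        print(line)
```

Because the script only needs outbound access to S3 and to the syslog receiver, it can run on a small collector host inside the network, which answers the "poking holes in the firewall" concern: nothing has to be exposed inbound. Where the SIEM is in another cloud, the transfer that costs money is the collector-to-SIEM syslog stream, so placing the collector next to the SIEM and letting it pull from S3 keeps that hop cheap.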
OK, long time since, but this is broadly how we did it (bear in mind this is for an MSSP operation).
Commercial limitations prevent me offering much more than that, but that's the outline.
2021 and there's still no official datasource - sheesh...