rbroom
Level 7

Cisco Umbrella Integration

Has anyone successfully integrated Cisco Umbrella DNS logs into Nitro?

The feedback I've received from Cisco is to access the logs through an AWS S3 dump. I'd prefer more direct (on-prem) delivery, but either way I don't see how to do the integration.

6 Replies
andy777
McAfee Employee

Re: Cisco Umbrella Integration

Hey Ralph!

It's a different kind of world with the cloud. People poking holes in their firewalls to let their logs back in is a weird phenomenon. I took a cursory look at Umbrella and it looks like S3 is the only game in town. I'm happy to help find a way to get the logs in if I have the data. Here is the info I found: Cisco Umbrella Log Management in Amazon S3 – Cisco Umbrella. You know how to find me.

rbroom
Level 7

Re: Cisco Umbrella Integration

Thanks Andy! Reading through their docs I arrived at the page that describes the log file format.

Log Management Export Format – Cisco Umbrella

andy777
McAfee Employee

Re: Cisco Umbrella Integration

Here are some rules that will parse the examples.

Are you able to get the S3 connector working to get the files into a directory for some sort of Receiver access?

jamesmac
Level 10

Re: Cisco Umbrella Integration

Hi Andy,

One further question: if you had your SIEM instance in a different cloud (Azure for argument's sake), how difficult would it be to ingest the data from Umbrella? (recollection says that cloud to cloud transfers can get rather expensive)

andy777
McAfee Employee

Re: Cisco Umbrella Integration

I'm not sure it matters where your SIEM lives in this case. Using the S3 download tool, you end up with a log file. That file can be dropped on a share or forwarded via syslog to the SIEM whether it's local or in the cloud.

jamesmac
Level 10

Re: Cisco Umbrella Integration

OK, long time since, but this is broadly how we did it (bear in mind this is for an MSSP operation):

  • Set up an S3 bucket.
  • Get a small Win10 PC and put it on the network you're collecting from.
  • Install TntDrive on it - this effectively maps the S3 bucket as a Windows share
  • Create a folder on C: and Robocopy the data into it.
  • Create a second folder on C:
  • Install 7-Zip. Write a batch script to extract the relevant *.CSV files from the first C: folder to the second.
  • Install FileZilla server.
  • Point the SIEM data source at the second C: folder and pull the data.
  • Parse it.

Commercial limitations prevent me offering much more than that, but that's the outline.

2021 and there's still no official datasource - sheesh...

James 
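As an added example (not code from this thread or from Cisco), here is what the last two steps of James's outline, "extract the relevant *.CSV files" and "Parse it", look like in a script once the S3 connector or TntDrive copy has put the gzipped export files on local disk. It also serves the format question raised earlier in the thread: the column layout assumed below is the ten quoted, headerless columns of Cisco's v1 DNS log export (timestamp, most granular identity, identities, internal IP, external IP, action, query type, response code, domain, categories); that layout and the sample rows are constructed for the example and should be checked against the Log Management Export Format page for your Umbrella version. The syslog-style key=value rendering at the end is a generic format chosen for the example, not a Nitro/ESM-specific one.

```python
import csv
import gzip
import io
from collections import Counter
from datetime import datetime, timezone

# Assumed v1 DNS export layout: no header row, every field double-quoted.
# Newer export versions append columns; extras are ignored, not an error.
DNS_V1_FIELDS = [
    "timestamp", "most_granular_identity", "identities", "internal_ip",
    "external_ip", "action", "query_type", "response_code", "domain",
    "categories",
]

# Constructed sample of one export file's contents (not real traffic).
SAMPLE_CSV = (
    '"2021-03-04 10:15:01","alice","alice,HQ-Network","10.0.0.15","198.51.100.7",'
    '"Allowed","1 (A)","NOERROR","www.example.com.","Search Engines"\n'
    '"2021-03-04 10:15:02","alice","alice,HQ-Network","10.0.0.15","198.51.100.7",'
    '"Blocked","1 (A)","NOERROR","malware.example.net.","Malware"\n'
    '"2021-03-04 10:15:03","bob","bob,HQ-Network","10.0.0.23","198.51.100.7",'
    '"Blocked","16 (TXT)","NOERROR","exfil.example.org.","Command and Control"\n'
    '"2021-03-04 10:15:04","bob","bob,HQ-Network","10.0.0.23","198.51.100.7",'
    '"Allowed","28 (AAAA)","NXDOMAIN","typo.example.com.","Uncategorized"\n'
)
# Umbrella delivers each file gzipped; this stands in for a downloaded .csv.gz.
SAMPLE_GZ = gzip.compress(SAMPLE_CSV.encode("utf-8"))


def parse_umbrella_dns(gz_bytes):
    """Decompress one export file and yield one normalised dict per DNS row.

    Rows with fewer than the expected columns are rejected loudly rather than
    silently mis-aligned, so a format change shows up as an error, not as
    garbage in the SIEM.
    """
    text = gzip.decompress(gz_bytes).decode("utf-8")
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) < len(DNS_V1_FIELDS):
            raise ValueError(f"short row ({len(row)} fields): {row!r}")
        event = dict(zip(DNS_V1_FIELDS, row))
        # Export timestamps carry no zone; Umbrella writes them in UTC.
        event["timestamp"] = datetime.strptime(
            event["timestamp"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        # Comma-separated lists live inside a single quoted field.
        event["identities"] = [i for i in event["identities"].split(",") if i]
        event["categories"] = [c for c in event["categories"].split(",") if c]
        # Domains are written in absolute form with a trailing dot.
        event["domain"] = event["domain"].rstrip(".")
        # Query type is "1 (A)"; split it into numeric and mnemonic parts.
        num, _, name = event["query_type"].partition(" ")
        event["query_type_num"] = int(num)
        event["query_type_name"] = name.strip("()")
        yield event


def blocked_by_internal_ip(events):
    """Count Blocked queries per internal IP, a first triage pivot."""
    return Counter(e["internal_ip"] for e in events if e["action"] == "Blocked")


def to_syslog_kv(event):
    """Render one event as a single key="value" line suitable for a syslog
    forwarder feeding the SIEM (generic layout, assumed for this example)."""
    fields = [
        ("ts", event["timestamp"].isoformat()),
        ("action", event["action"]),
        ("src", event["internal_ip"]),
        ("identity", event["most_granular_identity"]),
        ("domain", event["domain"]),
        ("qtype", event["query_type_name"]),
        ("rcode", event["response_code"]),
        ("categories", ";".join(event["categories"])),
    ]
    return "umbrella_dns " + " ".join(f'{k}="{v}"' for k, v in fields)


if __name__ == "__main__":
    parsed = list(parse_umbrella_dns(SAMPLE_GZ))
    for e in parsed:
        print(to_syslog_kv(e))
    print("blocked per internal IP:", dict(blocked_by_internal_ip(parsed)))
```

In the real pipeline you would loop over every `*.csv.gz` landed in the first folder, feed each file's bytes to `parse_umbrella_dns`, and write the rendered lines to the second folder (or straight to a syslog sender), which replaces the 7-Zip batch step and gives the SIEM a stable, already-normalised format to parse regardless of which Umbrella log version produced the file.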
