The Sumo Logic App for Cisco Umbrella provides analytics and visibility into DNS, Proxy, and Admin activity. It gives insight into the geolocation of traffic sources, blocked clients, top categories, and more. It also analyzes traffic passing through the Umbrella Secure Web Gateway (SWG) and selective proxy, and reports on client requests, malware, anti-virus (AV) detections, and a traffic summary. The Admin Activity dashboard provides snapshots of changes made to Umbrella's settings.
The Sumo Logic app for Cisco Umbrella uses the following log types:
- DNS logs (object keys under `dnslogs/`)
- Proxy logs (object keys under `proxylogs/`)
- Admin audit logs (object keys under `auditlogs/`)
Sample Log Messages
For the sample logs and the field schema of each Cisco Umbrella log type, see the Cisco Umbrella log format documentation. The app's panels parse each log type with a statement like the ones below.
DNS logs (13 fields):
| where _sourcename matches "*dnslogs*"
| parse "\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\"" as timestamp,identity,identities_all,internal_ip,external_ip,action,query_type,response_code,domain_name,categories,first_identity_type_matched,all_identity_types,blocked_categories
Proxy logs (35 fields):
| where _sourcename matches "*proxylogs*"
| parse "\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\"" as timestamp,policy_identity_label,internal_client_ip,external_client_ip,destination_ip,content_type,action,url,referer,user_agent,status_code,request_size,response_size,response_body_size,sha256,categories,av_detections,PUAs,AMP_disposition,AMP_malware_name,AMP_score,policy_identity_type,blocked_categories,identities,identity_types,request_method,DLP_status,certificate_errors,file_name,ruleset_ID,rule_ID,destination_list_IDs,isolate_action,file_action,warn_status
Admin audit logs (9 fields):
| where _sourcename matches "*auditlogs*"
| parse "\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\",\"*\"" as id, timestamp, email, user, type, action, ip, before, after
Note that the parse patterns anchor on the quoted field boundaries (`","`), so commas inside a quoted field such as a multi-value `categories` column do not shift the later columns.
Collecting logs for Cisco Umbrella
This section provides instructions for setting up collection for Cisco Umbrella for analysis in Sumo Logic.
Cisco Umbrella can upload, store, and archive the traffic activity logs from your Umbrella dashboard to an Amazon S3 bucket. The CSV-formatted Umbrella logs are gzip-compressed and uploaded every ten minutes, so there is minimal delay between traffic being logged by Umbrella and the log file being available to download from the S3 bucket.
Log in to the Cisco Umbrella dashboard with an admin account (an admin role is required to configure log export) and navigate to Admin > Log Management. If you use a self-managed bucket, you also need AWS permissions to create and configure that bucket.
Cisco Umbrella offers two Amazon S3 options:
- A self-managed bucket. You own the Amazon S3 bucket, including its configuration and management.
- A Cisco-managed bucket. Cisco Umbrella owns the bucket and sets its configuration and management. For more information, see Enable Logging to a Cisco-managed S3 Bucket.
If you collect from a Cisco-managed bucket, the SNS Subscription Endpoint option of the Sumo Logic Amazon S3 source is not supported; configure the source without SNS notifications. For more information, see the important note on using the Sumo Logic Amazon S3 source with a Cisco-managed S3 bucket.
With all your logs uploaded to an S3 bucket, you can download them automatically and keep them in backup storage indefinitely, or ingest them into your SIEM or another security tool to check whether security events in the Umbrella logs coincide with events seen by other tools.
For more information, see Cisco Umbrella Documentation.
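The following is an added example (not code from Sumo Logic or Cisco) that ties the two preceding sections together: it decompresses the gzip CSV objects of an Umbrella S3 export, routes each object by its `dnslogs/`, `proxylogs/` or `auditlogs/` key prefix (the same distinction the `_sourcename matches` clauses make), maps the columns to the field names used in the parse statements above, and runs three of the checks the dashboards perform (DNS blocks per identity, proxy requests with an AV or AMP malware verdict, and admin changes). The export object, the log lines, hostnames and identities are all constructed sample data, and the object key layout is an assumption made for the example.

```python
"""Parse a Cisco Umbrella S3 log export (gzip CSV) and run basic triage checks."""
import csv
import gzip
import io
from collections import Counter

# Field names in the order used by the three parse statements for this app.
DNS_FIELDS = [
    "timestamp", "identity", "identities_all", "internal_ip", "external_ip",
    "action", "query_type", "response_code", "domain_name", "categories",
    "first_identity_type_matched", "all_identity_types", "blocked_categories",
]
PROXY_FIELDS = [
    "timestamp", "policy_identity_label", "internal_client_ip", "external_client_ip",
    "destination_ip", "content_type", "action", "url", "referer", "user_agent",
    "status_code", "request_size", "response_size", "response_body_size", "sha256",
    "categories", "av_detections", "PUAs", "AMP_disposition", "AMP_malware_name",
    "AMP_score", "policy_identity_type", "blocked_categories", "identities",
    "identity_types", "request_method", "DLP_status", "certificate_errors",
    "file_name", "ruleset_ID", "rule_ID", "destination_list_IDs", "isolate_action",
    "file_action", "warn_status",
]
AUDIT_FIELDS = ["id", "timestamp", "email", "user", "type", "action", "ip", "before", "after"]
SCHEMAS = {"dnslogs": DNS_FIELDS, "proxylogs": PROXY_FIELDS, "auditlogs": AUDIT_FIELDS}


def log_type_for_key(key):
    """Route an object key by its top-level prefix (assumed layout: <type>/<date>/<file>.csv.gz)."""
    prefix = key.split("/", 1)[0]
    if prefix not in SCHEMAS:
        raise ValueError(f"unrecognised Umbrella log prefix in key {key!r}")
    return prefix


def parse_umbrella_csv(log_type, text):
    """Parse fully quoted CSV text into dicts keyed by the schema's field names.
    csv.reader honours the quoting, so a comma inside a field such as
    "Chat,Photo Sharing" does not split it. A row with the wrong column count is
    rejected instead of silently shifting every later column."""
    fields = SCHEMAS[log_type]
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if not record:
            continue
        if len(record) != len(fields):
            raise ValueError(f"{log_type}: expected {len(fields)} fields, got {len(record)}")
        rows.append(dict(zip(fields, record)))
    return rows


def load_export(objects):
    """objects maps S3-style keys to gzip bytes; returns {log_type: [row, ...]}."""
    parsed = {name: [] for name in SCHEMAS}
    for key in sorted(objects):
        log_type = log_type_for_key(key)
        text = gzip.decompress(objects[key]).decode("utf-8")
        parsed[log_type].extend(parse_umbrella_csv(log_type, text))
    return parsed


def blocked_dns_by_identity(dns_rows):
    """DNS blocks per identity, the 'blocked clients' view of the DNS dashboard."""
    return Counter(r["identity"] for r in dns_rows if r["action"] == "Blocked")


def proxy_malware_hits(proxy_rows):
    """Proxy requests with an anti-virus detection or an AMP 'Malicious' disposition."""
    return [(r["url"], r["av_detections"] or r["AMP_malware_name"])
            for r in proxy_rows
            if r["av_detections"] or r["AMP_disposition"] == "Malicious"]


def audit_changes(audit_rows):
    """(user, type, action) for each admin change, as on the Admin Activities dashboard."""
    return [(r["user"], r["type"], r["action"]) for r in audit_rows]


def _gz_csv(fields, records):
    """Build a gzip-compressed, fully quoted CSV body from dicts (constructed sample data)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for rec in records:
        writer.writerow([rec.get(f, "") for f in fields])
    return gzip.compress(buf.getvalue().encode("utf-8"))


# Constructed sample export: one object per log type. Values are illustrative only.
_DNS_BASE = {"timestamp": "2024-03-01 10:00:01", "identity": "alice", "identities_all": "alice,HQ",
             "internal_ip": "10.10.1.20", "external_ip": "198.51.100.7", "action": "Allowed",
             "query_type": "1 (A)", "response_code": "NOERROR", "domain_name": "example.com.",
             "categories": "Chat,Photo Sharing", "first_identity_type_matched": "AD Users",
             "all_identity_types": "AD Users,Networks"}
SAMPLE_EXPORT = {
    "dnslogs/2024-03-01/2024-03-01-10-00-0000.csv.gz": _gz_csv(DNS_FIELDS, [
        _DNS_BASE,
        dict(_DNS_BASE, identity="bob", action="Blocked", domain_name="bad.example.",
             categories="Malware", blocked_categories="Malware"),
        dict(_DNS_BASE, identity="bob", action="Blocked", domain_name="c2.example.",
             categories="Command and Control", blocked_categories="Command and Control"),
    ]),
    "proxylogs/2024-03-01/2024-03-01-10-00-0000.csv.gz": _gz_csv(PROXY_FIELDS, [
        {"timestamp": "2024-03-01 10:00:09", "policy_identity_label": "alice", "action": "ALLOWED",
         "internal_client_ip": "10.10.1.20", "url": "https://docs.example/", "status_code": "200",
         "AMP_disposition": "Clean"},
        {"timestamp": "2024-03-01 10:00:12", "policy_identity_label": "bob", "action": "BLOCKED",
         "internal_client_ip": "10.10.1.21", "url": "http://dl.example/setup.exe", "status_code": "403",
         "av_detections": "Trojan.Generic", "AMP_disposition": "Malicious", "AMP_malware_name": "W32.Generic"},
    ]),
    "auditlogs/2024-03-01/2024-03-01-10-00-0000.csv.gz": _gz_csv(AUDIT_FIELDS, [
        {"id": "1001", "timestamp": "2024-03-01 09:58:00", "email": "admin@example.com", "user": "admin",
         "type": "policy", "action": "update", "ip": "203.0.113.5",
         "before": '{"blocked":[]}', "after": '{"blocked":["Malware"]}'},
    ]),
}

if __name__ == "__main__":
    parsed = load_export(SAMPLE_EXPORT)
    print("DNS blocks by identity:", dict(blocked_dns_by_identity(parsed["dnslogs"])))
    print("Proxy malware hits:", proxy_malware_hits(parsed["proxylogs"]))
    print("Admin changes:", audit_changes(parsed["auditlogs"]))
```

The strict column-count check matters in practice: Umbrella has extended the proxy schema over time (the 35-field layout above is one version), and a file written in a different version would otherwise be parsed with every column after the change silently mislabelled.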
Installing Cisco Umbrella App
This section has instructions for installing the Cisco Umbrella App for Sumo Logic and dashboard descriptions.
To install the app:
- From the left nav, select App Catalog.
- Search for your app name and select it.
- When you get to your app page:
  - If you want to see a preview of the dashboards included with the app before installing, scroll down to Dashboard Preview.
  - If your Sumo Logic app has multiple versions (not all apps do), select the version of the service you're using.
- Click Add Integration.
- On the next configuration page, Select Data Source for your App, complete the following fields:
  - Data Source. Select one of the following options:
    - Choose Source Category, and select a source category from the list; or
    - Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example,
  - Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
  - All Folders (optional). The default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
- Click Next.
- You'll see a dialog confirming that the app was installed successfully.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.
Panels start to fill automatically. Each panel fills only with data that matches its query's time range and that was received after the panel was created, so results are not available immediately; within about 20 minutes you should see full graphs and maps.
Viewing the Cisco Umbrella Dashboards
- All dashboards have a set of filters that you can apply to the entire dashboard. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.
You can use filters to drill down and examine the data at a granular level. The filters available on the Cisco Umbrella dashboards include action, identity, response code, category, blocked category, malware, anti-virus detection, and referrer, depending on the dashboard.
- Each panel has a set of filters that are applied to the results for that panel only. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.
Cisco Umbrella - Admin Activities. This dashboard displays snapshots of changes made to Umbrella's settings by administrators. Using the dashboard's filters, you can sort the data by key fields such as action.
Cisco Umbrella - DNS. This dashboard offers insights into traffic that has been processed by Cisco DNS resolvers. It provides a view of the geographical location of the traffic sources, clients that were blocked, the most popular categories and categories blocked by DNS. Additionally, it analyzes the domains requested, the related blocked requests and traffic, and the identities associated with them. The dashboard filters can be utilized to analyze the data based on crucial fields such as action, identity, response code, blocked category, and category.
Cisco Umbrella - Proxy. This dashboard provides insights into the traffic that has gone through Umbrella's Secure Web Gateway (SWG) or Selective Proxy. It gives you a clear view of the geographical location of the traffic sources, client requests by blocked or allowed actions, malware detections, blocked sources and URLs, anti-virus detections, traffic request/response size, and an overall traffic summary. Using the dashboard's filters, you can analyze the data by key fields such as action, identity, malware, anti-virus detection, blocked category, referrer, and category.