Cisco Umbrella
Collect logs from Cisco Umbrella with Elastic Agent.
Version | 1.26.2 |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security, Observability |
Subscription level | Basic |
Level of support | Elastic |
This integration is for Cisco Umbrella. It includes the following dataset for receiving logs either from an AWS S3 bucket using an SQS notification queue, or from a Cisco Managed S3 bucket without SQS:
log dataset: supports Cisco Umbrella logs.
Logs
Umbrella
When using Cisco Managed S3 buckets that do not use SQS, there is no way to load-balance collection across multiple agents: a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale that agent vertically.
The log dataset collects Cisco Umbrella logs.
An example event for log looks as follows:
```json
{
  "@timestamp": "2024-03-14T18:59:23.000Z",
  "agent": {
    "ephemeral_id": "4b522414-3f7d-4cec-a7f7-7df2a87de0c9",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "aws": {
    "s3": {
      "bucket": {
        "arn": "arn:aws:s3:::elastic-package-cisco-umbrella-bucket-37380",
        "name": "elastic-package-cisco-umbrella-bucket-37380"
      },
      "object": {
        "key": "auditlogs.log"
      }
    }
  },
  "cisco": {
    "umbrella": {
      "audit": {
        "after": [
          "includeAuditLog: 1"
        ],
        "after_values": {
          "includeAuditLog": "1"
        },
        "type": "logexportconfigurations"
      }
    }
  },
  "cloud": {
    "provider": "",
    "region": "us-east-1"
  },
  "data_stream": {
    "dataset": "cisco_umbrella.log",
    "namespace": "27145",
    "type": "logs"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "action": "update",
    "agent_id_status": "verified",
    "category": [
      "configuration"
    ],
    "dataset": "cisco_umbrella.log",
    "id": "1757843536",
    "ingested": "2024-06-12T03:03:50Z",
    "kind": "event",
    "original": "\"1757843536\",\"2024-03-14 18:59:23\",\"admin@company.com\",\"Administrator\",\"logexportconfigurations\",\"update\",\"81.2.69.144\",\"\",\"includeAuditLog: 1\n\"",
    "type": [
      "change"
    ]
  },
  "input": {
    "type": "aws-s3"
  },
  "log": {
    "file": {
      "path": "https://elastic-package-cisco-umbrella-bucket-37380.s3.us-east-1.amazonaws.com/auditlogs.log"
    },
    "offset": 529
  },
  "observer": {
    "product": "Umbrella",
    "vendor": "Cisco"
  },
  "related": {
    "ip": [
      "81.2.69.144"
    ],
    "user": [
      "Administrator"
    ]
  },
  "source": {
    "address": "81.2.69.144",
    "geo": {
      "city_name": "London",
      "continent_name": "Europe",
      "country_iso_code": "GB",
      "country_name": "United Kingdom",
      "location": {
        "lat": 51.5142,
        "lon": -0.0931
      },
      "region_iso_code": "GB-ENG",
      "region_name": "England"
    },
    "ip": "81.2.69.144"
  },
  "tags": [
    "preserve_original_event",
    "cisco-umbrella",
    "forwarded"
  ],
  "user": {
    "email": "admin@company.com",
    "id": "admin@company.com",
    "name": "Administrator"
  }
}
```
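The example event above shows how one raw Umbrella audit log record (the `event.original` value) is mapped onto ECS-style fields, including the split of the `after` cell into `cisco.umbrella.audit.after` and `cisco.umbrella.audit.after_values`. The following Python is an added illustration of that mapping and is not the integration's own ingest pipeline: the CSV column order (`id, timestamp, email, user, type, action, ip, before, after`) is an assumption inferred from the example event, `SAMPLE_LINE` is constructed from that event's `event.original`, and the `is_log_export_change` helper is hypothetical. It also handles the empty `before` cell and a malformed column count, which the single example on the page does not show.

```python
import csv
import io
from datetime import datetime, timezone

# Assumption: audit log CSV column order, inferred from the example event above.
AUDIT_COLUMNS = ["id", "timestamp", "email", "user", "type", "action", "ip", "before", "after"]

# Constructed sample: the event.original value from the example event. The
# quoted 'after' cell ends with an embedded newline, exactly as in the event.
SAMPLE_LINE = (
    '"1757843536","2024-03-14 18:59:23","admin@company.com","Administrator",'
    '"logexportconfigurations","update","81.2.69.144","","includeAuditLog: 1\n"'
)


def parse_change_list(raw):
    """Split a before/after cell into the list of 'key: value' lines and a
    key -> value dict (the page's *.audit.after and *.audit.after_values)."""
    entries = [line.strip() for line in raw.splitlines() if line.strip()]
    values = {}
    for entry in entries:
        key, sep, value = entry.partition(":")
        if sep:
            values[key.strip()] = value.strip()
    return entries, values


def parse_audit_line(line):
    """Parse one raw audit log CSV record into an ECS-style document."""
    # The csv module handles the newline embedded in the quoted 'after' cell.
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(AUDIT_COLUMNS):
        raise ValueError(f"expected {len(AUDIT_COLUMNS)} columns, got {len(row)}")
    rec = dict(zip(AUDIT_COLUMNS, row))

    # Umbrella timestamps carry no zone; the example event renders them as UTC.
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

    # Only emit before/after fields that are actually populated, as the example does.
    audit = {"type": rec["type"]}
    for name in ("before", "after"):
        entries, values = parse_change_list(rec[name])
        if entries:
            audit[name] = entries
            audit[f"{name}_values"] = values

    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "event": {
            "id": rec["id"],
            "action": rec["action"],
            "kind": "event",
            "category": ["configuration"],
            "type": ["change"],
            "original": line,
        },
        "user": {"email": rec["email"], "id": rec["email"], "name": rec["user"]},
        "source": {"address": rec["ip"], "ip": rec["ip"]},
        "cisco": {"umbrella": {"audit": audit}},
        "related": {"ip": [rec["ip"]], "user": [rec["user"]]},
        "observer": {"product": "Umbrella", "vendor": "Cisco"},
    }


def is_log_export_change(doc):
    """Hypothetical triage helper: True when the audit record changes the log
    export configuration, which is the setting that feeds this very data stream."""
    return doc["cisco"]["umbrella"]["audit"]["type"] == "logexportconfigurations"


if __name__ == "__main__":
    import json

    event = parse_audit_line(SAMPLE_LINE)
    print(json.dumps(event, indent=2))
    print("log export configuration changed:", is_log_export_change(event))
```

The `before`/`after` cells are free text with one `key: value` pair per line, so `parse_change_list` splits on the first colon only; a value that itself contains a colon stays intact. Changes of type `logexportconfigurations` are worth surfacing separately, because an edit there can reduce or stop the audit feed that the integration depends on.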
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
aws.s3.bucket.arn | The AWS S3 bucket ARN. | keyword |
aws.s3.bucket.name | The AWS S3 bucket name. | keyword |
aws.s3.object.key | The AWS S3 Object key. | keyword |
cisco.umbrella.action | Whether the request was allowed or blocked. | keyword |
cisco.umbrella.amp_disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. | keyword |
cisco.umbrella.amp_malware_name | If Malicious, the name of the malware according to AMP. | keyword |
cisco.umbrella.amp_score | The score of the malware from AMP. This field is not currently used and will be blank. | keyword |
cisco.umbrella.audit.after | The policy or setting after the change was made. | keyword |
cisco.umbrella.audit.after_values.* | The individual values of the policy or setting after the change was made. | object |
cisco.umbrella.audit.before | The policy or setting before the change was made. | keyword |
cisco.umbrella.audit.before_values.* | The individual values of the policy or setting before the change was made. | object |
cisco.umbrella.audit.type | Where the change was made, such as settings or a policy. | keyword |
cisco.umbrella.av_detections | The detection name according to the antivirus engine used in file inspection. | keyword |
cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword |
cisco.umbrella.categories | The security or content categories that the destination matches. | keyword |
cisco.umbrella.certificate_errors | Any certificate or protocol errors in the request. | keyword |
cisco.umbrella.classification | The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown. | keyword |
cisco.umbrella.cves | A list of information about security vulnerabilities and exposures. | keyword |
cisco.umbrella.data_classification | The data classification whose data identifier matched on the violation. | keyword |
cisco.umbrella.data_identifier | The data identifier that matched on the request. | keyword |
cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword |
cisco.umbrella.destination_lists_id | The ID number Umbrella assigns to a destination list. | keyword |
cisco.umbrella.dlp_status | If the request was Blocked for DLP. | keyword |
cisco.umbrella.file_action | The action taken on a file in a remote browser isolation session. | keyword |
cisco.umbrella.file_label | The file name label that matched on the file properties. | keyword |
cisco.umbrella.fqdns | The fully qualified domain names (FQDNs) that match the request. | keyword |
cisco.umbrella.gid | Unique ID assigned to the part of the IPS which generated the event. | keyword |
cisco.umbrella.identities | An array of the different identities related to the event. | keyword |
cisco.umbrella.identity | The identity that made the request. An identity can be a high-level entity within your system (e.g. a network) or very granular (e.g. a single user). | keyword |
cisco.umbrella.identity_types | The type of identity that made the request. For example, Roaming Computer or Network. | keyword |
cisco.umbrella.isolate_action | The remote browser isolation state associated with the request. | keyword |
cisco.umbrella.message | A brief description of the signature. | keyword |
cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword |
cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword |
cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. | keyword |
cisco.umbrella.ruleset_id | The ID number assigned to the ruleset by Umbrella. | keyword |
cisco.umbrella.severity | The severity level of the rule, such as High, Medium, Low, and Very Low. | keyword |
cisco.umbrella.sha_sha256 | Hex digest of the response content. | keyword |
cisco.umbrella.sid | Used to uniquely identify signatures. | keyword |
cisco.umbrella.signature_list_id | Unique ID assigned to a Default or Custom Signature List. | keyword |
cisco.umbrella.warn_status | The warn page state associated with the request. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Type of Filebeat input. | keyword |
log.offset | Byte offset of the event within the log file. | long |
Changelog
Version | Details | Kibana version(s) |
---|---|---|
1.26.2 | Bug fix | 8.13.0 or higher |
1.26.1 | Bug fix | 8.13.0 or higher |
1.26.0 | Enhancement | 8.13.0 or higher |
1.25.1 | Bug fix | 8.13.0 or higher |
1.25.0 | Enhancement | 8.13.0 or higher |
1.24.1 | Bug fix | 8.12.0 or higher |
1.24.0 | Enhancement | 8.12.0 or higher |
1.23.0 | Enhancement | 8.12.0 or higher |
1.22.0 | Enhancement | 8.12.0 or higher |
1.21.2 | Enhancement | 8.4.0 or higher |
1.21.1 | Bug fix | 8.4.0 or higher |
1.21.0 | Enhancement | 8.4.0 or higher |
1.20.1 | Bug fix | 8.4.0 or higher |
1.20.0 | Enhancement | 8.4.0 or higher |
1.19.0 | Enhancement | 8.4.0 or higher |
1.18.0 | Enhancement | 8.4.0 or higher |
1.17.0 | Enhancement | 8.4.0 or higher |
1.16.0 | Enhancement | 8.4.0 or higher |
1.15.0 | Enhancement | 8.4.0 or higher |
1.14.0 | Enhancement | 8.4.0 or higher |
1.13.0 | Enhancement | 8.4.0 or higher |
1.12.0 | Enhancement | 8.4.0 or higher |
1.11.1 | Bug fix | 8.4.0 or higher |
1.11.0 | Enhancement | 8.4.0 or higher |
1.10.1 | Enhancement | 8.0.0 or higher |
1.10.0 | Enhancement | 8.0.0 or higher |
1.9.2 | Bug fix | 8.0.0 or higher |
1.9.1 | Bug fix | 8.0.0 or higher |
1.9.0 | Enhancement | 8.0.0 or higher |
1.8.0 | Enhancement | 8.0.0 or higher |
1.7.0 | Enhancement | 8.0.0 or higher |
1.6.2 | Enhancement | 8.0.0 or higher |
1.6.1 | Enhancement | 8.0.0 or higher |
1.6.0 | Enhancement | 8.0.0 or higher |
1.5.0 | Enhancement | 8.0.0 or higher |
1.4.2 | Enhancement | 8.0.0 or higher |
1.4.1 | Bug fix | 8.0.0 or higher |
1.4.0 | Enhancement | 8.0.0 or higher |
1.3.3 | Enhancement | 8.0.0 or higher |
1.3.2 | Bug fix | 8.0.0 or higher |
1.3.1 | Bug fix | 8.0.0 or higher |
1.3.0 | Enhancement | 8.0.0 or higher |
1.2.2 | Bug fix | 8.0.0 or higher |
1.2.1 | Enhancement | 8.0.0 or higher |
1.2.0 | Enhancement | 8.0.0 or higher |
1.1.0 | Enhancement | 8.0.0 or higher |
1.0.1 | Enhancement | 8.0.0 or higher |
1.0.0 | Enhancement | 8.0.0 or higher |
0.7.0 | Enhancement | — |
0.6.1 | Bug fix | — |
0.6.0 | Enhancement | — |
0.5.1 | Enhancement | — |
0.5.0 | Enhancement | — |
0.4.0 | Bug fix | — |
0.3.2 | Bug fix | — |
0.3.1 | Bug fix | — |
0.3.0 | Enhancement | — |
0.2.2 | Enhancement | — |
0.2.1 | Bug fix | — |
0.2.0 | Enhancement | — |
0.1.0 | Enhancement | — |