The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Cisco Umbrella is part of the Cisco Secure Client (formerly AnyConnect). It integrates with the Secure Client to provide comprehensive security by combining VPN capabilities with DNS-layer protection, web security, and cloud-delivered firewall features.

This technology pack will process Cisco Umbrella logs, providing normalization and enrichment of those events.

Supported Version(s)

  • Cisco Secure Client 5.1.3.62

Requirements

  • Cisco Secure Client 5.1.3.62
  • Cisco Umbrella Schema version 8 or 9
  • Graylog 6.0.5+

Stream Configuration

This technology pack includes one stream:

  • "Illuminate:Cisco Device Messages"

Hint: If this stream does not exist before the pack is activated, it will be created and configured to route its messages to the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Cisco Devices Event Log Messages"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

Log Format Example

Proxy Logs

"2017-10-02 23:52:53","TheComputerName","192.192.192.135","1.1.1.91", "3.4.5.6","","ALLOWED","http://google.com/the.js","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network","Roaming Computer, Site, Network","GET","","","the.js","","","","isolated","downloaded_original_file","warn-session","",""

DNS Logs

"2015-01-16 17:48:41","ActiveDirectoryUserName", "ActiveDirectoryUserName,ADSite,Network", "10.10.1.100","24.123.132.133","Allowed","1 (A)", "NOERROR","domain-visited.com.", "Photo Sharing","AD User","AD User,Site,Network",""

Audit Logs

"","2021-07-22 10:46:45","user@domain.com","", "logexportconfigurations", "update","209.165.200.227","version: 4","version: 5"
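To show how the three record formats above can be told apart and normalized, here is an added Python example; it is not part of the Illuminate pack or of Graylog's own parsing rules. The three sample records are constructed from the page's examples, the column count identifies the log type, and the normalized field names are assumptions assigned by column position rather than Cisco's or Graylog's schema names.

```python
import csv

# Constructed sample records in the page's formats (the proxy user agent is shortened).
DNS_LINE = ('"2015-01-16 17:48:41","ActiveDirectoryUserName", "ActiveDirectoryUserName,ADSite,Network", '
            '"10.10.1.100","24.123.132.133","Allowed","1 (A)", "NOERROR","domain-visited.com.", '
            '"Photo Sharing","AD User","AD User,Site,Network",""')
AUDIT_LINE = ('"","2021-07-22 10:46:45","user@domain.com","", "logexportconfigurations", '
              '"update","209.165.200.227","version: 4","version: 5"')
PROXY_LINE = ('"2017-10-02 23:52:53","TheComputerName","192.192.192.135","1.1.1.91", "3.4.5.6","",'
              '"ALLOWED","http://google.com/the.js","www.google.com","Mozilla/5.0","200","562","1489",'
              '"","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network",'
              '"Roaming Computer, Site, Network","GET","","","the.js","","","","isolated",'
              '"downloaded_original_file","warn-session","",""')

# Normalized names are this example's own, assigned by column position as seen in the
# samples above; they are not Graylog's or Cisco's official schema field names.
DNS_FIELDS = ["timestamp", "most_granular_identity", "identities", "internal_ip", "external_ip",
              "action", "query_type", "response_code", "domain", "categories",
              "most_granular_identity_type", "identity_types", "blocked_categories"]
AUDIT_FIELDS = ["id", "timestamp", "email", "user", "type", "action", "source_ip", "before", "after"]
PROXY_FIELDS = {0: "timestamp", 1: "identity", 2: "internal_ip", 3: "external_ip", 4: "destination_ip",
                5: "content_type", 6: "verdict", 7: "url", 8: "referer", 9: "user_agent",
                10: "status_code", 15: "categories", 25: "request_method", 28: "file_name"}

def parse_umbrella_line(line):
    """Detect the log type by column count and return a dict of normalized, non-empty fields."""
    cols = next(csv.reader([line], skipinitialspace=True))  # tolerates spaces after commas
    if len(cols) == len(DNS_FIELDS):
        event = dict(zip(DNS_FIELDS, cols), log_type="dns")
        num, _, name = event["query_type"].partition(" ")  # Umbrella writes "1 (A)"
        if num.isdigit():
            event["query_type"], event["query_type_name"] = int(num), name.strip("()")
        event["domain"] = event["domain"].rstrip(".")  # drop the trailing root-zone dot
    elif len(cols) == len(AUDIT_FIELDS):
        event = dict(zip(AUDIT_FIELDS, cols), log_type="audit")
    elif len(cols) >= 30:
        event = {name: cols[i] for i, name in PROXY_FIELDS.items()}
        event.update(log_type="proxy", status_code=int(event["status_code"]))
    else:
        raise ValueError(f"unrecognized Umbrella record with {len(cols)} columns")
    for key in ("action", "verdict"):  # "Allowed" in DNS logs vs "ALLOWED" in proxy logs
        if key in event:
            event[key] = event[key].lower()
    for key in ("identities", "identity_types"):  # comma-separated lists inside one column
        if key in event:
            event[key] = [v.strip() for v in event[key].split(",")]
    return {k: v for k, v in event.items() if v not in ("", [""])}
```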

What is Provided

  • We provide parsing rules to normalize and enrich Cisco Umbrella log messages.
  • We provide categorization for the following log types:
    • Audit Logs
    • DNS Logs
    • Proxy Logs

Events Processed by This Technology Pack

The Cisco Umbrella content pack supports parsing, normalization, and categorization for the events listed above.

Cisco Umbrella Spotlight Content Pack

The Cisco Umbrella dashboard has three tabs: an Overview tab, a Network tab, and an HTTP tab that summarizes HTTP events.

Cisco Umbrella Overview Tab

Cisco Umbrella Network Tab

Cisco Umbrella HTTP Tab