Cisco Umbrella

Overview

Note: This beta connector guide is created by experienced users of the SNYPR platform and is currently going through verification processes within Securonix. This connector is made available to early adopters for the purposes of providing guidance and integration support prior to the release of official documentation.

Cisco Umbrella analyzes and learns from internet activity patterns. It automatically uncovers attacker infrastructure staged for current and emerging threats, which enables it to proactively block requests to malicious destinations before a connection is even established or a malicious file is downloaded.

The following properties are specific to the Cisco Umbrella connector:

  • Collection Method: Ciscoumbrella (API)

  • API Version: V1

  • Format: JSON

  • Functionality: DNS / DHCP

  • Parser: SCNX_CISCO_CISCOUMBRELLA_DNS_CIS_JSO

  • Vendor Version: -

Prerequisites

Before you connect Cisco Umbrella, ensure you have the following information:

  • Organization ID

  • API Key

  • API Secret

Configure the connection on device

Complete the following steps to configure the Cisco Umbrella connection:

  1. Log into Umbrella with the following URL: https://dashboard.umbrella.com/

  2. Find your username after Admin in the navigation tree.

  3. Confirm that your organization appears under your username.

Generating an API key

  1. Navigate to Admin > API Keys.

  2. Click Create.

    Note: Alternatively, in a management console (Multi-org, MSP, or MSSP), navigate to Settings > API Keys and click Add.

  3. Select Umbrella Reporting.

  4. Click Generate Token.

  5. Expand Umbrella Reporting.

  6. Copy Your Key and Your Secret.

  7. Select the To keep it secure acknowledgement.

  8. Click Close.

    Note: You must acknowledge that your key and secret are only displayed once to activate the Close button.

Generating a new key and secret

Click Refresh for your current key and secret. Alternatively, delete the existing key and secret, then create a new key and secret pair.

Obtaining an organization ID

You can obtain an organization ID directly from the Umbrella dashboard after you log in to that particular organization; it appears in the URL of your browser: https://dashboard.umbrella.com/o/{organizationId}/#/overview

Important: You have only one opportunity to copy your secret. Umbrella does not save the Reporting v2 API secret and it cannot be retrieved after its initial creation.
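The prerequisites collected above (organization ID taken from the dashboard URL, API key and API secret) come together in the following added Python example, which is not part of the original guide or of Securonix's connector code. The Reporting v2 endpoint URLs, the response field names and the sample response are assumptions labelled in the code; the functions only describe the requests and check a sample response, they do not contact Umbrella.

```python
import base64
import json
import re
from collections import Counter

# Assumed Reporting v2 endpoints: not stated on this page, confirm against Cisco's current API docs.
TOKEN_URL = "https://management.api.umbrella.com/auth/v2/oauth2/token"
DNS_ACTIVITY_URL = "https://reports.api.umbrella.com/v2/organizations/{org_id}/activity/dns"
# Dashboard URL pattern given in the guide: https://dashboard.umbrella.com/o/{organizationId}/#/overview
DASHBOARD_ORG_RE = re.compile(r"^https://dashboard\.umbrella\.com/o/(\d+)/")


def org_id_from_dashboard_url(url: str) -> str:
    # Pull the numeric organization ID out of the dashboard URL; fail loudly if it is absent.
    m = DASHBOARD_ORG_RE.match(url.strip())
    if not m:
        raise ValueError("no organization ID in URL; log in to the organization first")
    return m.group(1)


def build_requests(org_id: str, api_key: str, api_secret: str, window: str = "-1days") -> dict:
    # Describe the two calls the connector needs: a client_credentials token exchange
    # authenticated with HTTP Basic (key:secret), then a DNS activity pull for the org.
    # Plain dicts are returned so they can be reviewed before anything is sent.
    if not (org_id and api_key and api_secret):
        raise ValueError("organization ID, API key and API secret are all required")
    basic = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return {
        "token": {"method": "POST", "url": TOKEN_URL,
                  "headers": {"Authorization": f"Basic {basic}"},
                  "data": {"grant_type": "client_credentials"}},
        "dns": {"method": "GET", "url": DNS_ACTIVITY_URL.format(org_id=org_id),
                "params": {"from": window, "to": "now", "limit": 100}},
    }


def summarize_dns_activity(payload: str) -> dict:
    # Count verdicts and collect blocked domains from a DNS activity response:
    # a quick check that the preview data is what Spotter should later show.
    records = json.loads(payload).get("data", [])
    verdicts = Counter(r.get("verdict", "unknown") for r in records)
    blocked = sorted({r["domain"] for r in records if r.get("verdict") == "blocked"})
    return {"events": len(records), "verdicts": dict(verdicts), "blocked_domains": blocked}


# Constructed sample response (not real data); field names follow the public Reporting v2 schema.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"timestamp": 1700000000000, "domain": "example.com", "querytype": "A", "verdict": "allowed"},
    {"timestamp": 1700000001000, "domain": "malware.test", "querytype": "A", "verdict": "blocked"},
    {"timestamp": 1700000002000, "domain": "malware.test", "querytype": "AAAA", "verdict": "blocked"},
]})
```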

Configure the connection in SNYPR

Complete the following steps to configure Cisco Umbrella in the SNYPR application:

  1. Resource group information

  2. Parser management

  3. Identity attribution

  4. Detect policy violations

  5. Summary

Step 1. Resource group information

  1. In SNYPR, navigate to Menu > Add Data > Activity.

  2. Click Add Data > Add Data for Supported Device Type to set up the ingestion process.

  3. Click Vendor in the Resource Type Information section and select the following information:

    • Vendors: Cisco Systems

    • Device Type: Cisco Umbrella

    • Collection Method: Ciscoumbrella (API)/JSON

  4. Select an ingester from the list.

  5. Provide the following Connection Details:

    • Organization ID

    • API Key

    • API Secret

  6. Complete the following information in the Device Information section:

    • Datasource Name: ciscoumbrella

    • Specify timezone for activity logs: Select a time zone from the list

  7. Click Get Preview in the upper right corner of the page to preview the ingested data from the datasource.

  8. Click Save & Next.

Step 2. Parser management

Click Save & Next.

Note: For more information on Parser Management, refer to the SNYPR 6.4 Data Integration Guide.

Step 3. Identity attribution

  1. Click Add Condition > Add New Correlation Rule to add a correlation rule.

  2. Provide a descriptive name for the correlation rule in the Correlation Rule section.

    Note: For more information on Identity Attribution, refer to the SNYPR 6.4 Data Integration Guide.

  3. Specify the User Attribute, Operation, Parameter, Condition, and Separator parameters in the Correlate events to user using rule section.

  4. Click Save in the lower-right corner of the page to save the Correlate events to user using rule table.

  5. Click Save & Next in the upper-right corner of the page.

Step 4. Detect policy violations

Click Save & Next.

Step 5. Summary

  1. Select Do you want to schedule this job for future? in the Job Scheduling Information section and select one of the following based on the collection method:

    • Run every 1 minute for datasources whose collection method is syslog.

    • Run every 10 minutes for non-syslog datasources.

  2. Click Save & Run.

Verifying the job

Following a successful import, the security log data for the datasource is accessible in the Available Datasources section of Spotter. To access the imported security log data, complete the following steps:

  1. Navigate to Menu > Security Center > Spotter.

  2. Enter the datasource name provided while creating the connection, and then click the magnifying glass icon in the search bar.

Note: Refer to the Spotter Query Reference Guide for information on how to write queries in Spotter.