Ingest Logs from Cisco Umbrella
under review
C
Chris Wiegman
Thinking about this a bit, I believe the most relevant data Huntress could retrieve here is related to a machine attempting access to TOR, Command and Control Callbacks, Harmful domains, Malware a,nd Phishing Attacks. Cryptomining your EDR will detect. Attached is a screenshot of their security settings option
To enable log collection we would need to provide Huntress with:
-API Key
-Secret Key
-Data Path (S3 Bucket)
-Region in which the logs are being dumped to
Cisco Umbrella provides the ability to dump logs to a "Cisco-managed Amazon S3 storage" with up to 30 days retention. More screenshots below
Chris Bisnett
Chris Wiegman is S3 the only supported method for shipping logs out of Cisco Umbrella? Do they support anything like Splunk HTTP Event Collector or Syslog?
C
Chris Wiegman
Chris Bisnett They do only in the case where you run the Umbrella Virtual Appliance. In most cases we don't use this and the method of log retrieval our current SIEM uses is the S3 method.
Chris Bisnett
under review
We're considering this and will likely add it in the future, but we don't have access to an account or data. We're also looking to understand how many of our partners would make use of this.
S
Sam Arora
Chris Bisnett Reach out please. Happy to organise access
L
Lance'la Kozey'la
Chris Bisnett Hey Chris we use Umbrella and currently have it connected to another SIEM happy to help as well