Cisco Umbrella

The IBM QRadar DSM for Cisco Umbrella collects DNS logs from Cisco Umbrella storage by using an Amazon S3-compatible API.

To integrate Cisco Umbrella with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM® support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar® Console in the order that they are listed.
    • Protocol Common RPM
    • Amazon AWS REST API Protocol RPM
    • Cisco Cloud Web Security DSM RPM
    • Cisco Umbrella DSM RPM
  2. Configure your Cisco Umbrella to communicate with QRadar.
  3. Add a Cisco Umbrella log source on the QRadar Console. The following table describes the parameters that require specific values for Cisco Umbrella event collection.

    Table 1. Amazon AWS S3 REST API log source parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | Cisco Umbrella |
    | Protocol Configuration | Amazon AWS S3 REST API |
    | Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can be the same value as the Log Source Name. If you configure more than one Cisco Umbrella log source, you might identify the first log source as ciscoumbrella1, the second as ciscoumbrella2, and the third as ciscoumbrella3. |
    | Region Name (Signature V4 only) | The region that is associated with the Amazon S3 bucket. |
    | Bucket Name | The name of the AWS S3 bucket where the log files are stored. For example, the bucket name might be cisco-managed-us-west-1. |
    | S3 Endpoint URL | https://s3.amazonaws.com/<bucketname> The endpoint URL that is used to query the AWS S3 REST API. The endpoint URL can differ depending on the device configuration. Important: You must have an Endpoint URL to configure both a Cisco-managed AWS S3 bucket and a customer-managed AWS S3 bucket. |
    | Directory Prefix | <path>/ The location of the root directory on the Cisco Umbrella storage bucket from which the Cisco Umbrella logs are retrieved. For example, the root directory location might be dnslogs/. |
    | File Pattern | .*?\.csv\.gz |
    | Event Format | Select Cisco Umbrella CSV from the list. The log source retrieves CSV formatted events. |
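The following Python script is added here as an illustration and is not part of the IBM documentation or of the QRadar protocol code. It shows what the Directory Prefix, File Pattern and Event Format parameters from the table do to the objects in the bucket: it applies the dnslogs/ prefix and the .*?\.csv\.gz pattern to a constructed listing of object keys (so that non-gzipped files and objects outside the prefix are skipped), then decompresses and parses a constructed gzipped CSV file of the kind the log source downloads. The CSV column names, the sample rows and the full-match interpretation of the file pattern are assumptions of this example, not values taken from the page; check the Cisco Umbrella DNS log documentation for the authoritative field order before relying on the column mapping.

```python
import csv
import gzip
import io
import re

# Values from the table above: the page's example directory prefix and the
# required file pattern. Use the prefix your own Umbrella bucket actually has.
DIRECTORY_PREFIX = "dnslogs/"
FILE_PATTERN = r".*?\.csv\.gz"

# Constructed object keys, as a bucket listing might return them (not real data).
SAMPLE_KEYS = [
    "dnslogs/2024-01-01/2024-01-01-00-00-0000.csv.gz",
    "dnslogs/2024-01-01/2024-01-01-00-10-0000.csv.gz",
    "dnslogs/2024-01-01/2024-01-01-00-20-0000.csv",       # not gzipped: skipped
    "dnslogs/README.txt",                                  # wrong extension: skipped
    "proxylogs/2024-01-01/2024-01-01-00-00-0000.csv.gz",  # outside the prefix: skipped
]


def select_log_keys(keys, prefix=DIRECTORY_PREFIX, pattern=FILE_PATTERN):
    """Return the object keys the log source would collect.

    Mirrors the Directory Prefix and File Pattern parameters: the key must
    lie under the prefix and the remainder must match the regular expression.
    Matching the whole remainder (fullmatch) is an assumption of this example.
    """
    regex = re.compile(pattern)
    selected = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        relative = key[len(prefix):]
        if regex.fullmatch(relative):
            selected.append(key)
    return selected


# Column names are ASSUMED for illustration only; the page does not list them.
ASSUMED_COLUMNS = ["timestamp", "identity", "internal_ip", "external_ip",
                   "action", "query_type", "response_code", "domain"]


def build_sample_log_gz():
    """Build a constructed, gzip-compressed CSV object like the ones the
    log source downloads. Every row below is made up for this example."""
    rows = [
        ["2024-01-01 00:00:01", "workstation-01", "10.0.0.5", "203.0.113.7",
         "Allowed", "1 (A)", "NOERROR", "example.com."],
        ["2024-01-01 00:00:02", "workstation-02", "10.0.0.6", "203.0.113.7",
         "Blocked", "1 (A)", "NOERROR", "blocked-sample.test."],
    ]
    text = io.StringIO()
    csv.writer(text, quoting=csv.QUOTE_ALL).writerows(rows)
    return gzip.compress(text.getvalue().encode("utf-8"))


def parse_umbrella_csv_gz(data):
    """Decompress a .csv.gz object and return one dict per DNS event,
    which is the step the Cisco Umbrella CSV event format performs."""
    with gzip.open(io.BytesIO(data), mode="rt", encoding="utf-8", newline="") as fh:
        return [dict(zip(ASSUMED_COLUMNS, row)) for row in csv.reader(fh)]


def blocked_domains(events):
    """Domains that Umbrella reported as Blocked: the events an analyst
    would look at first once the log source is collecting."""
    return sorted({e["domain"] for e in events if e["action"] == "Blocked"})


if __name__ == "__main__":
    print(select_log_keys(SAMPLE_KEYS))
    events = parse_umbrella_csv_gz(build_sample_log_gz())
    for event in events:
        print(event)
    print(blocked_domains(events))
```

Running the script against the constructed listing selects only the two .csv.gz objects under dnslogs/, which is the behaviour to expect from the log source; if a real bucket listing produces no matches, compare its key names against the Directory Prefix and File Pattern values in the same way before changing other parameters.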

For a complete list of Amazon AWS S3 REST API protocol parameters and their values, see Amazon AWS S3 REST API protocol configuration options.