IBM Support

QRadar®: Directory prefix for a Cisco Umbrella log source

How To


Summary

What to enter in the Directory Prefix field of a Cisco Umbrella log source configuration that uses the Amazon AWS S3 REST API protocol.

Objective

To supplement the DSM Configuration Guide for Cisco Umbrella.

Steps

If you have an active S3 bucket, your AWS GUI may show information similar to the following example:
"We're sending data to your Cisco-managed S3 storage.
Storage Region: US East (Ohio)
...
Data Path: s3://cisco-managed-us-east-2/1234567_aabbccddeeff112233445566778899a1b2c3d4e5 (40 char long hexadecimal)
Last Sync: <date>
Schema Version: v4"
This information is used in the log source configuration, for example in the Log Source Management app (see the screen capture).
The IBM DSM Configuration Guide also stipulates the following:
Directory Prefix: The location of the root directory on the Cisco Umbrella storage bucket from where the Cisco Umbrella logs are retrieved. For example, the root directory location might be dnslogs/.
To be more precise, the Directory Prefix field should be a combination of your Data Path and the root directory.
[Screen capture: log source configuration in the Log Source Management app]
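The combination described above, as an added Python example that is not IBM's or Cisco's code. It assumes that the bucket part of the Data Path goes in the log source's separate bucket name field, that the Directory Prefix is the Data Path folder followed by the root directory, and that the folder has the form shown in the example; the function name is hypothetical.

```python
import re
from urllib.parse import urlparse

# Assumption: the folder under a Cisco-managed bucket looks like the page's
# example, "<numeric id>_<40 hexadecimal characters>".
FOLDER_RE = re.compile(r"^\d+_[0-9a-f]{40}$")


def umbrella_log_source_fields(data_path, root_dir="dnslogs/"):
    """Split an Umbrella Data Path into bucket name and Directory Prefix."""
    parsed = urlparse(data_path.strip())
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError("Data Path must look like s3://<bucket>/<folder>")
    # Tolerate a trailing slash copied along with the Data Path.
    folder = parsed.path.strip("/")
    if not FOLDER_RE.match(folder):
        raise ValueError("unexpected folder name: %r" % folder)
    # Normalise the root directory so the result has exactly one separator
    # between the parts and one trailing slash.
    root = root_dir.strip("/")
    if not root or ".." in root.split("/"):
        raise ValueError("root directory must be a plain relative path")
    return {
        "bucket_name": parsed.netloc,
        "directory_prefix": "%s/%s/" % (folder, root),
    }


if __name__ == "__main__":
    # Constructed sample: the example Data Path shown on this page.
    sample = ("s3://cisco-managed-us-east-2/"
              "1234567_aabbccddeeff112233445566778899a1b2c3d4e5")
    for name, value in umbrella_log_source_fields(sample).items():
        print(name, "=", value)
```

Rejecting a Data Path that does not match the expected shape catches copy-and-paste mistakes, such as a truncated hexadecimal string, before they show up as a log source that connects but retrieves no files.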

Document Location

Worldwide


Document Information

Modified date:
18 September 2020

UID

ibm16328881