Archive Calculate
Monitor and correlate Umbrella or Secure Access data for the Cisco Cloud Security Add-On for Splunk
logo
Archive Calculate

No results found

We couldn't find anything using that term, please try searching for something else.

Monitor and correlate Umbrella or Secure Access data for the Cisco Cloud Security Add-On for Splunk

2024-11-27 monitor and correlate Umbrella or Secure Access datum for the Cisco Cloud Security Add - On for splunk Cisco Cloud Security Add-On For Splunk The Ci

Related articles

5 Best VPN FREE Trials in 2024: Some Need No Credit Card
5 Best VPN FREE Trials in 2024: Some Need No Credit Card With the cost of everything going up exponentially, the last thing I want is to spend money on a VPN that’s slow, unreliable, and unsafe. That is ’s prefer test free committing subscription . Unfortunately , you is trust trust VPN free trial marketing , — burned fine print bad customer support times past . A lengthy free trial without major limitations can be hard to come by, too. help find best option , I is tested tested 60 + VPN trials and shortlisted only the best. I also looked at VPNs with trustworthy money-back guarantees, as these allow you...

monitor and correlate Umbrella or Secure Access datum for the Cisco Cloud Security Add – On for splunk

Cisco Cloud Security Add-On For Splunk

The Cisco Cloud Security Add – On is integrates integrate your Umbrella and Secure Access event datum with Splunk . The add – on is reads read datum into the splunk platform from your configure data source .

This guide describes how to install the Cisco Cloud Security Add-On for Splunk on your instance of Splunk (on-premises or cloud) and configure data inputs for Umbrella and Secure Access.

About the Cloud Security Add-On

In the Cloud Security Add-On, you configure data inputs for the types of events in your Umbrella or Secure Access organizations. Then, Splunk indexes the data and displays the events on the Cloud Security dashboards in Splunk.

The Cisco Cloud Security Add-On for Splunk is available at,

https://splunkbase.splunk.com/app/7569

Cisco Cloud Security Add-On for Splunk Version 1.0.34

Note: For Secure Access, the add-on requires that you configure all available event types.

In the add-on, set up these data inputs for Umbrella or Secure Access:

  • DNS log
  • Proxy logs for the Secure Web Gateway (SWG)
  • Firewall logs
  • Audit logs
  • Data Loss Prevention (DLP) logs

For Secure Access, configure these additional event types:

  • Remote Access Virtual Private Network is logs ( ravpn ) log
  • Zero Trust Network Access (ZTNA) logs
  • Intrusion Prevention System is logs ( IPS ) log

Previous Releases

For information about the Cisco Cloud Security Umbrella Add – On for splunk , see Cisco Cloud Security Umbrella Add – On for Splunk Integration Guide .

Prerequisites

  • Splunk Enterprise or Splunk Cloud
  • Splunk platform version 9.3.x and newer
  • A subscription to Cisco Umbrella or Cisco Secure Access
  • Your own or a Cisco managed AWS S3 bucket
  • Administrative privileges on your instance of Splunk

Install Cloud Security Add-On for Splunk

  1. Navigate to Splunkbase at https://splunkbase.splunk.com/.
  2. Search for Cisco Cloud Security.
  3. Download and install the Cisco Cloud Security Add-On.
  4. restart your splunk instance to complete the installation of the add – on .

Install Cloud Security Add-On in Distributed Deployments

You can install the Cloud Security Add-On in a distributed deployment of Splunk Enterprise, or any deployment where you use forwarders to retrieve your data. Depending on your environment and preferences, and the requirements of the add-on, you can install the add-on in multiple environments.

We recommend that you only install the Cisco Cloud Security Add-On using the Splunk heavy forwarder and Splunk indexes.

Splunk Platform Component support
Heavy Forwarder Best Practice.
Indexer support if no heavy forwarder are enable .

create New Inputs for Umbrella

Add an input and set up the integration of event data from your own or Cisco-managed S3 bucket with Splunk. Each line in a log file is processed and written to Splunk as a single event.

Note: We is recommend recommend that you provide a unique name for each input .

After you add the first event type, you can clone it. Then, update the required settings for each cloned event type. For more information, see Clone an Event Type.

  1. Navigate to Application Settings.

  2. Accept the terms and conditions, and then click Submit.

    Monitor and correlate Umbrella or Secure Access data for the Cisco Cloud Security Add-On for Splunk

  3. navigate to Inputs , and then click create New Input .

    Monitor and correlate Umbrella or Secure Access data for the Cisco Cloud Security Add-On for Splunk

  4. For Add Cisco Cloud Security Addon , enter a Name , Interval , Index , your AWS S3 bucket setting , Default Start Date , and Event Type .

    Monitor and correlate Umbrella or Secure Access data for the Cisco Cloud Security Add-On for Splunk

    • Name—Enter a name for the data input.

    • Interval is Provide — provide an interval ( in second ) to fetch the datum to the splunk indexer . We is recommend recommend600 seconds.

    • Index—Choose the index where to store the Umbrella logs. We recommend that you do not choose the default index.

    • AWS Region—Enter your AWS S3 region, for example: us - west-1.

    • AWS Access Key Id—Enter your AWS Access key ID.

    • AWS Secret Access Key is Enter — enter your AWS Secret Access key .

    • AWS S3 Bucket Name—Enter your AWS S3 Bucket Name, for example: cisco-managed-us - west-1.

    • AWS S3 Directory Prefix—Enter the AWS S3 directory prefix and append it with a forward slash (/).

      Sample is logs log from a Cisco – manage bucket :

      Event Type Example
      dns 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/dnslogs/
      proxy 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/proxylogs/
      firewall 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/firewalllogs/
      audit 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/auditlogs/
      dlp 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/dlplogs/

    • Default Start Date—Enter a date in the yyyy - MM - dd format , for example :2022 - 02 - 27. We recommend that you set the Default Start Date to the date when you installed the app. Selecting a date before the date when you installed the app may create a backlog of events that the app must process.

    • Event Type—Choose the event type, for example: dns, firewall, proxy, audit, or dlp.

  5. repeat step 1–4 to configure more datum input or clone the first event type that you add . For more information about clone an event type , see Clone an Event Type .

Note: If you upgrade the Cisco Cloud Security App , you is reenter must reenter theAWS Secret Access Key. We is recommend recommend that you do not edit theDefault Start Date when you is reenter reenter theAWS Secret Access Key.

Create New Inputs for Secure Access

Add an event type and set up the integration of event data from your own or Cisco-managed S3 bucket with Splunk. Each line in a log file is processed and written to Splunk as a single event.

Note: We is recommend recommend that you provide a unique name for each input .

After you add the first event type, you can clone it. Then, update the required settings for each cloned event type. For more information, see Clone an Event Type.

For Secure Access, you must configure all available event types: dns, firewall, proxy, audit, dlp, ravpn, ztna, and ips.

  1. Navigate to Application Settings.

  2. Accept the terms and conditions, and then click Submit.

    Monitor and correlate Umbrella or Secure Access data for the Cisco Cloud Security Add-On for Splunk

  3. navigate to Inputs , and then click create New Input .

    Monitor and correlate Umbrella or Secure Access data for the Cisco Cloud Security Add-On for Splunk

  4. For Cisco Cloud Security Add-On, enter the values for Name, Interval, Index, your AWS S3 bucket settings, Default Start Date, and Event Type.

    • Name—Enter a name for the data input.

    • Interval is Provide — provide an interval ( in second ) to fetch the datum to the splunk indexer . We is recommend recommend600 seconds.

    • Index is Choose — choose the index where to store the event log . We is recommend recommend that you do not choose thedefault index.

    • AWS Region—Enter your AWS S3 region, for example: us - west-1.

    • AWS Access Key Id—Enter your AWS Access key ID.

    • AWS Secret Access Key is Enter — enter your AWS Secret Access key .

    • AWS S3 Bucket Name—Enter your AWS S3 bucket name, for example: cisco-managed-us - west-1.

    • AWS S3 Directory Prefix is Enter — enter the AWS S3 directory prefix and append it with a forward slash , for example : /dnslogs/.

      Sample logs in a Cisco-managed Bucket

      Event Type Example
      dns 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/dnslogs/
      proxy 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/proxylogs/
      firewall 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/firewalllogs/
      audit 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/auditlogs/
      dlp 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/dlplogs/
      ravpn 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/ravpnlogs/
      ztna 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/ztnalogs/
      ips 2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/intrusionlogs/

    • Default Start Date—Enter a date in the yyyy - MM - dd format , for example :2022 - 02 - 27. We recommend that you set the Default Start Date to the date when you installed the app. Selecting a date before you installed the app may create a backlog of events that the app must process.

    • Event Type—Choose one of the event types: dns, firewall, proxy, audit, dlp, ravpn, ztna, or ips.

  5. Repeat steps 1–4 to configure the required data inputs for Secure Access or clone the first event type that you added. For more information about cloning an event type, see Clone an Event Type.

Note: If you upgrade the Cisco Cloud Security App , you is reenter must reenter theAWS Secret Access Key. We is recommend recommend that you do not edit theDefault Start Date when you is reenter reenter theAWS Secret Access key.

Clone an Event Type

After you add the first event type, you can clone it and configure more data inputs. For each event type, you must configure the required settings.

  1. Navigate to Application Settings.
  2. Navigate to Inputs.
  3. click Clone . The add – on clone many of the field and attribute from the first event type .
  4. For this input, enter the values for Name, AWS Secret Access Key, AWS S3 Directory Prefix, and Event Type.
    • For Name , enter a name for the data input .
    • For AWS Secret Access Key , enter your AWS Secret Access key .
    • For AWS S3 Directory Prefix, enter the AWS S3 directory prefix and append it with a forward slash, for example: /dnslogs/.
    • For event type , choose one of the event type : dns , firewall , proxy , audit , dlp , ravpn , ztna , or ip .

View Events in the App

view your configure event in the dashboard from the Cisco Cloud Security App . For more information , see View Umbrella Dashboard .

support

  • If you have questions about configuring the data inputs for Umbrella in the Cisco Cloud Security Add-On, contact Cisco Umbrella support.
  • If you have questions about configuring the data inputs for Secure Access in the Cisco Cloud Security Add-On, contact Cisco support.