Collect Cisco Umbrella DNS logs
This document explains how to collect Cisco Umbrella DNS logs to a Google Security Operations feed using AWS S3 bucket. The parser handles both JSON and CSV formatted logs. It extracts fields, renames them to match the UDM, handles different log versions and formats (including proxy and IP logs), and performs specific logic for identities, security categories, and network events, ultimately merging the extracted data into the UDM schema.
Before you begin
- Ensure that you have a Google SecOps instance.
- Ensure that you privileged access to AWS IAM and S3.
- Ensure that you have privileged access to Cisco Umbrella.
Configure a Cisco-managed Amazon S3 bucket
- Sign in to the Cisco Umbrella dashboard.
- Go to Admin > Log management.
- Select Use a Cisco-managed Amazon S3 bucket option.
- Provide the following configuration details: - Select a region: select a region closer to your location for lower latency.
- Select a retention duration: select the time period. The retention duration is 7, 14, or 30 days. After the selected time period, data is deleted and cannot be recovered. If your ingestion cycle is regular, use a shorter time period. You can change the retention duration at a later time.
 
- Click Save.
- Click Continue to confirm your selections and to receive activation notification.
 In the Activation complete window that appears, the Access key and Secret key values are displayed.
- Copy the Access key and Secret key values. If you lose these keys, you must regenerate them.
- Click Got it > Continue.
- A summary page displays the configuration and your bucket name. You can turn logging off or on as required by your organization. However, logs are purged based on the retention duration, regardless of new data getting added.
Optional: Configure user access keys for self-managed AWS S3 bucket
- Sign in to the AWS Management Console.
- Create a User following this user guide: Creating an IAM user.
- Select the created User.
- Select the Security credentials tab.
- Click Create Access Key in the Access Keys section.
- Select Third-party service as the Use case.
- Click Next.
- Optional: add a description tag.
- Click Create access key.
- Click Download CSV file to save the Access Key and Secret Access Key for later use.
- Click Done.
- Select the Permissions tab.
- Click Add permissions in the Permissions policies section.
- Select Add permissions.
- Select Attach policies directly.
- Search for and select the AmazonS3FullAccess policy.
- Click Next.
- Click Add permissions.
Optional: Configure a self-managed Amazon S3 bucket
- Sign in to the AWS Management Console. 
- Go to S3. 
- Click Create bucket. 
- Provide the following configuration details: - Bucket name: provide a name for the Amazon S3 bucket.
- Region: select a region.
 
- Click Create. 
Optional: Configure a bucket policy for self-managed AWS S3 bucket
- Click the newly created bucket to open it.
- Select Properties > Permissions.
- In the Permissions list, click Add bucket policy.
- Enter the preconfigured bucket policy as follows: - { "Version": "2008-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::BUCKET_NAME/*" }, { "Sid": "", "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::BUCKET_NAME/*"}, { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" }, "Action": "s3:GetBucketLocation", "Resource": "arn:aws:s3:::BUCKET_NAME" }, { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::BUCKET_NAME" } ] }- Replace BUCKET_NAMEwith the Amazon S3 bucket name you provided.
 
- Replace 
- Click Save. 
Optional: Required Verification for self-managed Amazon S3 bucket
- In the Cisco Umbrella dashboard, select Admin > Log management > Amazon S3.
- In the Bucket name field, specify your exact Amazon S3 bucket name, and then click Verify.
- As part of the verification process, a file named README_FROM_UMBRELLA.txtis uploaded from Cisco Umbrella to your Amazon S3 bucket. You may need to refresh your browser in order to see the readme file when it is uploaded.
- Download the README_FROM_UMBRELLA.txtfile, and open it using a text editor.
- Copy and save the unique Cisco Umbrella token from the file.
- Go to the Cisco Umbrella dashboard.
- In the Token number field, specify the token and click Save.
- If successful, you get a confirmation message in your dashboard indicating that the bucket was successfully verified. If you receive an error indicating that your bucket can't be verified, re-check the syntax of the bucket name and review the configuration.
Configure a feed in Google SecOps to ingest the Cisco Umbrella DNS logs
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed; for example, Cisco Umbrella DNS Logs.
- Select Amazon S3 V2 as the Source type.
- Select Cisco Umbrella DNS as the Log type.
- Click Next.
- Specify values for the following input parameters: - S3 URI: the bucket URI. - s3:/BUCKET_NAME/- Replace BUCKET_NAMEwith the actual name of the bucket.
 
- Replace 
 
- Source deletion options: select deletion option according to your preference.
 
- S3 URI: the bucket URI. 
- Click Next. 
- Review your new feed configuration in the Finalize screen, and then click Submit. 
UDM Mapping Table
| Log Field | UDM Mapping | Logic | 
|---|---|---|
| action | security_result.action_details | The value is taken from the actionfield if it exists in the JSON logs, or fromcolumn6orcolumn7in CSV logs, and converted to uppercase (ALLOW or BLOCK). | 
| amp.disposition | security_result.detection_fields[].key | Value is ampDisposition. | 
| amp.disposition | security_result.detection_fields[].value | The value is taken from the amp.dispositionfield. | 
| amp.malware | security_result.detection_fields[].key | Value is ampMalware. | 
| amp.malware | security_result.detection_fields[].value | The value is taken from the amp.malwarefield. | 
| amp.score | security_result.detection_fields[].key | Value is ampScore. | 
| amp.score | security_result.detection_fields[].value | The value is taken from the amp.scorefield. | 
| blocked_categories | security_result.category_details | The value is taken from the blocked_categoriesfield. | 
| blockedfiletype | security_result.detection_fields[].key | Value is egress type. | 
| blockedfiletype | security_result.detection_fields[].value | The value is taken from the blockedfiletypefield. | 
| bundleid | additional.fields[].key | Value is bundleid. | 
| bundleid | additional.fields[].value.string_value | The value is taken from the bundleidfield. | 
| categories[] | security_result.category_details | The value is taken from the categories[].labelfield. | 
| column1 | metadata.event_timestamp.seconds | The value is parsed from the column1field as a timestamp. For proxy logs, ifdateandtimefields exist, they are combined and parsed as a timestamp. | 
| column10 | network.http.user_agent | The value is taken from the column10field. | 
| column10 | additional.fields[].value.string_value | The value is taken from the column10field. | 
| column11 | target.port | The value is taken from the column11field. | 
| column12 | principal.resource.name | The value is taken from the column12field. | 
| column13 | security_result.rule_id | The value is taken from the column13field. | 
| column14 | security_result.action_details | The value is taken from the column14field. | 
| column2 | principal.user.user_display_name | The value is taken from the column2field. | 
| column2 | principal.user.userid | The value is taken from the column2field. | 
| column2 | principal.location.name | The value is taken from the column2field. | 
| column3 | principal.hostname | The value is taken from the column3field. | 
| column3 | principal.user.product_object_id | The value is taken from the column3field. | 
| column3 | principal.location.city | The value is taken from the column3field. | 
| column3 | additional.fields[].value.string_value | The value is taken from the column3field. | 
| column4 | principal.asset.ip | The value is taken from the column4field. | 
| column4 | principal.ip | The value is taken from the column4field. | 
| column4 | principal.port | The value is taken from the column4field. | 
| column5 | principal.asset.ip | The value is taken from the column5field. | 
| column5 | principal.ip | The value is taken from the column5field. | 
| column5 | target.asset.ip | The value is taken from the column5field. | 
| column5 | target.ip | The value is taken from the column5field. | 
| column6 | security_result.action_details | The value is taken from the column6field. | 
| column6 | target.port | The value is taken from the column6field. | 
| column7 | network.received_bytes | The value is taken from the column7field. | 
| column7 | additional.fields[].value.string_value | The value is taken from the column7field. | 
| column8 | principal.asset.ip | The value is taken from the column8field. | 
| column8 | principal.ip | The value is taken from the column8field. | 
| column8 | target.url | The value is taken from the column8field. | 
| column9 | principal.port | The value is taken from the column9field. | 
| column9 | network.http.referral_url | The value is taken from the column9field. | 
| data_center_name | principal.resource.name | The value is taken from the data_center_namefield. | 
| datacenter.label | security_result.detection_fields[].key | Value is datacenter label. | 
| datacenter.label | security_result.detection_fields[].value | The value is taken from the datacenter.labelfield. | 
| destinationip | target.asset.ip | The value is taken from the destinationipfield. | 
| destinationip | target.ip | The value is taken from the destinationipfield. | 
| direction | network.direction | The value is taken from the directionfield and converted to uppercase. | 
| domain | network.dns.questions[].name | The value is taken from the domainfield, with the trailing dot removed if present. | 
| dstPort | target.port | The value is taken from the dstPortfield. | 
| dstip | target.asset.ip | The value is taken from the dstipfield. | 
| dstip | target.ip | The value is taken from the dstipfield. | 
| egress.ip | security_result.detection_fields[].key | Value is egress ip. | 
| egress.ip | security_result.detection_fields[].value | The value is taken from the egress.ipfield. | 
| egress.type | security_result.detection_fields[].key | Value is egress type. | 
| egress.type | security_result.detection_fields[].value | The value is taken from the egress.typefield. | 
| externalip | principal.asset.ip | The value is taken from the externalipfield. | 
| externalip | principal.ip | The value is taken from the externalipfield. | 
| forwardingmethod | additional.fields[].key | Value is forwardingmethod. | 
| forwardingmethod | additional.fields[].value.string_value | The value is taken from the forwardingmethodfield. | 
| granular_identity | principal.user.user_display_name | The value is taken from the granular_identityfield if bothgranular_identityandmost_granular_identityare present. Otherwise, it's derived from the_policy_identityfield and further parsed based onidentityType. | 
| granular_identity | principal.user.email_addresses | The value is extracted from the granular_identityfield using a regular expression. | 
| granular_identity | principal.user.first_name | The value is extracted from the granular_identityfield using a regular expression. | 
| granular_identity | principal.user.last_name | The value is extracted from the granular_identityfield using a regular expression. | 
| granular_identity | principal.user.userid | The value is extracted from the granular_identityfield using a regular expression. | 
| granular_identity | principal.hostname | The value is taken from the granular_identityfield. | 
| granular_identity | principal.location.name | The value is taken from the granular_identityfield. | 
| identity_types | additional.fields[].value.string_value | The value is taken from the identity_typesfield. | 
| identities[] | principal.user.product_object_id | The value is taken from the identities[]field. | 
| identities | principal.user.product_object_id | The value is taken from the identitiesfield. | 
| internalip | principal.asset.ip | The value is taken from the internalipfield. | 
| internalip | principal.ip | The value is taken from the internalipfield. | 
| isolated.fileaction | security_result.detection_fields[].key | Value is isolated fileaction. | 
| isolated.fileaction | security_result.detection_fields[].value | The value is taken from the isolated.fileactionfield. | 
| isolated.state | security_result.detection_fields[].key | Value is isolated state. | 
| isolated.state | security_result.detection_fields[].value | The value is taken from the isolated.statefield. | 
| most_granular_identity | principal.user.identityType | The value is taken from the most_granular_identityfield if bothgranular_identityandmost_granular_identityare present. Otherwise, it's taken from the_policy_identity_typefield. | 
| nat_destination_ip | principal.asset.ip | The value is taken from the nat_destination_ipfield. | 
| nat_destination_ip | principal.ip | The value is taken from the nat_destination_ipfield. | 
| odns_categories | security_result.category_details | The value is taken from the odns_categoriesfield. | 
| policy.ruleid | security_result.rule_id | The value is taken from the policy.ruleidfield. | 
| policy.rulesetid | security_result.detection_fields[].key | Value is rulesetid. | 
| policy.rulesetid | security_result.detection_fields[].value | The value is taken from the policy.rulesetidfield. | 
| policy.timebasedrule | security_result.detection_fields[].key | Value is timebasedrule. | 
| policy.timebasedrule | security_result.detection_fields[].value | The value is taken from the policy.timebasedrulefield. | 
| port | target.port | The value is taken from the portfield. | 
| query_type_name | network.dns.questions[].type | The numeric part is extracted from the query_type_namefield using a regular expression and converted to an integer. | 
| query_type_name | additional.fields[].value.string_value | The string part within parentheses is extracted from the query_type_namefield using a regular expression. | 
| querytype | network.dns.questions[].type | The value is taken from the querytypefield and mapped to a numeric value based on the DNS record type. | 
| referer | network.http.referral_url | The value is taken from the refererfield. | 
| requestmethod | network.http.method | The value is taken from the requestmethodfield. | 
| requestsize | network.sent_bytes | The value is taken from the requestsizefield and converted to an unsigned integer. | 
| response | additional.fields[].value.string_value | The value is taken from the responsefield. | 
| responsecode | network.http.response_code | The value is taken from the responsecodefield. | 
| responsefilename | target.file.names | The value is taken from the responsefilenamefield. | 
| responsesize | network.received_bytes | The value is taken from the responsesizefield and converted to an unsigned integer. | 
| returncode | network.dns.response_code | The value is taken from the returncodefield and converted to an unsigned integer. | 
| securityoverridden | additional.fields[].key | Value is securityoverridden. | 
| securityoverridden | additional.fields[].value.string_value | The value is taken from the securityoverriddenfield. | 
| sha256 | target.file.sha256 | The value is taken from the sha256field. | 
| source_ip | principal.asset.ip | The value is taken from the source_ipfield if it exists in the JSON logs, or fromcolumn3in CSV logs. | 
| source_ip | principal.ip | The value is taken from the source_ipfield if it exists in the JSON logs, or fromcolumn3in CSV logs. | 
| srcPort | principal.port | The value is taken from the srcPortfield. | 
| statuscode | network.http.response_code | The value is taken from the statuscodefield. | 
| tenantcontrols | additional.fields[].key | Value is tenantcontrols. | 
| tenantcontrols | additional.fields[].value.string_value | The value is taken from the tenantcontrolsfield. | 
| timestamp | metadata.event_timestamp.seconds | The value is parsed from the timestampfield as a timestamp. | 
| tunnel_name | additional.fields[].key | Value is tunnel_name. | 
| tunnel_name | additional.fields[].value.string_value | The value is taken from the tunnel_namefield. | 
| tunnel_type | metadata.product_event_type | The value is taken from the tunnel_typefield. | 
| type | additional.fields[].key | Value is type. | 
| type | additional.fields[].value.string_value | The value is taken from the typefield. | 
| url | target.url | The value is taken from the urlfield. | 
| useragent | network.http.user_agent | The value is taken from the useragentfield. | 
| verdict | security_result.action_details | The value is taken from the verdictfield. | 
| warnstatus | security_result.detection_fields[].key | Value is warnstatus. | 
| warnstatus | security_result.detection_fields[].value | The value is taken from the warnstatusfield. Value isDNS Lookup Type. The string part within parentheses is extracted from thequery_type_namefield using a regular expression, or it's an empty string if the field is not present. Value isDNS request and response were made.Determined based on the presence of certain fields: NETWORK_DNS ifquestion.nameis present, NETWORK_CONNECTION if bothprincipal.ipandtarget.ipare present, STATUS_UPDATE if onlyprincipal.ipis present, or GENERIC_EVENT otherwise. Value isUMBRELLA_DNS. Value isUmbrella DNS. Value isCisco. Value is initially set toDNS. Ifrequestmethodis a valid HTTP method, it's changed toHTTP. The numeric part is extracted from thequery_type_namefield using a regular expression and converted to an integer, or it's derived from thequerytypefield and mapped to a numeric value based on the DNS record type. The value is derived from theuseragentorcolumn10field using theparseduseragentfilter. The value is taken from the last part of thecolumn3field after splitting by commas, or it's an empty string if the field is not present. The value is taken from the first part of thecolumn3field after splitting by commas, or it's taken from thecolumn2field ifcolumn3is not present. The value is extracted from thecolumn2orcolumn3field using a regular expression. The value is extracted from thecolumn2orcolumn3field using a regular expression. The value is extracted from thecolumn2orcolumn3field using a regular expression. The value is extracted from thecolumn2orcolumn3field using a regular expression. The value is derived from theaction,column6,column7, orverdictfield and converted to uppercase (ALLOW or BLOCK). Value is set toNETWORK_MALICIOUSif_categoriescontainsMalware, orNETWORK_SUSPICIOUSif_categoriescontainsPotentially Harmful. | 
Need more help? Get answers from Community members and Google SecOps professionals.