Cisco Umbrella provides a consistent and secure experience for all users and devices, no matter where they are located. Umbrella’s robust DNS-layer security provides an added layer of protection for users on-premises, while also ensuring roaming users get reliable protection for wherever their work takes them.
Prerequisites
- Full administrative access to Cisco Umbrella
- S3 URI
- S3 region
- Access Key ID
- Secret Access Key
Configure Cisco Umbrella to export logs to Amazon S3
1. Navigate to Admin > Log Management and select Use a Cisco-managed Amazon S3 bucket.
2. Select a Region and a Retention Duration.
   - Select a Region — Regional endpoints are important to minimize latency when downloading logs to your servers. The regions match those available in Amazon S3; however, not all regions are available. For example, China is not listed. Pick the region that's closest to you from the dropdown. If you wish to change your region in the future, you will need to delete your current settings and start over.
   - Select a Retention Duration — Select 7, 14, or 30 days. Beyond the selected time period, all data will be purged and cannot be retrieved. We recommend a smaller time period if your ingestion cycle is regular. The retention duration can be changed at any time.
   - Click Save and then Continue to confirm your settings.
   Umbrella activates its ability to export to an AWS S3 account. When activation is complete, the Amazon S3 Summary page appears.
3. Copy the credentials from this page and store them in a safe place. This is the only time that the Access and Secret keys are made available to you. These keys are required to access your S3 bucket and download logs. If you lose these keys, they must be regenerated.
4. Once the keys are copied and safe, check Got it and then click Continue.
Configure a feed in Chronicle
Complete the following steps to configure a feed in Chronicle to ingest the Cisco Umbrella DNS logs.
1. Go to Chronicle settings and click Feeds.
2. Click Add New.
3. Select Amazon S3 for Source Type.
4. Select Cisco Umbrella DNS for Log Type.
5. Click Next.
6. In the required fields, paste the S3 URI, S3 region, Access Key ID, and Secret Access Key collected in the previous section.
7. Click Next and Finish.
The following is an example of the DNS log lines that Cisco Umbrella delivers to Chronicle through the S3 bucket.
"2023-07-06 05:20:31","Contoso 2","Contoso 2","192.168.1.1","192.168.1.1","Allowed","28 (AAAA)","NOERROR","contoso.com.","Software/Technology,SaaS and B2B,Application,Cloud and Data Centers","Networks","Networks",""
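To verify what a downloaded log actually contains before relying on the Chronicle parser (for example when troubleshooting a feed that ingests nothing), the following added example, which is not Cisco's or Chronicle's code, parses lines in this format with Python's csv module. The column names are taken from Cisco's documented DNS log column order, an assumption here since the page does not name the columns, and the second sample line (a blocked query) is constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Column order of Cisco Umbrella DNS logs (assumption: names follow Cisco's
# DNS log documentation; the page above shows the values but not the names).
DNS_LOG_FIELDS = [
    "timestamp", "most_granular_identity", "identities", "internal_ip",
    "external_ip", "action", "query_type", "response_code", "domain",
    "categories", "most_granular_identity_type", "identity_types",
    "blocked_categories",
]

# Constructed sample: the line from the page plus an invented blocked query.
SAMPLE_LOG = (
    '"2023-07-06 05:20:31","Contoso 2","Contoso 2","192.168.1.1","192.168.1.1",'
    '"Allowed","28 (AAAA)","NOERROR","contoso.com.",'
    '"Software/Technology,SaaS and B2B,Application,Cloud and Data Centers",'
    '"Networks","Networks",""\n'
    '"2023-07-06 05:21:02","Contoso 2","Contoso 2","192.168.1.1","192.168.1.1",'
    '"Blocked","1 (A)","NOERROR","malware-example.test.","Malware",'
    '"Networks","Networks","Malware"\n'
)


def parse_dns_log(text):
    """Parse Umbrella DNS log text into a list of dicts, one per line."""
    records = []
    # csv.reader handles the quoted fields, including commas inside "categories".
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != len(DNS_LOG_FIELDS):
            raise ValueError(f"expected {len(DNS_LOG_FIELDS)} fields, got {len(row)}: {row}")
        rec = dict(zip(DNS_LOG_FIELDS, row))
        # Timestamps carry no zone; they are treated as UTC here (assumption).
        rec["timestamp"] = datetime.strptime(
            rec["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rec["domain"] = rec["domain"].rstrip(".")          # strip trailing root dot
        for key in ("categories", "blocked_categories"):    # "" -> []
            rec[key] = rec[key].split(",") if rec[key] else []
        num, _, name = rec["query_type"].partition(" ")      # "28 (AAAA)" -> (28, "AAAA")
        rec["query_type"] = (int(num), name.strip("()"))
        records.append(rec)
    return records


def blocked_queries(records):
    """Return only the records Umbrella blocked, for a quick sanity check of the feed."""
    return [r for r in records if r["action"] == "Blocked"]
```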