Cisco Umbrella Cloud Connector
Cisco Umbrella is a cloud-based Secure Internet Gateway (SIG) platform that offers multiple levels of security against internet-based threats. Cisco Umbrella unifies firewall, secure web gateway, DNS-layer security, threat intelligence solutions, and cloud access security broker (CASB) into a single platform. Cisco Umbrella protects internet access across all network devices, locations, and roaming users. For more information, see the Cisco Umbrella documentation.
Prerequisites to Configure the Cisco Umbrella Connector
Before you configure the Cisco Umbrella connector:
- Obtain the Cisco-managed S3 bucket data, including the access key, secret key, folder prefix, and the S3 bucket name.
- Obtain the company-managed S3 bucket data, if you want to use an S3 bucket managed by your organization.
- Have full administrative access to Cisco Umbrella.
Obtain the Cisco Managed S3 Bucket Data
Cisco Umbrella APIs are authenticated via application keys. You must obtain the access key, secret key, folder prefix, and S3 bucket name to use while configuring the Cisco Umbrella for endpoints connector.
To obtain an application key and client ID:
Log in to the Cisco Umbrella console at https://login.umbrella.com/ as an administrator.
Navigate to Admin > Log Management.
Click Cisco-managed Amazon S3 bucket.
Select a region in the list. The regional endpoints are required to reduce latency while downloading logs to your servers. Select a region that is closer to you.
Select a time-period from the Select a Retention Duration list and click Save. After the selected time-period, all the data is purged and cannot be retrieved.
In the confirmation box that displays selected region and retention duration, click Continue to confirm the settings.
Cisco sends an activation notification. When the activation is complete, the Amazon S3 Summary page displays the data path, an access key, and a secret key.
Record the values for the data path, access key, and secret key. The values appear only once; if you lose the key values, you must regenerate them.
After noting the values, select the Got it check box, and click Continue.
For more information, see the Cisco Umbrella documentation. The data path value contains the S3 bucket name and the folder prefix. The data path value looks like this: s3://bucketname/f1/f2/f3. Use these values while configuring the Cisco Umbrella Connector on the Exabeam Cloud Connector platform.
Obtain the Company Managed S3 Bucket Data
Create a bucket policy to grant other AWS accounts or IAM users access permissions for the bucket and the objects in the bucket. For more information see Amazon S3 bucket policies.
To create or edit the bucket policy:
In the AWS management console, use the bucket policy text editor to edit the bucket policy so that the bucket accepts uploads from Cisco Umbrella. In the following JSON, replace bucketname with your S3 bucket name. For more information, see the Cisco Umbrella documentation and the AWS bucket policy guide.

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::568526795995:user/logs"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::568526795995:user/logs"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::568526795995:user/logs"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::568526795995:user/logs"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname"
    }
  ]
}
```
In the Cisco Umbrella console, navigate to Admin > Log Management.
Click Use your company-managed Amazon S3 bucket.
In the Amazon S3 bucket box, type the S3 bucket name that you specified in the JSON file.
Click Verify.
Cisco Umbrella verifies and connects to the bucket and saves a README_FROM_UMBRELLA.txt file to the bucket.
Copy the token from the README_FROM_UMBRELLA.txt file that Cisco Umbrella saved to your bucket.
Paste the token in the Token Number box.
Click Save.
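A bucket policy edited by hand can drift from the documented one: the bucketname placeholder left in place, the Deny on s3:GetObject switched to Allow, or a wildcard principal added. The following added example (not Exabeam or Cisco code) audits a policy document against the four grants shown above. The function names and the bucket name example-umbrella-logs are assumptions, and the sample policies are constructed.

```python
import json

# Principal ARN is the one in the policy on this page. Function names and the
# bucket name "example-umbrella-logs" are assumptions made for illustration.
UMBRELLA_PRINCIPAL = "arn:aws:iam::568526795995:user/logs"

def expected_grants(bucket):
    """(effect, action, resource) triples the documented policy contains."""
    obj, bkt = f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"
    return {
        ("Allow", "s3:PutObject", obj),
        ("Deny", "s3:GetObject", obj),
        ("Allow", "s3:GetBucketLocation", bkt),
        ("Allow", "s3:ListBucket", bkt),
    }

def documented_policy(bucket):
    """Rebuild the page's policy for `bucket` (constructed sample input)."""
    return json.dumps({"Version": "2008-10-17", "Statement": [
        {"Sid": "", "Effect": e, "Principal": {"AWS": UMBRELLA_PRINCIPAL},
         "Action": a, "Resource": r} for e, a, r in sorted(expected_grants(bucket))]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, bucket):
    """Return a list of findings; an empty list means the policy matches."""
    findings, seen = [], set()
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        is_map = isinstance(principal, dict)
        aws = as_list(principal.get("AWS", [])) if is_map else [principal]
        if "*" in aws:
            findings.append("wildcard principal in statement")
        if UMBRELLA_PRINCIPAL not in aws:
            continue  # statement for another principal: not compared here
        for action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                seen.add((stmt.get("Effect"), action, resource))
    want = expected_grants(bucket)
    for effect, action, resource in sorted(seen - want):
        findings.append(f"unexpected {effect} {action} on {resource}")
    for effect, action, resource in sorted(want - seen):
        findings.append(f"missing {effect} {action} on {resource}")
    return findings

if __name__ == "__main__":
    good = documented_policy("example-umbrella-logs")
    print(audit_policy(good, "example-umbrella-logs"))
    print(audit_policy(good.replace('"Deny"', '"Allow"'), "example-umbrella-logs"))
```

Run it against the policy text copied from the bucket policy editor before you click Verify in the Cisco Umbrella console.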
Configure the Cisco Umbrella Connector
The following table displays audit source API and security events supported by the connector.
Audit Source: API | Service or Module Covered | Event Included |
---|---|---|
Any | All |
To configure the Cisco Umbrella connector to import data into the Exabeam Cloud Connector platform:
Complete the Prerequisites to Configure the Cisco Umbrella Connector.
Log in to the Exabeam Cloud Connectors platform with your registered credentials.
Navigate to Settings > Accounts > Add Account.
Click Select Service to Add, and then select Cisco Umbrella from the list.
In the Accounts section enter the required information.
Tenant – Select a tenant to attach to the connector if you are using a multi-tenant edition of Exabeam. Otherwise, select default.
Account Name – Specify a name for the Cisco Umbrella connector. For example, Corporate Cisco Umbrella SIG for Endpoints.
(Optional) Description – Describe the Cisco Umbrella connector. For example, Cisco Umbrella SIG for internet security.
Access Key – Enter the access key, a string of letters and numbers, that you obtained while completing the prerequisites.
Secret Key – Enter the secret key, a string of letters and numbers, that you obtained while completing the prerequisites.
S3 Bucket Name – For a Cisco-managed Amazon S3 bucket, enter the bucket name from the initial part of the data path that you obtained while completing the prerequisites. For a company-managed Amazon S3 bucket, enter the S3 bucket name that you specified in the AWS console while completing the prerequisites.
Folder (Prefix) – Enter the folder prefix from the later part of the data path that you obtained while completing the prerequisites. For example, in the data path s3://bucketname/f1/f2/f3, f1/f2/f3 is the folder prefix.
Note
Required fields are indicated with a red bar.
To confirm that the Exabeam Cloud Connector platform communicates with the service, click Test Connection.
Click Done to save your changes. The cloud connector is now set up on the Exabeam Cloud Connector platform.
To ensure that the connector is ready to send and collect data, Start the connector and check that the status shows OK.
Troubleshoot for the Cisco Umbrella Connector
Problem: Events are not received in DL and CC UI for a certain endpoint.
Solution: The Exabeam DNS, Proxy, and IP Cisco Umbrella endpoints work in pairs. Exabeam uses the Explorer endpoint to read the log file names stored in the S3 bucket, then uses the data endpoint to retrieve data. Each endpoint in Cisco Umbrella has an explorer endpoint. Check if the explorer endpoint of the endpoint that is not collecting data is active. For example, if you want to use the DNS endpoint, ensure that the DNS-explorer endpoint is active.