Cisco Umbrella prevents users from accessing any websites that are known to be malicious to help protect them from phishing and ransomware. It does this by filtering domain name server (DNS) requests, keeping a record of all malicious websites.
Blumira’s integration with Cisco Umbrella allows you to retrieve event data from Cisco Umbrella directly to your Blumira sensor. Now you can start centralizing logs and leveraging Blumira’s security insight to detect and respond to threats.
Cisco Umbrella provides an API which allows for the retrieval of event data from Umbrella directly to your Blumira sensor. If you are using Umbrella, please follow this guide.
Before Blumira can retrieve logs from Umbrella, you will first need to obtain credentials to access the Umbrella API. To obtain these credentials, please follow the instructions provided by Umbrella here: https://docs.umbrella.com/umbrella-api/docs/authentication-and-errors. You will need to obtain a key and secret, but you may skip the steps involving base64 encoding these values to create an Authorization header.
You will also need to make a note of your Organization ID within Umbrella. Umbrella provides instructions for finding your Organization ID here: https://docs.umbrella.com/deployment-umbrella/docs/find-your-organization-id.
Next, you’ll need to configure your Blumira sensor to connect to the Umbrella API, using the credentials you obtained.
Here’s how to add the Umbrella module:
The Add New Module window should close, and, back in your sensor detail page view, you should now see the Cisco Umbrella Module listed in the table of modules.
Within minutes, the module will be operational, and will ingest Cisco Umbrella logs from the last 90 days into the Blumira platform. It will then poll Cisco Umbrella every minute for the latest available logs.