Integrating Cisco Umbrella With Blumira

Cisco Umbrella prevents users from accessing any known malicious websites to protect against phishing and ransomware. It does this by filtering domain name server (DNS) requests, keeping a record of all malicious websites.


Blumira’s integration with Cisco Umbrella allows you to retrieve event data from Cisco Umbrella directly to your Blumira sensor. Now you can start centralizing logs and leveraging Blumira’s security insight to detect and respond to threats.


Related Integrations: Cisco FTD FirePower Threat Defense, Cisco ASA Firewall


Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.


Free Trial

Cisco Umbrella Log Collection Configuration

Cisco Umbrella provides an API which allows for the retrieval of event data from Umbrella directly to your Blumira sensor. If you are using Umbrella, please follow this guide.

Umbrella API

Before Blumira can retrieve logs from Umbrella, you will first need to obtain a Key and Secret for the Umbrella Reporting API.

  1. Navigate to Admin > API Keys > Create
  2. Select the Umbrella Reporting API > Create
  3. Copy the Key and Secret for your records. Note the Secret will not be accessible again.

*You may skip the steps involving base64 encoding these values to create an Authorization header.

*If the Reporting API is greyed out, it’s currently in use. Each API can only be used for one resource.

Organization ID

You will also need to make a note of your Organization ID within Umbrella.

  1. Check your Umbrella Admin Console URL and grab the Organization ID.
  2. This is typically a 7 digit number in the URL (see below)
  3. https://dashboard.umbrella.com/o/<OrgID>/#/overview

Configuring Blumira

Next, you’ll need to configure your Blumira sensor to connect to the Umbrella API, using the credentials you’ve obtained.

Here’s how to add the Umbrella module:

  1. Once you have chosen or installed a Blumira sensor, access that sensor’s detail page through the admin console Infrastructure > Sensors.
  2. In the Modules section for your sensor, click on the Add Module button. In the Module drop-down, select the Cisco Umbrella Module.
  3. Fill in the New Module fields, shown here:

  1. Organization ID – Seven Digit Number
  2. API Token – Your Key from Umbrella
  3. API Secret – Your Secret from Umbrella
  4. Log Source Name (optional) – Custom Name
  5. Press Install and wait a few seconds for the system to process your request.

The Add New Module window should close. Back in your sensor detail page view, you should now see the Cisco Umbrella Module listed in the table of modules.

Within minutes, the module will be operational and will ingest Cisco Umbrella logs from the last 90 days into the Blumira platform. It will then poll Cisco Umbrella every minute for the latest available logs.

Note: In order to have client names included in the Umbrella logs, you will need to configure Active Directory integration with Umbrella. See the Additional Resources section below for detailed instructions on how to accomplish this.

Additional Resources

Cisco Umbrella API: https://docs.umbrella.com/umbrella-api/docs/authentication-and-errors.

Cisco Umbrella Org ID: https://docs.umbrella.com/deployment-umbrella/docs/find-your-organization-id.

Cisco Umbrella AD Integration: https://docs.umbrella.com/deployment-umbrella/docs/1-ad-integration-setup-overview