Integrating Cisco Umbrella With Blumira

Cisco Umbrella prevents users from accessing any websites that are known to be malicious to help protect them from phishing and ransomware. It does this by filtering domain name server (DNS) requests, keeping a record of all malicious websites.

 

Blumira’s integration with Cisco Umbrella allows you to retrieve event data from Cisco Umbrella directly to your Blumira sensor. Now you can start centralizing logs and leveraging Blumira’s security insight to detect and respond to threats.

 

Related Integrations: Cisco FTD FirePower Threat Defense, Cisco ASA Firewall

Cisco Umbrella Log Collection Configuration

Cisco Umbrella provides an API which allows for the retrieval of event data from Umbrella directly to your Blumira sensor. If you are using Umbrella, please follow this guide.

Preparing Umbrella

Before Blumira can retrieve logs from Umbrella, you will first need to obtain credentials to access the Umbrella API. To obtain these credentials, please follow the instructions provided by Umbrella here: https://docs.umbrella.com/umbrella-api/docs/authentication-and-errors. You will need to obtain a key and secret, but you may skip the steps involving base64 encoding these values to create an Authorization header.

You will also need to make a note of your Organization ID within Umbrella. Umbrella provides instructions for finding your Organization ID here: https://docs.umbrella.com/deployment-umbrella/docs/find-your-organization-id.

Configuring Blumira

Next, you’ll need to configure your Blumira sensor to connect to the Umbrella API, using the credentials you obtained.

Here’s how to add the Umbrella module:

    1. Once you have chosen or installed a sensor that you would like to add Umbrella log collection to, access that sensor’s detail page through the sensor UI (Infrastructure > Sensors).
    2. In the Modules section for your sensor, click on the Add Module button. In the Module drop-down, find the Umbrella Module, and select the latest available version.
    3. Fill in the New Module form, shown here:

  1. The API Token and API Secret values should be filled in with the key and secret you obtained from Umbrella. Likewise, the Organization ID should be the Organization ID for your company within Umbrella.
  2. You can leave Log Source Name empty, or, optionally, set it to a short, alphanumeric string, without spaces, that will help identify this instance of the Cisco Umbrella integration, in case you later have multiple (e.g. “main” or “primary”).
  3. Press Install and wait a few seconds for the system to process your request.

The Add New Module window should close, and, back in your sensor detail page view, you should now see the Cisco Umbrella Module listed in the table of modules.

Within minutes, the module will be operational, and will ingest Cisco Umbrella logs from the last 90 days into the Blumira platform. It will then poll Cisco Umbrella every minute for the latest available logs.