Cisco Umbrella uses the internet’s infrastructure to block malicious destinations before a connection is ever established. It uses DNS to stop threats over all ports and protocols — even direct-to-IP connections. Stop malware before it reaches your endpoints or network. Instead of proxying all web traffic, Umbrella routes requests to risky domains for deeper URL and file inspection.
For more information on Cisco Umbrella services see:
The main challenges and needs are to:
- Obtain and retain a full audit trail of activities in Cisco Umbrella managed accounts.
- Make the granular activities available in the organization's central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations.
What is it
SkyFormation for Cisco Umbrella Cloud Connector is part of the SkyFormation Collect (c) module.
It continuously retrieves audit events from the different audit sources in the Cisco Umbrella platform account, unifies the events into a common application events format, enriches the events with needed detection context and sends the events to any existing SIEM/SOC system.
How it works
SkyFormation for Cisco Umbrella Cloud Connector retrieves events from the Cisco Umbrella service by reading the log data that Umbrella persists to its Cisco-managed S3 bucket. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event as a blob
- Parse the origin event into a set of dedicated key-value fields
- Enrich the event with detection context (e.g. AD identity information)
- Encode the resulting event into the target SIEM/SOC system's standard format (e.g. CEF)
- Send the event to the existing SIEM/SOC system over syslog
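As an added example (not the connector's own code), the following Python walks one Umbrella DNS log line through the steps above: parse it into key-value fields, keep the raw line as a blob, enrich it from an identity directory, encode it as CEF with correct escaping, and frame it for syslog. The sample line, the column names and the AD lookup table are constructed assumptions for this example.

```python
import csv
import io

# Constructed sample line in the comma-separated DNS-log layout Umbrella writes to S3.
# The column names are an assumption for this example, not the official schema.
SAMPLE_LINE = ('"2023-05-01 12:34:56","alice-laptop","alice-laptop,Corp Network","10.0.0.5",'
               '"203.0.113.7","Blocked","1 (A)","NOERROR","malicious.example.com","Malware",'
               '"Roaming Computers","Roaming Computers,Networks","Malware"')
COLUMNS = ["timestamp", "identity", "identities", "internal_ip", "external_ip", "action",
           "query_type", "response_code", "domain", "categories", "identity_type",
           "identity_types", "blocked_categories"]

# Constructed stand-in for the AD identity lookup used for enrichment.
AD_DIRECTORY = {"alice-laptop": {"user": "alice@corp.example", "department": "Finance"}}

def parse_event(line):
    """Parse one raw log line into key-value fields and embed the original as a blob."""
    values = next(csv.reader(io.StringIO(line)))
    if len(values) != len(COLUMNS):
        raise ValueError("unexpected column count: %d" % len(values))
    event = dict(zip(COLUMNS, values))
    event["raw"] = line
    return event

def enrich(event, directory=AD_DIRECTORY):
    """Attach identity context (AD user, department) when the identity is known."""
    return {**event, **directory.get(event["identity"], {})}

def cef_escape(value, header=False):
    """CEF escaping: '\\' and '|' in header fields, '\\' and '=' in extension values."""
    value = value.replace("\\", "\\\\")
    value = value.replace("|", "\\|") if header else value.replace("=", "\\=")
    return value.replace("\r", "\\r").replace("\n", "\\n")

def to_cef(event):
    """Encode the enriched event as one CEF line; severity 8 for blocks, 3 otherwise."""
    severity = 8 if event["action"] == "Blocked" else 3
    header = ["CEF:0", "SkyFormation", "Umbrella Connector", "1.0", "dns",
              event["action"] + " DNS query", str(severity)]
    ext = {"rt": event["timestamp"], "src": event["internal_ip"], "dhost": event["domain"],
           "act": event["action"], "suser": event.get("user", "unknown"),
           "cs1Label": "categories", "cs1": event["categories"]}
    ext_str = " ".join("%s=%s" % (k, cef_escape(v)) for k, v in ext.items())
    return "|".join(cef_escape(h, header=True) for h in header) + "|" + ext_str

def to_syslog(cef_line, hostname="skyformation"):
    """Frame the CEF line as a minimal RFC 3164 message (PRI 133 = local0.notice)."""
    return "<133>%s: %s" % (hostname, cef_line)

if __name__ == "__main__":
    print(to_syslog(to_cef(enrich(parse_event(SAMPLE_LINE)))))
```

Sending is the only step left out: the framed string would be written to the SIEM's syslog socket (UDP 514 or TLS) exactly as returned by to_syslog.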
Connector's API/Audit Sources & Events Supported
| Audit Source (API) | Service/Module Covered | Event Included |
|---|---|---|