Monitor and correlate Umbrella or Secure Access data for the Cisco Cloud Security Add-On for Splunk

Cisco Cloud Security Add-On for Splunk

The Cisco Cloud Security Add-On for Splunk is an on-line application for configuring the integration of the Cisco Umbrella and Cisco Secure Access event data with the Splunk data platform.

This guide describes how to install and configure the Cisco Cloud Security Add-On for your instance of Splunk.

The Cisco Cloud Security Add-On for Splunk is available at:

https://splunkbase.splunk.com/app/7569

What's New

The latest version of the Cisco Cloud Security Add-On for Splunk is 1.0.42.

Updates to the Cisco Cloud Security Add-On for Splunk

  • Added support for reading the event data from the logs using the log headers.
  • Simplified the configuration of the AWS account information and event log entries in the add-on.
  • Added the option to configure the settings for a specific log type or choose Create inputs for all event types.
  • Added the option to enter a Default Start Date with the current day using the YYYY-MM-DD format.
  • Updated the add-on to migrate any existing inputs to the new input settings after an upgrade of the add-on.
  • Added support for the Fileevent event type.
  • Added support for the Cisco Secure Access v12 log format.
  • Added the Splunk Common Information Model (CIM) mapping for the Fileevent event type and v12 log schema.
  • Fixed various software bugs in the add-on.

About the Umbrella Add-On for Splunk

For information about the Cisco Cloud Security Umbrella Add-On for Splunk, see Cisco Cloud Security Umbrella Add-On for Splunk Integration Guide.

About Event Log Headers

Important: When you export the organization's logs from the AWS S3 bucket, enable log headers. The add-on uses the log headers to extract the event data in the logs.

Installation of the Cloud Security Add-On in Distributed Deployments

You can install the Cloud Security Add-On in a distributed deployment of Splunk Enterprise, or any deployment where you use forwarders to retrieve your data. Depending on your environment and preferences, and the requirements of the add-on, you can install the add-on in multiple environments.

We recommend that you install the Cisco Cloud Security Add-On only on Splunk heavy forwarders and Splunk indexers.

Splunk Platform Component   Notes
Heavy Forwarder             Recommended.
Indexer                     Supported if no heavy forwarders are enabled.

About Configuring the Data Inputs

In the add-on, configure data inputs for the Umbrella or Secure Access event types. Splunk manages the Umbrella or Secure Access event data and displays the events on the Cloud Security dashboards in the Cisco Cloud Security App for Splunk.

Umbrella data inputs

Configure any of the available Umbrella event types: dns, firewall, proxy, audit, or dlp.

  • DNS logs
  • Firewall logs
  • Proxy logs for the Secure Web Gateway (SWG)
  • Audit logs
  • Data Loss Prevention (DLP) logs

Samples of the Umbrella log endpoints in a Cisco-managed bucket

Event Type   Example
dns          2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/dnslogs/
proxy        2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/proxylogs/
firewall     2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/firewalllogs/
audit        2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/auditlogs/
dlp          2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/dlplogs/

Secure Access data inputs

You must configure all available Secure Access event types: dns, firewall, proxy, audit, dlp, ravpn, ztna, and ips.

  • DNS logs
  • Firewall logs
  • Proxy logs for the Secure Web Gateway (SWG)
  • Audit logs
  • Data Loss Prevention (DLP) logs
  • Remote Access Virtual Private Network (RAVPN) logs
  • Zero Trust Network Access (ZTNA) logs
  • Zero Trust Network Access (ZTNA) Flow logs
  • Intrusion Prevention System (IPS) logs

Samples of the Secure Access log endpoints in a Cisco-managed bucket

Event Type       Example
dns              2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/dnslogs/
proxy            2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/proxylogs/
firewall         2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/firewalllogs/
audit            2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/auditlogs/
dlp              2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/dlplogs/
ravpn            2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/ravpnlogs/
ztna             2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/ztnalogs/
ztna flow logs   2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/ztnaflowlogs/
ips              2506xxx_2db1xxxx1ddf7cxxx18652xxxxfdab7xxxxd60xx/intrusionlogs/

Get Started: Install and Configure the Cloud Security Add-On for Splunk

  1. Review the prerequisites for installing and configuring the add-on. For more information, see Prerequisites.
  2. Download and install the Cloud Security Add-On for Splunk in your instance of Splunk. For more information, see Download and Install the Cloud Security Add-On.
  3. For the add-on, accept the Terms and Conditions. For more information, see Accept the Terms and Conditions.
  4. Add the information for your AWS Accounts in the add-on. For more information, see Add Your AWS Accounts.
  5. Confirm the configuration of the Umbrella or Secure Access data inputs. For more information, see About Configuring the Data Inputs and Create New Inputs for Umbrella or Secure Access.
  6. View your configured events on the dashboards in the Cisco Cloud Security App for Splunk. For more information, see View Cloud Security Dashboards.

Walkthrough: Cloud Security Add-On for Splunk

Prerequisites

  • An instance of Splunk Enterprise or Splunk Cloud running Splunk platform version 9.4.x or 9.3.x.
  • A subscription for Cisco Umbrella or Cisco Secure Access.
  • An AWS account associated with the configured AWS S3 bucket.
  • The credentials and bucket information for your own or a Cisco managed AWS S3 bucket.
    • AWS S3 Access key credentials (AWS Access key ID and secret).
    • AWS S3 region.
    • AWS S3 bucket name.
    • AWS S3 directory prefix.
  • For your instance of Splunk, administrative privileges and an environment with Python 3.9.

Note: You cannot use the Cisco Cloud Security Add-On for Splunk with the Splunk Free license.

Download and Install the Cloud Security Add-On

  1. Navigate to Splunkbase at https://splunkbase.splunk.com/.
  2. Search for Cisco Cloud Security.
  3. Download the latest Cisco Cloud Security Add-On for Splunk software package (cisco-cloud-security-add-on-for-splunk_1042.tgz).
  4. Install the Cisco Cloud Security Add-On software package on your instance of Splunk.

Accept the Terms and Conditions

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security Addon.

    Cloud Security Apps Menu
  2. Navigate to Application Settings.

  3. Click I have read the terms and conditions of the Agreement and agree to be bound by them.

  4. Click Submit.

    Splunk Terms and Conditions

Add Your AWS Accounts

Add your AWS account information in the add-on.

  1. Navigate to Application Settings.

  2. Navigate to Configuration, and then click AWS Accounts.

    Add AWS Account Information
  3. Configure the settings for an AWS account in the add-on.

    • For Name, enter a unique name of an AWS account where you have your own or a Cisco-managed S3 bucket.
    • For AWS Access Key Id, enter your AWS Access key ID.
    • For AWS Secret Access Key, enter your AWS Secret Access key.
    • For AWS Region, enter your AWS S3 region, for example: us-west-1.
    Add AWS Account Information
  4. Click Add.

  5. To add more AWS accounts in the add-on, repeat Steps 3–4.

Create New Inputs for Umbrella or Secure Access

Add Umbrella or Secure Access event types to integrate the event data from your own or a Cisco-managed S3 bucket with Splunk. Each line in a log file is processed and written to Splunk as a single event. For information about event types, see About Configuring the Data Inputs.

You can set up all event data by selecting Yes for the Create inputs for all event types option. Otherwise, select No and then enter the event types in the add-on.

After you add the first event type, you can clone it. Then, update the required settings for each cloned event type. For more information, see Clone an Event Type.

We recommend that you provide a unique name for each input.

Important: If you upgrade the add-on, you must re-enter the AWS Secret Access Key. Do not edit the Default Start Date for an existing input.

  1. Navigate to Application Settings.

  2. Navigate to Configuration, and then click Event Logs.

    Add AWS Account Information
  3. Enter the values for Name, AWS Account to use, Bucket Name, Directory Prefix, Interval, Index, and Default Start Date.

    Create New Input
    • Name—Enter a unique name for the integration of the Umbrella or Secure Access events in the add-on.
    • AWS Account to use—Enter the name of the AWS account that you configured in the add-on.
    • AWS S3 Bucket Name—Enter your AWS S3 Bucket Name, for example: cisco-managed-us-west-1.
    • AWS S3 Directory Prefix—Enter the AWS S3 directory prefix and append a forward slash (/), for example: /dnslogs/.
    • Interval—Enter the interval (in seconds) at which the add-on fetches data into the Splunk indexer. We recommend 600 seconds.
    • Index—Choose the index where to store the Umbrella or Secure Access logs. We recommend that you do not choose the default index.
    • Default Start Date—Enter a date in the YYYY-MM-DD format, for example: 2022-02-27. We recommend that you set the Default Start Date to the date when you installed the app. Selecting a date before the date when you installed the app may create a backlog of events that the app must process.
      • Note: You can enter a Default Start Date with the current day using the YYYY-MM-DD format.
    Cloud Security Add-On Configure Event Logs
  4. For Create inputs for all event types—Click Yes to create inputs for all event types for the AWS Account and S3 bucket, or click No, and then enter each event type in the add-on.

    • (Optional) You can clone the first event type that you added. For more information about cloning an event type, see Clone an Event Type.
  5. For Disable all the inputs, choose Yes to disable all configured inputs, or choose No to leave them enabled.
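To make the input settings above concrete (Directory Prefix, the per-event-type log directories from the endpoint tables, Default Start Date, and the requirement in About Event Log Headers that log headers be enabled so that each line becomes one event), here is an added, illustrative Python model of what an input does with them. It is not the add-on's code. It assumes a constructed bucket layout with one date-named folder per day under each event-type directory and uses constructed CSV header names; the real Umbrella and Secure Access log schemas are not reproduced here.

```python
"""Illustrative model of an S3 log input (constructed example, not the add-on's code)."""
import csv
import io
from datetime import date

# Bucket subdirectory for each event type, taken from the endpoint tables in this guide.
LOG_DIRS = {
    "dns": "dnslogs", "proxy": "proxylogs", "firewall": "firewalllogs",
    "audit": "auditlogs", "dlp": "dlplogs", "ravpn": "ravpnlogs",
    "ztna": "ztnalogs", "ztna flow logs": "ztnaflowlogs", "ips": "intrusionlogs",
}


def normalize_prefix(prefix):
    """Return the directory prefix with no leading slash and exactly one trailing slash."""
    p = prefix.strip().strip("/")
    return p + "/" if p else ""


def object_prefix(directory_prefix, event_type):
    """Compose the S3 key prefix an input would list, e.g. '2506xxx_.../dnslogs/'."""
    return normalize_prefix(directory_prefix) + LOG_DIRS[event_type] + "/"


def keys_since(keys, key_prefix, start):
    """Keep keys under key_prefix whose date partition is on or after the Default Start Date.

    Assumes (constructed layout) keys of the form <key_prefix><YYYY-MM-DD>/<file>;
    keys without a parsable date partition are skipped.
    """
    selected = []
    for key in keys:
        if not key.startswith(key_prefix):
            continue
        partition = key[len(key_prefix):].split("/", 1)[0]
        try:
            day = date.fromisoformat(partition)
        except ValueError:
            continue
        if day >= start:
            selected.append(key)
    return selected


def lines_to_events(text, required=("Timestamp",)):
    """Turn one log file's text into one event dict per line, naming fields from the header row.

    `required` lists header names that must be present (constructed default); a file whose
    first row lacks them was exported without log headers and cannot be mapped to fields.
    """
    rows = [row for row in csv.reader(io.StringIO(text)) if row]
    if not rows:
        return []
    header = rows[0]
    missing = [f for f in required if f not in header]
    if missing:
        raise ValueError(f"log headers are disabled or incomplete; missing fields: {missing}")
    return [dict(zip(header, row)) for row in rows[1:]]


# Constructed sample data: object keys as a bucket listing might return them, and one
# small DNS log file exported with headers enabled. Field names are made up.
SAMPLE_KEYS = [
    "2506xxx_org/dnslogs/2022-02-26/2022-02-26-23-50-0001.csv",
    "2506xxx_org/dnslogs/2022-02-27/2022-02-27-00-00-0002.csv",
    "2506xxx_org/dnslogs/2022-02-28/2022-02-28-00-10-0003.csv",
    "2506xxx_org/proxylogs/2022-02-27/2022-02-27-00-00-0004.csv",
]
SAMPLE_DNS_LOG = (
    '"Timestamp","Identity","InternalIp","Action","Domain"\n'
    '"2022-02-27 00:00:01","host-1","10.0.0.5","Allowed","example.com."\n'
    '"2022-02-27 00:00:07","host-2","10.0.0.9","Blocked","example.net."\n'
)


def run_example():
    """Select the dns objects from the Default Start Date onward and parse the sample file."""
    prefix = object_prefix("/2506xxx_org/", "dns")
    keys = keys_since(SAMPLE_KEYS, prefix, date(2022, 2, 27))
    events = lines_to_events(SAMPLE_DNS_LOG)
    return keys, events


if __name__ == "__main__":
    selected_keys, parsed_events = run_example()
    print(len(selected_keys), "objects to fetch;", len(parsed_events), "events parsed")
```

The header check is the part worth carrying into operations: if an export is configured without log headers, the first data row is silently treated as field names and every downstream field extraction and CIM mapping is wrong, so failing loudly on a missing expected header is preferable to ingesting mislabelled events.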

Clone an Event Type

After you add the first event type, you can clone it and configure more data inputs. For each event type, you must configure the required settings.

  1. Navigate to Application Settings.

  2. Navigate to Inputs.

  3. Click Clone. The add-on clones many of the fields and attributes from the first event type.

    Create New Input

  4. For this input, enter the values for Name, AWS Secret Access Key, AWS S3 Directory Prefix, and Event Type.

    • For Name, enter a name for the data input.
    • For AWS Secret Access Key, enter your AWS Secret Access key.
    • For AWS S3 Directory Prefix, enter the AWS S3 directory prefix and append it with a forward slash, for example: /dnslogs/.
    • For Event Type, choose one of the event types: dns, firewall, proxy, audit, dlp, ravpn, ztna, or ips.

Contact Support

  • If you have questions about configuring the data inputs for Umbrella in the Cisco Cloud Security Add-On, contact Cisco Umbrella Support.
  • If you have questions about configuring the data inputs for Secure Access in the Cisco Cloud Security Add-On, contact Cisco Support.