Monitor and correlate Umbrella data in Splunk Enterprise App

Cloud Security App For Splunk

The Cisco Cloud Security App integrates your Cloud Security data with event data from Splunk. Cisco Cloud Security includes Cisco Umbrella, Cisco Investigate, and Cisco Cloudlock. Splunk is a robust Security Information and Event Management (SIEM) platform. Splunk provides anomaly detection, incident forensics, and vulnerability management.

The Cloud Security App for Splunk guide explains how to install, deploy, and use the Cisco Cloud Security App for Splunk.

About the Cloud Security App

View your Cloud Security data, interact with the Cloud Security dashboards in Splunk, automate security for your networks, and contain threats.

  • View and research domains, URLs, and IPs using Umbrella Investigate.
  • Block and unblock destinations with the Umbrella Destination Lists API.
  • Provide visibility into the application traffic on your organization's networks with the App Discovery API.
  • View detailed Cloud Access Security Broker (CASB) incident information with the Cisco Cloudlock API.
  • Show visualizations of aggregated Umbrella event data using the Cloud Security APIs.

The Cisco Cloud Security App for Splunk is available at:

https://classic.splunkbase.splunk.com/app/5558/

What's New

Updates to the Cisco Cloud Security App for Splunk.

Cisco Cloud Security App Version 1.0.39

  • Added the App Discovery (CASB) dashboard.
  • Updated the data included on the dashboards in the app.
    • The app creates the dashboards seamlessly from your data using the Umbrella and Cloudlock APIs.
    • The app extends the dashboards with granular data that is collected on Splunk.
  • Updated the configuration of the Log Index Settings to include the dlp (Data Loss Prevention) logs.
  • Updated alert actions: Investigate Destinations, Block Destinations, and Destination Reports. For more information, see Configure Alerts.

Prerequisites

  • Splunk Enterprise, Splunk Cloud.
  • Splunk platform versions: 9.2, 9.1, 9.0.
  • Access to Cisco Umbrella, Cisco Investigate, and Cisco Cloudlock.
  • Umbrella API key. For more information, see Authentication.
  • Investigate API token. For more information, see Umbrella Investigate Authentication.
  • Cloudlock API token. For more information, see Cloudlock Authentication.
  • Splunk administrative privileges.

Previous Releases

Information about previous Cisco Cloud Security App for Splunk software releases.

Cisco Cloud Security App Version 1.0.30

  • Investigate module
    • Added Investigate scheduled report.
    • Added classification and categorization.
    • Removed deprecated items.
  • Splunk account—Map a request to a Splunk user account.
  • Dashboard panels—Only show configured log sources.
  • Destination lists—Provided option to add a comment while blocking a destination.
  • Fixed security vulnerabilities and upgraded library.

Install Cloud Security App

  1. Navigate to Splunkbase at https://splunkbase.splunk.com/.
  2. Search for Cisco Cloud Security.
  3. Download and install the Cisco Cloud Security App.
  4. Restart your Splunk instance to complete the installation of the app.

Install Cloud Security App in Distributed Deployments

You can install the Cloud Security App in a distributed deployment of Splunk Enterprise, or any deployment where you use forwarders to retrieve your data. Depending on your environment and preferences, and the requirements of the app, you can install the app in multiple environments.

We recommend that you install the Cisco Cloud Security App on the Splunk search heads and the Splunk indexers.

Splunk Platform Component: Support
Search Heads: Install and configure only the Destination Lists and S3 indexes.
Indexers: Install and configure only the Investigate and Cloudlock APIs and indexes.

Role-Based Access Control

The Cisco Cloud Security App creates roles for use in the dashboard views and the Application Settings view.

Role Permissions
cs_admin
  • Can update and edit Application Settings.
  • Can update the status and severity of an incident in the CASB tab.
cs_supervisor
  • Does not have access to Application Settings.
  • Can update the status and severity of an incident in the CASB tab.
cs_user
  • Can only view the dashboards.
  • Does not have access to Application Settings.
  • Cannot update or retrieve data, or perform any right-click actions such as enrich or block.

Upgrade Cloud Security App

  1. Navigate to Splunkbase at https://splunkbase.splunk.com/.

  2. Search for Cisco Cloud Security.

  3. Navigate to Manage Apps.

  4. Click on Install app from file.

    Upgrade Manage Apps Browse

  5. Check Upgrade app and choose the zipped tar file, then click Upload.

    Upgrade Manage Apps Upgrade

  6. Accept the restart request. As part of the upgrade, Splunk restarts your Splunk instance.

    Upgrade Manage Apps Restart

About Cloud Security Apps Menu

Apps Menu

The Apps Menu displays a navigation bar that includes the Splunk Search and the Cloud Security App modules.

  • Search
  • Cloud Security
  • Umbrella
  • Investigate
  • CASB (App Discovery)
  • Cloudlock
  • Application Settings

Apps Top Navigation Menu

Configure Application Settings

  • Configure your Dashboard settings.
  • Configure the Umbrella API settings, including the Umbrella App Discovery settings.
  • Configure Umbrella Investigate.
  • Configure Cloudlock.
  • Configure the Umbrella Destination Lists settings.
  • Configure the Log Index settings—Choose the inputs on the app to search for event data in the Umbrella logs.

Dashboard Settings

  1. Navigate to Dashboard Settings.

  2. Choose a Default Search Interval and Panel Refresh Rate.

    Splunk App Dashboard Settings

    • For Default Search Interval, enter an integer. When first installed, the app sets the Default search interval to 1.
      • If you upgrade the app, you must configure the Default search interval to ensure that the calendar dates align with your instance of Splunk.
      • If you update the Default Search Interval, we recommend that you clear your browser cache.
    • For Panel Refresh Rate, choose how often the app refreshes your dashboard view.

Umbrella API Settings

  1. Navigate to Umbrella API Settings.

    Splunk App Umbrella API Settings

    • For URL, enter the legacy Umbrella API URL: https://api.umbrella.com.
    • For API Key, enter your Umbrella API key ID.
    • For Key Secret, enter your Umbrella API key secret.
    • For Select Timezone, choose the timezone where you are running the app.
    • For Storage Region, choose the location of your storage region.
    • For App Discovery Index, click Configure Index to add the Umbrella App Discovery log level, interval, source type, host, and index.


Destination List Settings

  1. Navigate to Destination List Settings.

  2. Enter the URL for the Umbrella API endpoint, https://api.umbrella.com.

  3. Create an API key ID and key secret in Umbrella.

  4. Encode the Umbrella API key ID and key secret, joined by a colon, as a single base64 string. For example, open a shell and run: printf '%s' 'key:secret' | openssl base64 -A. Use printf rather than echo, because echo appends a trailing newline that would be encoded into the token and cause the API to reject your credentials.

  5. Enter your base64-encoded credentials into the Token field.

  6. Enter your Umbrella organization ID.

  7. Click Fetch. The app displays your organization's blocked Umbrella destination lists.

  8. For each configured Splunk role, add the blocked Umbrella destination lists to the app.

  9. On your Umbrella dashboards, use the redirection and filter icons to add destinations from your blocked Umbrella destination lists. You can only choose blocked destinations, not allowed destinations. For more information about managing destinations on the app, see Umbrella Destination Lists.

    Splunk App Destination List Settings
Note: Your Umbrella dashboards only display destinations that you add to the app from your blocked Umbrella destination lists. Once you add a destination to your Umbrella dashboards, you can use the redirection icon to remove the destination from displaying on the app.
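The following shell script is an added example, not part of the Cisco documentation or the app itself, that builds the base64 token for the Token field (step 4 above) and checks it. The key ID and secret are constructed placeholders, and the script falls back to the coreutils base64 command when openssl is not installed (an assumption about the machine it runs on).

```shell
#!/bin/sh
# Added example (not from the Cisco documentation): build and verify the
# base64 token that the Destination List Settings "Token" field expects.

# Encode stdin as a single base64 line; prefer openssl as the doc does,
# otherwise use coreutils base64 (assumption: one of the two is installed).
b64_encode() {
  if command -v openssl >/dev/null 2>&1; then openssl base64 -A
  else base64 | tr -d '\n'; fi
}

# Decode a single-line base64 token from stdin.
b64_decode() {
  if command -v openssl >/dev/null 2>&1; then openssl base64 -d -A
  else base64 -d; fi
}

# $1 = API key ID, $2 = API key secret.
# printf '%s' emits no trailing newline. echo would append one, and the
# newline would become part of the encoded token, so authentication fails.
umbrella_basic_token() {
  printf '%s:%s' "$1" "$2" | b64_encode
}

# The pitfall, kept only so the difference can be demonstrated.
umbrella_token_with_echo() {
  echo "$1:$2" | b64_encode
}

# $1 = token, $2 = key ID, $3 = secret.
# Decode the token and compare its byte count with len(key)+1+len(secret).
# A mismatch almost always means a stray newline was encoded.
umbrella_token_check() {
  expected=$(( ${#2} + 1 + ${#3} ))
  actual=$(printf '%s' "$1" | b64_decode | wc -c | tr -d ' ')
  [ "$actual" -eq "$expected" ]
}

if [ "${1:-}" = "demo" ]; then
  KEY='abcd'     # constructed placeholder, not a real Umbrella key ID
  SECRET='1234'  # constructed placeholder, not a real Umbrella secret
  token=$(umbrella_basic_token "$KEY" "$SECRET")
  printf 'Token: %s\n' "$token"
  if umbrella_token_check "$token" "$KEY" "$SECRET"; then
    echo 'token decodes to exactly key:secret'
  fi
fi
```

Run it as `sh token.sh demo` and paste the printed value into the Token field. The byte-count check is cheap insurance: if a token was produced with echo, the decoded length is one byte too long and the check fails before you spend time troubleshooting an authentication error in the app.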

Investigate Settings

  1. Navigate to Investigate Settings.

  2. For URL, enter the Umbrella Investigate URL: https://investigate.api.umbrella.com/.

  3. For Token, enter an Investigate API token that you generate on Umbrella. For more information, see Investigate API Authentication.

  4. For Investigate, choose the index for Investigate.

    Splunk App Investigate Settings

Cloudlock Settings

  1. Navigate to Cloudlock Settings.

  2. For Config Name, enter a meaningful name.

  3. Obtain your Cloudlock URL from Cisco Cloudlock Support, and then add to URL.

    Sample Cloudlock URL: https://YourEnvironmentsAddress.cloudlock.com/api/v2

  4. Generate your Cloudlock API token in Cloudlock, and then add to Token. For more information, see Cloudlock API Authentication.

  5. Choose Retrieve event/entity raw data to view event information about your incidents.

  6. Choose Show Cisco CASB incident UEBA panels to view the UEBA panels.

  7. Choose a Start Date. When Start Date is blank, the app fetches incidents for the last seven days. We recommend that you do not set a start date that is older than one month. A start date older than one month causes the app to fetch large amounts of data.

    Splunk App Cloudlock Settings

Log Index Settings

The Log Index Settings require that you install the Cloud Security Add-On for Splunk. For more information, see Configure Cloud Security Add-On.

  1. Navigate to Umbrella Log Index Settings.

  2. Choose the appropriate index for each Umbrella event type to connect the inputs.


View Application Settings and API Health Status

View the history of the configured settings and the health status of the APIs.

  1. Navigate to Application Settings.

  2. Click View History to display Application Settings History.

    Application Settings History

  3. Click Health Status to display the status of the Cloud Security APIs integrated with the app.

    Health Status of the APIs

Check Splunk Indexes

Check that Splunk receives events from Umbrella and applies the configured indexes. Query for each type of Umbrella event to view the indexed events.

  1. Navigate to the Search tab.
  2. Enter sourcetype=cisco:umbrella:dns to view the Umbrella DNS events (Cisco Umbrella DNS Logs).
  3. Enter sourcetype=cisco:umbrella:proxy to view the Umbrella Secure Web Gateway (proxy) events (Cisco Umbrella Proxy Logs).
  4. Enter sourcetype=cisco:umbrella:firewall to view the Umbrella Firewall events (Cisco Umbrella Firewall Logs).
  5. Enter sourcetype=cisco:umbrella:audit to view the Umbrella Audit events (Cisco Umbrella Audit Logs).
  6. Enter sourcetype=cisco:umbrella:dlp to view the Umbrella DLP events (Cisco Umbrella DLP Logs).
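Running the five searches by hand is fine once; the shell script below is an added example (not from the Cisco documentation) that automates the same check. It reads the CSV that a search such as `sourcetype=cisco:umbrella:* | stats count by sourcetype` produces and reports every expected Umbrella sourcetype that is missing or has zero events. The CSV embedded here is a constructed sample; how you export the real CSV (for example the `splunk search` CLI on a search head) is your choice and is not assumed by the script.

```shell
#!/bin/sh
# Added example (not from the Cisco documentation): confirm that every Umbrella
# sourcetype the Cloud Security App expects is actually being indexed.

# The five sourcetypes the Check Splunk Indexes procedure queries.
EXPECTED_SOURCETYPES='cisco:umbrella:dns cisco:umbrella:proxy cisco:umbrella:firewall cisco:umbrella:audit cisco:umbrella:dlp'

# Constructed sample of "| stats count by sourcetype" exported as CSV:
# dlp is absent entirely and audit is present with zero events.
SAMPLE_CSV='sourcetype,count
cisco:umbrella:dns,48213
cisco:umbrella:proxy,9021
cisco:umbrella:firewall,133
cisco:umbrella:audit,0'

# $1 = CSV text (header row first). Prints each expected sourcetype that is
# missing or has count 0, one per line. Returns 0 if all are ingesting,
# 1 if at least one is not.
umbrella_missing_sourcetypes() {
  csv=$1
  status=0
  for st in $EXPECTED_SOURCETYPES; do
    count=$(printf '%s\n' "$csv" | awk -F, -v st="$st" \
      'NR > 1 && $1 == st { c = $2; found = 1 } END { print (found ? c : 0) }')
    if [ "${count:-0}" -eq 0 ]; then
      echo "$st"
      status=1
    fi
  done
  return $status
}

if umbrella_missing_sourcetypes "$SAMPLE_CSV"; then
  echo 'all Umbrella sourcetypes are being indexed'
else
  # Each sourcetype listed above has no events: check the Log Index Settings
  # and the add-on inputs for that log type.
  echo 'some Umbrella sourcetypes have no events' >&2
fi
```

A sourcetype with a zero count is reported alongside a missing one because both mean the same thing for the dashboards: the corresponding Umbrella panel will be empty until the add-on input and the Log Index Settings for that event type are fixed.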

Troubleshoot Application Settings

If you encounter errors in the Cloud Security Splunk App, we recommend that you verify your configured application settings.

View Cloud Security Dashboard

The Cloud Security tab displays aggregated data from Umbrella requests, Umbrella destination lists activity, App Discovery reports, and Cloudlock reports.

  • If the Umbrella and Cloudlock modules cannot connect to the Umbrella Destination Lists or Cloudlock APIs, the app may not display data on the Cloud Security page.
  • View the status of the Umbrella Destination Lists and Cloudlock modules from Application Settings > Health. For more information, see View Configured Application Settings and API Health Status.

Cloud Security Tab

  1. Navigate to Cloud Security.
  2. Configure the time range for the data. If you do not set a time range, the app displays the data for the Last 1 Hour (last hour).
  3. (Optional) Choose one of the predefined date ranges, or click Custom to select Custom Date Ranges.

View Umbrella Dashboard

The Umbrella tab is available only when the Cisco Cloud Security Add-On is installed and configured. In Application Settings, select the indexes under Umbrella. For more information, see Configure Cloud Security Add-On.

The Umbrella tab contains the Umbrella DNS, Secure Web Gateway (SWG), Cloud Delivered Firewall (CDFW), and Destination Lists modules.

  • Umbrella DNS—Displays the total request count, blocked requests, block trend for the specified time, blocked destinations compared to allowed destinations, and top blocked DNS categories.
  • Umbrella SWG—Displays the total request count, blocked requests, block trend for the specified time, blocked destination compared to allowed destination, and top blocked proxy categories.
  • Umbrella CDFW—Displays the total request count, blocked requests, blocked destinations for the specified time, and blocked destinations compared to allowed destinations.
  • Destination Lists—Displays the number of blocked destinations and destinations that Umbrella does not block.

Umbrella Tab

  1. Navigate to Umbrella.
  2. Configure the time range for the data. If you do not set a time range, the app displays the data for the Last 1 Hour (last hour).
  3. (Optional) Choose one of the predefined date ranges, or click Custom to select Custom Date Ranges.

Umbrella DNS

  1. Click the Umbrella DNS redirection icon.

    Splunk App Umbrella DNS Settings

Umbrella SWG

  1. Click the Umbrella SWG redirection icon.

    Splunk App Umbrella Secure Web Gateway Settings

Umbrella CDFW

  1. Click the Umbrella CDFW redirection icon.

    Splunk App Umbrella Cloud Firewall Settings

Umbrella Destination Lists

  1. Click the Umbrella Destination Lists redirection icon.

    Umbrella Destination Lists Dashboard

  2. Use the filter icon to choose a destination list, and then select the destinations in the destination list to block.

    Umbrella Destination Lists Dashboard

View Investigate Dashboard

  • If the Investigate module cannot connect to the Umbrella Investigate API, the app may not display data in the Investigate tab.
  • View the status of the Investigate module from Application Settings > Health. For more information, see View Configured Application Settings and API Health Status.

  1. Navigate to Investigate.

  2. Enter a domain name, IP, or URL in the search to query for detailed information about a destination.

    Umbrella Investigate Dashboard

  3. Right click on a destination to block the destination.

    Umbrella Investigate Interactive Block Destination

  4. (Optional) Add a comment.

    Umbrella Investigate Alerts in Destination Lists


View CASB Dashboard

  1. Navigate to CASB.

  2. View the incidents about applications and related events on the app from the Umbrella App Discovery reports.

    App Discovery Dashboard

View Cloudlock Dashboard

The Cloudlock tab displays incidents about applications and related events on the app from the Cloudlock reports.

Cloudlock Dashboard

  1. Navigate to Cloudlock.

  2. Configure the time range for the data. If you do not set a time range, the app displays the data for the Last 1 Hour (last hour).

  3. (Optional) Choose one of the predefined date ranges, or click Custom to select Custom Date Ranges.

  4. Click an ID to view the details about an incident.

    Cloudlock Incident ID

  5. (Optional) Choose the severity or status of an incident from the drop-down menu, and then click Update.

    Cloudlock Incident Severity ID

Configure Reports

Destination Reports

  1. Navigate to Reports.

  2. View the destinations generated in the Destination Report alert.

    Umbrella Investigate Triggered Dashboard

  3. In the Search tab, run the inputlookup command against the lookup that matches the destination type to return its events.

Destination: inputlookup command
Domain: inputlookup cisco_investigate_domains
IP: inputlookup cisco_investigate_ips
URL: inputlookup cisco_investigate_urls
Hash: inputlookup cisco_investigate_hashes

Scheduled Reports

  1. Choose Scheduled in Alert type to schedule the Cloud Security App report.

    Configure Scheduled Reports

  2. Choose Destination Report under Add Actions.

  3. Enter a unique name for Report Name.

  4. Enter a name for Field Name. Use one of the field types for the field name: Domain, URL, IP, or Hash.

  5. Choose the type of the field from the Field Type drop-down menu.

  6. Choose the Umbrella Investigate datasets based on the value of Field Type.

    Choose the datasets that match the configured field type. If you select a dataset that does not match your field type, the app ignores the dataset.

    Configure Scheduled Reports

Field Types and Related Datasets

Field type Dataset
Domain
  • Domain Status and Categorization
  • Domain Volume
  • Co-occurrences for a Domain
  • Related Domains
  • Passive DNS
  • Security Information
  • WHOIS Information
  • Cisco Secure Malware Analytics (formerly Threat Grid) integration
IP
  • Passive DNS
  • AS Information
  • Cisco Secure Malware Analytics (formerly Threat Grid) integration
URL
  • Cisco Secure Malware Analytics (formerly Threat Grid) integration
Hash
  • Cisco Secure Malware Analytics (formerly Threat Grid) integration

Configure Alerts

Configure Alert Actions on the app.

Investigate Destinations

Set up the Investigate Destinations alert to query a destination using the destination's type and field name.

  1. Enter the field name.
  2. Choose the type of the field. The field type is either URL, IP, or Domain.

Configure Investigate Destinations Alert in Splunk

Block Destinations

Set up the Block the Destinations alert to block a domain, URL, or IP for the destinations found in a certain destination list.

  1. Enter the field name.
  2. Choose the destination list name.

Configure Block Destinations Alert in Splunk

Destination Reports

Set up the Destination Report alert to notify an admin about the availability of a blocked destinations report. For more information, see Scheduled Reports.

Support

If you have questions about the Cisco Cloud Security App, contact Cisco Umbrella Support.