Monitor and correlate Secure Access, Umbrella, Investigate, and Cloudlock data in Splunk Enterprise App

Cisco Cloud Security App for Splunk

The Cisco Cloud Security App for Splunk is an on-line application that integrates with the Splunk data platform. The app provides dashboards, alert actions, research capabilities, and management of Cisco Secure Access and Cisco Umbrella resources. The Cisco Cloud Security App for Splunk combines the data from the Cisco Cloud Security APIs and events that you add from the Cisco Cloud Security Add-On for Splunk.

Splunk is a robust Security Information and Event Management (SIEM) platform. Splunk provides anomaly detection, incident forensics, and vulnerability management. For more information, see Cisco Splunk.

The Cicso Cloud Security App for Splunk's dashboards display cloud security key performance indicators (KPIs), outliers, and trends. The app provides the option to explore granular data obtained through the integration with the Cloud Security Add-On for Splunk. The app enables both detection and mitigation response of security events. Security operation center (SOC) teams and threat hunters have the ability to manage destinations and gain insights into the destinations that are accessed by the user devices on the organization's networks.

From the app, you can manage incidents with access to applications through the cloud access security broker (CASB) in Cisco Cloudlock. You can also use the app to research destinations with Cisco Investigate and create and export detailed reports about destinations and related information.

The Cisco Cloud Security App for Splunk is available at,

https://splunkbase.splunk.com/app/5558/

What's New

The latest version of the Cisco Cloud Security App for Splunk is 1.0.48.

Updates to the Cisco Cloud Security App for Splunk

  • Removed the requirement of restarting Splunk after upgrading the app.
  • Added the search option on the Private Resources panel.
  • Updated the Cloudlock sourcetype from Cloudock: Incidents to cisco:cloud_security:cloudlock.
  • Fixed various software bugs in the app.

About the Apps Menu

From the Apps Menu in your instance of Splunk, you can navigate to the Cisco Cloud Security App.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

    Cloud Security Apps Menu

  2. The Cisco Cloud Security App includes:

    • Search
    • Overview
    • Monitor
    • Applications
    • Access
    • Investigate
    • Application Settings

About the Dashboards

You can set up the dashboards in the Cloud Security App for Splunk to display the organization's cloud security events and log data.

Overview Dashboards

  • Total Requests
  • Total Blocks
  • Security Blocks
  • Application Discovery
  • Destination Lists
  • Cloudlock Incidents

Monitor: Cloud Security Dashboards

  • DNS
    • DNS Requests
    • Blocked versus Allowed Destinations
    • DNS Blocked Categories (Top 10)
  • Secure Web Gateway (SWG)
    • SWG Requests
    • Blocked versus Allowed Destinations
    • SWG Blocked Categories (Top 10)
  • Cloud-Delivered Firewall (CDFW)
    • CDFW Requests
    • Blocked versus Allowed Destinations
  • Destination Lists
    • Destinations Trend
    • Removed Destinations
  • Data Layer Protection (DLP).
    • Configure the DLP log data with the Cisco Cloud Security Add-On for Splunk.

Applications Dashboards

  • App Discovery
  • Private Resources Overview
  • Private Resources Details

Access Dashboards

  • Remote Access Virtual Private Network (RAVPN)
  • Zero Trust Network Access (ZTNA)

Investigate Dashboard

  • Investigate
  • Triggered Investigations
  • Reports

Cloudlock Dashboard

  • Incidents and other event data for applications that are managed and monitored by Cisco Cloudlock.

Get Started – Set Up the Cloud Security App

The Cloud Security App for Splunk guide describes how to download, install, configure, display data, and create alert actions on the app.

  1. Create an API key and secret in Umbrella or Secure Access, and optionally get the organization's Cloudlock API access token. For more information, see Prerequisites.
  2. Download and install the Cloud Security App for Splunk in your instance of Splunk. For more information, see Download and Install the Cloud Security App.
  3. (Optional) Download and install the Cloud Security Add-On for Splunk in your instance of Splunk. For more information, see Download and Install the Cloud Security Add-On.
  4. Configure the Cloud Security application settings in the app. For more information, see Configure Cloud Security Application Settings.
  5. (Optional) Configure alerts and reports on the app. For more information, see Manage Alert Actions.

Walkthrough: Cloud Security App for Splunk

Prerequisites

  • An instance of Cisco Splunk Enterprise or Cisco Splunk Cloud that supports Splunk platform versions 9.4.x or 9.3.x.
  • A subscription for at least one of the Cisco Cloud Security products: Cisco Secure Access, Cisco Umbrella, Cisco Investigate, or Cisco Cloudlock.
  • A valid Secure Access API key and secret. For more information, see Secure Access API Authentication.
  • A valid Umbrella API key and secret. For more information, see Umbrella API Authentication.
  • A valid Cloudlock API access token and URI. For more information, see Cloudlock Authentication.
  • Administrative privileges for your instance of Splunk.
Note: You can not use the Cicso Cloud Security App for Splunk with the Splunk Free license.

Create an API Key with the Required OAuth 2.0 Scopes

To get the organization's cloud security data integrated with the app, create an Umbrella or Secure Access API key with the required OAuth 2.0 scopes. For information about the Umbrella API key scopes, see Umbrella OAuth 2.0 Scopes. For information about the Secure Access API key scopes, see Secure Access OAuth 2.0 Scopes.

  • For the Reporting API, add the Reports > Aggregations (Read-only) key scope on the API key:
    • reports.aggregations:read
  • For the Destination Lists API, add the Policies > Destination Lists (Read/Write) and Policies > Destinations (Read/Write) key scopes on the API key:
    • policies.destinationlists:write
    • policies.destinations:write
  • For the App Discovery API, add the Reports > App Discovery (Read/Write) key scope on the API key:
    • reports.appDiscovery:write
  • For the Investigate API, add the Investigate > Investigate (Read-only) and Investigate > InvestigateBulk (Read-only) key scopes on the API key:
    • investigate.investigate:read
    • investigate.bulk:read

Download and Install the Cloud Security App

  1. Navigate to Splunkbase at https://splunkbase.splunk.com/, and then search for Cisco Cloud Security, or navigate to https://splunkbase.splunk.com/app/5558/.
  2. Download the latest Cisco Cloud Security App for Splunk software package (cisco-cloud-security-app-for-splunk_1048.tgz).
  3. Install the Cisco Cloud Security App for Splunk on your instance of Cisco Splunk Enterprise or Cisco Splunk Cloud.
  4. Restart your Splunk instance to complete the installation of the app.

Install the Cloud Security App in Distributed Deployments

You can install the Cloud Security App for Splunk in a distributed deployment of Splunk Enterprise, or any deployment where you use forwarders to retrieve your data. Depending on your environment and preferences, and the requirements of the app, you can install the app in multiple environments.

We recommend that you install the app using the Splunk search heads and Splunk indexers.

Splunk Platform Component Support
Search Heads Install and configure only the Destination Lists and S3 indexes.
Indexers Install and configure only the Investigate and Cloudlock APIs and indexes.

Role-Based Access Controls in the App

The Cisco Cloud Security App for Splunk creates roles for use in the dashboard views and the Application Settings view.

Role Permissions
cs_admin
  • Can update and edit the Application Settings.
  • Can update the status and severity of an incident in the CASB module.
cs_supervisor
  • Does not have access to the Application Settings.
  • Can update the status and severity of an incident in the CASB module.
cs_user
  • Can only view the dashboards.
  • Does not have access to the Application Settings.
  • Cannot update or retrieve data, or perform any right-click actions such as enrich or block.

Upgrade the Cloud Security App

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Manage Apps.

  2. Click Install App From File.

  3. Click Choose File, and then select the software package for the Cisco Cloud Security App for Splunk that you downloaded previously.

  4. Check Upgrade app, choose the zipped tar file, then click Upload.

    App Settings time range selector

Configure Application Settings

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

    Cloud Security Apps Menu

  2. Navigate to Application Settings, and then set up the Cloud Security App.

    Apps Top Navigation Menu

Add General Dashboard Settings

Select the default search interval and the panel refresh rate for the app.

  1. Navigate to Dashboard Settings.

  2. Choose a Default Search Interval and Panel Refresh Rate.

    default search interval and panel refresh rate
    • For Default Search Interval, enter an integer. When first installed, the app sets the Default search interval to 1.
      • If you upgrade the app, you must configure the Default search interval to ensure that the calendar dates align with your instance of Splunk.
      • If you update the Default Search Interval, we recommend that you clear your browser cache.
    • For Panel Refresh Rate, choose how often the app refreshes your dashboard view.

  3. Click Save.

Add Secure Access or Umbrella API Settings

Add the Secure Access or Umbrella API Key credentials, configure the timezone and storage region, and set up the App Discovery and Investigate index settings.

  1. Navigate to Cisco Secure Access/Umbrella API Settings.

    Splunk App Secure Access or Umbrella API Settings

    • For URL, enter the Secure Access API URL: https://api.sse.cisco.com or the Umbrella API URL: https://api.umbrella.com.

    • For API Key, enter your Secure Access or Umbrella API key ID.

    • For Key Secret, enter your Secure Access or Umbrella API key secret.

    • For Select Timezone, choose the timezone where you are running the app.

    • For Storage Region, choose the location of your storage region.

    • For Investigate Index, select an index for the Investigate data.

    • For App Discovery Index, click Configure Index.

      • (Optional) Enter the App Discovery log level, and then click Save.

        App Discovery configure settings

      • (Optional) Click More settings, add the App Discovery Interval, Source type, Host, and Index, and then click Save.

        App Discovery configuration of more settings

    • For Private Apps Index, click Configure Index.

      • (Optional) Enter the Private Apps log level, and then click Save.

        Private Apps log level

      • (Optional) Click More settings, add the Private Apps Interval, Source type, Host, and Index, and then click Save.

        Private Apps configuration of more settings

  2. Click Save.

Manage Destination List Settings

You can fetch all of the destination lists in the organization for the users of the app or choose specific destination lists from the organization to add in the app.

Note: Before you can fetch the destination lists in the organization, add the Secure Access or Umbrella API key credentials in the app. For more information, see Add Secure Access or Umbrella API Settings.

  1. Navigate to Destination List Settings.

  2. Click Fetch Destination Lists. The app displays all destination lists (Secure Access or Umbrella) in the organization.

  3. For each configured Splunk role, add the destination lists to the app. Use the redirection and filter icons to add or remove destination lists in the app.

    Manage Destination Lists

  4. Click Save.

Add Cloudlock Settings

Add the Cloudlock API Key credentials and configure the settings for the Cloudlock data.

  1. Navigate to Cloudlock Settings.

  2. For Config Name, enter a meaningful name.

  3. Obtain your Cloudlock URL from Cisco Cloudlock Support, and then add to URL.

    Sample Cloudlock URL: https://YourEnvironmentsAddress.cloudlock.com/api/v2

  4. Generate your Cloudlock API token in Cloudlock, and then add to Token. For more information, see Cloudlock API Authentication.

  5. Choose Retrieve event/entity raw data to view event information about your incidents.

  6. Choose Show Cisco CASB incident UEBA panels to view the UEBA panels.

  7. Choose a Start Date. When Start Date is blank, the app fetches incidents for the last seven days. We recommend that you do not set a start date that is older than one month. A start date older than one month causes the app to fetch large amounts of data.

    Splunk App Cloudlock Settings

  8. Click Save.

Add Log Index Settings

To configure the Log Index Settings, you must install the Cloud Security Add-On for Splunk in your instance of Splunk. For more information, see Create New Inputs for Umbrella and Create New Inputs for Secure Access.

  1. Navigate to Umbrella Log Index Settings.

  2. Choose the appropriate index for each event type to connect the inputs.

    Splunk Terms and Conditions

  3. Click Save.

View Configured Application Settings and API Health Status

After you configure the Application Settings in the app, you can view the history of the configured settings and health status of each configured Cloud Security API.

  1. Navigate to Application Settings.

  2. Click View History. The app displays the history of the application settings.

    Application Settings History

  3. Click Health Status. The app displays the status of the Cloud Security APIs, which are integrated with the app.

    Health Status of the APIs

Check Splunk Indexes

Check that Splunk receives events from Umbrella or Secure Access and applies the configured indexes. Query for the type of cloud security data to view the indexed events.

For example:

  1. Navigate to the Search tab.
  2. Enter sourcetype = cisco:umbrella:dns in Cisco Umbrella DNS Logs—View Umbrella DNS events.
  3. Enter sourcetype = cisco:umbrella:proxy in Cisco Umbrella Proxy Logs—View Umbrella Secure Web Gateway (proxy) events.
  4. Enter sourcetype = cisco:umbrella:firewall in Cisco Umbrella Firewall Logs—View Umbrella Firewall events.
  5. Enter sourcetype = cisco:umbrella:audit in Cisco Umbrella Audit Logs—View Umbrella Audit events.
  6. Enter sourcetype = cisco:umbrella:dlp in Cisco Umbrella DLP Logs—View Umbrella DLP events.

Troubleshoot Application Settings

If you encounter errors in the Cloud Security App for Splunk, we recommend that you verify your configured application settings, which includes the Secure Access or Umbrella API key credentials for the organization.

View Overview Dashboards

  • Aggregated Requests and Blocks
  • Application Discovery
  • Destination Lists (Added and Removed Trends)

Overview of Aggregated Requests and Blocks

In the app, the Overview page displays a series of dashboards of aggregated Secure Access or Umbrella data:

  • Total Requests
  • Total Blocks
  • Security Blocks

If the Secure Access or Umbrella app modules cannot connect to the Reporting API, the app may not display the aggregated data on the Overview page.

Overview aggregated data

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Overview > Overview to view the aggregated data dashboards.

  3. (Optional) Configure the time range for the data. If you do not set a time range, the app displays the data for the Last 1 Hour (last hour).

    • (Optional) Choose one of the predefined date ranges, or click Custom to select Custom Date Ranges.
    Splunk App Overview set time range

Overview of Application Discovery

In the app, the Overview page displays the aggregated data for the Application Discovery module.

If the Secure Access or Umbrella app modules cannot connect to the Application Discovery API, the app may not display the aggregated data on the Overview page.

Overview aggregated data

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.
  2. Navigate to Overview > App Discovery to view the number of application requests for each application discovery type monitored for the organization.

Overview of Destination Lists Added and Removed

In the app, the Overview page displays the destination lists in the app that were added or removed from the organization.

If the Secure Access or Umbrella app modules cannot connect to the Destination Lists API, the app may not display the aggregated data on the Overview page.

Overview aggregated data

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.
  2. Navigate to Overview > Destination Lists to view the number of destination lists that were added and removed in the organization.

View Cloud Security Dashboards

In the app, the Monitor page displays the requests, blocked versus allowed destinations, and blocked categories (Top 10), which depend on the configured Cloud Security log data.

The Monitor page includes the DNS-layer security, Secure Web Gateway (SWG), Cloud-Delivered Firewall (CDFW), and Destination Lists, and Data Layer Protection (DLP) modules.

The Cloud Security data for the individual security modules is available only when the Cisco Cloud Security Add-On is installed and configured. In Application Settings, select the indexes under Umbrella. For more information, see Create New Inputs for Umbrella or Secure Access.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.
  2. Navigate to Monitor.
  3. Configure the time range for the data. If you do not set a time range, the app displays the data for the Last 1 Hour (last hour).
  4. (Optional) Choose one of the predefined date ranges, or click Custom to select Custom Date Ranges.
  5. Click Apply.

  • DNS—Displays the total request count and total number of blocks, blocked versus allowed destinations for the specified time, and top blocked DNS categories.

    Cloud Security DNS

  • SWG—Displays the total request count and total number of blocks, blocked versus allowed destinations for the specified time, and top blocked proxy categories.

    Cloud Security SWG

  • CDFW—Displays the total request count and total number of blocks, and blocked versus allowed destinations for the specified time.

    Cloud Security CDFW

  • Destination Lists—Displays the number of blocked destinations (Destinations Trend), and destinations that were removed from the destination lists in the organization (Removed Destinations).

    Cloud Security Destination Lists

  • DLP—Displays the incidents about applications.

    Cloud Security DLP

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Monitor.
  2. Navigate to DLP.
  3. For Search Field, choose one of the fields to use when searching for an application.
  4. (Optional) For Search DLP, enter the name of an application. The application name is used to query the applications that are monitored by Secure Access or Umbrella DLP security.

DNS Details

  1. Click the DNS redirection icon. The app displays the Cloud Security > DNS dashboards for the DNS-layer security.

    • Total Security Blocks
    • Top 10 Security Blocks
    • Malware/BotNet/Phishing Trends
    • Command and Control
    • Phishing
    • Top DNS Blocks by Identity
    • Recent 15 Destinations

  2. Configure the time range for the data. If you do not set a time range, the app displays the data for the Last 1 Hour (last hour).

    • (Optional) Choose one of the predefined date ranges, or click Custom to select Custom Date Ranges.
    Splunk App Overview set time range

SWG Details

  1. Click the SWG redirection icon. The app displays the Cloud Security > SWG dashboards for the security provided by the Secure Web Gateway.

    • Total Security Blocks
    • Top 10 Security Blocks
    • Malware/BotNet/Phishing Trends
    • Breakdonw by AMP Verdict
    • Breakdown by Mime Types
    • Newly Seen Destinations
    • Recent 15 Destinations

CDFW Details

  1. Click the CDFW redirection icon. The app displays the Cloud Security > CDFW dashboards for the security provided by the cloud-delivered firewall.

    • Total Blocks
    • Top Blocked Destination IP
    • Block versus Allow Verdict Trend
    • Top Identities
    • IP Protocol
    • Web Port versus Other Port
    • Web Port
    • Non-Web Port

Destination Lists Details

  1. Click the Destination Lists redirection icon. The app displays the Cloud Security > Destination Lists dashboards for the destination lists in the organization.

    App Discovery Dashboard

Data Layer Protection (DLP) Details

  1. Click the DLP redirection icon. The app displays the Cloud Security > DLP dashboards.

View Applications Dashboards

The app displays the App Discovery, and Private Resources Overview and Private Resources Details dashboards. The CASB dashboards provide the information about the applications managed by the App Discovery API. The Private Resources dashboards provide the details about the Private Resources and private applications using the Private Resources and Resource Groups API.

App Discovery

View the incidents about applications and related events on the app from the App Discovery reports.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Applications.

  3. For Search Field, choose either Category, Weighted Risk, or Label.

  4. (Optional) For Search App, enter the name of an application. The application name is used to query the applications that are monitored by Secure Access or Umbrella.

    Cloud Security CASB, App Discovery

  5. (Optional) Select the label for the application, and then click Update.

Private Resources Overview

View the incidents for the private applications and related events in the app.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Applications > Private Resources Overview.

  3. View the number of private applications, count of the allowed requests, count of the blocked requests, timeline of the allowed and blocked requests to the private applications in the organization.

    Applications Private Resources Overview

Private Resources Details

View the details about a private application and related events.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Applications > Private Resources Details.

  3. For Search Field, choose one of the fields to use when searching for an application.

  4. (Optional) For Search Private Resources, enter the name of an application. The application name is used to query the applications that are monitored by Secure Access.

    Applications Private Resources Overview

View Access Dashboards

The app displays the RAVPN and ZTNA dashboards and the Access page only if you configure the input for the RAVPN or ZTNA event logs in the add-on.

RAVPN Dashboard

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.
  2. Navigate to Access > RAVPN.
  3. For Search Field, choose one of the fields to use when searching for the RAVPN events.

ZTNA Dashboard

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.
  2. Navigate to Access > ZTNA.
  3. For Search Field, choose one of the fields to use when searching for the ZTNA events.

View Cloudlock Dashboards

  1. Navigate to Cloudlock.

  2. Configure the time range for the data. If you do not set a time range, the app displays the data for the Last 1 Hour (last hour).

  3. (Optional) Choose one of the predefined date ranges, or click Custom to select Custom Date Ranges.

  4. Click an ID to view the details about an incident.

    Cloudlock Incident ID

  5. (Optional) Choose the severity or status of an incident from the drop-down menu, and then click Update.

    Cloudlock Incident Severity ID

View Investigate Dashboard

Investigate

Query for the information about a domain using a domain name, URL, Autonomous System Numbers (ASN), IP, hash, or email address.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Investigate > Investigate.

  3. Enter a domain name, URL, ASN, IP, hash, or email address to query for detailed information about a destination.

    Umbrella Investigate Dashboard

    The app displays the classifier prediction (risk score, threat type), DNS queries for the destination, WHOIS record data, associated hash samples, security features, DGA detection, IP addresses, nameservers, co-occurring destinations, and the domains related to the destination. The data is obtained through the integration of the app with Cisco Investigate.

    Umbrella Investigate Dashboard

Add a Destination to a Destination List

Use Cisco Investigate to query for information about a destination. Then, add related destinations to destination lists in the organization.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Investigate > Investigate.

  3. Enter a domain name, URL, ASN, IP, hash, or email address to query for detailed information about a destination.

    The app displays the information provided by Cisco Investigate, which includes the related domains.

    Investigate Dashboard

  4. Navigate to Related Domains.

  5. Right-click on a related domain and then choose a destination list where the app adds the destination to the destination lists in the organization.

    Investigate Interactive Block Destination

  6. (Optional) In the dialog window, add a comment, then click OK.

    Investigate related domains, comment

    The app confirms that the destination was added to the selected destination list.

    Investigate related domains, comment

Triggered Investigations

The triggered investigation of a domain, IP, or URL can retrieve the destination name, and Investigate risk score and category.

Before you begin, configure an alert action to get the security and network information about a destination, URL, or IP. For more information, see Add To Destination List.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Investigate > Triggered Investigations.

  3. (Optional) Choose the date and time to begin an investigation of a domain.

    Investigate Dashboard

  4. View the destinations lists generated by the Investigate Destinations alert action. For more information, see Investigate Destinations.

Reports

After you research a domain, IP, URL, or hash, create and download a detailed report about the destination and related information.

If the Investigate module cannot connect to the Investigate API, the app may not display data on Investigate > Investigate.

You can view the status of the Investigate module from Application Settings > Health. For more information, see View Configured Application Settings and API Health Status.

Before you begin, configure an alert action to get the security and network information about a destination, URL, or IP, or hash. For more information, see Destination Report.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Investigate > Investigate.

  3. Enter a domain name, IP, or URL in the search to query for detailed information about a destination.

    Umbrella Investigate Dashboard

Manage Alert Actions

Set up and manage alerts on the Cloud Security App. The app has pre-configured alert actions that are available for Cloud Security.

Investigate Destinations

Add an alert for the Investigate Destinations action. The alert creates a notification in the app when Cisco Investigate receives a request for information about a specific destination. For information about the field names and types, see Field Types and Related Datasets.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Search.

    Umbrella Investigate Triggered Dashboard

  3. Click New Alert.

  4. For Title, enter a label for the name of the alert.

  5. (Optional) For Description, enter a meaningful description of the alert.

  6. For App, choose Cisco Cloud Security (cisco-cloud-security).

  7. For Trigger Actions, click Add Actions, and then choose Investigate Destinations.

    Trigger Actions

  8. For Field Name, enter the name of the field in the source where you have the domain, URLs, or IP data.

  9. For Field Type, choose the type of the field.

    Trigger Actions

  10. Click Save.

Add To Destination List

Add an alert for the Add to Destination List action. The alert creates a notification when the app receives an addition of a destination in one of the organization's destination list.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Search.

    Umbrella Investigate Triggered Dashboard

  3. Click New Alert.

  4. For Title, enter a label for the name of the alert.

  5. (Optional) For Description, enter a meaningful description of the alert.

  6. For App, choose Cisco Cloud Security (cisco-cloud-security).

  7. For Trigger Actions, click Add Actions, and then choose Add to Destination List.

  8. For Field Name, enter the name of the field in the source where you have the domain, URLs, or IP data.

  9. For Destination List, choose a destination list for the organization.

  10. (Optional) For Comment, add a comment about the destination.

    Trigger Actions

Destination Report

Add an alert for the Destination Report action. The alert creates a notification of the availability of the Cisco Investigate Destination report.

  1. In your instance of Splunk, locate the Splunk navigation bar, click Apps, and then select Cisco Cloud Security.

  2. Navigate to Search.

    Umbrella Investigate Triggered Dashboard

  3. Click New Alert.

  4. For Title, enter a label for the name of the alert.

    Trigger Actions

  5. (Optional) For Description, enter a meaningful description of the alert.

  6. For App, choose Cisco Cloud Security (cisco-cloud-security).

  7. For Alert type, choose Scheduled or Real-time.

  8. For Trigger Actions, click Add Actions, and then choose Destination Report.

    • For Report Name, enter a meaningful name for the report.
    • For Field Name, enter the name of the field in the source where you have the domain, URLs, IP, or hash data.
    • For Field Type, choose the type of the field (Domain, URL, IP, or HASH). For information about the field names and types, see Field Types and Related Datasets.
    • For Investigate datasets, select the type of data from Investigate to include in the report.
    Trigger Actions

  9. Click Save.

Use the name of the fields and type of data to create the alert. Select the datasets that are associated with the selected field type.

Field type Dataset
Domain
  • Domain Status and Categorization
  • Domain Volume
  • Co-occurrences for a Domain
  • Related Domains
  • Passive DNS
  • Security Information
  • WHOIS Information
  • Cisco Secure Malware Analytics (formerly Threat Grid) integration
IP
  • Passive DNS
  • AS Information
  • Cisco Secure Malware Analytics (formerly Threat Grid) integration
URL
  • Cisco Secure Malware Analytics (formerly Threat Grid) integration
Hash
  • Cisco Secure Malware Analytics (formerly Threat Grid) integration

Contact Support

  • If you have questions about configuring Umbrella in the Cisco Cloud Security App for Splunk, contact Cisco Umbrella Support.
  • If you have questions about configuring Secure Access in the Cisco Cloud Security App for Splunk, contact Cisco Support.