Cisco Umbrella Collector Plugin - 5thColumn/Revolver-wiki-archive GitHub Wiki
Description
The Cisco Umbrella Collector plugin gathers the logs of all DNS queries received from your endpoints, and of the actions taken, from your Cisco Umbrella account and delivers them to BOSS every ten minutes.
Configuration Instructions
- Go to https://login.umbrella.com and log into your account.
- In the menu bar, select the Policies dropdown then choose All Policies.
-
  - If you do not yet have a policy applied to All Identities, select the add new button in the top right-hand corner of the screen and add a new policy that is applied to All Identities.
  - If you already have a policy applied to All Identities, you will need to edit it. To do this, select the arrow dropdown to the right of the policy name.
- Click the Advanced Settings dropdown to expand the section.
- Select Log All Requests and then click Save.
- Next, in the menu bar, select Admin and choose Log Management.
- Select Use a Cisco-managed Amazon S3 bucket. Note: it does not cost anything to use Cisco-managed storage.
- Select a Region and Retention Duration.
  - For Region, select whichever location is closest to your Revolver.
  - For Retention Duration, the recommended setting is 30 days. However, you can select as low as 7 days.
- Select Save and then Continue.
- You will receive the AWS Access Key ID, the AWS S3 Secret Access Key, and the AWS S3 Data Path. Note: Record the keys and store them in a secure place, as you will only be able to view them once. If you lose them, you will have to generate new ones.
- Log in to your Revolver instance and go to Manage Plugins.
- Select the drop-down next to Cisco Umbrella Collector to expand the section to see the fields required for configuration.
- Insert the keys (from Step 10) into the appropriate fields and select Configure.
- You will receive a notification that the plugin is in the process of being configured. After a few moments, you will receive a second notification that the plugin has been configured and is ready for use. Note: If you receive an error notice after configuring the plugin, select Configure again. If the error persists, contact the support team.
Release Notes
Current Version: 1.5