Azure / Azure-Sentinel


Cisco Umbrella (using Azure Functions) connector for Microsoft Sentinel incorrect custom table #10647

Closed shaunyb93 closed 1 month ago

shaunyb93 commented 3 months ago

We have deployed an Azure Sentinel Data Connector for Cisco Umbrella [https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-umbrella]

The docs suggest the below Log Analytics custom tables are relevant:
- Cisco_Umbrella_dns_CL
- Cisco_Umbrella_proxy_CL
- Cisco_Umbrella_ip_CL
- Cisco_Umbrella_cloudfirewall_CL

In our Log Analytics workspace, we are seeing that instead of the Cisco_Umbrella_cloudfirewall_CL custom table existing and receiving input from the connector, we have Cisco_Umbrella_firewall_CL. This causes an issue with the workbooks and analytics rules related to the connector; the connector also shows data source Cisco_Umbrella_cloudfirewall_CL as disconnected.

I have raised a support query with Cisco who have informed me that the solution/data connector is supported by Microsoft. I have raised a support query with our Azure subscription reseller who are also unable to help as they are not classing this as a break-fix issue.

Some further info on the problem: the logs are being pulled via API from a Cisco-managed S3 bucket with the following containers in existence:
- auditlogs
- dnslogs
- firewalllogs
- proxylogs

I am not a programmer; however, I have taken a look inside the code within the Cisco Umbrella (using Azure Functions) connector function app code and I believe there may be an issue with how the data is pulled via API and then pushed into the Log Analytics workspace. I am guessing that because the table in the S3 bucket is called "firewalllogs", the logic in the Function is pushing the pulled data into the Log Analytics table "Cisco_Umbrella_firewall_CL".

Any further input on resolving this is appreciated.

v-rusraut commented 3 months ago

Hi @shaunyb93, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 19-06-2024. Thanks!

macna commented 3 months ago

Hi, just to add that I am seeing this behaviour also, in two separate deployments.

v-rusraut commented 3 months ago

Hi @shaunyb93, We are working on reproducing the issue, we will update you. Thanks

v-rusraut commented 3 months ago

Hi @shaunyb93, Please help us to understand which version of Cisco Umbrella you are using currently. Thanks

shaunyb93 commented 3 months ago

Hi @v-rusraut, Cisco Umbrella is a cloud service; there is no specific version information. Is there some specific info you were looking for? Thanks, Shaun

shaunyb93 commented 3 months ago

Details on the log folders and formats are shown here https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning

v-rusraut commented 3 months ago

Details on the log folders and formats are shown here https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning

Yes, please provide the schema version

shaunyb93 commented 3 months ago

We are using Log Schema v8

v-rusraut commented 3 months ago

Hi @shaunyb93, Please refer to the link https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-umbrella. It is mentioned there: "This connector has been updated to support Cisco Umbrella version 5 and version 6".

shaunyb93 commented 3 months ago

Hi @v-rusraut, thanks, although we were still having this issue before we upgraded to schema v8. The schema versions have mild differences in fields, although I can't see how this would affect which custom table Sentinel is writing to? Perhaps you could advise further? Thanks

v-sudkharat commented 2 months ago

@shaunyb93, Sorry for the delay in response, let us check on this issue, and we will update you. Thanks!

shaunyb93 commented 1 month ago

Any update here? Thanks

v-sudkharat commented 1 month ago

@shaunyb93, We are checking the template for this issue. Just want to know: do you have any test workspace in your environment? If required, we will share the updated template with you. Thanks!

shaunyb93 commented 1 month ago

Hi @v-sudkharat is there any update on a fix here?

v-rusraut commented 1 month ago

Hi @shaunyb93,

According to the Cisco Umbrella log documentation, they are now stored in "firewalllogs": https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning

We have updated the template and will raise a PR with the changes. Meantime, could you please custom deploy the Solution MainTemplate and check whether your issue gets resolved. Sharing the MainTemplate and custom deployment steps: Custom Deployment - CustomDeploymentSteps.docx; Main template - mainTemplate.json

Thanks

shaunyb93 commented 1 month ago

Hi @v-rusraut Thanks for the reply.

Cisco advised that these logs have always been stored in firewalllogs rather than cloudfirewalllogs, so it seems like an oversight in the initial development of this connector/solution.

Looking at the mainTemplate.json you have provided, cloudfirewalllogs is still referenced in the Workbook (line 775). Can you advise if this can be corrected?

Will making a custom deployment mean that we need to redeploy the function app again?

Ideally we would like the fix to be applied whereby we can run an update against our existing deployment without the need to redeploy or reconfigure the function app.

Thanks, Shaun

v-rusraut commented 1 month ago

Hi @shaunyb93,

If you deploy the solution with a custom deployment, then you don't need to redeploy the function app again. We need to correct the reference to cloudfirewalllogs in the Workbook; please check the EventType column value in the Cisco_Umbrella_firewall_CL table, so we can create the package again.

Thanks

shaunyb93 commented 1 month ago

Hi @v-rusraut, the EventType_s column value is firewalllogs. Thanks

v-rusraut commented 1 month ago

Hi @shaunyb93, We have updated the mainTemplate again; please custom deploy the mainTemplate and check whether your issue gets resolved. Custom Deployment - CustomDeploymentSteps.docx; Main template - mainTemplate.json. Thanks

shaunyb93 commented 1 month ago

Hi @v-rusraut, Cisco_Umbrella_cloudfirewall_CL was still referenced on line 822. I changed this manually to Cisco_Umbrella_firewall_CL and ran the custom deployment. This does appear to have resolved the issue.

DataType Cisco_Umbrella_firewall_CL is now showing as connected against the Data connector. Thanks, Shaun
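A small checker for the situation in this thread (a stale table name left in the solution template, and tables the function app never populates), added here as an example and not code from the Microsoft solution or the connector's function app. The trimmed template text is constructed, and the folder-to-table mapping in `table_for_folder` is an assumption about the function app's naming, matching the guess earlier in the thread.

```python
import json
import re

STALE_TABLE = "Cisco_Umbrella_cloudfirewall_CL"
CORRECT_TABLE = "Cisco_Umbrella_firewall_CL"
TABLE_RE = re.compile(r"\bCisco_Umbrella_[A-Za-z]+_CL\b")

# Constructed stand-in for a trimmed mainTemplate.json: the workbook query still
# names the stale table, the analytics rules name tables that may or may not exist.
SAMPLE_TEMPLATE = """{
  "resources": [
    {"type": "Microsoft.Insights/workbooks",
     "query": "Cisco_Umbrella_cloudfirewall_CL | summarize count() by EventType_s"},
    {"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
     "query": "Cisco_Umbrella_firewall_CL | where EventType_s == 'firewalllogs'"},
    {"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
     "query": "Cisco_Umbrella_ip_CL | union Cisco_Umbrella_dns_CL, Cisco_Umbrella_proxy_CL"}
  ]
}"""

def table_for_folder(folder: str) -> str:
    """Assumed naming rule: S3 folder minus its trailing 'logs' becomes the _CL table stem,
    which is how 'firewalllogs' would end up as Cisco_Umbrella_firewall_CL."""
    stem = folder[:-4] if folder.endswith("logs") else folder
    return f"Cisco_Umbrella_{stem}_CL"

def find_stale_references(template_text: str, stale: str = STALE_TABLE):
    """(line number, stripped line) for every template line naming the stale table."""
    return [(n, line.strip()) for n, line in enumerate(template_text.splitlines(), 1)
            if stale in line]

def tables_not_produced(template_text: str, s3_folders):
    """Tables the template queries that no S3 folder would ever feed (sorted)."""
    referenced = set(TABLE_RE.findall(template_text))
    produced = {table_for_folder(f) for f in s3_folders}
    return sorted(referenced - produced)

def fix_template(template_text: str, stale: str = STALE_TABLE, correct: str = CORRECT_TABLE) -> str:
    """Replace whole-identifier matches only, then confirm the result is still valid JSON."""
    fixed = re.sub(rf"\b{re.escape(stale)}\b", correct, template_text)
    json.loads(fixed)  # raises if the substitution broke the template
    return fixed

if __name__ == "__main__":
    folders = ["auditlogs", "dnslogs", "proxylogs", "firewalllogs", "intrusionlogs"]
    for n, line in find_stale_references(SAMPLE_TEMPLATE):
        print(f"line {n}: {line}")
    print("never populated:", tables_not_produced(SAMPLE_TEMPLATE, folders))
    print("after fix:", tables_not_produced(fix_template(SAMPLE_TEMPLATE), folders))
```

Run against the real mainTemplate.json, the first function gives the line numbers to patch (775 and 822 in this thread), and the second flags Cisco_Umbrella_ip_CL too, since the bucket folder is intrusionlogs rather than ip.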

shaunyb93 commented 1 month ago

In looking at this, I have also noticed that the solution is not correctly configured for ingesting IPS traffic logs. I believe the Azure Function is looking for a folder in the S3 bucket called "ip"; however, this folder is "intrusionlogs" as per https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning

This means that IPS traffic events are not being ingested by the connector. Do I need to raise a new GitHub issue for this?

v-rusraut commented 1 month ago

Hi @shaunyb93, As the table Cisco_Umbrella_firewall_CL is showing as connected, we are closing this issue. As the IPS traffic events are not ingested, this is a feature request; you can raise a new GitHub issue so we can share details with the respective team. If you still need support for this issue, feel free to re-open it any time. Thank you for your co-operation.