
Cisco Umbrella

Cisco Umbrella supports sending logs to a Cisco-owned S3 bucket as well as to a customer-owned S3 bucket. Realm supports reading logs out of either bucket.

Important considerations

  • Umbrella requires that the organization rotate the IAM keys on the Cisco-managed S3 bucket every 90 days. This means customers must obtain the new keys and update them in the Realm console every time they change. If your organization is unable to rotate the IAM keys on its Cisco-managed S3 bucket, Umbrella recommends that you use a self-managed Amazon S3 bucket.

  • Umbrella best practice recommends not downloading log files multiple times. This means customers should think carefully before setting up multiple integrations that read from the same Umbrella S3 bucket simultaneously.

Using Cisco Owned S3 Bucket

Cisco Umbrella

Configure Umbrella to send logs to Cisco Owned S3 bucket - Umbrella docs

Realm Console

  • Create a new Source
    • Name: Cisco Umbrella
    • Format: Cisco Umbrella
  • Add a new Input feed
    • Type: AWS S3 Poller
    • Enter Cisco owned S3 bucket name
    • Enter AWS region
    • Enter AWS Access Key
    • Enter AWS Secret key

Using Customer Owned S3 Bucket

AWS Console

  • Create an SQS queue for S3 event notifications
  • Create an S3 bucket for Cisco Umbrella to send logs to
  • Enable create item notifications for the S3 bucket to be delivered to the SQS queue
  • Create an IAM role for Realm granting read permission to the S3 bucket and SQS queue
  • Create an IAM user for Realm and assign the above policy to it
  • Configure Security Credentials > Access Keys for the above IAM user. These access keys will be needed when configuring the input feed in the Realm console.
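
One way to check the permissions granted to Realm in the IAM steps above before attaching them, as an added example that is not part of the original page or of Realm's tooling. The ARNs are constructed placeholders, and the allowed-action set is an assumption about what an SQS-driven S3 reader needs (sqs:DeleteMessage assumes the reader removes notifications it has processed).

```python
"""Audit an IAM policy for the Realm reader against a read-only scope."""

# Constructed placeholder ARNs; substitute your own bucket and queue.
BUCKET_ARN = "arn:aws:s3:::example-umbrella-logs"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-umbrella-events"

# Assumed minimum for an SQS-driven S3 reader (not taken from Realm's docs).
ALLOWED_ACTIONS = {a.lower() for a in (
    "s3:GetObject", "s3:ListBucket",
    "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes",
)}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy, bucket_arn=BUCKET_ARN, queue_arn=QUEUE_ARN):
    """Return one finding per Allow grant that falls outside the expected scope."""
    findings = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be a bare object
        stmts = [stmts]
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in ALLOWED_ACTIONS:  # action names are case-insensitive
                findings.append(f"statement {i}: action outside read scope {action}")
        for res in _as_list(stmt.get("Resource")):
            in_bucket = res == bucket_arn or res.startswith(bucket_arn + "/")
            if not (in_bucket or res == queue_arn):
                findings.append(f"statement {i}: resource outside scope {res}")
    return findings


# Constructed sample policies: one scoped to the log bucket and queue, one too broad.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
    {"Effect": "Allow", "Resource": QUEUE_ARN,
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]},
]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "sqs:SendMessage"], "Resource": "*"},
]}
```

Because the access keys created in the last step are long-lived and are entered into a third-party console, a policy that passes this check limits what those keys can reach if they leak.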

Cisco Umbrella

Configure Umbrella to send logs to your own S3 bucket - Umbrella docs

Realm Console

  • Create a new Source
    • Name: Cisco Umbrella
    • Format: Cisco Umbrella
  • Add a new Input feed
    • Type: AWS S3
    • Enter AWS Access Key
    • Enter AWS Secret key
    • Enter SQS Queue URL

Event metadata

The following additional metadata fields are included with the events:

Field Name         Value
_sourceCategory    cisco/umbrella