Cisco Umbrella

Cisco Umbrella supports sending logs to a Cisco-owned S3 bucket as well as to a customer-owned S3 bucket. Realm supports reading logs out of either bucket.

Important considerations

  • Umbrella requires that the organization rotate the IAM keys on the Cisco-managed S3 bucket every 90 days. This means customers will have to get the new keys and update them in the Realm console every time they change. If your organization is unable to rotate the IAM keys on its Cisco-managed S3 bucket, Umbrella recommends using a self-managed Amazon S3 bucket.

  • Umbrella best practice recommends not downloading log files multiple times. Customers should pause and think before setting up multiple integrations to read from the same Umbrella S3 bucket simultaneously.

Using Cisco Owned S3 Bucket

Cisco Umbrella

Configure Umbrella to send logs to a Cisco Owned S3 bucket — Umbrella docs.

Realm Console

  1. Create a new Source.

    Name: Cisco Umbrella
    Format: Cisco Umbrella

  2. Add a new Input feed.

    Type: AWS S3 Poller
    S3 Bucket Name: Enter the Cisco owned S3 bucket name
    AWS Region: Enter the AWS region
    AWS Access Key: Enter the AWS Access Key
    AWS Secret Key: Enter the AWS Secret Key

Using Customer Owned S3 Bucket

AWS Console

  1. Create an SQS queue for S3 event notifications.
  2. Create an S3 bucket for Cisco Umbrella to send logs to.
  3. Enable create item notifications for the S3 bucket to be delivered to the SQS queue.
  4. Create an IAM role for Realm granting read permission to the S3 bucket and SQS queue.
  5. Create an IAM user for Realm and assign the above policy to it.
  6. Configure Security Credentials > Access Keys for the IAM user. These access keys will be needed when configuring the input feed in the Realm console.
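
The AWS-side documents behind steps 3 and 4, as an added example (not taken from the Realm or Umbrella documentation). The account ID, region, bucket and queue names are constructed placeholders, and the reader's action list is an assumption, since the page only says "read permission". It also builds the SQS queue policy that S3 requires before it can deliver notifications to the queue.

```python
import json

# Constructed placeholders; substitute your own account, region and names.
ACCOUNT_ID, REGION = "111122223333", "us-east-1"
BUCKET_ARN = "arn:aws:s3:::example-umbrella-logs"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:example-umbrella-events"


def queue_policy():
    """Resource policy on the queue: only S3, only for this bucket and account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowS3Publish", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
        "Condition": {"ArnLike": {"aws:SourceArn": BUCKET_ARN},
                      "StringEquals": {"aws:SourceAccount": ACCOUNT_ID}}}]}


def bucket_notification():
    """Step 3: deliver object-created events from the bucket to the queue."""
    return {"QueueConfigurations": [
        {"QueueArn": QUEUE_ARN, "Events": ["s3:ObjectCreated:*"]}]}


def reader_policy():
    """Step 4: access scoped to the one bucket and the one queue.
    Assumption: sqs:DeleteMessage is included so that consumed
    notifications can be acknowledged; drop it if the reader does not need it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadLogObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "ListLogBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
        {"Sid": "ConsumeNotifications", "Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                    "sqs:GetQueueAttributes"], "Resource": QUEUE_ARN}]}


def overbroad(policy):
    """Return Sids of statements with a wildcard action or a bare '*' resource."""
    bad = []
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Resource"] == "*" or any(a == "*" or a.endswith(":*") for a in acts):
            bad.append(st["Sid"])
    return bad


if __name__ == "__main__":
    for doc in (queue_policy(), bucket_notification(), reader_policy()):
        print(json.dumps(doc, indent=2))
```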

Cisco Umbrella

Configure Umbrella to send logs to your own S3 bucket — Umbrella docs.

Realm Console

  1. Create a new Source.

    Name: Cisco Umbrella
    Format: Cisco Umbrella

  2. Add a new Input feed.

    Type: AWS S3
    AWS Access Key: Enter the AWS Access Key
    AWS Secret Key: Enter the AWS Secret Key
    SQS Queue URL: Enter the SQS Queue URL

Event Metadata

The following additional metadata fields will be included with the events.

Field Name         Value
_sourceCategory    cisco/umbrella