After configuring your Cisco Umbrella Log Management in Amazon's AWS S3, the logs you'll receive will be a gzip'd CSV format. Unzipping the logs and opening the CSV files will show the following columns of information extracted from your Umbrella logging. Although some of this information may be already familiar to you, there are additional data fields that are exposed in these logs that are worth understanding when you're consuming the data into a SIEM or other log management software.
A typical snippet of log will look like this:
"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","220.127.116.11","Allowed","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking,Allow List"
Log Management Export Columns
When this request was made in UTC.
Note: This is different than the Umbrella dashboard, which converts the time to your specified time zone.
|Most Granular Identity||
The first identity matched with this request in order of granularity. The order of granularity is Roaming Computers or Mobile Devices first, then AD Users, AD Computers, and Sites and Networks. The most granular identity to match this request is listed here.
All identities associated with this request in order of the first matched against your policy hierarchy.
The internal IP address that made the request.
The external IP address that made the request.
Whether the request was allowed or blocked.
The type of DNS request that was made. For details, see here: https://support.umbrella.com/hc/en-us/articles/232252848
The DNS return code for this request. For details, see here: https://support.umbrella.com/hc/en-us/articles/232254248
The domain that was requested.
Information about the security category or content category of the domain requested, e.g. "Search Engines", "Malware", "Blogs", etc. The category may also match your custom destination lists. The complete list of categories can be found here: https://api.opendns.com/v3/categories
Note: In order to view the information in that link, you must click it in an authenticated browser session with the Umbrella dashboard. The output from the link is in JSON, a tool like JsonView for Chrome can help parse it, and JSON to CSV convert can be found here: https://konklone.io/json/