FireEye and Cisco Umbrella integration overview
With integration between the FireEye security appliance and Cisco Umbrella, security officers and administrators are now able to extend protection against today's advanced threats to roaming laptops, tablets, or phones while also providing another layer of enforcement to a distributed corporate network.
This guide outlines how to configure your FireEye to communicate with Cisco Umbrella so security events from FireEye are integrated into policies that can be applied to clients protected by Cisco Umbrella.
Prerequisites
- A FireEye appliance with access to the public Internet.
- Cisco Umbrella Dashboard administrative rights.
- The Cisco Umbrella Dashboard must have the FireEye integration enabled.
Note: The FireEye integration is only included in Cisco Umbrella packages like DNS Essentials, DNS Advantage, SIG Essentials, or SIG Advantage. If you do not have one of these packages and would like to have the FireEye integration, please contact your Cisco Umbrella Account Manager. If you have the correct Cisco Umbrella package but do not see FireEye as an integration for your dashboard, please contact Cisco Umbrella Support.
How does the integration work?
The FireEye appliance first sends Internet-based threats it has found, such as domains that host malware, botnet command and control, or phishing sites, to Cisco Umbrella.
Cisco Umbrella then validates the information to ensure it can be added to a policy. If the information from FireEye is confirmed to be formatted correctly (for example, it is not a file, a complex URL, or a highly popular domain), the domain is added to the FireEye destination list as part of a security setting that can be applied to any Cisco Umbrella policy. That policy is immediately applied to any requests made from devices using policies that include the FireEye destination list.
Going forward, Cisco Umbrella automatically parses FireEye alerts and adds malicious sites to the FireEye destination list. This extends FireEye protection to all remote users and devices and provides another layer of enforcement for your corporate network.
Important: While Cisco Umbrella tries its best to validate and allow domains which are known to be generally safe (for example, Google and Salesforce), to avoid unwanted interruptions, we suggest adding domains you never wish to have blocked to the Global Allow List or other destination lists as per your policy.
Examples include:
- The home page for your organization.
- Domains representing services you provide that might have both internal and external records. For example, "mail.myservicedomain.com" and "portal.myotherservicedomain.com".
- Lesser-known cloud-based applications you depend on that Cisco Umbrella may not include in automatic domain validation. For example, "localcloudservice.com".
These domains should be added to the Global Allow List, which is found under Policies > Destination Lists in Cisco Umbrella.
Configuring Your Cisco Umbrella Dashboard to receive information from FireEye
The first step is to find your unique URL in Cisco Umbrella for the FireEye appliance to communicate with.
- Log into the Cisco Umbrella Dashboard as an Administrator.
- Navigate to Policies > Policy Components > Integrations and select "FireEye" in the table to expand it.
- Select the Enable box and then select Save. This generates a unique, specific URL for your organization within Cisco Umbrella.
You will use this URL later to configure the FireEye appliance to send data to Cisco Umbrella, so be sure to copy the URL.
Configuring FireEye to communicate with Cisco Umbrella
To begin sending traffic from your FireEye appliance to Cisco Umbrella, you must configure FireEye with the URL information generated in the previous section.
- Start by logging into FireEye and then select Settings.
- Select Notifications from the list of settings.
- Ensure all "Event Types" to be sent to Cisco Umbrella are checked (we recommend starting with all) and then select the HTTP link at the top of the column.
- When the menu expands, set the following to enable Event Notification. The numbered steps are outlined in the screenshot below.
  - Default delivery: Per Event
  - Default provider: Generic
  - Default format: JSON Extended
  - Name the HTTP Server "OpenDNS".
  - Server Url: Paste the Cisco Umbrella URL you generated from your Cisco Umbrella dashboard earlier.
- Notification drop-down: Select "All Events" to ensure maximum coverage.
- Finally, ensure the "Delivery", "Default Provider" and "Provider Parameters" drop-downs match the default settings; if multiple notification servers are being used, set them to the following:
  - Delivery: Per Event basis
  - Default Provider: Generic
  - Provider Parameters: Message format JSON Extended
  - (Optional) If you prefer to send traffic over SSL, click "SSL Enable".
At this point, your FireEye appliance is set to send the selected Event Types to Cisco Umbrella. Next, you'll learn how to see this information in your Cisco Umbrella Dashboard and set a policy to block against this traffic.
Ensuring connectivity: “Test Fire” between FireEye and Cisco Umbrella
At this point, it's a good idea to test your connectivity and ensure that everything is set up properly:
- In FireEye, select "domain-match" from the Test Fire dropdown and select "Test Fire".
In Cisco Umbrella, the FireEye integration includes a list of domains provided by the FireEye appliance, so you can see which domains are being actively added.
- After you've selected Test Fire, in Cisco Umbrella navigate to Settings > Integrations and select FireEye in the table to expand it.
- Select See Domains.
Selecting Test Fire generates a domain in the FireEye destination list named "fireeye-testevent.example.com-[date]". Each time you select Test Fire in FireEye, it creates a unique domain with the date of the test in UNIX Epoch time appended, so future tests will have a unique test domain name.
If the Test Fire is successful, more events from FireEye will be sent to Cisco Umbrella, and a searchable list will begin to be populated and grow.
Observing events added to the FireEye Security Setting in "audit mode"
The events from your FireEye appliance begin to populate a specific destination list that can be applied to policies as a FireEye security category. By default, the destination list and the security category are in "audit mode": they are not applied to any policies and will not change your existing Cisco Umbrella policies.
Note: "Audit mode" can be enabled for however long is necessary based on your deployment profile and network configuration.
Review destination list
You can review the FireEye destination list at any time:
- Navigate to Policies > Policy Components > Integrations.
- Expand FireEye in the table and select See Domains.
Review Security Settings for a Policy
You can review the security settings that can be added to a policy at any time.
- Navigate to Policies > Policy Components > Security Settings.
- Select a security setting in the table to expand it and scroll to Integrations to locate the FireEye setting.
You can also review integration information through the Security Settings Summary page.
When getting started, it's best to leave this security setting cleared in order to ensure domains are correctly populating in an "audit mode."
Applying the FireEye Security Settings in "block mode" to a policy for managed clients
Once you're ready to have these additional security threats enforced for clients managed by Cisco Umbrella, change the security setting on an existing policy, or create a new policy that sits above your default policy to ensure it's enforced first.
First, create or update a security setting:
- Navigate to Policies > Policy Components > Security Settings.
- Under Integrations, select FireEye and select Save.
Next, in the Policy wizard, add this security setting to the policy you're editing:
- Navigate to Policies > Policy List.
- Expand a policy and under Security Setting Applied, select "Edit."
- In the Security Settings dropdown, select a security setting that includes the FireEye setting. The shield icon under Integrations updates to blue.
- Select Set & Return.
Note: It’s also possible to edit your Security Settings from the Policy wizard.
FireEye domains contained within the security setting for FireEye will be blocked for identities using the policy.
Reporting within Cisco Umbrella for FireEye events
Reporting on FireEye Security Events
The FireEye destination list is one of the security categories available for reports. Most or all of the reports use the Security Categories as a filter. For instance, you can filter security categories to only show FireEye-related activity.
- Navigate to Reporting > Activity Search.
- Under Security Categories, select FireEye to filter the report to only show the security category for FireEye.
- Select Apply to see FireEye-related activity for the period selected in the report.
Reporting on when domains were added to the FireEye destination list
The Admin Audit log includes events from the FireEye appliance as it adds domains to the destination list. A user named “FireEye Account”, which is also branded with the FireEye logo, generates the events. These events include the domain that was added and the time at which it was added.
You can filter to only include FireEye changes by applying a filter for the “FireEye Account” user.
If the “Test Fire” step earlier was performed, the addition of the FireEye test domain should appear in the Audit Log.
Handling unwanted detections or false positives
Allow lists
Although unlikely, it is possible that domains added automatically by your FireEye appliance could potentially trigger an unwanted detection that blocks your users from accessing particular websites. In a situation like this, we recommend adding the domain(s) to an allow list (Policies > Destination Lists), which takes precedence over all other types of block lists, including security settings.
There are two reasons why this approach is preferable.
- First, in case the FireEye appliance was to re-add the domain after it was removed, the allow list safeguards against this causing further issues.
- Second, the allow list shows a historical record of problematic domains that can be used for forensics or audit reports.
By default, there is a Global Allow List that is applied to all policies. Adding a domain to the Global Allow List results in the domain being allowed in all policies.
If the FireEye security setting in block mode is only applied to a subset of your managed Cisco Umbrella identities (for instance, it's only applied to roaming computers and mobile devices), you can create a specific allow list for those identities or policies.
To create an allow list:
- Navigate to Policies > Destination Lists and select the Add icon.
- Select Allow, and add your domain to the list.
- Select Save.
Once the destination list has been saved, you can add it to an existing policy covering those clients that have been affected by the unwanted block.
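The validation rules from "How does the integration work?" (domains only; files, complex URLs and highly popular domains are not added) and the precedence rule from this section (an allow list wins over the FireEye security setting, even if the appliance re-adds the domain) as an added Python model. This is example code written for this page, not Cisco Umbrella's or FireEye's implementation; the alert layout (an `indicators` key), the popular-domain set and the file suffixes are constructed stand-ins, not FireEye's real JSON Extended schema.

```python
"""Model of the Umbrella-side handling described on this page (added example, not Cisco code)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for Umbrella's "highly popular domain" validation (the page names
# Google and Salesforce as examples of domains it will not add).
POPULAR_DOMAINS = {"google.com", "salesforce.com"}
# Constructed stand-in for the "it is not a file" check.
FILE_SUFFIXES = (".exe", ".dll", ".zip", ".pdf", ".js")


def extract_domain(indicator: str) -> Optional[str]:
    """Return a bare domain from a FireEye indicator, or None if it is a file or complex URL."""
    ind = indicator.strip().lower()
    if ind.endswith(FILE_SUFFIXES):
        return None  # file indicator: Umbrella enforces at domain level, not file level
    if "://" in ind:
        parts = urlsplit(ind)
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            return None  # complex URL: a path or query cannot be expressed as a DNS block
        ind = parts.hostname or ""
    if not ind or "/" in ind or "." not in ind:
        return None  # not a well-formed domain
    return ind


def ingest_alert(alert: dict, fireeye_list: set) -> list:
    """Add validated domains from one alert to the FireEye destination list; return what was added."""
    added = []
    for ind in alert.get("indicators", []):  # constructed key, not the real JSON Extended field
        domain = extract_domain(ind)
        if domain is None or domain in POPULAR_DOMAINS:
            continue
        if domain not in fireeye_list:
            fireeye_list.add(domain)
            added.append(domain)
    return added


def verdict(domain: str, fireeye_list: set, allow_list: set, block_mode: bool) -> str:
    """Policy decision: allow lists take precedence over the FireEye security setting."""
    if domain.lower() in allow_list:
        return "allow"  # allow list wins even if FireEye re-adds the domain later
    if block_mode and domain.lower() in fireeye_list:
        return "block"
    return "allow"  # audit mode, or domain not on the FireEye list
```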
Deleting domains from the FireEye destination list
Next to each domain name in the FireEye destination list is a Delete icon. Deleting domains lets you clean up the FireEye destination list in the event of an unwanted detection.
However, the delete is not permanent if the FireEye appliance resends the domain to Cisco Umbrella.
To delete a domain:
- Navigate to Settings > Integrations, then select "FireEye" to expand it.
- Select See Domains.
- Search for the domain name you want to delete.
- Select the "Delete" icon.
- Select Close.
- Select Save.
In the instance of an unwanted detection or false positive, we recommend creating an allow list in Cisco Umbrella immediately and then remediating the false positive within the FireEye appliance. Later, you can remove the domain from the FireEye destination list.