QRadar from IBM is a popular SIEM for log analysis. It provides a powerful interface for analyzing large chunks of data, such as the logs provided by Cisco Umbrella for your organization's DNS traffic. The Cisco Cloud Security App for IBM QRadar provide insight from multiple security products (Investigate, Enforcement and CloudLock) and integrates them with QRadar. It also helps the user to automate security and contain threats faster and directly from QRadar.
When you set up Cisco Cloud Security app for QRadar, it integrates all the data from Cisco Cloud Security platform and allows you to view the data in graphical form in the QRadar console. From the application, analysts can:
- Investigate domains, ip addresses, email addresses
- Block and Unblock domains (enforcement)
- View the information of all the incidents of the network.
This article outlines the basic how-to of getting QRadar set up and running so that it is able to pull the logs from your S3 bucket and consume them.
Note: Support for QRadar must come from IBM, as Cisco is unable to directly support third-party hardware or software. For any issues connecting your Umbrella dashboard to your S3 bucket, we can provide support. Much of the information found below can also be found on the IBM website:
Cisco Umbrella requirements
This document assumes that your Amazon AWS S3 bucket has been configured in Umbrella (Settings > Log Management) and is showing green with recent logs having been uploaded.
For more information on how to configure this feature, read here: Manage Your Logs
IBM Security QRadar SIEM requirements
The administrator will be required to have administrative rights to the QRadar appliance(s), the Amazon S3 configuration and Umbrella dashboard, these instructions assume that the QRadar administrator is familiar with creating LSX (Log source Extension) files.
Please be aware that the Cisco Cloud Security App v1.0.3 will only work up to IBM QRadar 7.2.8. The new version, v1.0.6, will work with the current QRadar version from 7.4.2 and above
Installing Cisco Cloud Security App for IBM QRadar
- Download and install the Cisco Cloud Security App for IBM QRadar found here: Cisco Cloud Security App v1.0.3 (for IBM QRadar v7.2.8) or Cisco Cloud Security App v1.0.6 (for IBM QRadar v7.4.8)
- After the installation, deploy changes in QRadar.
Cisco Cloud Security App Configuration: Adding Log Source
To add a log source, click on the Admin tab on the QRadar navigation bar, scroll down to QRadar Log Source Management, and click on it, then click button +New Log Source:
- Log Source Name (entry names must match exactly as below):
- Cisco DNS Logs: cisco_umbrella_dns_logs
- Cisco Umbrella IP Logs: cisco_umbrella_ip_logs
- Cisco Umbrella Proxy Logs: cisco_umbrella_proxy_logs
- Event Format: Cisco Umbrella CSV
- Log Source Type: Cisco Umbrella
- Protocol Configuration: Amazon AWS S3 REST API
- File Pattern: .*?\.csv\.gz
- Log Source Extension: CiscoUmbrella_ext **
- Please select any groups you would like this log source to be a member of: cisco_umbrella_logsource_group
Go through the Add a Single Log Source Wizard
** Note: If the Log Source Extension is not mapped to "CiscoUmbrella_ext", please choose the Log Source Name from the list:
Here's an example of what a Cisco Managed Bucket looks like:
Bucket name: cisco-managed-us-west-1
Your Directory Prefix is the key part of this. This is the customers folder,
followed by the appropriate log folder.
For example: xxxxxxx_cfa37bd906xxxxxx3aff94e205db7bxxxxxxx/dnslogs
Generating Authentication Token
The administrator will need to generate a service token to add to your Cisco Security App. As best practice, the Authorized Service Token should be recreated every 90 days:
1. Login to QRadar > Admin Tab > Authorized Services
2. Add Authorized Services
3. Enter the details and generate authentication token
4. After generating the token, click "Deploy Changes"
Configuring the Cisco Cloud Security App
1. From the "Admin" tab on the QRadar navigation bar, scroll down and open "Cisco Cloud Security App Settings"
2. Enter the Authentication Token generated in previous step
3. Edit the "Api Settings" as follows:
- Cisco Investigate Base URL: https://investigate.api.umbrella.com/
- Cisco Investigate API token: generate via the Umbrella dashboard -> Investigate -> API Keys -> Create New Token; for more information see https://developer.cisco.com/docs/cloud-security/#!investigate-introduction-authentication/authentication
- Cisco Enforce Base URL: https://s-platform.api.opendns.com/1.0/
- Cisco Enforce CustomerKey: generate via the Umbrella dashboard -> Policy Components -> Integrations -> Add; for more information see https://developer.cisco.com/docs/cloud-security/#!enforcement-introduction-authentication/generate-an-api-key
- Cisco Cloudlock Base URL: https://<Your Environments Address>.cloudlock.com/api/v2/ (e.g. https://api-demo.cloudlock.com/api/v2/. Please confirm your Cloudlock Base URL aka Cloudlock Enterprise API URL by sending an email to firstname.lastname@example.org.)
- Cisco Cloudlock API token: generate via Cloudlock -> Settings -> Authentication & API -> Generate; for more information see https://developer.cisco.com/docs/cloud-security/#!cloudlock-enterprise-introduction-authentication/generate-an-api-token
A popup will indicate that the application settings have been successfully updated.
Indexing in QRadar
1.Navigate to Admin tab>Click on Index Management
2.Index the CEPs Packaged with the app
Recommended CEPs to be indexed are the following:
1. Log Source
2. DNS Category
3. Event Type
4. Domain URL
6. Granular User
8. Location Origin ID
9. Event Category
Now you are ready to use QRadar to start monitoring activities for Cisco Umbrella, Investigate, and CloudLock details. More instructions on how to navigate QRadar can be found here: Navigating the Cisco Cloud Security App