By default, each customer's Umbrella dashboard instance logs all requests made by an identity. The level of logging for an identity's activity is set when you configure Centralized Settings > Advanced Settings; these settings are then shared with your customers' Umbrella dashboards.
Logging levels are:
- Log All Requests—For full logging, whether for content, security or otherwise
- Log Only Security Events—For security logging only, which gives your users more privacy—a good setting for people with the roaming client installed on personal devices
- Don't Log Any Requests—Disables all logging. If you select this option, most reports for identities under this policy will be empty, because nothing is logged to report on.
Cisco Umbrella's data warehouse is where your customers' event data logs are stored. By default, event data logs are saved to Cisco's California location; however, you can change the location of the data warehouse from North America to Europe at any time. For more information, see Change the Location of Event Data Logs.
The MSSP console can upload, store, and archive traffic activity logs from your customers' Umbrella dashboards to the cloud through Amazon S3. CSV-formatted Umbrella logs are compressed (gzip) and uploaded every ten minutes, so there is minimal delay between traffic being logged in the customer's Umbrella dashboard and the log becoming available to download from an S3 bucket.
By having your customers' logs uploaded to an S3 bucket, you can then download logs automatically to keep in perpetuity in backup storage. Or, ingest the logs through your SIEM or another security tool to determine if any security events in these Umbrella logs coincide with events in other security tools.
Umbrella Amazon S3 options:
- A self-managed bucket—You (or the customer) own the Amazon S3 bucket, including its configuration and management.
- A Cisco-managed bucket—Cisco Umbrella owns the bucket and sets the configuration and management of it.
For more information, see Cisco-managed Buckets in Amazon S3 for Log Management.
Advantages of a Cisco-managed bucket:
- Extremely easy to set up—it only takes a couple of minutes—and easy to manage.
- Included in the license cost for the MSSP console, effectively making it free. Although having your own bucket is very inexpensive, the overhead of having to manage another bill can be prohibitive.
Limitations of a Cisco-managed bucket:
- You cannot add anything to your bucket besides log files from Umbrella, and the bucket cannot be used by another application.
- Some SIEM integration types (such as QRadar) may require advanced privileges for the user accessing the S3 bucket—beyond the basic Read permissions—and as such may not work with the Amazon S3 feature.
- You cannot get support from Amazon directly for advanced configuration assistance, such as automation or help with the command line.
- Data can only be stored offline for a maximum of 30 days.
Note: Existing Umbrella Insights and Umbrella Platform customers can access Log Management with Amazon S3 through the dashboard. Log Management is not available in all packages. If you are interested in this feature, please contact your account manager or email our account management team at [email protected].