
Cisco Umbrella data connector - Include audit logs inside the Data Connector #9699

Closed
quarterb4ck opened this issue Jan 2, 2024 · 19 comments
Labels: Connector (Connector specialty review needed), enhancement (New feature or request)

Comments

@quarterb4ck

Is your feature request related to a problem? Please describe.
Yes. The Cisco Umbrella data connector doesn't consider audit logs that are being forwarded to the AWS S3 Bucket (the Umbrella console is already sending audit logs to the Bucket).

Describe the solution you'd like
I would like a data connector patch that considers the Cisco Umbrella audit logs and ingests them into Azure Sentinel.

Describe alternatives you've considered
I've tried to create a new parser and add the auditlogs folder (according to the Umbrella documentation) inside the code, but it is not considering the audit files in the ingestion process.

Additional context
We are using the latest Cisco Umbrella data connector.

Contributor

github-actions bot commented Jan 2, 2024

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

@v-muuppugund v-muuppugund added the Connector (Connector specialty review needed) label Jan 2, 2024
@v-muuppugund
Contributor

Hi @quarterb4ck, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 8 Jan 2024. Thanks!

@v-muuppugund
Contributor

Hi @quarterb4ck, could you please share more details with sample data and schema? Is it the Admin audit logs, i.e. https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning#firewall as per the documentation? Currently we may need additional details: what is the volume of data, and there are different logs we are sending; we may need to consider the changes to the data connector based on volumes.

@quarterb4ck
Author

quarterb4ck commented Jan 8, 2024

Hello,

Yes, our Audit Logs are the ones referred to by the documentation: https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning#audit. The sample data is the same as in the documentation:

  • Sample data: "","2021-07-22 10:46:45","user@domain.com","","logexportconfigurations", "update","209.165.200.227","version: 4","version: 5"
  • Log format: id, timestamp, email, user, type, action, logged in from, before, after
  • Path: auditlogs/--/----.csv.gz

About the volume, we don't have a huge amount of logs; we have something like 200 auditing events per day, divided into a few documents inside the AWS S3 bucket. About the data connector changes, that is not a problem for us! :)

Do you need more details?

Thank you!
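
As an added illustration of the audit format listed in the comment above (this is example code, not the connector's own code nor anything posted in this thread), the block below parses the documented nine-column admin audit CSV out of a gzipped object, the form the connector would fetch from S3, and filters S3 keys by the auditlogs/ prefix. It is written in Python on the assumption that the connector is a Python function app; the second sample row, the field names, and the key-prefix check are all constructed for the example rather than taken from the page.

```python
import csv
import gzip
import io
from typing import Dict, List

# Column order of the Umbrella admin audit log, as listed in the issue comment:
# id, timestamp, email, user, type, action, logged in from, before, after.
AUDIT_FIELDS = [
    "id", "timestamp", "email", "user", "type", "action",
    "logged_in_from", "before", "after",
]

# Constructed sample: the line quoted in the issue, plus a second (made-up)
# row showing a populated id/user and an empty "after" column.
SAMPLE_CSV = (
    '"","2021-07-22 10:46:45","user@domain.com","","logexportconfigurations",'
    ' "update","209.165.200.227","version: 4","version: 5"\n'
    '"42","2021-07-22 11:02:10","admin@domain.com","Jane Admin","users",'
    '"delete","198.51.100.7","user: bob@domain.com",""\n'
)


def is_audit_object_key(key: str) -> bool:
    """Return True for S3 keys that should be treated as audit-log files.

    Assumption (not taken from the connector): audit exports sit under an
    'auditlogs/' prefix and are gzipped CSV, matching the path shape
    'auditlogs/.../....csv.gz' quoted in the issue.
    """
    return key.startswith("auditlogs/") and key.endswith(".csv.gz")


def parse_audit_rows(text: str) -> List[Dict[str, str]]:
    """Parse audit CSV text into dicts keyed by AUDIT_FIELDS.

    skipinitialspace=True copes with the ', "update"' spacing in the
    documented sample. Rows with the wrong column count are skipped so that
    free-text 'before'/'after' values can never shift into other columns.
    """
    rows: List[Dict[str, str]] = []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for record in reader:
        if not record:
            continue  # blank line
        if len(record) != len(AUDIT_FIELDS):
            continue  # malformed: do not guess which column is missing
        rows.append(dict(zip(AUDIT_FIELDS, record)))
    return rows


def parse_audit_object(gz_bytes: bytes) -> List[Dict[str, str]]:
    """Decompress one .csv.gz object (as fetched from S3) and parse it."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        text = fh.read().decode("utf-8")
    return parse_audit_rows(text)


def sample_gz_object() -> bytes:
    """Gzip the constructed sample so the example runs without S3 access."""
    return gzip.compress(SAMPLE_CSV.encode("utf-8"))


if __name__ == "__main__":
    for row in parse_audit_object(sample_gz_object()):
        print(row)
```

Note that the documented sample line itself records an update to the log export configuration; once these rows land in the workspace, changes of that type are exactly the admin actions worth alerting on, since they can silently alter what the connector receives.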

@v-muuppugund
Contributor

Hi @quarterb4ck, could you please share a sample CSV file (auditlogs/--/----.csv.gz) by email, i.e. v-muuppugund@microsoft.com, so that I can test the changes.

@quarterb4ck
Author

Hello @v-muuppugund,

I sent you the sample data via email. My provider doesn't allow me to send .tar.gz files, so I've extracted the file and sent you the raw csv with the requested information.

Any questions, just let me know!

@v-muuppugund
Contributor

Hi @quarterb4ck, received the data on 12/01/2024, working on it, will update you. Thanks

@v-muuppugund
Contributor

Hi @quarterb4ck, working on testing with the changes, will update you once completed.

@v-muuppugund
Contributor

Hi @quarterb4ck, the changes have been tested for admin audit logs; working on a load test, as there are many logs in Cisco Umbrella, for any other issues.

@quarterb4ck
Author

Hello, please let me know when the tests are done :)

@v-muuppugund
Contributor

> Hello, please let me know when the tests are done :)

Sure, will update you.

@v-muuppugund
Contributor

v-muuppugund commented Apr 3, 2024

Hi @quarterb4ck, will be completing testing of the scenarios; will get an update for the changes push by 09 Apr 24.

@v-muuppugund v-muuppugund added the enhancement (New feature or request) label Apr 3, 2024
@v-muuppugund
Contributor

Hi @quarterb4ck, please find the package path https://github.com/Azure/Azure-Sentinel/raw/users/v-muppugund/ciscoumbrella/Solutions/CiscoUmbrella/Data%20Connectors/CiscoUmbrellaConn.zip . I am facing some environment issue at my end; will update you once I have fixed it and will share the results. If needed, we will have a Teams meeting for the same.

@v-muuppugund
Contributor

Hi @quarterb4ck, please find the package path https://github.com/Azure/Azure-Sentinel/raw/users/v-muppugund/ciscoumbrella/Solutions/CiscoUmbrella/Data%20Connectors/CiscoUmbrellaConn.zip . I am facing some environment issue at my end; will update you once I have fixed it and will share the results. If needed, we will have a Teams meeting for testing the same, as I had tested with sample data.

@v-muuppugund
Contributor

v-muuppugund commented Apr 17, 2024

Hi @quarterb4ck, corrected my environment. Could you please test the web package pointing to the function app and let me know if there are any issues?

@v-muuppugund
Contributor

v-muuppugund commented Apr 19, 2024

Hi @quarterb4ck, gentle reminder: could you please update the status on testing the above package and let me know if there are any issues?

@v-muuppugund
Contributor

Hi @quarterb4ck, as we didn't receive a response, as per process we are proceeding with closure of issue (#9699). Please feel free to reopen the issue. Thank you for your co-operation.

@bweston312

@v-muuppugund we are also interested in this functionality. Is there a tentative date to pull it into prod solution?

@twistedbow1

@v-muuppugund same here. Keen to get this feature released so audit logs can be ingested.

No branches or pull requests

5 participants