With Cisco Umbrella logs in Perch, you can do all the wonderful Perchy things you expect, like store, search, report, and get notified, or have the SOC review your Umbrella logs for signs of threat.
To start logging your Cisco Umbrella logs to Perch through the available integration, you will need a few pieces of information from Umbrella. You can review the Cisco Umbrella Log Management documentation to set up Cisco Umbrella to enable the integration.
Perch will accept all Cisco Umbrella logs but you may choose to either:
When you create a policy, activity logs are by default saved to the North America – California, US Cisco-managed S3 bucket for your organization.
You may optionally configure Umbrella to log to your own S3 bucket. Perch is compatible with all Cisco-managed S3 buckets or your corporate S3 bucket.
A Cisco-managed S3 bucket is the easiest to configure. You can follow these steps to log to the Cisco-managed S3 bucket. Data can be stored for up to 30 days in the S3 bucket, but with the Perch integration you can store your Cisco Umbrella data for as long as you like.
When you activate logging, you will be presented with the information necessary to set up the Perch integration with Cisco Umbrella.
Keep track of your Data Path (including AWS Region), Access Key, and Secret Key in a secure location. You will enter this information into Perch.
To connect Perch to your Cisco Umbrella logs, log in to Perch. From the organization picker, select the company for which you will set up the integration. Navigate to Settings in the left-hand navigation. Scroll down to the Integrations section of the settings page. You will see a list of integrations that includes Cisco Umbrella.
Click “Install” to the right of the Cisco Umbrella icon in the Integrations section. Installation takes just a second to enable on your account. You will see a success message pop up at the bottom of the screen. After a successful install, you will be taken to the Perch page to configure the integration.
Now just fill out the integration settings with the required information.
Insert your Access Key, Secret Key, and Data Path in the Authentication Section. Additionally, you will need to select the AWS Region.
You can then Save or Save and Test your configuration. Once the configuration is saved, you can toggle on Cisco Umbrella log collection in the Configuration section.
Perch will report integration health every time it pulls logs. If there is an error, you will see it in the integration health section. You can get more details from the API call about why an error may be occurring. If there is an error, it is likely related to credentials or network issues between Perch cloud and the Cisco-managed AWS bucket.
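Since most errors come down to credentials, the following pre-flight check catches copy-and-paste mistakes in the Data Path, Access Key, Secret Key, and AWS Region before they are saved. It is an added example, not part of Perch or Cisco Umbrella; the function name is hypothetical, the `cisco-managed-<region>` bucket naming is an assumption, and the sample values are constructed.

```python
import re
from urllib.parse import urlparse

# AWS long-term access key IDs are 20 characters starting with "AKIA";
# secret access keys are 40 characters.
ACCESS_KEY_RE = re.compile(r"AKIA[A-Z0-9]{16}")
SECRET_KEY_RE = re.compile(r"[A-Za-z0-9/+]{40}")
# Assumption: Cisco-managed bucket names are this prefix followed by the region.
CISCO_PREFIX = "cisco-managed-"


def check_umbrella_settings(data_path, access_key, secret_key, region):
    """Return a list of problems; an empty list means the values look sane.

    Messages never echo the key material, so they are safe to log.
    """
    fields = {"Data Path": data_path, "Access Key": access_key,
              "Secret Key": secret_key, "AWS Region": region}
    problems = [f"{name} has leading or trailing whitespace"
                for name, value in fields.items() if value != value.strip()]
    data_path, access_key = data_path.strip(), access_key.strip()
    secret_key, region = secret_key.strip(), region.strip()

    url = urlparse(data_path)
    if url.scheme != "s3" or not url.netloc:
        problems.append("Data Path is not of the form s3://bucket/prefix")
    elif url.netloc.startswith(CISCO_PREFIX):
        # Only Cisco-managed buckets are assumed to carry the region in the name.
        bucket_region = url.netloc[len(CISCO_PREFIX):]
        if bucket_region != region:
            problems.append(
                f"bucket is in {bucket_region}, selected region is {region}")
    if not ACCESS_KEY_RE.fullmatch(access_key):
        problems.append("Access Key does not look like a long-term AWS access key ID")
    if not SECRET_KEY_RE.fullmatch(secret_key):
        problems.append("Secret Key is not a 40-character AWS secret key")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_umbrella_settings(
        "s3://cisco-managed-us-west-1/0000000_constructed-prefix/",
        "AKIA" + "A" * 16, "x" * 40 + "\n", "us-west-1"))
```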
If you need assistance with this integration you can reach us at firstname.lastname@example.org.