Cisco Umbrella
Samurai [Local] Collector | Samurai [Cloud] Collector | Samurai [Cloud Native] Collector |
---|---|---|
This guide describes all steps required to configure Cisco Umbrella to send logs to an S3 bucket and to allow Samurai read-only access to that bucket so it can ingest the logs.
Cisco Umbrella integration requires a self-managed AWS S3 bucket. For more information on Cisco Umbrella logging, refer to the Cisco documentation Manage Your Logs.
If you already have an AWS S3 bucket configured and have enabled Cisco Umbrella logging, jump straight to Configure an existing AWS S3 bucket to allow Samurai access.
If you have not enabled Cisco Umbrella logging to an AWS S3 bucket then follow the steps below to complete the integration:
1) Ensure you have been provided the following parameters by NTT:
- IntegrationsID
- Passkey
These parameters are made available to you during onboarding.
2) Have an Amazon AWS Account
- If you do not have an AWS Account you can refer directly to Cisco Umbrella documentation Enable Logging to your own S3 bucket. This document makes reference to Amazon’s S3 documentation.
3) Decide on an S3 Data Retention Period
- Defined by you and your retention policy, this is the number of days after which objects in the S3 bucket are automatically deleted. The default is 7 days; you can override the value up to a maximum of 365 days.
4) From your browser
5) From your Cisco Umbrella console
Launch the integration stack and complete
Complete the following steps from your browser:
- Browse to:
We have simplified the integration through use of a CloudFormation Template that creates the following resources:
- SNS Topic
- S3 Bucket with SNS Notification of ObjectCreated Events
- Secure Bucket Policy, Allowing Samurai RO access
- SNS HTTPS Webhook Subscription to the Samurai Platform
Click on Launch Stack
Sign in to your AWS Account with administrative permissions
The Create Stack page will be shown:
- Select your AWS region to deploy the stack:
Click on Next
The Specify stack details page will be shown:
Specify a unique Stack name (optional; we default to NTTSamuraiS3Stack)
Enter the following parameters previously provided to you by NTT:
- Samurai Cloud IntegrationsId
- Samurai Cloud Integrations Pass Key
Select Yes under Enabled Cisco Umbrella access to Cloud Integrations S3 Bucket via Bucket Policy
Leave The name of an existing Cisco Umbrella Bucket blank
Update the Samurai Cloud Integrations Bucket Data Retention period (as needed)
The default retention period is 7 days (we recommend 7 days but based on your retention policy you can override the value as necessary)
Click Next
The Configure stack options will be shown:
Click Next
You can now Review the steps worked through:
Click Create Stack
You will now be shown the stack Events:
- Select the Resources tab:
Make note of the S3 bucket name as you will need this when configuring Cisco Umbrella. The S3 bucket name is the Physical ID of the S3 Bucket and is also a hyperlink.
To verify the webhook has registered with Samurai, click on the hyperlink of the Physical ID of the SamuraiSNS Topic (Logical ID)
The Topic details page will open; you should see Status as Confirmed (see example below):
From your Cisco Umbrella console
Follow the Enable Logging section (Steps 1-3) in the Cisco Umbrella documentation:
Ensure you enter the exact name of the AWS S3 bucket
Your integration is now complete. If you have any problems or questions please raise a ticket or reach out to your NTT point of contact.
Configure an existing AWS S3 bucket to allow Samurai access
If you already have Cisco Umbrella logging to a self-managed AWS S3 bucket, follow the steps below:
1) Ensure you have been provided the following parameters by NTT:
- IntegrationsID
- Passkey
These parameters are made available to you during onboarding.
2) From your browser
Launch the integration stack and complete
Complete the following steps from your browser:
- Browse to:
We have simplified the integration through use of a CloudFormation Template that creates the following resources:
- SNS Topic
- SNS HTTPS Webhook Subscription to the Samurai Platform
Click on Launch Stack
Sign in to your AWS Account with administrative permissions
The Create Stack page will be shown:
- Select your AWS region to deploy the stack:
Click on Next
The Specify stack details page will be shown:
Specify a unique Stack name (optional; we default to NTTSamuraiS3Stack)
Enter the following parameters previously provided to you by NTT:
- Samurai Cloud IntegrationsId
- Samurai Cloud Integrations Pass Key
Select Yes under Enabled Cisco Umbrella access to Cloud Integrations S3 Bucket via Bucket Policy
Under The name of an existing Cisco Umbrella Bucket enter the name of your existing S3 Bucket (an example is depicted in the graphic)
Update the Samurai Cloud Integrations Bucket Data Retention period (as needed)
The default retention period is 7 days (we recommend 7 days but based on your retention policy you can override the value as necessary)
Click Next
The Configure stack options will be shown:
Click Next
You can now Review the steps worked through:
Click Create Stack
You will now be shown the stack Events
You can view Resources created:
- You must now Create Event Notifications. Browse to your existing S3 Bucket Properties
- Click Create Event Notification
- The Create event notification window will be shown:
Scroll down for Destination
- Complete the following fields with the following parameters: (leave all other fields as default)
Field Name | Parameter |
---|---|
Event name | Any name of your choosing |
Object creation | All object create events (enabled) |
Destination | SNS Topic (selected) |
Specify SNS topic | Select your method to specify the SNS topic |
SNS Topic | Enter or choose from your topics the relevant Samurai entry |
Click Save Changes
You now need to add an S3 bucket policy. Browse to your existing S3 Bucket Properties
Select Edit and add the following statement to the policy, replacing the two Resource ARNs with the name of your existing bucket (the example below uses the bucket name samurai-12a98319b803):

```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::600502389717:user/samurai-xdr-s3-reader-user"
  },
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::samurai-12a98319b803",
    "arn:aws:s3:::samurai-12a98319b803/*"
  ]
}
```
Click Save changes
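A small check, added here as an example and not part of this guide or the Samurai platform, that builds the statement above for a given bucket name and audits a bucket policy for anything granting the Samurai reader more than the read-only access it needs; the principal and actions are taken from the statement above, while the bucket names are constructed placeholders:

```python
# Values from the guide: the Samurai reader principal and the two read-only
# actions it needs. Bucket names used with these functions are placeholders.
SAMURAI_PRINCIPAL = "arn:aws:iam::600502389717:user/samurai-xdr-s3-reader-user"
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}

def samurai_read_only_statement(bucket):
    """Build the guide's bucket-policy statement for the named bucket."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": SAMURAI_PRINCIPAL},
        "Action": sorted(READ_ONLY_ACTIONS),
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }

def _as_list(value):
    # IAM policy JSON allows a single string wherever a list is expected.
    return value if isinstance(value, list) else [value]

def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)  # bare "*" form

def audit_policy(policy, bucket):
    """Return findings for Allow statements that reach the Samurai principal
    but exceed read-only access to `bucket`, or that leave that access missing."""
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings, granted = [], set()
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        principals = _aws_principals(st)
        if st.get("Effect") != "Allow" or not ({SAMURAI_PRINCIPAL, "*"} & set(principals)):
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = set(_as_list(st.get("Resource", [])))
        if "*" in principals:
            findings.append(f"statement {i}: principal '*' is not scoped to the Samurai reader")
        if actions - READ_ONLY_ACTIONS:
            findings.append(f"statement {i}: non-read-only actions {sorted(actions - READ_ONLY_ACTIONS)}")
        if resources - expected:
            findings.append(f"statement {i}: resources outside {bucket}: {sorted(resources - expected)}")
        granted |= actions & READ_ONLY_ACTIONS
    if READ_ONLY_ACTIONS - granted:
        findings.append(f"Samurai principal lacks {sorted(READ_ONLY_ACTIONS - granted)}")
    return findings
```

Run audit_policy against the policy document you are about to save; an empty list means the Samurai reader has exactly GetObject and ListBucket on your bucket and nothing more.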
To verify the webhook has registered with Samurai, go to the Resources tab of the Samurai Stack and click on the hyperlink of the Physical ID of the SamuraiSNS Topic (Logical ID)
The Topic details page will open; you should see Status as Confirmed (see example below):
You now need to check the S3 Object Ownership setting of your existing S3 bucket so that Samurai is able to download the logs. Sign in to the AWS Management Console and open the Amazon S3 console (if you have not already done so!) at https://console.aws.amazon.com/s3/
In the Buckets list choose the name of the bucket that you want to apply an S3 Object Ownership setting to
Choose the Permissions tab
Under the Object Ownership, choose Edit
Under Object Ownership ensure Bucket owner preferred is enabled (as depicted in the graphic below)
Click Save changes
If you have ACLs disabled, your integration is now complete.
If you have ACLs enabled, you will need to edit the ACL:
In the Buckets list choose the name of the bucket that you want to set permission for
Choose Permissions
Under Access control list, choose Edit
Under Access for other AWS account, click Add grantee
Enter 5501afb2b26d7609fe4051b3d23916c6c185da004301607ebbb71883d12d4142 as the canonical ID
Click List (under Objects) and Read (under Bucket ACL)
Click Save Changes
Your integration is now complete. If you have any problems or questions please raise a ticket or reach out to your NTT point of contact.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.