Collect Cisco Umbrella Cloud Firewall logs
This document explains how to ingest Cisco Umbrella Cloud Firewall logs into Google Security Operations using Amazon S3.
Cisco Umbrella Cloud Firewall (CDFW) provides cloud-delivered firewall protection that inspects and controls network traffic based on IP addresses, ports, and protocols. CDFW enforces firewall policies for users connecting through IPsec tunnels or roaming clients, blocking malicious traffic and unauthorized applications, while providing detailed visibility into network activity with comprehensive logging of all firewall events, including packet counts, byte transfers, application identification, and posture information.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Privileged access to the Cisco Umbrella console with the Full Admin role
- Privileged access to AWS (S3, Identity and Access Management (IAM))
Configure Cisco Umbrella for S3 log export
Cisco Umbrella supports two S3 export options: Cisco-managed buckets and self-managed buckets. This guide covers the Cisco-managed option for simplified setup.
1. Sign in to the Cisco Umbrella Dashboard at https://dashboard.umbrella.com.
2. Go to Admin > Log Management.
3. In the Amazon S3 section, click Use a Cisco-managed Amazon S3 bucket.
4. In the Select a Region dropdown, select the AWS region closest to your location (available options: US East (N. Virginia), US West (Oregon), EU (Frankfurt), AP (Sydney)).
5. In the Select a Retention Duration dropdown, select your preferred retention period (7 days, 14 days, or 30 days).
6. Click Save.
7. Click Continue to confirm the configuration.
8. Wait for Umbrella to provision the S3 bucket. When it is complete, the Amazon S3 Summary page displays.
9. Copy and securely save the following credentials:
   - Access Key (displayed in the Access field)
   - Secret Key (displayed in the Secret field)
   - S3 URI (displayed in the S3 URI field, in the format s3://cisco-managed-<region>/<organization-id>/)
10. Select the Got it checkbox.
11. Click Continue.
Umbrella begins uploading firewall logs to the S3 bucket every 10 minutes in gzipped CSV format.
S3 bucket folder structure
Umbrella organizes Cloud Firewall logs in the S3 bucket using the following structure:
s3://cisco-managed-<region>/<organization-id>/firewalllogs/YYYY-MM-DD/YYYY-MM-DD-HH-MM-<xxxx>.csv.gz
For example:
s3://cisco-managed-us-west-2/1234567890/firewalllogs/2026-02-03/2026-02-03-14-30-0001.csv.gz
Configure AWS S3 bucket and IAM for Google SecOps
Since Cisco manages the S3 bucket, you must create an IAM user with read-only access to retrieve logs for Google SecOps ingestion.
1. Create a User by following this user guide: Creating an IAM user.
2. Select the created User.
3. Select the Security credentials tab.
4. Click Create Access Key in the Access Keys section.
5. Select Third-party service as Use case.
6. Click Next.
7. Optional: Add a description tag.
8. Click Create access key.
9. Click Download .csv file to save the Access Key and Secret Access Key for future reference.
10. Click Done.
11. Select the Permissions tab.
12. Click Add permissions in the Permissions policies section.
13. Select Add permissions.
14. Select Attach policies directly.
15. Search for the AmazonS3ReadOnlyAccess policy.
16. Select the policy.
17. Click Next.
18. Click Add permissions.
Configure a feed in Google SecOps to ingest Cisco Umbrella Cloud Firewall logs
1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. On the next page, click Configure a single feed.
4. Enter a unique name for the Feed name.
5. Select Amazon S3 V2 as the Source type.
6. Select UMBRELLA_FIREWALL as the Log type.
7. Click Next and then click Submit.
8. Specify values for the following fields:
   - S3 URI: Enter the S3 URI from step 9 of the Cisco Umbrella configuration (for example, s3://cisco-managed-us-west-2/1234567890/firewalllogs/).
   - Source deletion option: Select Do not delete transferred files.
   - Maximum File Age: Include files modified in the last number of days (default is 180 days).
   - Access Key ID: Enter the access key from step 9 of the AWS IAM configuration.
   - Secret Access Key: Enter the secret key from step 9 of the AWS IAM configuration.
   - Asset namespace: The asset namespace.
   - Ingestion labels: The label to be applied to the events from this feed.
9. Click Next and then click Submit.
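As an added example (not part of the Cisco or Google SecOps documentation), the following Python parses object URIs that follow the S3 bucket folder structure described above and approximates the feed's Maximum File Age filter; the assumption that the HH-MM in the object name is UTC is mine, not the page's.

```python
import re
from datetime import datetime, timedelta, timezone

# Documented key layout (region and organization id are placeholders from the doc):
# s3://cisco-managed-<region>/<organization-id>/firewalllogs/YYYY-MM-DD/YYYY-MM-DD-HH-MM-<xxxx>.csv.gz
KEY_RE = re.compile(
    r"^s3://cisco-managed-(?P<region>[a-z]{2}-[a-z]+-\d)/(?P<org>\d+)/firewalllogs/"
    r"(?P<day>\d{4}-\d{2}-\d{2})/(?P=day)-(?P<hh>\d{2})-(?P<mm>\d{2})-(?P<seq>\w+)\.csv\.gz$"
)


def parse_firewall_log_uri(uri):
    """Return (region, org_id, timestamp, seq) for a log object URI, or None if it
    does not follow the documented layout (e.g. a bare folder prefix)."""
    m = KEY_RE.match(uri)
    if not m:
        return None
    # Assumption: the HH-MM in the object name is UTC (the doc does not state a zone)
    ts = datetime.strptime(f"{m['day']}-{m['hh']}-{m['mm']}", "%Y-%m-%d-%H-%M")
    return m["region"], m["org"], ts.replace(tzinfo=timezone.utc), m["seq"]


def within_max_file_age(uri, now_iso, max_age_days=180):
    """Approximate the feed's Maximum File Age filter (default 180 days) using the
    timestamp in the key; the feed itself looks at the object's modification time."""
    parsed = parse_firewall_log_uri(uri)
    if parsed is None:
        return False
    return datetime.fromisoformat(now_iso) - parsed[2] <= timedelta(days=max_age_days)


# Constructed sample URI following the documented example
SAMPLE_URI = ("s3://cisco-managed-us-west-2/1234567890/firewalllogs/"
              "2026-02-03/2026-02-03-14-30-0001.csv.gz")
```

Feeding the folder prefix you enter in the feed (ending in firewalllogs/) to parse_firewall_log_uri returns None, which is a quick way to tell the prefix apart from an object key when checking what the feed will actually pick up.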
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| dns_question | additional.fields | Merged from dns_return_message_label |
| daction | security_result.action_details | Value copied directly from sec_action |
| verdict, security_action | security_result.action | Value from verdict if in ALLOW/DENY/DROP/ALLOW_WITH_MODIFICATION, else from security_action mapped to ALLOW or BLOCK |
| ruleId, column20 | security_result.rule_id | Value from ruleId, or from column20 if integer |
| verdict, pcdetails, tcdetails, phost, thost | security_result.category_details | Value from verdict if not in standard actions, else from pcdetails or tcdetails or phost or thost if not in specific host types |
| originId | intermediary.resource.id | Value copied directly |
| identity | intermediary.resource.name | Value copied directly |
| dataCenter | intermediary.location.name | Value copied directly |
| intermediary | intermediary | Merged from intermediary object |
| metadata.event_type | metadata.event_type | Set to "NETWORK_CONNECTION" initially, then "STATUS_UPDATE" if has_principal true and has_target false, else "GENERIC_EVENT" if both false |
| desc | metadata.description | Value copied directly |
| proto | network.ip_protocol | Value set to "ICMP" if ipProtocol 1, "TCP" if 6, "UDP" if 17 |
| packetSize, response_size | network.received_bytes | Value from packetSize if direction INBOUND, or from response_size |
| packetSize | network.sent_bytes | Value from packetSize if direction OUTBOUND |
| direction | network.direction | Value copied directly if in BROADCAST/INBOUND/OUTBOUND |
| http_method | network.http.method | Value copied directly |
| http_reponse_code | network.http.response_code | Converted to integer from http_reponse_code |
| usr_agent | network.http.user_agent | Value copied directly |
| refer_url | network.http.referral_url | Value copied directly |
| dns_question | network.dns.questions | Merged from dns_question |
| response_code | network.dns.response_code | Converted to numeric code from response_code mappings |
| principal_ip, principalip, sourceIp, _internalip, _externalip | principal.ip | Value from principal_ip (direction) if IP, else principalip (packetSize) if IP, else sourceIp, else _internalip if IP, else _externalip if IP and different |
| principal_ip, principalip, sourceIp, _internalip, _externalip | principal.asset.ip | Value from principal_ip (direction) if IP, else principalip (packetSize) if IP, else sourceIp, else _internalip if IP, else _externalip if IP and different |
| sourcePort | principal.port | Value copied directly |
| prin_host, phost | principal.hostname | Value from prin_host if in specific types, else from phost if in specific types |
| phost | principal.asset.hostname | Value copied directly if in specific host types |
| organization_id_label, most_granular_identity_label | principal.asset.attribute.labels | Merged from organization_id_label and most_granular_identity_label |
| destinationIp | target.ip | Value copied directly |
| destinationIp | target.asset.ip | Value copied directly |
| destinationPort | target.port | Converted to integer from destinationPort |
| target_host, thost | target.hostname | Value from target_host if in specific types, else from thost if in specific types |
| thost | target.asset.hostname | Value copied directly if in specific host types |
| target_url | target.url | Value copied directly |
| granular_identity_label | target.asset.attribute.labels | Merged from granular_identity_label |
| | metadata.vendor_name | Set to "Cisco" |
| | metadata.product_name | Set to "Umbrella Cloud Firewall" |
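The following Python is an added example, not the Google SecOps parser itself: it applies a subset of the mapping rules from the table above (protocol, direction, byte counters, verdict, endpoints and event_type) to a constructed record so you can check what a given raw row should produce in UDM; the reading of has_principal/has_target as "an IP was populated" is my assumption.

```python
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
STANDARD_ACTIONS = {"ALLOW", "DENY", "DROP", "ALLOW_WITH_MODIFICATION"}
DIRECTIONS = {"BROADCAST", "INBOUND", "OUTBOUND"}


def map_to_udm(rec):
    """Apply a subset of the mapping table to one parsed record (dict of raw fields)."""
    udm = {"metadata": {"vendor_name": "Cisco", "product_name": "Umbrella Cloud Firewall",
                        "event_type": "NETWORK_CONNECTION"},
           "network": {}, "security_result": {}, "principal": {}, "target": {}}
    # proto -> network.ip_protocol, only for the three documented protocol numbers
    if rec.get("proto", "").isdigit() and int(rec["proto"]) in IP_PROTOCOLS:
        udm["network"]["ip_protocol"] = IP_PROTOCOLS[int(rec["proto"])]
    # direction is copied only when it is one of the documented values
    direction = rec.get("direction")
    if direction in DIRECTIONS:
        udm["network"]["direction"] = direction
    # packetSize -> received_bytes for INBOUND, sent_bytes for OUTBOUND
    if rec.get("packetSize", "").isdigit():
        if direction == "INBOUND":
            udm["network"]["received_bytes"] = int(rec["packetSize"])
        elif direction == "OUTBOUND":
            udm["network"]["sent_bytes"] = int(rec["packetSize"])
    # verdict -> security_result.action when standard, otherwise category_details
    verdict = rec.get("verdict")
    if verdict in STANDARD_ACTIONS:
        udm["security_result"]["action"] = verdict
    elif verdict:
        udm["security_result"]["category_details"] = verdict
    # endpoints: sourceIp -> principal.ip, destinationIp/Port -> target.ip/port
    if rec.get("sourceIp"):
        udm["principal"]["ip"] = rec["sourceIp"]
    if rec.get("destinationIp"):
        udm["target"]["ip"] = rec["destinationIp"]
    if rec.get("destinationPort", "").isdigit():
        udm["target"]["port"] = int(rec["destinationPort"])
    # event_type: assumed here that has_principal/has_target mean an IP was populated
    has_principal, has_target = bool(udm["principal"]), bool(udm["target"])
    if has_principal and not has_target:
        udm["metadata"]["event_type"] = "STATUS_UPDATE"
    elif not has_principal and not has_target:
        udm["metadata"]["event_type"] = "GENERIC_EVENT"
    return udm


# Constructed sample record (not real Umbrella output); field names follow the table
SAMPLE = {"proto": "6", "direction": "OUTBOUND", "packetSize": "1500", "verdict": "DENY",
          "sourceIp": "10.0.0.5", "destinationIp": "203.0.113.10", "destinationPort": "443"}
```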