Collect Cisco Secure Access logs
This document explains how to ingest Cisco Secure Access logs to Google Security Operations using Amazon S3.
Cisco Secure Access is a cloud-delivered Security Service Edge (SSE) solution that provides zero trust network access, secure web gateway, cloud-delivered firewall, DNS-layer security, and data loss prevention. It unifies multiple security functions to protect users and devices accessing applications from any location.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Privileged access to Cisco Secure Access with the Full Admin user role
- Privileged access to AWS (S3, IAM)
Configure an Amazon S3 bucket for Cisco Secure Access
- Sign in to the AWS Management Console.
- Go to Amazon S3 > Buckets.
- Click Create bucket.
- Enter a unique Bucket name (for example, cisco-secure-access-logs).
- Select the AWS Region where the bucket should be created.
- Leave the remaining settings as default and click Create bucket.
- Select the newly created bucket.
- Go to Permissions > Bucket policy.
- Click Edit and paste the following JSON policy, replacing bucketname with your actual bucket name:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname"
    }
  ]
}
```

- Click Save changes.
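The policy above grants the Cisco log-writer identity write, list and location access to the bucket while explicitly denying it s3:GetObject, so it can deposit logs but never read them back. The following Python helper is an added example, not part of this page or of Cisco's or Google's tooling: it renders the template for a given bucket name and checks a saved policy against the four required statements, catching the common mistake of leaving the bucketname placeholder in place. The account ARN is the one shown in the policy above; the function and constant names are assumptions.

```python
import json

# The log-writer identity Cisco uses, as shown in the bucket policy on this page.
CISCO_LOG_WRITER = "arn:aws:iam::568526795995:user/logs"

# (Effect, Action, resource suffix) for each statement the page's policy template requires.
# The Deny on s3:GetObject means the writer identity can drop logs but never read them back.
REQUIRED_STATEMENTS = [
    ("Allow", "s3:PutObject", "/*"),
    ("Deny", "s3:GetObject", "/*"),
    ("Allow", "s3:GetBucketLocation", ""),
    ("Allow", "s3:ListBucket", ""),
]
PLACEHOLDERS = {"arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"}


def render_policy(bucket: str) -> str:
    """Fill the page's policy template with a real bucket name (the JSON you paste into Bucket policy)."""
    statements = [
        {"Sid": "", "Effect": effect, "Principal": {"AWS": CISCO_LOG_WRITER},
         "Action": action, "Resource": f"arn:aws:s3:::{bucket}{suffix}"}
        for effect, action, suffix in REQUIRED_STATEMENTS
    ]
    return json.dumps({"Version": "2008-10-17", "Statement": statements}, indent=2)


def check_bucket_policy(policy_json: str, bucket: str) -> list:
    """Return the problems found in a saved bucket policy; an empty list means it matches the template."""
    policy = json.loads(policy_json)
    problems, found, placeholder_left = [], set(), False
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        principal = principal.get("AWS") if isinstance(principal, dict) else principal
        # Action and Resource may be a string or a list in policy JSON; normalise both to lists.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if principal != CISCO_LOG_WRITER:
            problems.append(f"statement for unexpected principal {principal!r}")
            continue
        for action in actions:
            for res in resources:
                placeholder_left |= res in PLACEHOLDERS
                found.add((stmt.get("Effect"), action, res))
    if placeholder_left:
        problems.append("placeholder 'bucketname' was not replaced")
    for effect, action, suffix in REQUIRED_STATEMENTS:
        if (effect, action, f"arn:aws:s3:::{bucket}{suffix}") not in found:
            problems.append(f"missing {effect} {action} on {bucket}{suffix}")
    return problems
```

Run check_bucket_policy on the policy JSON copied from the bucket's Permissions tab before clicking Verify in the Cisco dashboard; any non-empty result explains why the verification step would fail.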
Configure an AWS S3 IAM user for Google SecOps
- In the AWS Management Console, go to IAM > Users.
- Create a User following this user guide: Creating an IAM user.
- Select the created User.
- Select the Security credentials tab.
- Click Create Access Key in the Access Keys section.
- Select Third-party service as the Use case.
- Click Next.
- Optional: Add a description tag.
- Click Create access key.
- Click Download .csv file to save the Access Key and Secret Access Key for future reference.
- Click Done.
- Select the Permissions tab.
- Click Add permissions in the Permissions policies section.
- Select Add permissions.
- Select Attach policies directly.
- Search for the AmazonS3FullAccess policy.
- Select the policy.
- Click Next.
- Click Add permissions.
Configure Cisco Secure Access to export logs to your S3 bucket
- Sign in to the Cisco Secure Access Dashboard at https://dashboard.sse.cisco.com.
- Go to Admin > Log Management.
- In the Amazon S3 area, select Use your company-managed Amazon S3 bucket.
- In the Amazon S3 Bucket field, enter the exact name of the S3 bucket you created (for example, cisco-secure-access-logs).
- Click Verify.
- Open the README_FROM_UMBRELLA.txt file that Cisco Secure Access saved to your S3 bucket.
- Copy the token listed in the file.
- Paste the token into the Token Number field in the Cisco Secure Access dashboard.
- Click Save.
Configure a feed in Google SecOps to ingest Cisco Secure Access logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- Enter a unique name for the Feed name (for example, Cisco Secure Access Logs).
- Select Amazon S3 V2 as the Source type.
- Select Cisco Secure Access as the Log type.
- Click Next and then click Submit.
- Specify values for the following fields:
  - S3 URI: s3://<BUCKET_NAME>/ Replace <BUCKET_NAME> with the name of your S3 bucket (for example, cisco-secure-access-logs).
  - Source deletion option: Select the deletion option according to your preference
  - Maximum File Age: Include files modified in the last number of days (default is 180 days)
  - Access Key ID: User access key with access to the S3 bucket
  - Secret Access Key: User secret key with access to the S3 bucket
  - Asset namespace: The asset namespace
  - Ingestion labels: The label to be applied to the events from this feed
- Click Next and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| _field | additional.fields | Merged |
| column10_label | additional.fields | Merged |
| column11_label | additional.fields | Merged |
| column15 | additional.fields | Mapped: [null] → column15_label |
| column15_label | additional.fields | Merged |
| column16_label | additional.fields | Merged |
| column22_label | additional.fields | Merged |
| column23_label | additional.fields | Merged |
| column24_label | additional.fields | Merged |
| column27_label | additional.fields | Merged |
| column28_label | additional.fields | Merged |
| column29_label | additional.fields | Merged |
| column30 | additional.fields | Mapped: ^[0-9]+$ → column30_label |
| column30_label | additional.fields | Merged |
| column33_label | additional.fields | Merged |
| column42_label | additional.fields | Merged |
| column43 | additional.fields | Mapped: "true", "false" → column43_label |
| column43_label | additional.fields | Merged |
| column44_label | additional.fields | Merged |
| column45 | additional.fields | Mapped: , → column45_label |
| column45_label | additional.fields | Merged |
| column51_label | additional.fields | Merged |
| column52_label | additional.fields | Merged |
| column53_label | additional.fields | Merged |
| column55_label | additional.fields | Merged |
| column6_label | additional.fields | Merged |
| column9_label | additional.fields | Merged |
| key | additional.fields | Mapped: "col13_label", "col14_label", "col17_label", "col18_label", "col19_label", "col25_l... |
| auth_event | extensions.auth.type | Mapped: true → AUTHTYPE_UNSPECIFIED |
| intermediary_entity | intermediary | Merged |
| column1 | metadata.event_timestamp | Parsed as ISO8601 |
| auth_event | metadata.event_type | Mapped: true → USER_LOGIN |
| has_principal | metadata.event_type | Mapped: true → NETWORK_CONNECTION, true → STATUS_UPDATE |
| has_user | metadata.event_type | Mapped: true → USER_UNCATEGORIZED |
| column26 | metadata.product_log_id | Directly mapped |
| column26 | network.http.method | Directly mapped |
| column10 | network.http.user_agent | Directly mapped |
| column34 | network.ip_protocol | Directly mapped |
| column15 | network.received_bytes | Mapped: ^-?[0-9]+$ → uinteger |
| p_bytes | network.received_bytes | Directly mapped |
| p_bytes | network.sent_bytes | Directly mapped |
| column20 | network.session_id | Directly mapped |
| column12 | principal.application | Directly mapped |
| column2 | principal.asset.hostname | Directly mapped |
| column3 | principal.asset.hostname | Directly mapped |
| column7 | principal.asset.hostname | Directly mapped |
| p_hostname | principal.asset.hostname | Directly mapped |
| column15 | principal.asset.ip | Merged |
| column4 | principal.asset.ip | Mapped: DISCONNECTED → column15 |
| p_ip | principal.asset.ip | Merged |
| p_ip_from_host | principal.asset.ip | Merged |
| user_ip | principal.asset.ip | Merged |
| column31 | principal.asset.product_object_id | Directly mapped |
| software_obj | principal.asset.software | Merged |
| column2 | principal.hostname | Directly mapped |
| column3 | principal.hostname | Directly mapped |
| column7 | principal.hostname | Directly mapped |
| p_hostname | principal.hostname | Directly mapped |
| column15 | principal.ip | Merged |
| column4 | principal.ip | Mapped: DISCONNECTED → column15 |
| p_ip | principal.ip | Merged |
| p_ip_from_host | principal.ip | Merged |
| user_ip | principal.ip | Merged |
| column7 | principal.platform_version | Directly mapped |
| column41 | principal.process.file.full_path | Directly mapped |
| column40 | principal.process.pid | Directly mapped |
| column2 | principal.user.email_addresses | Mapped: ^.+@.+$ → column2 |
| email | principal.user.email_addresses | Mapped: ^.+@.+$ → email |
| column4 | principal.user.group_identifiers | Merged |
| column3 | principal.user.user_display_name | Directly mapped |
| user_display_name | principal.user.user_display_name | Directly mapped |
| column43 | principal.user.userid | Directly mapped |
| column7 | principal.user.userid | Directly mapped |
| column45 | principal.user.windows_sid | Directly mapped |
| sid | principal.user.windows_sid | Directly mapped |
| security_result_entry | security_result | Merged |
| security_result_present | security_result | Mapped: true → security_result_entry |
| column21 | target.asset.hostname | Directly mapped |
| column5 | target.asset.hostname | Directly mapped |
| column16 | target.asset.ip | Merged |
| column4 | target.asset.ip | Mapped: DISCONNECTED → column16 |
| column5 | target.asset.ip | Merged |
| t_ip | target.asset.ip | Merged |
| column21 | target.hostname | Directly mapped |
| column5 | target.hostname | Directly mapped |
| column16 | target.ip | Merged |
| column4 | target.ip | Mapped: DISCONNECTED → column16 |
| column5 | target.ip | Merged |
| t_ip | target.ip | Merged |
| column33 | target.port | Directly mapped |
| N/A | extensions.auth.type | Constant: AUTHTYPE_UNSPECIFIED |
| N/A | metadata.event_type | Constant: USER_LOGIN |
| N/A | metadata.product_name | Constant: Secure Access |
| N/A | metadata.vendor_name | Constant: Cisco |
| N/A | network.application_protocol | Constant: DNS |