Thank you for your reply, Jonathan.
I set up the AWS S3 and had the Cisco Umbrella Managed log services to dump the logs into this - which works.
However, after setting up the log source using the Cisco Umbrella DSM and configuring the settings, the following error is displayed:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/38750057.html
And an extract of the QRadar logs:
There appears to be a configuration issue with the provider connection 'class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider155'.
I have recreated the log source and also used a trial instance of AWS S3 but still have the same issue.
Anyone had a similar challenge?
Thank you.
------------------------------
Shjajad Ashraf
------------------------------
Original Message:
Sent: 02-28-2019 10:23 AM
From: Jonathan Pechta
Subject: QRADAR and Managed Cisco Umbrella
Can they put these files in an S3 bucket? If yes, this is the recommended method of consuming these logs in QRadar. I will note that CSV is heavy regex/parsing-wise because you are counting in commas to identify what you need to retrieve to parse values from the payload, but it is definitely possible and there is a write-up on this.
Cisco has a good integration article here: https://support.umbrella.com/hc/en-us/articles/231248488-Configuring-QRadar-for-use-with-Cisco-Umbrella-Log-Management-in-AWS-S3
If they can put this info in an S3 bucket, you should be able to grab the data. The Cisco write-up covers the setup in detail, along with the LSX required to do this integration. Not sure if this answers your question from an MSP perspective, but having read only access on an S3 bucket and following the linked setup is likely the best way to get this data.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Official Support forums: https://ibm.biz/qradarforums
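As an added illustration of the comma-counting regex approach described above (this is not code from the thread, from Cisco or from IBM): a Python regex that pulls the Nth column out of a headerless CSV line while respecting double-quoted fields, the case a naive comma count gets wrong. The sample lines and their column order are constructed assumptions, not the documented Umbrella format; QRadar log source extensions use Java regex, but this pattern syntax is the same in both engines.

```python
import csv
import re

# Constructed sample lines in a headerless, fully quoted CSV layout.
# The column order is an assumption for illustration, not the real Umbrella schema.
# Line 1 has a quoted field (index 3) that itself contains a comma.
SAMPLE_LINES = [
    '"2019-02-28 10:23:00","host-01","host-01,Corp Network","10.0.0.5",'
    '"203.0.113.7","Allowed","1 (A)","NOERROR","example.com.","Business Services"',
    '"2019-02-28 10:23:05","host-02","host-02","10.0.0.6",'
    '"203.0.113.7","Blocked","1 (A)","NOERROR","malware.test.","Malware"',
]


def field_regex(index: int) -> re.Pattern:
    """Build a regex that captures the 1-based CSV field `index`.

    A field is either a double-quoted token (commas allowed inside the quotes)
    or a run of non-comma characters. Skip `index - 1` fields plus their
    trailing commas, then capture the next field.  This is the "count the
    commas" technique an LSX regex uses, made quote-aware."""
    field = r'(?:"[^"]*"|[^,]*)'
    return re.compile(r"^(?:" + field + r",){" + str(index - 1) + r"}(" + field + r")")


def extract_field(line: str, index: int) -> str:
    """Return field `index` of a headerless CSV line, quotes stripped."""
    match = field_regex(index).search(line)
    if match is None:
        raise ValueError(f"line has fewer than {index} fields")
    return match.group(1).strip('"')


def naive_field(line: str, index: int) -> str:
    """Plain split on commas: breaks as soon as a quoted field contains a comma."""
    return line.split(",")[index - 1].strip('"')


def csv_field(line: str, index: int) -> str:
    """Reference parser from the standard library, used to cross-check the regex."""
    return next(csv.reader([line]))[index - 1]


def regex_matches_csv(line: str, field_count: int) -> bool:
    """True when the regex extractor agrees with csv.reader for every column."""
    return all(extract_field(line, i) == csv_field(line, i) for i in range(1, field_count + 1))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("action:", extract_field(line, 6), "| naive:", naive_field(line, 6))
```

Running it shows the first line's action column read correctly as the sixth field by the regex, while the naive split returns the external IP because the embedded comma shifted every later column by one.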
Original Message:
Sent: 02-28-2019 07:35 AM
From: Shjajad Ashraf
Subject: QRADAR and Managed Cisco Umbrella
Hello All,
We have a managed DNS service with Cisco (Umbrella) and this is administered by them.
We receive DNS logs at intervals to a network share on our network but these compressed files contain a CSV file without headers.
I was looking at using a custom universal DSM with SMB protocol and then use a log source extension.
Has anyone managed to ingest Cisco Umbrella Logs from a managed service perspective and if yes, what was your approach please?
Thank you.
------------------------------
Shjajad Ashraf
------------------------------