arshad80
Copper Contributor
May 08, 2020

Adding Connectors for Cisco Umbrella / Cisco Stealth Watch / and Cisco ISE

Hello Team,

Are you folks planning to add connectors for the following products some time soon?

Adding Connectors for Cisco Umbrella / Cisco Stealth Watch / and Cisco ISE

Regards

Arshad

  • AdiGrio
    Brass Contributor

    arshad80

    Cisco ISE would simply send the logs to the Sentinel syslog collector. There is no need for a dedicated connector, maybe just a parser in Sentinel. As far as I know they don't know "CEF" so they will arrive in the Syslog table and from there a parser can be built to extract data of interest.

    Umbrella logs can be sent to an AWS S3 bucket and from there downloaded locally. Once there, they can be sent to Sentinel. One can also deploy a Sentinel playbook to retrieve the data of interest at regular intervals through their REST API (https://docs.umbrella.com/umbrella-api/docs/list-of-apis). The latter would be my preferred method.

    Stealthwatch again has an API that can be used.


    I agree that it would be nice to have the API integration already done by Microsoft. However, there are quite a few products that are probably on the "roadmap" and unless their release is imminent, one can invest the time to build the API-based log collector that can be reused for practically any platform that exposes a REST API.

    Adrian Grigorof

    www.managedsentinel.com
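As an added illustration of the "parser in Sentinel" approach for ISE messages landing in the Syslog table (example KQL written for this thread, not code from the reply, Microsoft or Cisco): the query runs against a constructed `datatable` standing in for `Syslog`, and the `CISE_` message-class prefix, the comma-separated `Key=Value` body and field names such as `UserName` and `NAS-IP-Address` are assumptions to verify against what your own ISE nodes send before reusing the function.

```kusto
// Constructed sample rows mimicking the Sentinel Syslog table (assumed message layout:
// a CISE_<class> token, a free-text header, then comma-separated Key=Value pairs).
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, SyslogMessage:string)
[
    datetime(2020-05-08T10:15:00Z), "ise-psn-01",
      "CISE_Passed_Authentications 0000001234 1 0 2020-05-08 10:15:00.123 +00:00 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=jdoe, NAS-IP-Address=10.0.0.5, Calling-Station-ID=00-11-22-33-44-55, NAS-Port-Type=Ethernet",
    datetime(2020-05-08T10:16:00Z), "ise-psn-01",
      "CISE_Failed_Attempts 0000001235 1 0 2020-05-08 10:16:00.456 +00:00 5400 NOTICE Failed-Attempt: Authentication failed, UserName=jdoe, NAS-IP-Address=10.0.0.5, Calling-Station-ID=00-11-22-33-44-55, FailureReason=22040 Wrong password",
    datetime(2020-05-08T10:16:30Z), "ise-psn-01",
      "CISE_Failed_Attempts 0000001236 1 0 2020-05-08 10:16:30.789 +00:00 5400 NOTICE Failed-Attempt: Authentication failed, UserName=jdoe, NAS-IP-Address=10.0.0.5, Calling-Station-ID=00-11-22-33-44-55, FailureReason=22040 Wrong password"
];
// Reusable parser; save it as a Sentinel function (e.g. CiscoISE_Parsed) and call it from analytics rules.
// T:(*) accepts any input schema, so the real Syslog table can be piped in unchanged.
let CiscoISE_Parsed = (T:(*)) {
    T
    | where SyslogMessage startswith "CISE_"
    // Message class is the first token; the Key=Value body starts after the first ", ".
    | extend MessageClass = extract(@"^(CISE_\w+)", 1, SyslogMessage)
    | extend BodyStart = indexof(SyslogMessage, ", ")
    | extend Body = iff(BodyStart >= 0, substring(SyslogMessage, BodyStart + 2), "")
    // Collect every Key=Value pair into a property bag without hard-coding the field list.
    | extend Pairs = extract_all(@"([^,=]+)=([^,]*)", Body)
    | mv-apply Pair = Pairs to typeof(dynamic) on (
        summarize Fields = make_bag(bag_pack(trim(@"\s+", tostring(Pair[0])), trim(@"\s+", tostring(Pair[1]))))
      )
    // Promote the fields most rules need; everything else stays reachable in Fields.
    | extend UserName      = tostring(Fields["UserName"]),
             NasIp         = tostring(Fields["NAS-IP-Address"]),
             EndpointMac   = tostring(Fields["Calling-Station-ID"]),
             FailureReason = tostring(Fields["FailureReason"])
    | project-away BodyStart, Body, Pairs
};
// Example detection-style use: repeated failed authentications per user and NAS within a window.
SampleSyslog
| invoke CiscoISE_Parsed()
| where MessageClass == "CISE_Failed_Attempts"
| summarize Failures = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by UserName, NasIp, FailureReason
| where Failures >= 2
```

To run against live data, replace `SampleSyslog` with `Syslog | where Computer startswith "ise-"` (or whatever identifies your ISE nodes) and keep the function and summarize unchanged.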
