Forum Discussion
Jlouden91
May 12, 2021 (Copper Contributor)
Issue with Cisco Umbrella template
Hi All,
Not sure if anyone else has run into this issue when deploying the preview edition of the Umbrella Connector. The expected data type in the pre-built queries is Cisco_Umbrella; however, the Function app created the following data types:
- Cisco_Umbrella_dns_CL
- Cisco_Umbrella_proxy
- Cisco_Umbrella_ip_CL
- Cisco_Umbrella_cloudfirewall_CL
So none of the out-of-the-box queries work, and it isn't a simple action to swap in the correct data types. You need to rewrite the query with the correct fields.
Curious to see if anyone has had the same issues?
Regards
John
- CliveWatson
Microsoft
I suspect you need the Parser: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/CiscoUmbrella/Cisco_Umbrella
This is mentioned at the top of the "next steps" page when you go to the Data Connector in Azure Sentinel.