Adding Connectors for Cisco Umbrella / Cisco Stealth Watch / and Cisco ISE


Hello Team,


Are you folks planning to add connectors for the following products some time soon?

Adding Connectors for Cisco Umbrella / Cisco Stealth Watch / and Cisco ISE

Regards

Arshad

2 Replies

@arshad80 


Cisco ISE would simply send the logs to the Sentinel syslog collector. There is no need for a dedicated connector, maybe just a parser in Sentinel. As far as I know they don't know "CEF", so they will arrive in the Syslog table and from there a parser can be built to extract data of interest.


Umbrella logs can be sent to an AWS S3 bucket and from there downloaded locally. Once there, they can be sent to Sentinel. One can also deploy a Sentinel playbook to retrieve the data of interest at regular intervals through their REST API (https://docs.umbrella.com/umbrella-api/docs/list-of-apis). The latter would be my preferred method.


Stealthwatch again has an API that can be used.


I agree that it would be nice to have the API integration already done by Microsoft. However, there are quite a few products that are probably on the "roadmap", and unless their release is imminent, one can invest the time to build the API-based log collector that can be reused for practically any platform that exposes a REST API.


Adrian Grigorof

www.managedsentinel.com