Issue with Cisco Umbrella template

Hi All,

Not sure if anyone else has run into this issue when deploying the preview edition of the Umbrella Connector. The expected data type in the pre-built queries is Cisco_Umbrella; however, the Function app created the following data types:

- Cisco_Umbrella_dns_CL
- Cisco_Umbrella_proxy
- Cisco_Umbrella_ip_CL
- Cisco_Umbrella_cloudfirewall_CL

So none of the out-of-the-box queries work, and it isn't a simple action to swap in the correct data types. You need to rewrite the query with the correct fields.

Curious to see if anyone has had the same issues?

Regards

John

1 Reply
I suspect you need the Parser: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/CiscoUmbrella/Cisco_Umbrella
This is mentioned at the top of the "next steps" page when you go to the Data Connector in Azure Sentinel.
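How the parser approach resolves the mismatch, as an added sketch rather than the parser from the linked repository: the pre-built queries reference Cisco_Umbrella, which exists not as a table but as a saved KQL function that unions the per-log-type custom tables the Function app creates. Table names follow the original post (the proxy table is assumed to carry the usual _CL suffix), and the EventType column is my own addition.

```kql
// Added illustration, not the Azure-Sentinel repository's Cisco_Umbrella parser.
// Saved in Log Analytics as a function named Cisco_Umbrella, this gives the
// pre-built queries an alias that resolves, built from the custom-log tables
// that actually exist in the workspace. isfuzzy=true keeps the union running
// when one log type has not produced any rows yet (for example, no cloud
// firewall logs), instead of failing the whole query on a missing table.
union isfuzzy=true
    (Cisco_Umbrella_dns_CL           | extend EventType = "dns"),
    (Cisco_Umbrella_proxy_CL         | extend EventType = "proxy"),       // _CL suffix assumed
    (Cisco_Umbrella_ip_CL            | extend EventType = "ip"),
    (Cisco_Umbrella_cloudfirewall_CL | extend EventType = "cloudfirewall")
// EventType is an assumed column so a query can filter one Umbrella log type
// from the unified alias, e.g. Cisco_Umbrella | where EventType == "dns"
| project-reorder TimeGenerated, EventType
```

The union alone only fixes the table-name mismatch; the linked parser additionally normalizes the field names across log types, which is why the pre-built queries depend on it rather than on the raw _CL tables.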