SOCFortress Integrations — Cisco Umbrella (Virtual Appliance)

SOCFortress
3 min read · Jan 9, 2024

Intro

SOCFortress integration and visualization tools let security analysts visualize and triage Cisco Umbrella DNS forwarder (Virtual Appliance) security events from a single pane of glass.

About Umbrella virtual appliances (VAs)

Umbrella virtual appliances (VAs) are lightweight virtual machines that are compatible with VMware ESX/ESXi, Windows Hyper-V, and KVM hypervisors and the Microsoft Azure, Google Cloud Platform, and Amazon Web Services cloud platforms.

When utilized as conditional DNS forwarders on your network, Umbrella VAs record the internal IP address information of DNS requests for usage in reports, security enforcement, and category filtering policies. Additionally, VAs encrypt and authenticate DNS data for enhanced security.

VAs also enable Active Directory (AD) integration, which expands on the VAs’ functionality to include AD identity information in addition to internal IP address visibility and DNS encryption.

Architecture:

Benefits of Virtual Appliances

  • Granular Identity Information: If you’re already pointing DNS to Umbrella, or plan to, all the DNS traffic visible in your Umbrella reports comes from a single Network identity. The VAs provide internal IP visibility, allowing you to track down malicious or inappropriate traffic within your network to a specific IP address.
      • Without Virtual Appliances: Security and DNS traffic-related investigations cannot be traced back to an individual computer or IP address.
      • With Virtual Appliances: VAs record the internal IP address of every DNS request. Security and DNS traffic-related investigations allow you to associate traffic with an individual, internal IP address.
      • With AD integration (added as a supplementary feature): The VAs also record the AD user, group, or computer, depending on Umbrella’s policies.
  • Granular Policy Management: Set different policies for “bring your own device” (BYOD) corporate networks, guest Wi-Fi, server-only networks, and more, by specifying the internal IP or IP range. Granular policy control makes it easy to filter unwanted content and malicious traffic on a per-network basis.
  • No Endpoint Software: No client-side software required. No OS image to reconfigure.
  • Lightweight Footprint: A VA only requires a minimum of one virtual CPU core and 512MB to process millions of DNS queries per day.
  • Active Directory Integration: VAs enable AD integration, which provides user, group, or computer name granularity in both reports and policies.

Ingesting Umbrella VA logs and events

Reference: https://docs.umbrella.com/deployment-umbrella/docs/appendix-e-other-configurations#syslog

Remote syslog forwarder in Umbrella VA

Visualizations

Quick stats in landing page:

Total number of DNS requests and requests by Umbrella VA:

Queries by Host ID and User ID (if integrated with MS-AD):

Need Help?

The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).