Collect Cisco Umbrella Cloud Firewall logs
This document explains how to ingest Cisco Umbrella Cloud Firewall logs into Google Security Operations using Amazon S3.
Cisco Umbrella Cloud Firewall (CDFW) provides cloud-delivered firewall protection that inspects and controls network traffic based on IP addresses, ports, and protocols. CDFW enforces firewall policies for users connecting through IPsec tunnels or roaming clients, blocking malicious traffic and unauthorized applications, while providing detailed visibility into network activity with comprehensive logging of all firewall events, including packet counts, byte transfers, application identification, and posture information.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Privileged access to Cisco Umbrella console with Full Admin role
- Privileged access to AWS (S3, Identity and Access Management (IAM))
Configure Cisco Umbrella for S3 log export
Cisco Umbrella supports two S3 export options: Cisco-managed buckets and self-managed buckets. This guide covers the Cisco-managed option for simplified setup.
- Sign in to the Cisco Umbrella Dashboard at https://dashboard.umbrella.com.
- Go to Admin > Log Management.
- In the Amazon S3 section, click Use a Cisco-managed Amazon S3 bucket.
- In the Select a Region dropdown, select the AWS region closest to your location (available options: US East (N. Virginia), US West (Oregon), EU (Frankfurt), AP (Sydney)).
- In the Select a Retention Duration dropdown, select your preferred retention period (7 days, 14 days, or 30 days).
- Click Save.
- Click Continue to confirm the configuration.
- Wait for Umbrella to provision the S3 bucket. When provisioning is complete, the Amazon S3 Summary page is displayed.
- Copy and securely save the following credentials:
  - Access Key (displayed in the Access field)
  - Secret Key (displayed in the Secret field)
  - S3 URI (displayed in the S3 URI field, in the format s3://cisco-managed-<region>/<organization-id>/)
- Select the Got it checkbox.
- Click Continue.
Umbrella begins uploading firewall logs to the S3 bucket every 10 minutes in gzipped CSV format.
S3 bucket folder structure
Umbrella organizes Cloud Firewall logs in the S3 bucket using the following structure:
s3://cisco-managed-<region>/<organization-id>/firewalllogs/YYYY-MM-DD/YYYY-MM-DD-HH-MM-<xxxx>.csv.gz
For example:
s3://cisco-managed-us-west-2/1234567890/firewalllogs/2026-02-03/2026-02-03-14-30-0001.csv.gz
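The folder layout above is what a collector (or anyone auditing what the feed will pull) has to reason about: the region and organization ID come from the bucket path, the date folder and file name carry the upload time, and each object is a gzipped CSV. The following Python is an added example, not code from the Google SecOps or Cisco documentation: it parses a firewalllogs object URI into its components, applies the feed's Maximum File Age rule (default 180 days) using the date folder, and decompresses one object into CSV rows. The `<xxxx>` suffix is assumed to be a run of digits (the page's example uses `0001`), and the sample object and its column layout are constructed for the example, not Cisco's real export schema.

```python
import csv
import gzip
import io
import re
from datetime import date, datetime, timedelta

# Object key layout of the Cisco-managed bucket, as documented above. Assumption:
# the <xxxx> suffix is a run of digits (the page's example uses "0001").
FIREWALL_LOG_URI = re.compile(
    r"^s3://cisco-managed-(?P<region>[a-z0-9-]+)/(?P<org_id>\d+)/firewalllogs/"
    r"(?P<day>\d{4}-\d{2}-\d{2})/"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2})-(?P<seq>\d+)\.csv\.gz$"
)


def parse_firewall_log_uri(uri):
    """Split a firewalllogs object URI into its parts; None if it is not one."""
    match = FIREWALL_LOG_URI.match(uri)
    if match is None:
        return None
    parts = match.groupdict()
    # The file name carries the upload time at minute resolution.
    parts["uploaded_at"] = datetime.strptime(parts["stamp"], "%Y-%m-%d-%H-%M")
    return parts


def within_max_file_age(uri, max_age_days=180, today=None):
    """Apply the feed's Maximum File Age rule (default 180 days) to one key,
    using the date folder rather than the S3 LastModified attribute.
    `today` may be a date or an ISO date string; defaults to the current day."""
    parts = parse_firewall_log_uri(uri)
    if parts is None:
        return False
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return today - date.fromisoformat(parts["day"]) <= timedelta(days=max_age_days)


def read_firewall_log_object(blob):
    """Decompress one .csv.gz object (bytes) and return its non-empty CSV rows."""
    with gzip.open(io.BytesIO(blob), mode="rt", encoding="utf-8", newline="") as handle:
        return [row for row in csv.reader(handle) if row]


def build_sample_object():
    """Constructed test data: two CSV rows gzipped the way Umbrella delivers them.
    The column layout here is hypothetical; the real export is documented by Cisco."""
    rows = [
        ["2026-02-03 14:29:51", "OUTBOUND", "6", "10.0.0.5", "51234", "203.0.113.7", "443", "1500", "ALLOW"],
        ["2026-02-03 14:29:53", "INBOUND", "17", "198.51.100.9", "53", "10.0.0.5", "40112", "64", "DROP"],
    ]
    buffer = io.StringIO()
    csv.writer(buffer).writerows(rows)
    return gzip.compress(buffer.getvalue().encode("utf-8"))


if __name__ == "__main__":
    uri = "s3://cisco-managed-us-west-2/1234567890/firewalllogs/2026-02-03/2026-02-03-14-30-0001.csv.gz"
    print(parse_firewall_log_uri(uri))
    print("within 180 days:", within_max_file_age(uri))
    for row in read_firewall_log_object(build_sample_object()):
        print(row)
```

Using the date folder for the age check is deliberate: the feed itself keys on object modification time, but the folder date is what you can reason about from a key listing alone, which is handy when checking why an older day's files were (or were not) picked up.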
Configure AWS S3 bucket and IAM for Google SecOps
Since Cisco manages the S3 bucket, you must create an IAM user with read-only access to retrieve logs for Google SecOps ingestion.
- Create a User by following this user guide: Creating an IAM user.
- Select the created User.
- Select the Security credentials tab.
- Click Create Access Key in the Access Keys section.
- Select Third-party service as Use case.
- Click Next.
- Optional: Add a description tag.
- Click Create access key.
- Click Download .csv file to save the Access Key and Secret Access Key for future reference.
- Click Done.
- Select Permissions tab.
- Click Add permissions in the Permissions policies section.
- Select Add permissions.
- Select Attach policies directly.
- Search for the AmazonS3ReadOnlyAccess policy.
- Select the policy.
- Click Next.
- Click Add permissions.
Configure a feed in Google SecOps to ingest Cisco Umbrella Cloud Firewall logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- Enter a unique name for the Feed name.
- Select Amazon S3 V2 as the Source type.
- Select UMBRELLA_FIREWALL as the Log type.
- Click Next and then click Submit.
- Specify values for the following fields:
  - S3 URI: Enter the S3 URI from step 9 of the Cisco Umbrella configuration (for example, s3://cisco-managed-us-west-2/1234567890/firewalllogs/).
  - Source deletion option: Select Do not delete transferred files.
  - Maximum File Age: Include files modified in the last number of days (default is 180 days).
  - Access Key ID: Enter the access key from step 9 of the AWS IAM configuration.
  - Secret Access Key: Enter the secret key from step 9 of the AWS IAM configuration.
  - Asset namespace: The asset namespace.
  - Ingestion labels: The label to be applied to the events from this feed.
- Click Next and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| dns_question | additional.fields | Merged from dns_return_message_label |
| daction | security_result.action_details | Value copied directly from sec_action |
| verdict, security_action | security_result.action | Value from verdict if in ALLOW/DENY/DROP/ALLOW_WITH_MODIFICATION, else from security_action mapped to ALLOW or BLOCK |
| ruleId, column20 | security_result.rule_id | Value from ruleId, or from column20 if integer |
| verdict, pcdetails, tcdetails, phost, thost | security_result.category_details | Value from verdict if not in standard actions, else from pcdetails or tcdetails or phost or thost if not in specific host types |
| originId | intermediary.resource.id | Value copied directly |
| identity | intermediary.resource.name | Value copied directly |
| dataCenter | intermediary.location.name | Value copied directly |
| intermediary | intermediary | Merged from intermediary object |
| metadata.event_type | metadata.event_type | Set to "NETWORK_CONNECTION" initially, then "STATUS_UPDATE" if has_principal true and has_target false, else "GENERIC_EVENT" if both false |
| desc | metadata.description | Value copied directly |
| proto | network.ip_protocol | Value set to "ICMP" if ipProtocol 1, "TCP" if 6, "UDP" if 17 |
| packetSize, response_size | network.received_bytes | Value from packetSize if direction INBOUND, or from response_size |
| packetSize | network.sent_bytes | Value from packetSize if direction OUTBOUND |
| direction | network.direction | Value copied directly if in BROADCAST/INBOUND/OUTBOUND |
| http_method | network.http.method | Value copied directly |
| http_reponse_code | network.http.response_code | Converted to integer from http_reponse_code |
| usr_agent | network.http.user_agent | Value copied directly |
| refer_url | network.http.referral_url | Value copied directly |
| dns_question | network.dns.questions | Merged from dns_question |
| response_code | network.dns.response_code | Converted to numeric code from response_code mappings |
| principal_ip, principalip, sourceIp, _internalip, _externalip | principal.ip | Value from principal_ip (direction) if IP, else principalip (packetSize) if IP, else sourceIp, else _internalip if IP, else _externalip if IP and different |
| principal_ip, principalip, sourceIp, _internalip, _externalip | principal.asset.ip | Value from principal_ip (direction) if IP, else principalip (packetSize) if IP, else sourceIp, else _internalip if IP, else _externalip if IP and different |
| sourcePort | principal.port | Value copied directly |
| prin_host, phost | principal.hostname | Value from prin_host if in specific types, else from phost if in specific types |
| phost | principal.asset.hostname | Value copied directly if in specific host types |
| organization_id_label, most_granular_identity_label | principal.asset.attribute.labels | Merged from organization_id_label and most_granular_identity_label |
| destinationIp | target.ip | Value copied directly |
| destinationIp | target.asset.ip | Value copied directly |
| destinationPort | target.port | Converted to integer from destinationPort |
| target_host, thost | target.hostname | Value from target_host if in specific types, else from thost if in specific types |
| thost | target.asset.hostname | Value copied directly if in specific host types |
| target_url | target.url | Value copied directly |
| granular_identity_label | target.asset.attribute.labels | Merged from granular_identity_label |
| | metadata.vendor_name | Set to "Cisco" |
| | metadata.product_name | Set to "Umbrella Cloud Firewall" |
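The table reads as a set of conditional rules, and the easiest way to check an expectation (for example, why a DROP shows up as `security_result.action` but a vendor category lands in `category_details`, or why an event with no target becomes a STATUS_UPDATE) is to run those rules over a record. The following Python is an added example that reimplements the table's logic for the rows that state it precisely; it is not Google's parser and is not guaranteed to match it. Assumptions are marked in comments: `security_action` values other than `ALLOW` are treated as `BLOCK` (the table only says "mapped to ALLOW or BLOCK"), byte counters and ports are converted to integers, and `has_principal` / `has_target` are taken to mean that the principal or target object received any field. The input records are constructed for the example.

```python
import ipaddress

STANDARD_ACTIONS = {"ALLOW", "DENY", "DROP", "ALLOW_WITH_MODIFICATION"}
IP_PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}
DIRECTIONS = {"BROADCAST", "INBOUND", "OUTBOUND"}


def _is_int(value):
    return isinstance(value, str) and value.strip().lstrip("-").isdigit()


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def _pick_principal_ip(raw):
    """Precedence from the principal.ip row: principal_ip, principalip, sourceIp,
    _internalip, then _externalip when it differs from _internalip."""
    for field in ("principal_ip", "principalip"):
        if _is_ip(raw.get(field)):
            return raw[field]
    if raw.get("sourceIp"):
        return raw["sourceIp"]
    if _is_ip(raw.get("_internalip")):
        return raw["_internalip"]
    external = raw.get("_externalip")
    if _is_ip(external) and external != raw.get("_internalip"):
        return external
    return None


def map_to_udm(raw):
    """Apply the mapping table to one parsed record (dict of string fields)."""
    udm = {
        "metadata": {
            "event_type": "NETWORK_CONNECTION",
            "vendor_name": "Cisco",
            "product_name": "Umbrella Cloud Firewall",
        },
        "network": {},
        "security_result": {},
        "principal": {},
        "target": {},
    }
    sec, net = udm["security_result"], udm["network"]

    # security_result.action / category_details from verdict and security_action.
    verdict = raw.get("verdict")
    if verdict in STANDARD_ACTIONS:
        sec["action"] = verdict
    else:
        if verdict:
            sec["category_details"] = verdict
        sec_action = raw.get("security_action")
        if sec_action:
            # Assumption: the table only says "mapped to ALLOW or BLOCK".
            sec["action"] = "ALLOW" if sec_action.upper() == "ALLOW" else "BLOCK"

    # security_result.rule_id: ruleId, or column20 when it is an integer.
    if raw.get("ruleId"):
        sec["rule_id"] = raw["ruleId"]
    elif _is_int(raw.get("column20")):
        sec["rule_id"] = raw["column20"]

    # network.*: protocol number, direction and byte counters (ints assumed).
    proto = IP_PROTOCOLS.get(str(raw.get("proto", "")))
    if proto:
        net["ip_protocol"] = proto
    direction = raw.get("direction")
    if direction in DIRECTIONS:
        net["direction"] = direction
    packet_size = raw.get("packetSize")
    if direction == "INBOUND" and _is_int(packet_size):
        net["received_bytes"] = int(packet_size)
    elif _is_int(raw.get("response_size")):
        net["received_bytes"] = int(raw["response_size"])
    if direction == "OUTBOUND" and _is_int(packet_size):
        net["sent_bytes"] = int(packet_size)
    if _is_int(raw.get("http_reponse_code")):
        net.setdefault("http", {})["response_code"] = int(raw["http_reponse_code"])

    # principal.* and target.*
    principal_ip = _pick_principal_ip(raw)
    if principal_ip:
        udm["principal"]["ip"] = principal_ip
        udm["principal"]["asset"] = {"ip": principal_ip}
    if raw.get("sourcePort"):
        udm["principal"]["port"] = raw["sourcePort"]
    if raw.get("destinationIp"):
        udm["target"]["ip"] = raw["destinationIp"]
        udm["target"]["asset"] = {"ip": raw["destinationIp"]}
    if _is_int(raw.get("destinationPort")):
        udm["target"]["port"] = int(raw["destinationPort"])

    # metadata.event_type: demoted when principal or target is absent
    # (assumption: "has_principal" means any principal field was populated).
    has_principal, has_target = bool(udm["principal"]), bool(udm["target"])
    if has_principal and not has_target:
        udm["metadata"]["event_type"] = "STATUS_UPDATE"
    elif not has_principal and not has_target:
        udm["metadata"]["event_type"] = "GENERIC_EVENT"
    return udm
```

Feeding a blocked record with a vendor verdict such as `Malware` shows the split the table describes: the verdict is not one of the four standard actions, so it lands in `category_details`, and the action is derived from `security_action` instead. A record with only an internal IP and no destination produces a STATUS_UPDATE rather than a NETWORK_CONNECTION, which is worth knowing when writing detections that filter on event type.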