Cisco Umbrella is a secure web gateway that collects information about services, incidents, and threats on your network. Panther can collect, normalize, and monitor Cisco Umbrella logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a data lake powered by AWS or the cloud-native data platform, Snowflake.
Use Cases for Cisco Umbrella Logs
Panther supports the ingestion of Cloud Firewall, DNS, IP, and Proxy log types via Cisco Umbrella. Some common SIEM use cases for these log types include:
- Monitoring for suspicious, malicious, or blocked domains
- Identifying lookups to suspicious domains that may indicate a phishing attack
- Detecting DNS requests to sites posing as SSO domains
Onboarding Cisco Umbrella Logs in Panther
Panther’s integration for Cisco Umbrella is simple to configure, allowing you to onboard logs in just a few minutes. Simply select Cisco Umbrella from the list of log sources in the Panther console, choose your preferred data transport method, and configure Cisco Umbrella to push logs to your data transport source.
For more details on onboarding Cisco Umbrella logs or for supported log schema, you can view our Cisco Umbrella documentation here.
Parsing, Normalizing, & Analyzing
As Panther ingests Cisco Umbrella logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to write detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate data across all of your log sources. You can then use Panther’s various search tools - such as Query Builder, Data Explorer, and Indicator Search - to investigate your normalized logs for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.
Built-in and Easily Customizable Detections
A number of pre-built detections for Cisco Umbrella are available by default in Panther, offering users immediate value for monitoring common IoCs and DNS threats. You can explore our built-in detection coverage for Cisco Umbrella logs here.
With Panther, you aren’t confined to restrictive detections or proprietary languages as seen in most SIEM solutions. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.
Panther generates alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.
Alerts are categorized by five different severity levels: Info, Low, Medium, High, and Critical. Your security team has the ability to dynamically assign severity based on specific log event attributes.
If you have any questions about configuring or monitoring Cisco Umbrella logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.
You can view our documentation on configuring Cisco Umbrella logs here, or customers can sign up for the Panther Community to share best practices or custom detections for Cisco Umbrella logs.
Replacing Traditional SIEM for Cisco Umbrella
With Panther, your team doesn’t have to pay excessive costs to keep up with the growth of cloud app data, struggle with restrictive detection logic, or waste time and resources on operational overhead. Panther was founded by a team of security engineers who struggled with today’s SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for a seamless SIEM solution for Cisco Umbrella, request a demo today.