2 changes: 1 addition & 1 deletion packages/cisco_umbrella/_dev/build/docs/README.md
Expand Up @@ -8,7 +8,7 @@ This integration is for [Cisco Umbrella](https://docs.umbrella.com/). It include

### Compatibility

This integration supports the log schema version 8 and 9.
This integration supports the log [schema version 13](https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning#log-schema-versions).

## What do I need to use this integration?

5 changes: 5 additions & 0 deletions packages/cisco_umbrella/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.33.0"
changes:
- description: Add support for log schema version v13.
type: enhancement
link: https://github.com/elastic/integrations/pull/15791
- version: "1.32.0"
changes:
- description: Update the Cisco Umbrella README to add compatibility information.
Expand Up @@ -215,4 +215,4 @@
}
}
]
}
}
@@ -1,3 +1,4 @@
2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,OUTBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,ALLOW
2020-07-23 18:03:46,[211039844],Passive Monitor,CDFW Tunnel Device,INBOUND,1,84,172.17.3.4,,67.43.156.12,,ams1.edc,12,BLOCK
"2019-01-14 18:03:46","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","","67.43.156.12", "","ams1.edc","12","ALLOW","google.com,apple.com","44,66"
"2019-01-14 18:03:46","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","","67.43.156.12", "","ams1.edc","12","ALLOW","google.com,apple.com","44,66"
"2024-06-14 18:59:57","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","60951","67.43.156.12","443","ams1.edc","12","ALLOW","google.com,apple.com","44,66","1718391597","1718391597","3","3","1108","755","39-42","","eu-central-2b","","","","","\[]","","","","2204063","67.43.156.12","TRUE"
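Review bot: The casi_category_ids column of the new sample line carries a literal backslash, `"\[]"`, and that backslash survives into the expected document as `"casi_category_ids": "\\[]"` in the cloud-firewall expected file; the new IPS sample line in this PR ends with the same `"\[]"` token. An empty list in a real log is presumably written as `[]`, and the backslash looks like the markdown escaping of the documentation example the line was copied from, so confirm the value against a captured log before pinning it in the fixture. If `[]` is the real form, a second row with a non-empty list such as `[1,2]` is worth adding, because a bracketed, comma-separated value inside a CSV field is the case most likely to be mis-split.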
Expand Up @@ -251,6 +251,117 @@
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2024-06-14T18:59:57.000Z",
"cisco": {
"umbrella": {
"casi_category_ids": "\\[]",
"datacenter": "ams1.edc",
"destination_lists_id": "44,66",
"egress": "TRUE",
"first_packet_timestamp": "2024-06-14T18:59:57.000Z",
"fqdns": [
"google.com",
"apple.com"
],
"identities": [
"Passive Monitor"
],
"identity_types": [
"CDFW Tunnel Device"
],
"last_packet_timestamp": "2024-06-14T18:59:57.000Z",
"origin_id": "[211039844]"
}
},
"cloud": {
"availability_zone": "eu-central-2b"
},
"destination": {
"address": "67.43.156.12",
"as": {
"number": 35908
},
"bytes": 755,
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.12",
"packets": 3,
"port": 443
},
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "fw-connection-ALLOW",
"category": [
"network"
],
"id": "39-42",
"kind": "event",
"original": "\"2024-06-14 18:59:57\",\"[211039844]\",\"Passive Monitor\", \"CDFW Tunnel Device\",\"OUTBOUND\",\"1\",\"84\",\"172.17.3.4\",\"60951\",\"67.43.156.12\",\"443\",\"ams1.edc\",\"12\",\"ALLOW\",\"google.com,apple.com\",\"44,66\",\"1718391597\",\"1718391597\",\"3\",\"3\",\"1108\",\"755\",\"39-42\",\"\",\"eu-central-2b\",\"\",\"\",\"\",\"\",\"\\[]\",\"\",\"\",\"\",\"2204063\",\"67.43.156.12\",\"TRUE\"",
"type": [
"allowed",
"connection"
]
},
"log": {
"file": {
"path": "/test/path/cloudfirewalllogs"
}
},
"network": {
"bytes": 1863,
"community_id": "1:7y0Rtnc087ycVA+d/fCa/8i5fTo=",
"direction": "outbound",
"name": [
"Passive Monitor"
],
"packets": 6,
"transport": "1"
},
"observer": {
"product": "Umbrella",
"type": "firewall",
"vendor": "Cisco"
},
"organization": {
"id": "2204063"
},
"related": {
"hosts": [
"google.com",
"apple.com"
],
"ip": [
"172.17.3.4",
"67.43.156.12"
]
},
"rule": {
"id": "12"
},
"source": {
"address": "172.17.3.4",
"bytes": 1108,
"ip": "172.17.3.4",
"nat": {
"ip": "67.43.156.12"
},
"packets": 3,
"port": 60951
},
"tags": [
"preserve_original_event"
]
}
]
}
}
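Review bot: `"egress": "TRUE"` in the new cloud-firewall expected event keeps the CSV text instead of a boolean, so the field cannot be filtered as one; unless it is deliberately mapped as keyword, convert it in the pipeline and expect `"egress": true`. In the same event `fqdns` is split into an array while `destination_lists_id` stays the comma-joined string `"44,66"` and `casi_category_ids` stays `"\\[]"`, so the list-valued columns end up with two different shapes; splitting the id lists the same way as `fqdns` would give consumers one consistent model. `network.transport` is `"1"`, the IANA protocol number, whereas ECS keeps the number in `network.iana_number` and the lowercase keyword (`icmp` for 1) in `network.transport`; this may predate the change, since the earlier events in this file lie outside the hunk.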
@@ -1 +1,2 @@
"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","http://google.com","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab", "Confidential"
"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","http://google.com","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab", "Confidential"
"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","http://google.com","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab", "Confidential","","","dlpprivateresource","","https","67.43.156.12","443","8247177"
Expand Up @@ -44,7 +44,7 @@
}
},
"network": {
"application": "Dropbox",
"application": "dropbox",
Normalizing network.application field to lowercase as per ECS recommendation.

"name": "Network1"
},
"observer": {
Expand All @@ -69,6 +69,100 @@
"path": "",
"scheme": "http"
}
},
{
"@timestamp": "2022-02-15T12:05:45.000Z",
"cisco": {
"umbrella": {
"data_classification": "classification-2",
"data_identifier": "classifier-2.1",
"file_label": "Confidential",
"private_resource_name": "dlpprivateresource",
"severity": "CRITICAL"
}
},
"destination": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.12",
"port": 443
},
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "dlp-BLOCK",
"category": [
"network",
"file"
],
"id": "f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6",
"kind": "event",
"original": "\"2022-02-15 12:05:45\",\"Real Time\",\"f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6\",\"CRITICAL\",\"Network1\",\"\",\"first.xlsx\",\"Dropbox\",\"http://google.com\",\"BLOCK\",\"rule-1\",\"classification-2\",\"classifier-2.1\",\"text/html\",\"48\",\"abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab\", \"Confidential\",\"\",\"\",\"dlpprivateresource\",\"\",\"https\",\"67.43.156.12\",\"443\",\"8247177\"",
"provider": "Real Time",
"severity": 4,
"type": [
"denied",
"connection",
"info"
]
},
"file": {
"hash": {
"sha256": "abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab"
},
"mime_type": "text/html",
"name": "first.xlsx",
"size": 48
},
"log": {
"file": {
"path": "/test/path/dlplogs"
}
},
"network": {
"application": "dropbox",
"name": "Network1",
"protocol": "https"
},
"observer": {
"product": "Umbrella",
"type": "dlp",
"vendor": "Cisco"
},
"organization": {
"id": "8247177"
},
"related": {
"hash": [
"abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab"
],
"ip": [
"67.43.156.12"
]
},
"rule": {
"name": "rule-1"
},
"tags": [
"preserve_original_event"
],
"url": {
"domain": "google.com",
"original": "http://google.com",
"path": "",
"scheme": "http"
}
}
]
}
}
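Review bot: The new DLP expected event carries `"protocol": "https"` under `network` next to `"scheme": "http"` and `"original": "http://google.com"` under `url`, because the new sample line pairs an `http://` URL with an `https` value in the new protocol column. Both values are copied faithfully from the fixture, so the pipeline is not at fault, but a self-contradictory expected document makes a regression in either mapping harder to notice; use an `https://` URL in the new sample line so the two fields agree, then regenerate the expected file.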
Expand Up @@ -13,3 +13,4 @@
"2023-05-05 12:50:00","Ca_redacted, Ch_redacted ([email protected])","Ca_redacted, Ch_redacted ([email protected]),5CG0310TQZ","192.168.1.79","89.160.20.128","Allowed","1 (A)","NOERROR","presence.gcc.teams.microsoft.com.","Software/Technology,Business Services,Allow List,Infrastructure and Content Delivery Networks,Online Meetings,Application,Cloud and Data Centers","AD Users","AD Users,Anyconnect Roaming Client","Allow List"
"2023-05-05 12:40:01","G_redacted, Er_redacted R ([email protected])","G_redacted, Er_redacted R ([email protected]),Mega Corp,MXL952303K","10.245.149.68","81.2.69.144","Allowed","1 (A)","NOERROR","outlook.office365.com.","Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration","AD Users","AD Users,Networks,Anyconnect Roaming Client","Allow List"
"2023-05-05 12:40:01","LastName, Tiredacted M (Ti) ([email protected])","LastName, Tiredacted M (Ti) ([email protected]),5CG0310TPJ","192.168.4.66","81.2.69.192","Allowed","1 (A)","NOERROR","outlook.office365.com.","Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Online Document Sharing and Collaboration","AD Users","AD Users,Anyconnect Roaming Client","Allow List"
"2024-09-11 18:46:00","Active Directory User ([[email protected]](mailto:[email protected]))","Active Directory User ([[email protected]](mailto:[email protected])),WIN11-SNG01-Example","192.168.4.66","81.2.69.192","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Social Networking","AD Users","AD Users,Anyconnect Roaming Client","Social Networking","506165","","8234970"
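Review bot: The identity columns of the new sample line wrap the address in a markdown link, `Active Directory User ([<address>](mailto:<address>))`, while the three existing lines above use the plain `Name (<address>)` form (`<address>` stands for the e-mail address); the bracketed form looks like an artifact of copying the example from rendered documentation rather than from a real log. It propagates unchanged into `cisco.umbrella.identity` and `cisco.umbrella.identities` in the new DNS expected event, so the fixture pins a shape no real log should produce. Rewrite both columns as `Active Directory User (<address>)` to match the lines above and regenerate the expected file; the extracted `user.*` fields should presumably be unaffected.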
Expand Up @@ -1353,6 +1353,104 @@
"id": "[email protected]",
"name": "Tiredacted.LastName"
}
},
{
"@timestamp": "2024-09-11T18:46:00.000Z",
"cisco": {
"umbrella": {
"blocked_categories": [
"Social Networking"
],
"categories": [
"Chat",
"Social Networking"
],
"identities": [
"Active Directory User ([[email protected]](mailto:[email protected]))",
"WIN11-SNG01-Example"
],
"identity": "Active Directory User ([[email protected]](mailto:[email protected]))",
"identity_types": [
"AD Users",
"Anyconnect Roaming Client"
],
"policy_identity_type": "AD Users"
}
},
"dns": {
"question": {
"name": "domain-visited.com",
"registered_domain": "domain-visited.com",
"top_level_domain": "com",
"type": "1 (A)"
},
"response_code": "NOERROR",
"type": "query"
},
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "dns-request-Blocked",
"category": [
"network"
],
"kind": "event",
"original": "\"2024-09-11 18:46:00\",\"Active Directory User ([[email protected]](mailto:[email protected]))\",\"Active Directory User ([[email protected]](mailto:[email protected])),WIN11-SNG01-Example\",\"192.168.4.66\",\"81.2.69.192\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"domain-visited.com.\",\"Chat,Social Networking\",\"AD Users\",\"AD Users,Anyconnect Roaming Client\",\"Social Networking\",\"506165\",\"\",\"8234970\"",
"type": [
"denied",
"connection"
]
},
"host": {
"name": "win11-sng01-example"
},
"log": {
"file": {
"path": "/test/path/dnslogs"
}
},
"observer": {
"product": "Umbrella",
"type": "dns",
"vendor": "Cisco"
},
"organization": {
"id": "8234970"
},
"related": {
"hosts": [
"win11-sng01-example",
"domain-visited.com"
],
"ip": [
"192.168.4.66",
"81.2.69.192"
],
"user": [
"adusername"
]
},
"rule": {
"id": "506165"
},
"source": {
"address": "192.168.4.66",
"ip": "192.168.4.66",
"nat": {
"ip": "81.2.69.192"
}
},
"tags": [
"preserve_original_event"
],
"user": {
"domain": "example.net",
"email": "[email protected]",
"full_name": "Active Directory User",
"id": "[email protected]",
"name": "adusername"
}
}
]
}
}
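Review bot: `dns.question.type` in the new event is `"1 (A)"`, the raw Umbrella column, whereas ECS expects the record type name alone (`"A"`); splitting off the numeric prefix in the pipeline would let the field match queries written against other DNS sources. This may predate the change, since the earlier events in this file are outside the hunk, but the new fixture row is the natural place to pin the corrected value. Separately, `related.user` lists only `adusername` while `user.email` and `user.id` carry the full address; adding the address to `related.user` keeps the pivot list complete.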
@@ -1 +1,2 @@
"2022-04-12 16:14:09","Firewall Tunnel 1","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","1323","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","172.17.3.4","33010","67.43.156.12","443","Would Block"
"2022-04-12 16:14:09","Firewall Tunnel 1","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","1323","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","172.17.3.4","33010","67.43.156.12","443","Would Block"
"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","172.17.3.4","80","67.43.156.12","40762","Would Block","IDS","50516","S2C","21171","PROFILE","eu-central-2b","","\[]","DEN1","8151514","67.43.156.12","TRUE","FTD","12321321312",""