Cisco Umbrella
Cisco Umbrella uses the internet infrastructure to block malicious destinations before a connection is ever established.
Cisco Umbrella configuration
You can find how to configure this service by following the official documentation on its official website. Furthermore, the logs generated by this service must be configured to be exported to an S3 bucket; you can find how to do that in the log management section of the official documentation.
Wazuh configuration
Note
The log type must be appended to the path tag, as in the following example. dnslogs, proxylogs, and iplogs are currently supported. Each one must be defined in its own bucket tag.
Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following block (this example is for dnslogs and proxylogs; it is not required to add both):

  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>
    <bucket type="cisco_umbrella">
      <name>cisco-managed-us-east-1</name>
      <path>123456_abcdef0123456789/dnslogs</path>
      <aws_profile>default</aws_profile>
    </bucket>
    <bucket type="cisco_umbrella">
      <name>cisco-managed-us-east-1</name>
      <path>123456_abcdef0123456789/proxylogs</path>
      <aws_profile>default</aws_profile>
    </bucket>
  </wodle>
Note
Check the AWS S3 module reference manual to learn more about each setting.
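As an added illustration (not part of the Wazuh documentation or its code), the following Python script checks an ossec.conf fragment for the constraints stated in the note above: every cisco_umbrella bucket path must end in exactly one supported log type, and each type needs its own bucket tag. The embedded sample configuration is constructed for the check; the supported type names come from the note.

```python
import xml.etree.ElementTree as ET

SUPPORTED_LOG_TYPES = ("dnslogs", "proxylogs", "iplogs")

# Constructed sample: the dnslogs bucket from the page, plus two common mistakes
# (a path with no log type, and two log types crammed into one bucket tag).
SAMPLE_CONFIG = """
<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <bucket type="cisco_umbrella">
      <name>cisco-managed-us-east-1</name>
      <path>123456_abcdef0123456789/dnslogs</path>
      <aws_profile>default</aws_profile>
    </bucket>
    <bucket type="cisco_umbrella">
      <name>cisco-managed-us-east-1</name>
      <path>123456_abcdef0123456789</path>
    </bucket>
    <bucket type="cisco_umbrella">
      <name>cisco-managed-us-east-1</name>
      <path>123456_abcdef0123456789/dnslogs,proxylogs</path>
    </bucket>
  </wodle>
</ossec_config>
"""

def check_umbrella_buckets(config_text: str) -> list[str]:
    """Return one message per misconfigured cisco_umbrella bucket (empty list = all good).
    ossec.conf may contain several <ossec_config> roots, so wrap the text in a dummy root."""
    root = ET.fromstring("<root>" + config_text + "</root>")
    problems = []
    for wodle in root.iter("wodle"):
        if wodle.get("name") != "aws-s3":
            continue
        for bucket in wodle.findall("bucket"):
            if bucket.get("type") != "cisco_umbrella":
                continue
            path = (bucket.findtext("path") or "").strip().rstrip("/")
            # The last path segment must name exactly one supported log type.
            log_type = path.rsplit("/", 1)[-1]
            if log_type not in SUPPORTED_LOG_TYPES:
                problems.append(f"path '{path}' must end in one of {SUPPORTED_LOG_TYPES}")
            if not (bucket.findtext("name") or "").strip():
                problems.append(f"bucket with path '{path}' has no <name>")
    return problems
```

Run it against the real file with `check_umbrella_buckets(open("/var/ossec/etc/ossec.conf").read())` before restarting the manager or agent.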
Restart Wazuh in order to apply the changes:
If you're configuring a Wazuh manager:
For Systemd:
# systemctl restart wazuh-manager
For SysV Init:
# service wazuh-manager restart
If you're configuring a Wazuh agent:
For Systemd:
# systemctl restart wazuh-agent
For SysV Init:
# service wazuh-agent restart