Cisco Umbrella

Cisco Umbrella uses the internet infrastructure to block malicious destinations before a connection is ever established.

Cisco Umbrella configuration

Follow the official Cisco Umbrella documentation to configure the service. For this integration it is also mandatory to export the logs generated by the service to an S3 bucket; the log management section of the official documentation explains how to do that.

Policy configuration

To create a policy using the Amazon Web Services console, follow the AWS documentation.

Note that the policies below follow the principle of least privilege, so that the Wazuh user is granted only the minimum permissions it needs.

To allow an AWS user to use the module with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

Note

<bucket-name> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Once a policy has been created, there are different methods available to attach it to a user, such as attaching it directly to the user or to a group to which the user belongs. The AWS documentation provides more information on how to perform those tasks.

Wazuh configuration

Note

The log type must be appended to the value of the path tag, as in the example below. dnslogs, proxylogs, and iplogs are currently supported, and each one must be defined in its own bucket tag.

  1. Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following block (this example configures both dnslogs and proxylogs; adding both is not required):

    <wodle name="aws-s3">

      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>

      <bucket type="cisco_umbrella">
        <name>cisco-managed-us-east-1</name>
        <path>123456_abcdef0123456789/dnslogs</path>
        <aws_profile>default</aws_profile>
      </bucket>

      <bucket type="cisco_umbrella">
        <name>cisco-managed-us-east-1</name>
        <path>123456_abcdef0123456789/proxylogs</path>
        <aws_profile>default</aws_profile>
      </bucket>

    </wodle>

    Note

    Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart Wazuh in order to apply the changes:

    • If you're configuring a Wazuh manager:

      # systemctl restart wazuh-manager
      
    • If you're configuring a Wazuh agent:

      # systemctl restart wazuh-agent
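A quick pre-restart check for the rule in the note above (every cisco_umbrella bucket path must end in dnslogs, proxylogs or iplogs, one log type per bucket tag, no bucket listed twice), written here as an added example that is not part of the Wazuh documentation or code base. It parses the aws-s3 wodle from ossec.conf with Python's standard library; the sample configuration is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Log types the docs list as supported for the cisco_umbrella bucket type.
SUPPORTED_LOG_TYPES = {"dnslogs", "proxylogs", "iplogs"}

def check_umbrella_buckets(ossec_conf: str) -> list:
    """Return problems found in the cisco_umbrella <bucket> tags of the aws-s3 wodle;
    an empty list means every <path> ends in a supported log type, defined once."""
    # ossec.conf may hold several top-level <ossec_config> elements, which is not
    # well-formed XML on its own, so wrap the file in a synthetic root first.
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    problems, seen = [], set()
    for wodle in root.iter("wodle"):
        if wodle.get("name") != "aws-s3":
            continue
        for bucket in wodle.findall("bucket"):
            if bucket.get("type") != "cisco_umbrella":
                continue
            name = (bucket.findtext("name") or "").strip()
            path = (bucket.findtext("path") or "").strip().strip("/")
            log_type = path.rsplit("/", 1)[-1]  # the docs put the log type last
            if log_type not in SUPPORTED_LOG_TYPES:
                problems.append(f"path {path!r} does not end with a supported log type")
                continue
            if (name, path) in seen:
                problems.append(f"bucket {name}/{path} is defined more than once")
            seen.add((name, path))
    return problems

# Constructed sample: the docs' dnslogs bucket (valid) plus two broken ones,
# one missing the log type entirely and one with a misspelled type.
SAMPLE_CONF = """<ossec_config>
  <wodle name="aws-s3">
    <bucket type="cisco_umbrella">
      <name>cisco-managed-us-east-1</name>
      <path>123456_abcdef0123456789/dnslogs</path>
    </bucket>
    <bucket type="cisco_umbrella">
      <name>cisco-managed-us-east-1</name>
      <path>123456_abcdef0123456789</path>
    </bucket>
    <bucket type="cisco_umbrella">
      <name>cisco-managed-us-east-1</name>
      <path>123456_abcdef0123456789/iplog</path>
    </bucket>
  </wodle>
</ossec_config>"""

if __name__ == "__main__":
    for problem in check_umbrella_buckets(SAMPLE_CONF):
        print("ERROR:", problem)
```

Run it against the real file with `check_umbrella_buckets(open("/var/ossec/etc/ossec.conf").read())` before restarting the manager or agent.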