Consolidated Web Security Reporting with Cisco Advanced Web Security Reporting (AWSR) Guide

 

Introduction

The Cisco^® Web Security Reporting application is a reporting solution that rapidly indexes and analyzes logs produced by Cisco Secure Web Appliance and Umbrella. This tool provides scalable reporting for customers with high traffic and storage needs. It allows reporting administrators to gather detailed insight into web usage and malware threats.

Starting from the AWSR 6.2 release, support has been added for Cisco Umbrella logs to provide predefined consolidated web security reports across Secure Web Appliance and Umbrella.

Customers can also perform searches using filters, a timeline view, web-tracking forms, and customized dashboards. The integration of Umbrella logs with Advanced Web Security Reporting (AWSR) is done using the Amazon Web Services (AWS) S3 bucket. Secure Web Appliance logs are exported using syslog or FTP. Below is the logical diagram on Consolidated Web Security Reporting architecture (Figure 1).

Consolidated web security reporting architecture

Cisco AWSR 6.2 provides a new tab called as Consolidated Web Security Reports (Figure 2).

Consolidated web security reports tab

Step 1: Exporting logs from Cisco umbrella

To export logs from Cisco Umbrella, you have to setup a S3 bucket in AWS.

1.     In the Umbrella console go to Settings > Log Management.

2.     Click on the “Click here” link for more details on how to setup the S3 bucket in AWS.

For help, visit: https://support.umbrella.com/hc/en-us/articles/231248448.

3.     After setting up the S3 bucket, click the Amazon S3 link.

4.     This will take you to the screen where you have to enter the name of the S3 bucket.

5.     After entering the S3 bucket name (example: ismeet-umb), click VERIFY.

6.      The screen will display “Verification Successful.” If it fails, please return to Step 2.

7.     Now enter the token from the “README_FROM_UMBRELLA” file hosted in the S3 bucket.

8.     Click on the file name and download it to your local system.

9.     Extract the token from this file as seen below:

10.  Mention the token in the Umbrella Log Management console and click on SAVE.

11.  The status will now change to green, and it will say as “Enabled.”

This concludes the configuration on the Umbrella console.

12.  Please check the Dnslogs folder in your S3 bucket to see if you are getting logs.

Step 2: Exporting the access key from the AWS console

1.     Please log in to the AWS console with your user name and password.

2.     Go to IAM > Users > [User Name] > Security Credentials.

3.     Create an access key and download the CSV file. (Keep the key handy.)

4.     The screen will show that the key is active.

Step 3: Configuring AWSR to integrate umbrella logs using the S3 bucket

1.     Log in to the AWSR and make sure you are running AWSR version 6.2 or later.

2.     Go to Settings > Data > Data inputs.

3.     Under data inputs click on the Cisco CWS/Umbrella logs.

4.      Click on new.

Enter the following:

Name: Umbrella Logs

Client ID: [S3 bucket name] (example: ismeet-umb)

S3_Key: [access key ID] (downloaded from the AWS Access Keys file)

S3_secret: [Secret access key] (download from the AWS Access Keys file)

Click the checkbox for more settings and enter the following:

Interval: 3600 (change it to 60 seconds to check the logs; and later you can be change it back to 3600 or longer)

Source type: [From list]

Select sourcetype: ciscoumbrella

Host: ciscoumbrealla

Index: default

5.     Click Save to start populating the logs.

Step 4: Consolidated web security reporting tab

This tab consolidates data for both the Secure Web Appliance and the Umbrella logs.

Overview

The Overview gives you a complete picture of web activities within the time period selected by the administrator. A specific data source (Secure Web Appliance or Umbrella) can also be selected.

Activity search

You can run a joint search on both Secure Web Appliance and Umbrella based on users and identities, domains, transaction types, multiple URL categories, multiple malware categories, and even hosts.

You can export these searches to PDF, CSV, XML, and JSON files.

Security activity

This panel focuses on malware. You can look at both Secure Web Appliance and Umbrella data.

Top Domains

In this panel you can view the top 10 domains browsed during the time frame selected by the admin. Here the data source is Secure Web Appliance. (This is an example of using filters.)

You can drill down in these domains. For example, you can see activity on Poker.com.

Top categories

In the panel you can see the top 10 categories from both Secure Web Appliance and Umbrella. Here the Transaction Type filter Blocked has been chosen.

You can drill down in a specific category. (For example, Secure Web Appliance: Gambling).

Top users

This panel lists the top 10 users. It shows the solution requests and then calculates the total requests in conjunction with Secure Web Appliance and Umbrella logs.

More precise details can be displayed in the User drilldown panel.

Top security categories

This panel lists the top 10 malware categories seen by Secure Web Appliance and Umbrella solution.

You can get more detailed information in the drilldown panel. (Example: UMB:Malware.)

Step 5: Using custom filters for customized reports

We have data coming in from both Secure Web Appliance and Umbrella. We can therefore create a consolidated customized dashboards and reports that can be presented to the management or consumers. An example of a custom filters and customized dashboard is shown here:

For more detail on the custom filters, please refer to Chapter 2 of the AWSR 6.0 User Guide.

For more information

For more information about Cisco Advanced Web Security Reporting, please read the data sheet.