Consolidated Web Security Reporting with Cisco Advanced Web Security Reporting (AWSR) Guide

Updated: March 25, 2021

Introduction

The Cisco® Web Security Reporting application is a reporting solution that rapidly indexes and analyzes logs produced by Cisco Secure Web Appliance and Umbrella. This tool provides scalable reporting for customers with high traffic and storage needs. It allows reporting administrators to gather detailed insight into web usage and malware threats.

Starting from the AWSR 6.2 release, support has been added for Cisco Umbrella logs to provide predefined consolidated web security reports across Secure Web Appliance and Umbrella.

Customers can also perform searches using filters, a timeline view, web-tracking forms, and customized dashboards. Umbrella logs are integrated with Advanced Web Security Reporting (AWSR) through an Amazon Web Services (AWS) S3 bucket. Secure Web Appliance logs are exported using syslog or FTP. Figure 1 shows the logical architecture of Consolidated Web Security Reporting.

Figure 1. Consolidated web security reporting architecture

Cisco AWSR 6.2 provides a new tab called Consolidated Web Security Reports (Figure 2).

Figure 2. Consolidated web security reports tab

Step 1: Exporting logs from Cisco Umbrella

To export logs from Cisco Umbrella, you have to set up an S3 bucket in AWS.

1.     In the Umbrella console go to Settings > Log Management.

2.     Click the “Click here” link for more details on how to set up the S3 bucket in AWS.

For help, visit: https://support.umbrella.com/hc/en-us/articles/231248448.

3.     After setting up the S3 bucket, click the Amazon S3 link.

4.     This will take you to the screen where you have to enter the name of the S3 bucket.

5.     After entering the S3 bucket name (example: ismeet-umb), click VERIFY.

6.     The screen will display “Verification Successful.” If it fails, please return to Step 2.

7.     Now enter the token from the “README_FROM_UMBRELLA” file hosted in the S3 bucket.

8.     Click on the file name and download it to your local system.

9.     Extract the token from this file.

10.  Enter the token in the Umbrella Log Management console and click SAVE.

11.  The status will now change to green and read “Enabled.”

This concludes the configuration on the Umbrella console.

12.  Please check the Dnslogs folder in your S3 bucket to see if you are getting logs.

Step 2: Exporting the access key from the AWS console

1.     Please log in to the AWS console with your user name and password.

2.     Go to IAM > Users > [User Name] > Security Credentials.

3.     Create an access key and download the CSV file. (Keep the key handy.)

4.     The screen will show that the key is active.
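
The access key created in this step is a long-lived credential that is later stored in AWSR (Step 3), so the IAM user behind it should be limited to reading the log bucket. The following added example (not part of the Cisco guide) audits an IAM policy document for grants wider than that; it assumes AWSR only needs s3:ListBucket and s3:GetObject on the bucket, and both sample policies are constructed.

```python
import json

BUCKET = "ismeet-umb"  # example bucket name used in this guide
# Assumption: AWSR only lists the bucket and reads the exported log objects.
ALLOWED_ACTIONS = {"s3:listbucket", "s3:getobject"}
ALLOWED_RESOURCES = {f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"}

# Constructed sample policies, not taken from any real account.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::ismeet-umb"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::ismeet-umb/*"}
  ]
}""")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for Allow statements wider than read-only on BUCKET."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:  # action names are case-insensitive
                findings.append(f"statement {i}: action {action} exceeds read-only")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in ALLOWED_RESOURCES:
                findings.append(f"statement {i}: resource {resource} is outside {BUCKET}")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or "OK")
```

Run it against the policy JSON attached to the IAM user before handing the key to AWSR; an empty list means the key can only list and read the log bucket.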

Step 3: Configuring AWSR to integrate Umbrella logs using the S3 bucket

1.     Log in to the AWSR and make sure you are running AWSR version 6.2 or later.

2.     Go to Settings > Data > Data inputs.

3.     Under Data inputs, click Cisco CWS/Umbrella logs.

4.     Click New.

Enter the following:

Name: Umbrella Logs

Client ID: [S3 bucket name] (example: ismeet-umb)

S3_Key: [access key ID] (downloaded from the AWS Access Keys file)

S3_secret: [Secret access key] (downloaded from the AWS Access Keys file)

Click the checkbox for more settings and enter the following:

Interval: 3600 (change it to 60 seconds to check the logs; you can later change it back to 3600 or longer)

Source type: [From list]

Select sourcetype: ciscoumbrella

Host: ciscoumbrealla

Index: default

5.     Click Save to start populating the logs.

Step 4: Consolidated web security reporting tab

This tab consolidates data for both the Secure Web Appliance and the Umbrella logs.

Overview

The Overview gives you a complete picture of web activities within the time period selected by the administrator. A specific data source (Secure Web Appliance or Umbrella) can also be selected.

Activity search

You can run a joint search on both Secure Web Appliance and Umbrella based on users and identities, domains, transaction types, multiple URL categories, multiple malware categories, and even hosts.

You can export these searches to PDF, CSV, XML, and JSON files.

Security activity

This panel focuses on malware. You can look at both Secure Web Appliance and Umbrella data.

Top Domains

In this panel you can view the top 10 domains browsed during the time frame selected by the admin. Here the data source is Secure Web Appliance. (This is an example of using filters.)

You can drill down in these domains. For example, you can see activity on Poker.com.

Top categories

In this panel you can see the top 10 categories from both Secure Web Appliance and Umbrella. Here the Transaction Type filter Blocked has been chosen.

You can drill down in a specific category (for example, Secure Web Appliance: Gambling).

Top users

This panel lists the top 10 users. It shows the requests for each solution and then calculates the total requests across the Secure Web Appliance and Umbrella logs.

More precise details can be displayed in the User drilldown panel.

Top security categories

This panel lists the top 10 malware categories seen by the Secure Web Appliance and Umbrella solutions.

You can get more detailed information in the drilldown panel. (Example: UMB:Malware.)

Step 5: Using custom filters for customized reports

We have data coming in from both Secure Web Appliance and Umbrella. We can therefore create consolidated, customized dashboards and reports that can be presented to management or consumers, for example a customized dashboard built with custom filters.

For more detail on the custom filters, please refer to Chapter 2 of the AWSR 6.0 User Guide.

For more information

For more information about Cisco Advanced Web Security Reporting, please read the data sheet.