Cisco Umbrella is a platform for monitoring and maintaining the DNS-layer security across your network. It monitors network activity and detects behavior like DNS hijacking, spoofing, and other attacks. It can then reroute or block potentially malicious requests before they reach endpoints. However, while Umbrella’s DNS-layer security blocks malicious domains, the sheer volume of DNS and proxy logs it generates can overwhelm security teams.
Datadog’s Cisco Umbrella DNS integration enables you to collect and process DNS and proxy logs. Security teams can then visualize, generate metrics, and alert on data including DNS requests, blocked domains, proxied traffic—all from a centralized platform. In this post, we’ll look at how you can use Datadog Cloud SIEM to get out-of-the-box automatic detection of suspicious network activity as well as enhanced visibility into your security posture with enhanced dashboards.
Centralize Your Cisco Umbrella DNS Logs
With Datadog’s content pack for Cisco Umbrella DNS logs, you can get started quickly by deploying threat detection rules and accessing a customizable dashboard. From the content pack, you can seamlessly enable the integration and begin ingesting DNS and proxy logs. Datadog Log Management’s log-processing pipeline normalizes and enriches these logs, allowing for efficient searching, and analysis at any scale.
You can retain all of your Cisco Umbrella logs for a standard 15 months, or variably with Flex Logs to accommodate different use cases. Either way, being able to cost-effectively store log data supports historical investigations of deeply embedded threats and sophisticated attacks that usually occur across long periods of time.
Automatically detect threats with detection rules
Datadog Cloud SIEM continuously scans your Cisco Umbrella DNS logs as it ingests and processes them, and generates security signals if it detects potentially malicious activity. You can then seamlessly correlate security signals with observability data and third-party alerts, providing comprehensive threat visibility. You can create custom detection rules or use out-of-the-box rules developed by our dedicated security research team (which are aligned with the MITRE ATT&CK® framework) to automate alerts and remediation for suspicious activities. Pre-configured rules trigger high- or medium-priority signals for events such as access to personal networks or unsafe URL requests, ensuring swift and effective incident response.
Detect access to a personal network
The Access to a Personal Network detection rule identifies when a host accesses content related to personal VPNs or dynamic and residential IPs, indicating that a user may have connected to their personal network through a proxy. This rule is critical for preventing unauthorized or risky behavior that could bypass organizational security controls. Once triggered, the response involves verifying whether the access complies with company policies, contacting the user to confirm their intent, blocking the URL if access is not permitted, and initiating incident response if the activity requires further investigation. This helps ensure that personal network access does not expose the organization to potential risks.
Detect allowed requests to an unsafe URL category
The Access to Unsafe Categories detection rule monitors proxy logs for allowed requests to URLs associated with unsafe categories, such as hacking, illegal activities, terrorism, and explicit content. This rule helps identify potential security risks by flagging user access to harmful or inappropriate content. Once triggered, the response involves evaluating whether the site violates the organization’s acceptable use policy, contacting the user for clarification, blocking the URL if necessary, and escalating to incident response if further investigation is required. This proactive monitoring helps protect the network from malicious or high-risk content.
If Datadog detects any of this activity, it generates a security signal with additional context and possible remediation steps. You can easily triage and prioritize signals from a unified explorer. You can also customize signals to trigger notifications, including through Datadog On-Call, so that security teams are alerted to critical issues.
Monitor Cisco Umbrella DNS logs and understand network activity with out-of-the-box dashboards
Datadog provides two customizable out-of-the-box dashboards that deliver a high-level view of DNS and proxied network activity, offering essential insights that help security teams quickly assess the health and security of their environment.
The DNS Traffic dashboard includes key widgets that summarize total requests, blocked requests, and allowed requests to provide an immediate snapshot of overall traffic, allowing users to gauge how effectively their security measures are working.
The dashboard also highlights critical data points such as Top DNS Query Types and Top Identities, helping teams identify the most frequent DNS queries and the users or devices generating the most traffic. The ability to analyze both external and internal DNS requests, along with categorized traffic details, offers a more granular understanding of potential threats and network behavior.
The Cisco Umbrella Proxied Traffic dashboard visualizes key metrics like total, blocked, and allowed proxied traffic. The Proxied Traffic Over Time widget highlights trends and patterns, helping to identify spikes or anomalies in web traffic that may indicate security issues.
Additionally, the dashboard provides detailed insights into traffic drivers, displaying top internal and external IPs, categories, and web content types to help identify key sources of web traffic. With further data on request distribution, bytes sent and received, and top identities, security teams can track how data is moving through the network and identify any unusual or unauthorized activity. This detailed view enables more effective security monitoring and quicker threat detection.
Get deeper security visibility into your Cisco Umbrella logs with Datadog Cloud SIEM
Datadog’s Cisco Umbrella DNS logs integration and Cloud SIEM content pack provide you with deep visibility into your network traffic to quickly detect and remediate security issues to secure your environment against threats. For more information, you can view the integration configuration guide. If you’re already a Datadog customer, you can start exploring the Cisco Umbrella DNS Logs content pack now. Or you can get started today with a 14-day free trial.