Cisco Umbrella provides an API that lets your Blumira sensor retrieve event data directly from Umbrella.
Important: If you are a Managed Service Provider (MSP) or if you have a multi-tenant Umbrella account, this procedure does not accurately represent the steps you will go through in Umbrella before configuring Blumira. For example, you will need to obtain the same credentials for use by the Blumira platform, but the location and steps to obtain the credentials in Umbrella are different. Also, you must ensure all credentials and settings are at the customer level in Umbrella, not the global MSP level.
Before you begin
Before you can configure Blumira to retrieve logs from Cisco Umbrella, you must gather your Cisco Umbrella Organization ID and Reporting API Key and Secret. To gather this information:
- Go to the Umbrella Admin Console and follow the steps in Find Your Organization ID to obtain the Organization ID. This is typically a 7-digit number in the URL, shown as <OrgID> in the following example:
- Follow the steps in Generate an API Key to gather your Umbrella Reporting API Key and Secret.
Providing API credentials to Blumira
As a Blumira Administrator, add a new module to a Blumira sensor and enter the credentials in it so that the sensor can connect to the Umbrella API.
To add a module on an existing sensor and provide credentials:
- In Blumira, click Settings.
- Click Sensors.
- Click the sensor on which you want to add a module.
- On the detail page for the sensor, scroll down and click Add Module.
- In the Add New Module window, select the newest version of this integration's module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
- Enter the credentials that you gathered in the "Before you begin" section above.
- (Optional) Type a name for this log deployment in the Log Source Name box. This name appears in the "device_address" column in the results of your event data queries. If you might later add modules that collect logs for other integrations, this name will help you distinguish them. Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
- Click Install.
Note: To include client names in the Umbrella logs, you must configure Active Directory integration with Umbrella. See Cisco Umbrella AD Integration for more information.