Cisco Cloud Security
Solution: CiscoUmbrella
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com/ |
| Categories | domains |
| Version | 3.0.10 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-04-01 |
| Last Updated | 2026-03-18 |
| Solution Folder | CiscoUmbrella |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (83%) |
The Cisco Cloud Security solution for Microsoft Sentinel enables you to ingest Cisco Secure Access and Cisco Umbrella logs stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API
Additional Information
📖 Vendor Documentation: Cisco Umbrella Log Formats - Log formats and versioning guide
Contents
Data Connectors
This solution provides 2 data connector(s):
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g.
_s,_d,_b,_t,_g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
Tables Used
This solution uses 12 table(s):
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g.
_s,_d,_b,_t,_g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
Content Items
This solution includes 26 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Playbooks | 4 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules
Hunting Queries
Workbooks
Playbooks
| Name | Description | Tables Used |
|---|---|---|
| CiscoUmbrella-AddIpToDestinationList | This playbook creates a team notification and once acted on team notification it adds the IP to Cisc... | - |
| CiscoUmbrella-AssignPolicyToIdentity | This playbook provides an automated way to associate an identity to an existing policy in Cisco Clou... | - |
| CiscoUmbrella-BlockDomain | This playbook showcases an example of triggering an incident within a targeted Teams channel and ope... | - |
| CiscoUmbrella-GetDomainInfo | This playbook is used to get Security Information about a particular domain. It provides details suc... | - |
Parsers
| Name | Description | Tables Used |
|---|---|---|
| Cisco_Umbrella | - | Cisco_Umbrella_audit_CL (read)Cisco_Umbrella_cloudfirewall_CL (read)Cisco_Umbrella_dlp_CL (read)Cisco_Umbrella_dns_CL (read)Cisco_Umbrella_fileevent_CL (read)Cisco_Umbrella_intrusion_CL (read)Cisco_Umbrella_ip_CL (read)Cisco_Umbrella_proxy_CL (read)Cisco_Umbrella_ravpnlogs_CL (read)Cisco_Umbrella_ztaflow_CL (read)Cisco_Umbrella_ztna_CL (read) |
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
| 3.0.10 | 23-03-2026 | Added null-byte sanitization for corrupted state manager timestamps in Data Connector to prevent crashes on corrupted Azure File Share markers. Added null-byte stripping in date formatting to handle corrupted date fields from csv file. |
| 3.0.9 | 13-03-2026 | Moved csv.field_size_limit to module level so all 12 CSV parsers are covered. Added csv.Error guardrail to prevent a single oversized row from stalling ingestion. Consolidated null-byte stripping into unpack_file() to prevent _csv.Error on embedded NUL characters across all parsers. |
| 3.0.8 | 29-01-2026 | The Data connector has been updated to support large fields. |
| 3.0.7 | 28-11-2025 | The Data connector has been updated to support up to version 14 log versioning for the Cisco log format, and the parser to include all tables. |
| 3.0.6 | 01-09-2025 | Added a new data connector, 'CiscoUmbrella_API_FunctionApp_elasticpremium.json' |
| 3.0.5 | 21-06-2025 | To expand support for Cisco Umbrella data in KQL validation tests and to standardize the naming of analytic rules |
| 3.0.4 | 15-05-2025 | Updating documentation to reflect support for Cisco Umbrella log schema version 11 |
| 3.0.3 | 30-12-2024 | Update Playbooks AddIpToDestination, AssignPolicyToIdentity, GetDomainInfo as v1 version of CiscoUmbrella APIs are deprecated and Urls are also changed for this. Cisco Umbrella Enforcement API has not been deprecated. Repackage of solution. |
| 3.0.2 | 20-09-2024 | Update Analytic rules for Entity mapping and missing TTP and Updated the python runtime version to 3.11 |
| 3.0.1 | 03-05-2024 | Added Deploy to Azure Government button in Data connector
Fixed Parser issue for Parser name and ParentID mismatch|
| 3.0.0 | 28-09-2023 | Updated Data Connector with step by step guidelines |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊