Collect Cisco Secure Access logs
This document explains how to ingest Cisco Secure Access logs into Google Security Operations using Amazon S3.
Cisco Secure Access is a cloud-delivered Security Service Edge (SSE) solution that provides zero trust network access, secure web gateway, cloud-delivered firewall, DNS-layer security, and data loss prevention. It unifies multiple security functions to protect users and devices accessing applications from any location.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Privileged access to Cisco Secure Access with the Full Admin user role
- Privileged access to AWS (S3, IAM)
Configure an Amazon S3 bucket for Cisco Secure Access
- Sign in to the AWS Management Console.
- Go to Amazon S3 > Buckets.
- Click Create bucket.
- Enter a unique Bucket name (for example, cisco-secure-access-logs).
- Select the AWS Region where the bucket should be created.
- Leave the remaining settings as default and click Create bucket.
- Select the newly created bucket.
- Go to Permissions > Bucket policy.
- Click Edit and paste the following JSON policy, replacing bucketname with your actual bucket name:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::568526795995:user/logs" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname"
    }
  ]
}
```

- Click Save changes.
Configure an AWS S3 IAM user for Google SecOps
- In the AWS Management Console, go to IAM > Users.
- Create a User following this user guide: Creating an IAM user.
- Select the created User.
- Select Security credentials tab.
- Click Create Access Key in the Access Keys section.
- Select Third-party service as Use case.
- Click Next.
- Optional: Add a description tag.
- Click Create access key.
- Click Download .csv file to save the Access Key and Secret Access Key for future reference.
- Click Done.
- Select Permissions tab.
- Click Add permissions in the Permissions policies section.
- Select Add permissions.
- Select Attach policies directly.
- Search for AmazonS3FullAccess policy.
- Select the policy.
- Click Next.
- Click Add permissions.
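The bucket policy in the previous section is write-only for the Cisco principal (PutObject is allowed, GetObject is explicitly denied, and only ListBucket and GetBucketLocation are allowed at bucket level), while the IAM user created here gets the much broader AmazonS3FullAccess. The following Python is an added example, not code from Google SecOps or Cisco: it fills the page's bucket policy template with a real bucket name, checks a pasted policy against that intent, and renders a scoped alternative identity policy for the Google SecOps user. The function names, the bucket name validation and the assumption that the Amazon S3 V2 feed only needs list/read (plus delete when a source deletion option is chosen) are mine, not the page's.

```python
import json
import re

# Principal that Cisco Secure Access writes from (taken from the bucket policy above).
CISCO_LOG_WRITER = "arn:aws:iam::568526795995:user/logs"

# Bucket policy exactly as given in the procedure, placeholder bucket name still in place.
BUCKET_POLICY_TEMPLATE = json.dumps({
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow", "Principal": {"AWS": CISCO_LOG_WRITER},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucketname/*"},
        {"Sid": "", "Effect": "Deny", "Principal": {"AWS": CISCO_LOG_WRITER},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucketname/*"},
        {"Sid": "", "Effect": "Allow", "Principal": {"AWS": CISCO_LOG_WRITER},
         "Action": "s3:GetBucketLocation", "Resource": "arn:aws:s3:::bucketname"},
        {"Sid": "", "Effect": "Allow", "Principal": {"AWS": CISCO_LOG_WRITER},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucketname"},
    ],
}, indent=2)

# What the procedure intends for the writer: object writes plus two bucket-level reads,
# and never reading objects back.
WRITER_ALLOW = {"s3:PutObject", "s3:GetBucketLocation", "s3:ListBucket"}
WRITER_DENY = {"s3:GetObject"}

# S3 bucket naming rule: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET_NAME_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def _require_bucket_name(bucket):
    if not BUCKET_NAME_RE.fullmatch(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")


def render_bucket_policy(bucket):
    """Fill the page's template with a real bucket name (the 'replace bucketname' step)."""
    _require_bucket_name(bucket)
    return BUCKET_POLICY_TEMPLATE.replace("arn:aws:s3:::bucketname", f"arn:aws:s3:::{bucket}")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy_json, bucket, writer_arn=CISCO_LOG_WRITER):
    """Return findings where the policy departs from the procedure; [] means it matches."""
    findings, allowed, denied = [], set(), set()
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals = ["*"]
        elif isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = []
        if "*" in principals:
            findings.append(f"a statement grants {stmt.get('Effect')} to every AWS principal")
        if writer_arn not in principals:
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource not in (bucket_arn, bucket_arn + "/*"):
                findings.append(f"writer statement references unexpected resource {resource}")
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(_as_list(stmt.get("Action")))
    findings += [f"writer is missing Allow for {a}" for a in sorted(WRITER_ALLOW - allowed)]
    findings += [f"writer has an extra Allow for {a}" for a in sorted(allowed - WRITER_ALLOW)]
    findings += [f"writer is not explicitly denied {a}" for a in sorted(WRITER_DENY - denied)]
    return findings


def feed_reader_policy(bucket, allow_delete=False):
    """Identity policy for the Google SecOps IAM user, scoped to this one bucket.

    Assumption (mine, not the page's): the Amazon S3 V2 feed needs to list the bucket
    and read objects, and needs DeleteObject only when a source deletion option is set.
    This is the narrow alternative to attaching AmazonS3FullAccess.
    """
    _require_bucket_name(bucket)
    object_actions = ["s3:GetObject"] + (["s3:DeleteObject"] if allow_delete else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": object_actions,
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


if __name__ == "__main__":
    name = "cisco-secure-access-logs"  # example bucket name from the procedure
    policy = render_bucket_policy(name)
    print(policy)
    print("findings:", check_bucket_policy(policy, name))
    print(json.dumps(feed_reader_policy(name, allow_delete=True), indent=2))
```

Running the check against the unedited template with your real bucket name reports every statement as pointing at an unexpected resource, which is exactly the mistake the "replace bucketname" step guards against; flipping the Deny to Allow, or widening the principal to `*`, each produces its own finding.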
Configure Cisco Secure Access to export logs to your S3 bucket
- Sign in to the Cisco Secure Access Dashboard at https://dashboard.sse.cisco.com.
- Go to Admin > Log Management.
- In the Amazon S3 area, select Use your company-managed Amazon S3 bucket.
- In the Amazon S3 Bucket field, enter the exact name of the S3 bucket you created (for example, cisco-secure-access-logs).
- Click Verify.
- Open the README_FROM_UMBRELLA.txt file that Cisco Secure Access saved to your S3 bucket.
- Copy the token listed in the file.
- Paste the token into the Token Number field in the Cisco Secure Access dashboard.
- Click Save.
Configure a feed in Google SecOps to ingest Cisco Secure Access logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- Enter a unique name for the Feed name (for example, Cisco Secure Access Logs).
- Select Amazon S3 V2 as the Source type.
- Select Cisco Secure Access as the Log type.
- Click Next and then click Submit.
- Specify values for the following fields:
  - S3 URI: s3://<BUCKET_NAME>/ (replace <BUCKET_NAME> with the name of your S3 bucket, for example, cisco-secure-access-logs)
  - Source deletion option: Select the deletion option according to your preference
  - Maximum File Age: Include files modified in the last number of days (default is 180 days)
  - Access Key ID: User access key with access to the S3 bucket
  - Secret Access Key: User secret key with access to the S3 bucket
  - Asset namespace: The asset namespace
  - Ingestion labels: The label to be applied to the events from this feed
- Click Next and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| _field | additional.fields | Merged |
| column10_label | additional.fields | Merged |
| column11_label | additional.fields | Merged |
| column15 | additional.fields | Mapped: [null] → column15_label |
| column15_label | additional.fields | Merged |
| column16_label | additional.fields | Merged |
| column22_label | additional.fields | Merged |
| column23_label | additional.fields | Merged |
| column24_label | additional.fields | Merged |
| column27_label | additional.fields | Merged |
| column28_label | additional.fields | Merged |
| column29_label | additional.fields | Merged |
| column30 | additional.fields | Mapped: ^[0-9]+$ → column30_label |
| column30_label | additional.fields | Merged |
| column33_label | additional.fields | Merged |
| column42_label | additional.fields | Merged |
| column43 | additional.fields | Mapped: "true", "false" → column43_label |
| column43_label | additional.fields | Merged |
| column44_label | additional.fields | Merged |
| column45 | additional.fields | Mapped: , → column45_label |
| column45_label | additional.fields | Merged |
| column51_label | additional.fields | Merged |
| column52_label | additional.fields | Merged |
| column53_label | additional.fields | Merged |
| column55_label | additional.fields | Merged |
| column6_label | additional.fields | Merged |
| column9_label | additional.fields | Merged |
| key | additional.fields | Mapped: `"col13_label", "col14_label", "col17_label", "col18_label", "col19_label", "col25_l... |
| auth_event | extensions.auth.type | Mapped: true → AUTHTYPE_UNSPECIFIED |
| intermediary_entity | intermediary | Merged |
| column1 | metadata.event_timestamp | Parsed as ISO8601 |
| auth_event | metadata.event_type | Mapped: true → USER_LOGIN |
| has_principal | metadata.event_type | Mapped: true → NETWORK_CONNECTION, true → STATUS_UPDATE |
| has_user | metadata.event_type | Mapped: true → USER_UNCATEGORIZED |
| column26 | metadata.product_log_id | Directly mapped |
| column26 | network.http.method | Directly mapped |
| column10 | network.http.user_agent | Directly mapped |
| column34 | network.ip_protocol | Directly mapped |
| column15 | network.received_bytes | Mapped: ^-?[0-9]+$ → uinteger |
| p_bytes | network.received_bytes | Directly mapped |
| p_bytes | network.sent_bytes | Directly mapped |
| column20 | network.session_id | Directly mapped |
| column12 | principal.application | Directly mapped |
| column2 | principal.asset.hostname | Directly mapped |
| column3 | principal.asset.hostname | Directly mapped |
| column7 | principal.asset.hostname | Directly mapped |
| p_hostname | principal.asset.hostname | Directly mapped |
| column15 | principal.asset.ip | Merged |
| column4 | principal.asset.ip | Mapped: DISCONNECTED → column15 |
| p_ip | principal.asset.ip | Merged |
| p_ip_from_host | principal.asset.ip | Merged |
| user_ip | principal.asset.ip | Merged |
| column31 | principal.asset.product_object_id | Directly mapped |
| software_obj | principal.asset.software | Merged |
| column2 | principal.hostname | Directly mapped |
| column3 | principal.hostname | Directly mapped |
| column7 | principal.hostname | Directly mapped |
| p_hostname | principal.hostname | Directly mapped |
| column15 | principal.ip | Merged |
| column4 | principal.ip | Mapped: DISCONNECTED → column15 |
| p_ip | principal.ip | Merged |
| p_ip_from_host | principal.ip | Merged |
| user_ip | principal.ip | Merged |
| column7 | principal.platform_version | Directly mapped |
| column41 | principal.process.file.full_path | Directly mapped |
| column40 | principal.process.pid | Directly mapped |
| column2 | principal.user.email_addresses | Mapped: ^.+@.+$ → column2 |
| email | principal.user.email_addresses | Mapped: ^.+@.+$ → email |
| column4 | principal.user.group_identifiers | Merged |
| column3 | principal.user.user_display_name | Directly mapped |
| user_display_name | principal.user.user_display_name | Directly mapped |
| column43 | principal.user.userid | Directly mapped |
| column7 | principal.user.userid | Directly mapped |
| column45 | principal.user.windows_sid | Directly mapped |
| sid | principal.user.windows_sid | Directly mapped |
| security_result_entry | security_result | Merged |
| security_result_present | security_result | Mapped: true → security_result_entry |
| column21 | target.asset.hostname | Directly mapped |
| column5 | target.asset.hostname | Directly mapped |
| column16 | target.asset.ip | Merged |
| column4 | target.asset.ip | Mapped: DISCONNECTED → column16 |
| column5 | target.asset.ip | Merged |
| t_ip | target.asset.ip | Merged |
| column21 | target.hostname | Directly mapped |
| column5 | target.hostname | Directly mapped |
| column16 | target.ip | Merged |
| column4 | target.ip | Mapped: DISCONNECTED → column16 |
| column5 | target.ip | Merged |
| t_ip | target.ip | Merged |
| column33 | target.port | Directly mapped |
| N/A | extensions.auth.type | Constant: AUTHTYPE_UNSPECIFIED |
| N/A | metadata.event_type | Constant: USER_LOGIN |
| N/A | metadata.product_name | Constant: Secure Access |
| N/A | metadata.vendor_name | Constant: Cisco |
| N/A | network.application_protocol | Constant: DNS |
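To make the regex-gated and conditional rows of the table concrete, here is an added Python example that is not the Google SecOps parser and not code from Cisco or Google. It applies a handful of the rules above (column1 ISO 8601 timestamp, column2 hostname plus the ^.+@.+$ email gate, column15 ^-?[0-9]+$ → uinteger, column30 ^[0-9]+$ → column30_label, column33 → target.port, column43 → userid and its "true"/"false" label) to constructed records. The comma-separated layout, the 1-based column numbering, the dropping of negative byte counts for a uinteger field, and the reading that column4 = DISCONNECTED routes column15/column16 to principal.ip/target.ip instead of a byte count are all my assumptions, not statements from the page.

```python
import re
from datetime import datetime, timezone

# Assumed layout for this example: one comma-separated record, columns numbered from 1
# as in the mapping table. Only the rules quoted from the table are implemented.
EMAIL_RE = re.compile(r"^.+@.+$")        # column2 -> principal.user.email_addresses
INTEGER_RE = re.compile(r"^-?[0-9]+$")   # column15 -> network.received_bytes (uinteger)
DIGITS_RE = re.compile(r"^[0-9]+$")      # column30 -> column30_label in additional.fields

# Constants the table sets on every event.
CONSTANTS = {
    "metadata.vendor_name": "Cisco",
    "metadata.product_name": "Secure Access",
}


def make_record(values):
    """Build a constructed record from a {column_number: value} dict (sample input only)."""
    width = max(values)
    return ",".join(values.get(n, "") for n in range(1, width + 1))


def _columns(line):
    """Split a record and expose its cells by 1-based column number ('' when absent)."""
    cells = [c.strip() for c in line.split(",")]
    return lambda n: cells[n - 1] if n <= len(cells) else ""


def to_udm(line):
    """Apply a subset of the mapping table to one record; returns a flat UDM dict."""
    col = _columns(line)
    udm = dict(CONSTANTS)
    additional = {}

    # column1 -> metadata.event_timestamp, parsed as ISO 8601 and normalised to UTC.
    ts = datetime.fromisoformat(col(1).replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    udm["metadata.event_timestamp"] = ts.astimezone(timezone.utc).isoformat()

    # column2 -> principal.hostname directly; -> principal.user.email_addresses only
    # when it matches ^.+@.+$.
    if col(2):
        udm["principal.hostname"] = col(2)
        if EMAIL_RE.match(col(2)):
            udm["principal.user.email_addresses"] = [col(2)]

    # My reading of the column4/column15/column16 rows: when column4 is DISCONNECTED the
    # table routes column15 to principal.ip and column16 to target.ip; otherwise column15
    # is a byte count gated by ^-?[0-9]+$.
    if col(4) == "DISCONNECTED":
        if col(15):
            udm["principal.ip"] = [col(15)]
        if col(16):
            udm["target.ip"] = [col(16)]
    elif INTEGER_RE.match(col(15)):
        value = int(col(15))
        if value >= 0:  # assumption: a uinteger field cannot carry a negative count
            udm["network.received_bytes"] = value

    # column30 -> column30_label only when the value is all digits.
    if DIGITS_RE.match(col(30)):
        additional["column30_label"] = col(30)

    # column33 -> target.port (directly mapped; kept only when numeric).
    if col(33).isdigit():
        udm["target.port"] = int(col(33))

    # column43 -> principal.user.userid directly, and -> column43_label when "true"/"false".
    if col(43):
        udm["principal.user.userid"] = col(43)
        if col(43) in ("true", "false"):
            additional["column43_label"] = col(43)

    if additional:
        udm["additional.fields"] = additional
    return udm


# Constructed sample records (values are illustrative, not real Cisco exports).
SAMPLE_PROXY = make_record({1: "2024-05-01T12:34:56Z", 2: "alice@example.com",
                            15: "2048", 30: "8", 33: "443", 43: "u-12345"})
SAMPLE_DISCONNECTED = make_record({1: "2024-05-01T12:35:00+02:00", 2: "laptop-07",
                                   4: "DISCONNECTED", 15: "10.0.0.5", 16: "203.0.113.9"})
SAMPLE_NEGATIVE = make_record({1: "2024-05-01T12:36:00Z", 15: "-1"})

if __name__ == "__main__":
    for record in (SAMPLE_PROXY, SAMPLE_DISCONNECTED, SAMPLE_NEGATIVE):
        print(to_udm(record))
```

The three constructed records exercise the three branches worth checking: an email-shaped column2 that lands in both hostname and email_addresses, a DISCONNECTED record whose column15 is an address rather than a byte count, and a negative column15 that matches the regex but is not a valid uinteger.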