I was wondering if anyone has Cisco Umbrella working as a data source in Insight IDR. I have followed the guide but I am not getting any data. No error either as far as I could tell, just no data.
I think this may have something to do with the credentials I’m using. I’m unclear what those credentials are supposed to be. Right now I’m using the access key and secret key for my creds. Is it supposed to be another set of credentials?
Thanks for any help you can offer.
Paul
@pherrera I hopped onto the backend and took a look, I think the configuration is wrong
I’m seeing this error in the collector logs as an exception while listing objects
The specified key does not exist. (Service: Amazon S3; Status Code: 404; Error Code: NoSuchKey
If you look at your Cisco Umbrella event source, you currently have the event source configured with the s3 bucket name and key prefix. This can be a little confusing but its outlined here
https://docs.rapid7.com/insightidr/cisco-umbrella/#how-to-configure-this-event-source
s3:// in the bucket name.Cisco Managed: your bucket would look something like this: my-managed-bucket/abcd1234. Your S3 Bucket Name would then only be my-managed-bucket.
In your case it would be cisco-managed-us-west-1
my-managed-bucket/abcd1234 , then your Key Prefix would then be abcd1234/ . Note that the / goes at the end of the prefix, and not the beginning.in your case you would use the bit that comes after the cisco-managed-us-west-1/ the long string
David
Hi David. That resolved it. Thank you for your help!