Configuration problem with Sentinel connector for Cisco Umbrella

Geoffrey Day 20 Reputation points
2024-10-19T07:22:43.27+00:00

I am attempting to deploy the Microsoft Sentinel connector Cisco Umbrella (using Azure Functions), following what appears to be an incomplete explanation at https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-umbrella which does seem to omit some vital information. The connector requires Subscription, Resource Group, Region, Function Name, Workspace ID, Workspace Key, S3Bucket, AWS Access Key ID, AWS Secret Access Key and App Insights Workspace Resource ID. It is the App Insights Workspace Resource ID that fails. The information bubble states "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury (not my typo but in info bubble) 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}".

Is this a new Operational Insights workspace that needs to be created prior to deploying this connector, or is it part of the workspace that Sentinel is deployed in? I have tried both options unsuccessfully, and cannot work out how to resolve this last step. I have all of the other information.


Accepted answer
  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-10-23T08:43:34.86+00:00

    Hello @Geoffrey Day

    Based on the information you provided, it seems that you are having trouble finding the App Insights Workspace Resource ID required for deploying the Cisco Umbrella connector using Azure Functions.

    The App Insights Workspace Resource ID is a fully qualified resourceId in the format /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}.

    To find the App Insights Workspace Resource ID, you can follow these steps:

    1. Go to the Azure portal and navigate to your Log Analytics workspace.
    2. Click on the 'Properties' blade of the workspace.
    3. Look for the 'Resource ID' property value. This is the fully qualified resourceId that you need to use for the App Insights Workspace Resource ID parameter when deploying the Cisco Umbrella connector using Azure Functions.

    This should get you started.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.
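
An added example, not part of the answer above or of Microsoft's documentation: a Python check that a value pasted into the App Insights Workspace Resource ID field matches the format quoted in the answer, and that names the paste mistake when it does not. The function names, the mistake categories and all sample IDs are constructed for illustration; name segments are only checked for being non-empty.

```python
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# Format quoted in the answer; ARM compares these segments case-insensitively.
WORKSPACE_RID = re.compile(
    rf"/subscriptions/(?P<subscription>{GUID})"
    r"/resourceGroups/(?P<resource_group>[^/\s]+)"
    r"/providers/Microsoft\.OperationalInsights"
    r"/workspaces/(?P<workspace>[^/\s]+)",
    re.IGNORECASE,
)


def diagnose(value: str) -> str:
    """Classify a value pasted into 'App Insights Workspace Resource ID'."""
    if not value.strip():
        return "empty value"
    if value != value.strip() or value[0] in "'\"" or value[-1] in "'\"":
        return "stray whitespace or quote characters around the value"
    if re.fullmatch(GUID, value):
        return "bare GUID: this is a Workspace ID, not a Resource ID"
    if "{" in value or "}" in value:
        return "template placeholders were not replaced"
    if re.search(r"/providers/Microsoft\.Insights/components/", value, re.I):
        return "Application Insights component ID, not a Log Analytics workspace"
    if not value.startswith("/"):
        return "missing leading '/'"
    if not WORKSPACE_RID.fullmatch(value):
        return "does not match the workspace Resource ID format"
    return "ok"


def parse(value: str) -> dict:
    """Split a valid Resource ID into its named parts; raise otherwise."""
    verdict = diagnose(value)
    if verdict != "ok":
        raise ValueError(verdict)
    return WORKSPACE_RID.fullmatch(value).groupdict()


if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant.
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel"
    for sample in (
        sub + "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel",
        "11111111-2222-3333-4444-555555555555",
        sub + "/providers/Microsoft.Insights/components/ai-umbrella",
    ):
        print(diagnose(sample), "<-", sample)
```

A value that passes this check is only well-formed; whether the deployment accepts it still depends on the workspace existing and on the deploying account's access to it.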


2 additional answers

  1. Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator
    2024-10-19T21:41:14.8433333+00:00

    If you haven't already, you'll need to create a Log Analytics Workspace in Azure. This workspace will be used to collect and analyze the data from Cisco Umbrella.

    https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-asa-ftd-via-ama

    ** Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful **


  2. Geoffrey Day 20 Reputation points
    2024-10-19T21:54:26.27+00:00

    We currently have a Log Analytics Workspace for Microsoft Sentinel and another Log Analytics Workspace created. Neither is accepted as the Operational Insights workspace.

    The link provided in the above answer is for a Cisco ASA Firewall. Cisco Umbrella logs are copied into an Amazon S3 bucket by Umbrella and it is this bucket the connector needs to get log data from.
