Help Documentation

Cloud Detection and Response

Cisco Umbrella S3 Log Forwarding Removal

Updated Oct 30, 2023

Remove Cisco Umbrella from your AWS environment

You can remove Cisco Umbrella® from your Amazon Web Services (AWS)® environment.

Cisco Umbrella is a cloud-delivered security platform that collects information about services, incidents, and threats found on your network to provide Domain Name System (DNS) layer security. Requests are forwarded from your network to Cisco Umbrella, which then inspects and blocks threats.

Arctic Wolf® can ingest logs directly from Cisco Umbrella using the Umbrella Reporting API to provide 24x7 monitoring and tailored alerting on security logs or events. Log forwarding from an AWS Simple Storage Service (S3) bucket is no longer required.

Requirements

Before you begin

Steps

  1. Stop Cisco Umbrella log forwarding to S3.
  2. Remove Cisco Umbrella log forwarding configurations.

Step 1: Stop Cisco Umbrella log forwarding to S3

  1. Sign in to the Cisco Umbrella console with administrator permissions.
  2. In the navigation menu, click Admin > Log Management.
  3. In the Amazon S3 section, click STOP LOGGING.
  4. Click STOP LOGGING again.

Step 2: Remove Cisco Umbrella log forwarding configurations

  1. Sign in to the AWS Management Console.

  2. In the search bar, enter CloudFormation.

  3. Click CloudFormation.

  4. In the navigation menu, click Stacks

  5. Find the S3LogForward stack that is dedicated to Cisco Umbrella log forwarding. This stack was given a unique label upon creation. For example, Cisco-umbrella-logging. The S3LogForward stack description shown in CloudFormation® is similar to Arctic Wolf Networks: Configure forwarding logs stored in S3.

    Note: This stack is not the CloudTrail® base stack, which usually has a variation of Arctic Wolf in its name. The CloudTrail base stack has 7 nested stacks. These are shown as NESTED in Stacks table. The S3LogForward stack is a stand-alone stack.

  6. Select the desired stack, and then click Delete

  7. When prompted, click Delete stack.

    Legacy Cisco Umbrella log forwarding configurations are removed from your Cisco Umbrella environment.

Note: The S3 bucket dedicated to Cisco Umbrella log forwarding no longer receives logs, but is still available for auditing purposes. If you have no more use for this S3 bucket or the data it contains, delete this S3 bucket. See Working with buckets for more information.