Cisco Umbrella S3 Log Forwarding Deactivation

Configuration Guide

Updated May 26, 2023

Cisco Umbrella S3 Log Forwarding Deactivation

Remove Cisco Umbrella from your AWS environment Direct link to this section

Cisco Umbrella is a cloud-delivered security platform that collects information about services, incidents, and threats found on your network to provide Domain Name System (DNS) layer security. Requests are forwarded from your network to Cisco Umbrella, which then inspects and blocks threats.

Arctic Wolf® can ingest logs directly from Cisco Umbrella using the Umbrella Reporting API to provide 24x7 monitoring and tailored alerting on security logs or events. Log forwarding from an Amazon Web Services (AWS) Simple Storage Service (S3) bucket is no longer required.

This guide details how to remove Cisco Umbrella from your AWS environment.

Note: This process requires you to have administrator access to the Cisco Umbrella console.

Before you begin Direct link to this section

You must:

  1. Complete Configure Cisco Umbrella monitoring to initiate your migration to an API-based Cisco Umbrella cloud sensor.

  2. Notify your Concierge Security® Team (CST) that you are decommissioning your legacy Cisco Umbrella monitoring setup.

Deactivate Cisco Umbrella log forwarding to S3 Direct link to this section

  1. Sign in to the Cisco Umbrella console as an administrator.
  2. In the navigation pane, click Admin > Log Management.
  3. In the Amazon S3 section, click STOP LOGGING.
  4. Confirm your request when prompted.
  5. Proceed to Remove Cisco Umbrella log forwarding configurations.

Remove Cisco Umbrella log forwarding configurations Direct link to this section

  1. Sign in to the AWS Management Console.

  2. Search for CloudFormation using the search field on the menu bar. Then, click CloudFormation.

  3. In the navigation pane, click Stacks

  4. Identify the S3LogForward stack that is dedicated to Cisco Umbrella log forwarding. This stack was given a unique label upon creation, such as “Cisco-umbrella-logging.” The S3LogForward stack description shown in CloudFormation is similar to Arctic Wolf Networks: Configure forwarding logs stored in S3.

    Note: This stack is not the CloudTrail base stack, which usually has a variation of “Arctic Wolf” in its name. The CloudTrail base stack has seven nested stacks, which are shown as NESTED in Stacks table. Conversely, the S3LogForward stack is a stand-alone stack.

  5. Select the desired stack. Then click Delete

  6. When prompted, click Delete stack. This removes legacy Cisco Umbrella log forwarding configurations from your AWS environment.

Note: The S3 bucket dedicated to Cisco Umbrella log forwarding no longer receives logs, but is still available for auditing purposes. If you have no further use for this S3 bucket or the data it contains, you may delete this S3 bucket. See Working with buckets in the Amazon S3 User Guide for instructions.