What Changed

Cisco Umbrella solution v3.1.0 adds a CCF-based (Codeless Connector Framework) data connector alongside the existing Function App connector, expanding log ingestion from the 4 legacy custom tables to 14 tables in total. The connector directory still carries the older CCP name. The Cisco_Umbrella parser has been updated to union the legacy and new table formats so existing content built on it keeps working.

New Data Sources Unlocked

The CCF connector adds 10 new custom log tables, each scoped to one Umbrella log category:

Network Security:

  • CiscoUmbrellaCloudFirewall_CL: Network traffic, firewall rules, and connection metadata
  • CiscoUmbrellaIPS_CL: Intrusion prevention system events and threat signatures
  • CiscoUmbrellaRemoteAccessVPN_CL: VPN session logs and remote access patterns

DNS and Web Traffic:

  • CiscoUmbrellaDNS_CL: Enhanced DNS query logging with policy enforcement details
  • CiscoUmbrellaWebTraffic_CL: HTTP/HTTPS traffic analysis with content inspection results

Zero Trust and Access Control:

  • CiscoUmbrellaZeroTrustAccess_CL: Zero Trust Network Access (ZTNA) policy decisions
  • CiscoUmbrellaZeroTrustAccessFlow_CL: ZTNA traffic flow analysis
  • CiscoUmbrellaAdminAudit_CL: Administrative actions and configuration changes

Data Protection:

  • CiscoUmbrellaDLP_CL: Data Loss Prevention policy violations and content analysis
  • CiscoUmbrellaFileEvent_CL: File upload/download events and malware analysis results

Security Impact (Visibility & Fidelity)

This expansion closes detection gaps that existed while only the four legacy tables were ingested:

  • Administrative Oversight: Admin audit logs capture configuration changes, user management, and policy modifications that the Function App connector did not ingest
  • Network Threats: Cloud firewall and IPS logs give visibility into the traffic the cloud firewall inspects and the intrusion attempts detected in it
  • Data Exfiltration: DLP and file event logs enable detection of sensitive data movement and unauthorized file transfers
  • Zero Trust Access: ZTNA access and flow logs record policy decisions, so denied and anomalous access attempts become visible
  • Enhanced DNS Analysis: the new DNS table provides richer context than the legacy format, including policy enforcement details and identity mapping

Parser Compatibility

The updated parser maintains backward compatibility by using the KQL union isfuzzy=true operator, which skips tables that do not exist in the workspace instead of failing the whole query, to combine:

  • Legacy tables: Cisco_Umbrella_dns_CL, Cisco_Umbrella_proxy_CL, etc.
  • New CCF tables: CiscoUmbrellaDNS_CL, CiscoUmbrellaWebTraffic_CL, etc.

Field mappings have been standardized on explicit type conversions (todatetime(), tostring(), toreal()) rather than generic column_ifexists() calls, so downstream content gets stable column types instead of values that silently fall back to a default when a column is absent; this improves query reliability and performance. The trade-off is that a direct reference to a column that is missing from a table that does exist fails the query (isfuzzy only covers missing tables), so validate the parser in a workspace that has only the legacy tables and in one that has only the CCF tables before rolling it out.
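The union pattern the updated parser relies on, reduced to the DNS source, as an added illustration. This is not the solution's Cisco_Umbrella.yaml parser: the legacy column names are assumed, the CCF column names are hypothetical, and both must be checked against the CustomTables JSON schemas listed under Affected Files before reuse. Each operand normalises its own table to a shared column set with explicit conversions, then the union joins them and the same downstream logic runs regardless of which connector produced the row.

```kql
// Added illustration, not the shipped Cisco_Umbrella.yaml parser.
// Each operand normalises one table to a shared column set with explicit
// type conversions; union isfuzzy=true then joins them, skipping any
// table that does not exist in the workspace instead of failing the query.
union isfuzzy=true
    (Cisco_Umbrella_dns_CL                              // legacy Function App table
    | extend
        EventStartTime = todatetime(Timestamp_t),       // ASSUMED legacy column names
        SrcIpAddr      = tostring(InternalIpAddress_s),
        DnsQueryName   = tostring(Domain_s),
        DvcAction      = tostring(Action_s),
        EventProduct   = "dns-legacy"
    | project TimeGenerated, EventStartTime, SrcIpAddr, DnsQueryName, DvcAction, EventProduct),
    (CiscoUmbrellaDNS_CL                                // new CCF table
    | extend
        EventStartTime = todatetime(Timestamp),         // HYPOTHETICAL CCF column names
        SrcIpAddr      = tostring(InternalIp),
        DnsQueryName   = tostring(Domain),
        DvcAction      = tostring(Action),
        EventProduct   = "dns-ccf"
    | project TimeGenerated, EventStartTime, SrcIpAddr, DnsQueryName, DvcAction, EventProduct)
// Downstream logic is written once against the normalised columns.
// EventProduct is kept so an analyst can tell which connector supplied a row
// while both are enabled.
| where DvcAction =~ "Blocked"
| summarize BlockedQueries = count(), Domains = make_set(DnsQueryName, 20) by SrcIpAddr, EventProduct
| order by BlockedQueries desc
```

Because the column references inside each operand are explicit, a wrong name in either branch is a semantic error rather than a silent empty column, which is the behaviour the move away from column_ifexists() buys; the price is that each branch has to be checked against the table it targets.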

Deployment Considerations

This is a Public Preview release that must be explicitly enabled. Organizations can deploy the CCF connector alongside an existing Function App connector without disruption: the parser handles data from both sources automatically, so migration can be gradual. Note that while both connectors are enabled for the same log category (for example DNS), the same event may land in both a legacy and a new table, and any query built on the parser will see it twice; account for that in detection thresholds during the overlap, and disable the Function App connector for each category once the corresponding CCF table is confirmed to be populated.
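A post-deployment check, added here and not part of the solution, that shows which Umbrella tables actually received rows in the last day. It tells you whether the CCF tables are flowing and whether a legacy table is still being written for the same category, which is the signal that both connectors are ingesting in parallel. Only the two legacy tables the page names are listed; add any other legacy tables deployed in your workspace.

```kql
// Added check, not from the solution package.
// withsource tags each row with the table it came from; isfuzzy=true lets the
// query run even where some of these tables have not been created yet.
union withsource = SourceTable isfuzzy=true
    Cisco_Umbrella_dns_CL, Cisco_Umbrella_proxy_CL,      // legacy tables named on this page
    CiscoUmbrellaDNS_CL, CiscoUmbrellaWebTraffic_CL,     // CCF tables
    CiscoUmbrellaAdminAudit_CL, CiscoUmbrellaCloudFirewall_CL,
    CiscoUmbrellaIPS_CL, CiscoUmbrellaRemoteAccessVPN_CL,
    CiscoUmbrellaZeroTrustAccess_CL, CiscoUmbrellaZeroTrustAccessFlow_CL,
    CiscoUmbrellaDLP_CL, CiscoUmbrellaFileEvent_CL
| where TimeGenerated > ago(1d)
| summarize Rows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceTable
| order by SourceTable asc
```

A table that is absent from the output either does not exist yet or received nothing in the window; a legacy table and its CCF counterpart both showing recent LastSeen values is the overlap condition to watch for before retiring the Function App connector.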

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaAdminAudit_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaCloudFirewall_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaDLP_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaDNS_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaFileEvent_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaIPS_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaRemoteAccessVPN_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaWebTraffic_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaZeroTrustAccessFlow_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CiscoUmbrellaZeroTrustAccess_CL.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaAdminAudit_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaCloudFirewall_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaDLP_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaDNS_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaFileEvent_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaIPS_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaRemoteAccessVPN_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaWebTraffic_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaZeroTrustAccessFlow_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrellaZeroTrustAccess_table.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrella_DCR.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrella_DataConnectorDefinition.json
Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_CCP/CiscoUmbrella_PollingConfig.json
Solutions/CiscoUmbrella/Package/testParameters.json
Solutions/CiscoUmbrella/Parsers/Cisco_Umbrella.yaml
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_CiscoUmbrella.json, createUiDefinition.json, mainTemplate.json)