Once you have configured the Identity services, you can configure a namespace to forward the DNS traffic from the DNS resolver service to the Identity service, ensuring that the information is then embedded in EDNS in DNS queries forwarded to Cisco Umbrella for processing. The following section outlines a configuration scenario:
Configuring Identity security
The Identity security feature enhances your query logs by appending identity information. Additionally, the identity metadata is sent with queries to Cisco Umbrella, allowing for policy enforcement based on user IDs.
Prerequisites
- The Service Point v4 instance must be running version 4.6.0 or higher. For more information on provisioning Service Point v4 instances, refer to Service Point v4.
- The DNS resolver service deployed must be running version 3.10.0 or higher. For more information on deploying DNS resolver service, refer to DNS resolver services.
- You must have deployed Identity service version 2.1.0 or higher. The identity service connects to the Azure Event Hub to retrieve the event logs. For more information on configuring Identity service, refer to Identity services.
Once you have deployed the identity service and DNS resolver service on the Service Point v4 instance:
- In the top navigation bar, click and select Sites.
- Click to add a site, or select an existing site and click Edit.
- To add identity information to queries, enable the Add identity information to queries parameter.
- If required, configure any additional settings for the site.
- Click Save to save the changes to the site.
Identity data is added to queries from the matching IP address for ID-enabled sites.
Integrate the identity information with Cisco Umbrella
- In the top navigation bar, click and select Namespaces.
- Click to add a namespace, or select an existing namespace and click Edit.
- Select Cisco Umbrella integration to configure the namespace to use the Cisco Umbrella integration. When you select this option, you can also select Encrypt queries using DNS over HTTPS, which ensures that queries routed to Cisco Umbrella are encrypted.
Selecting Cisco Umbrella integration displays a message indicating that the two applicable Cisco Umbrella IP addresses have been added to the Forwarders field.
- If required, configure any additional settings for the namespace.
- Click Save.
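To make concrete what "embedded in EDNS" means on the wire for the queries this namespace forwards, the following is an added Python example (not BlueCat's or Cisco Umbrella's code): it builds a query carrying a user identity in an EDNS(0) option and extracts it again, the kind of check you could run over a packet capture taken between the resolver and the Umbrella forwarders. The option code 65001 (from the RFC 6891 local-use range) and the plain UTF-8 payload are assumptions; the actual encoding used by the Identity service is not described on this page.

```python
import struct
from typing import List, Optional

# Assumed for illustration only: RFC 6891 reserves 65001-65534 for local use.
# The real option code and payload format are not documented on this page.
IDENTITY_OPTION_CODE = 65001

def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, user_id: Optional[str], txid: int = 0x1234) -> bytes:
    """Build a DNS A query; with user_id, append an EDNS(0) OPT RR carrying it."""
    arcount = 1 if user_id is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg = header + encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    if user_id is not None:
        payload = user_id.encode("utf-8")                     # constructed sample
        rdata = struct.pack("!HH", IDENTITY_OPTION_CODE, len(payload)) + payload
        # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return msg

def skip_name(wire: bytes, pos: int) -> int:
    """Advance past a wire-format name, including compression pointers."""
    while True:
        length = wire[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # pointer is two bytes and ends the name
            return pos + 2
        pos += 1 + length

def identity_options(wire: bytes) -> List[str]:
    """Return every identity payload found in the OPT RR of a DNS message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(wire, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns):                    # skip answer/authority RRs
        pos = skip_name(wire, pos)
        pos += 10 + struct.unpack("!H", wire[pos + 8:pos + 10])[0]
    found = []
    for _ in range(ar):
        pos = skip_name(wire, pos)
        rtype = struct.unpack("!H", wire[pos:pos + 2])[0]
        rdlen = struct.unpack("!H", wire[pos + 8:pos + 10])[0]
        rdata, pos = wire[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        i = 0
        while rtype == 41 and i + 4 <= len(rdata):   # walk the OPT option list
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            if code == IDENTITY_OPTION_CODE:
                found.append(rdata[i + 4:i + 4 + olen].decode("utf-8", "replace"))
            i += 4 + olen
    return found
```

Running identity_options over captured queries on the resolver's other forwarders is a quick way to confirm identity data only leaves toward the Umbrella namespace.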
Verifying identity logs
Once you have enabled the feature to add identity information to queries, you can verify that the identity data is being captured as part of the logs.
- Click the DNS activity tab.
- Click to select the columns you want displayed in the tab. In the Select Columns window, select the available columns on the left, then click Update Tab. You can click and drag a selected column on the right to re-order the columns.
Add the User ID entry to the Selected column to include information about user identities in the DNS activity feed.
The queries populated in the Query Log table include the user identity information under the User ID column.