umbrella-s3-dns-logs
Scans DNS log files from a Cisco Umbrella S3 export bucket.
Syntax
umbrella-s3-dns-logs [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
Options
- profile=PROFILE
  - Optional. Cisco Umbrella S3 connect profile code.
- duration=NUM{mon|w|d|h|m|s}
  - Optional. Scan only data from the most recent period. Time units: s (second), m (minute), h (hour), d (day), w (week), mon (month).
- from=yyyyMMddHHmmss
  - Optional. Start time of the range, in yyyyMMddHHmmss format.
- to=yyyyMMddHHmmss
  - Optional. End time of the range, in yyyyMMddHHmmss format.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | e.g. 2026-04-12 23:39:45 |
| profile | String | Profile | Cisco Umbrella S3 connect profile code |
| domain | String | Domain | e.g. www.google.com |
| action | String | Action | e.g. Allowed |
| query_type | String | Query Type | e.g. 1 (A) |
| response_code | String | Response Code | e.g. NOERROR |
| external_ip | IP address | External IP | e.g. 198.51.100.1 |
| internal_ip | IP address | Internal IP | e.g. 198.51.100.1 |
| identity | String | Identity | e.g. Logpresso_Guest |
| identity_type | String | Identity Type | e.g. Networks |
| identities | String | Identities | e.g. Logpresso_Guest |
| identity_types | String | Identity Types | e.g. Networks |
| categories | String | Categories | e.g. Search Engines, Application |
| blocked_categories | String | Blocked Categories | e.g. Malware |
| rule_id | String | Rule ID | e.g. 12345 |
| destination_countries | String | Destination Countries | e.g. US |
| org_id | String | Org ID | e.g. 8395347 |
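
The following Python sketch is an added example, not part of the product or its documentation. It shows how rows carrying the output fields above can be triaged per identity for blocked Malware lookups and NXDOMAIN-heavy resolution patterns. The sample rows, the identities `Lab_Network` and `Office_WiFi`, the values `Blocked` and `NXDOMAIN`, the thresholds, and the `row` and `triage` helpers are all assumptions made for illustration.

```python
from collections import defaultdict

def row(identity, domain, action="Allowed", rcode="NOERROR", blocked=""):
    # Hypothetical helper: builds one row keyed by names from the Output Fields table.
    return {"identity": identity, "domain": domain, "action": action,
            "response_code": rcode, "blocked_categories": blocked}

# Constructed sample data, not real Umbrella logs. "Lab_Network" and "Office_WiFi"
# are made-up identities; "Blocked" and "NXDOMAIN" are assumed field values.
SAMPLE_ROWS = [
    row("Logpresso_Guest", "www.google.com"),
    row("Logpresso_Guest", "www.example.com"),
    row("Logpresso_Guest", "malware.example", "Blocked", blocked="Malware"),
    row("Lab_Network", "qx7f2k.example", rcode="NXDOMAIN"),
    row("Lab_Network", "p0z9aa.example", rcode="NXDOMAIN"),
    row("Lab_Network", "m3n8vb.example", rcode="NXDOMAIN"),
    row("Lab_Network", "www.example.org"),
    row("Office_WiFi", "www.example.net"),
    row("Office_WiFi", "www.google.com"),
]

def triage(rows, nx_ratio=0.5, min_queries=4):
    """Group rows by identity; flag blocked Malware lookups and NXDOMAIN-heavy identities."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "blocked": set()})
    for r in rows:
        s = stats[r.get("identity") or "(unknown)"]
        s["total"] += 1
        if r.get("response_code") == "NXDOMAIN":
            s["nxdomain"] += 1
        # blocked_categories is treated as a comma-separated string, like categories.
        cats = [c.strip() for c in (r.get("blocked_categories") or "").split(",")]
        if r.get("action") == "Blocked" and "Malware" in cats:
            s["blocked"].add(r.get("domain", ""))
    findings = []
    for identity, s in sorted(stats.items()):
        reasons = []
        if s["blocked"]:
            reasons.append("blocked-malware")
        # Require a minimum volume so one failed lookup does not trip the ratio.
        if s["total"] >= min_queries and s["nxdomain"] / s["total"] >= nx_ratio:
            reasons.append("nxdomain-heavy")
        if reasons:
            findings.append({"identity": identity, "reasons": reasons,
                             "domains": sorted(s["blocked"]), "total": s["total"]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

Tune `nx_ratio` and `min_queries` against a baseline of your own traffic before alerting on the NXDOMAIN signal.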