Cisco Umbrella Reporting Integration with Cortex XSOAR

March 31, 2022

Security teams are constantly flooded with alerts from multiple systems. Using the Cisco Umbrella Reporting API, security analysts can programmatically pull contextual threat intelligence from Umbrella's global network into their Security Orchestration, Automation and Response (SOAR) environment. The benefit? By integrating Cortex XSOAR with Umbrella, security teams get global context with each alert and can enforce security policies on or off the network. This cuts the time spent flipping between intel tools and gives analysts more time to focus on critical incidents.

What can I do with Umbrella?

This blog covers the Reporting API, sample use cases for Cortex XSOAR built on the Reporting API and, lastly, how Loginsoft can help you build these integrations.

The Umbrella Reporting v2 API provides visibility into your core network and security activity and into Umbrella logs. With the Umbrella Reporting v2 API you can access report data and create targeted reports, widgets, and dashboards.

Source: https://developer.cisco.com/docs/cloud-security/#reporting-v2-introduction-overview

Use Cases in a SOAR Workflow

Triggering an activity search: create automated workflows to:

Use Case #1: Support automated dispositioning of indicators and enrich data collected from other sources

The following Cisco Umbrella Reporting API endpoints, with the indicator request parameters each accepts, can be used for dispositioning of indicators:

Umbrella Reporting API endpoint and its request parameters:

1. Activity (all)
   - domains: a domain name or comma-delimited list of domain names
   - urls: a URL or comma-delimited list of URLs
   - ip: an IP address
   - ports: a port number or comma-delimited list of port numbers
2. Activity DNS
   - domains: a domain name or comma-delimited list of domain names
   - ip: an IP address
3. Activity Proxy
   - domains: a domain name or comma-delimited list of domain names
   - urls: a URL or comma-delimited list of URLs
   - ip: an IP address
   - ports: a port number or comma-delimited list of port numbers
4. Activity Firewall
   - ip: an IP address
   - ports: a port number or comma-delimited list of port numbers
5. Activity IP
   - ip: an IP address
   - ports: a port number or comma-delimited list of port numbers
6. Activity AMP
   - sha256: a SHA-256 hash

The table below lists possible Cortex XSOAR commands for this use case:

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After a command executes successfully, a DBot message with the command details appears in the War Room:

Use Case #2: Serve as a source of information on threats actively being observed within the computing environment

There are Cisco Umbrella Reporting API endpoints that report the threats observed in the organization, broken down either by threat type or by threat name.

The list below is by no means exhaustive, but it gives an idea of the XSOAR commands that can be developed for this use case:

Use Case #3: Provide valuable context surrounding actual activity observed within the infrastructure

There are Cisco Umbrella Reporting API endpoints that provide context surrounding actual activity observed within the infrastructure, based on the input supplied to the endpoint. Input parameters can be a domain, an IP address, a URL, etc., scoped to a given time period.

The list below is by no means exhaustive, but it gives an idea of the XSOAR commands that can be developed for this use case:

Get IP Activity (base command: GET_IP_ACTIVITY)
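The following is an added example, not Loginsoft's integration code and not Cisco's, showing how the activity endpoints listed under Use Case #1 and the activity lookups of Use Case #3 can be wrapped the way an XSOAR integration command would wrap them: a query builder that enforces which indicator filters each endpoint accepts (taken from the endpoint table above), the token and activity calls, and a dispositioning step that folds the returned records into a DBotScore-style verdict. The token and reporting URLs, the organisation ID placeholder, the default time window and paging values, the record layout (a "data" list with "verdict" and "categories") and the verdict-to-score mapping are assumptions of this example, not facts stated on the page; the sample records are constructed so the block runs offline.

```python
"""Added example (not Loginsoft's or Cisco's code): stdlib-only wrapper for the
Umbrella Reporting v2 activity endpoints plus indicator dispositioning.
Assumed: URLs, ORG placeholder, default window/paging, record layout, score map."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://management.api.umbrella.com/auth/v2/oauth2/token"  # assumed
REPORTS_URL = "https://reports.api.umbrella.com/v2/organizations"       # assumed

# Indicator filters each activity endpoint accepts, transcribed from the table.
ENDPOINT_PARAMS = {
    "activity":          {"domains", "urls", "ip", "ports"},
    "activity/dns":      {"domains", "ip"},
    "activity/proxy":    {"domains", "urls", "ip", "ports"},
    "activity/firewall": {"ip", "ports"},
    "activity/ip":       {"ip", "ports"},
    "activity/amp":      {"sha256"},
}
COMMON_PARAMS = {"from", "to", "limit", "offset"}  # window/paging (assumed)


def rejected_filters(endpoint, filters):
    """Names in `filters` that `endpoint` does not accept (empty set if all OK)."""
    if endpoint not in ENDPOINT_PARAMS:
        raise ValueError(f"unknown Reporting v2 activity endpoint: {endpoint}")
    return set(filters) - ENDPOINT_PARAMS[endpoint] - COMMON_PARAMS


def build_activity_query(endpoint, **filters):
    """Query parameters for one activity call.  Unsupported filters raise rather
    than being dropped, so a playbook never mistakes an unfiltered result for a
    verdict on its indicator.  Lists become the comma-delimited form the API takes."""
    bad = rejected_filters(endpoint, filters)
    if bad:
        raise ValueError(f"{endpoint} does not accept {sorted(bad)}")
    query = {"from": "-7days", "to": "now", "limit": "100"}  # assumed defaults
    for key, value in filters.items():
        if isinstance(value, (list, tuple, set)):
            value = ",".join(str(v) for v in value)
        query[key] = str(value)
    return query


def activity_url(org_id, endpoint, query):
    """Full request URL for an activity endpoint in the given organisation."""
    return f"{REPORTS_URL}/{org_id}/{endpoint}?{urllib.parse.urlencode(query)}"


def get_token(api_key, api_secret):
    """OAuth2 client-credentials grant, key:secret as HTTP Basic (assumed). Network call."""
    creds = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    req = urllib.request.Request(
        TOKEN_URL, data=b"grant_type=client_credentials", method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_activity(token, org_id, endpoint, **filters):
    """Query one activity endpoint and return its list of records. Network call."""
    url = activity_url(org_id, endpoint, build_activity_query(endpoint, **filters))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("data", [])


def disposition(records):
    """Fold activity records into a DBotScore-style verdict (this example's mapping):
    3 Bad = Umbrella blocked the indicator at least once, 2 Suspicious = allowed but
    seen under a security category, 1 Good = only allowed non-security traffic,
    0 Unknown = no activity in the window."""
    blocked = sum(1 for r in records if r.get("verdict") == "blocked")
    allowed = sum(1 for r in records if r.get("verdict") == "allowed")
    cats = [c for r in records for c in r.get("categories", [])]
    security = any(c.get("type") == "security" for c in cats)
    score = 0 if not records else 3 if blocked else 2 if security else 1
    return {"score": score, "blocked": blocked, "allowed": allowed,
            "categories": sorted({c.get("label", "") for c in cats})}


# Constructed sample records for a `domains=bad.example` DNS query (assumed layout).
SAMPLE_DNS_RECORDS = [
    {"timestamp": 1648684800000, "domain": "bad.example", "verdict": "blocked",
     "internalip": "10.0.0.5", "externalip": "203.0.113.10",
     "categories": [{"id": 68, "label": "Malware", "type": "security"}],
     "identities": [{"label": "alice-laptop", "type": {"label": "Roaming Computers"}}]},
    {"timestamp": 1648688400000, "domain": "bad.example", "verdict": "allowed",
     "internalip": "10.0.0.9", "externalip": "203.0.113.10",
     "categories": [{"id": 25, "label": "Software/Technology", "type": "content"}],
     "identities": [{"label": "bob-laptop", "type": {"label": "Roaming Computers"}}]},
]

if __name__ == "__main__":
    q = build_activity_query("activity/dns", domains=["bad.example", "evil.example"])
    print(activity_url("1234567", "activity/dns", q))   # ORG_ID placeholder
    print(disposition(SAMPLE_DNS_RECORDS))
```

In an XSOAR integration, `fetch_activity` would sit behind a command such as the page's GET_IP_ACTIVITY (with `endpoint="activity/ip"` and `ip=` as the filter), and the dictionary returned by `disposition` is what the command would hand to the DBotScore context and the War Room table; rejecting a `sha256` filter on the DNS endpoint up front is what keeps a mis-wired playbook from silently enriching an indicator with the wrong organisation-wide data.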
