/
/
Cisco Umbrella Reporting Integration with Cortex XSOAR

Cisco Umbrella Reporting Integration with Cortex XSOAR

Article
March 31, 2022
Profile Icon

Jason Franscisco

Security teams are constantly flooded with alerts from multiple systems. Using the Cisco Umbrella Reporting API, security analysts can programmatically pull contextual threat intelligence from the Global Network into their Security Management, Incident, Orchestration and Response environment. The benefit? IT security teams are provided global context with each alert and can enforce security policies on or off the network by integrating Cortex XSOAR with Umbrella. This reduces the time spent flipping between intel tools and gives security teams more time to focus on critical incidents.

What can I do with Umbrella?

  • Manage provisioning, policies and deployment using Enforcement API. This helps, security teams to take action by allowing or blocking domains programmatically
  • Reporting and Enrichment will help get to know security KPIs and awareness of actions going in your environment with Reporting API. Threat Hunters can then investigate on the alerts with contextual enrichment using Investigate API

This blog, will talk about Reporting API, sample Use Cases for Cortex XSOAR using Reporting API. Lastly, how Loginsoft can help you build these integrations.

The Umbrella Reporting v2 API provides visibility into your core network and security activities and Umbrella logs. With the Umbrella Reporting v2 API, you can access and create targeted reports, widgets, and dashboards.

Source: https://developer.cisco.com/docs/cloud-security/#reporting-v2-introduction-overview

Use Cases in SOAR Workflow Triggering for Activity Search Create automated workflows to:

  • Provision your networks
  • Create and manage destination lists
  • Research security events and access network and security reports

Use Case#1: Support automated dispositioning of indicators and to enrich data collected from other sources

Following Cisco Umbrella Reporting API endpoints can be used for dispositioning of indicators:

# Umbrella Reporting API endpoint Request Parameter
1 Activity (all) 1. domains – A domain name or comma-delimited list of domain name
2. urls – A URL or comma-delimited list of URLs
3. ip – An IP address
4. ports – A port number or comma-delimited list of port number
2 Activity DNS 1. domains – A domain name or comma-delimited list of domain name
2. ip – An IP address
3 Activity Proxy 1. domains – A domain name or comma-delimited list of domain name
2. urls – A URL or comma-delimited list of URLs
3. ip – An IP address
4. ports – A port number or comma-delimited list of port number
4 Activity Firewall 1. ip – An IP address
2. ports – A port number or comma-delimited list of port number
5 Activity IP 1. ip – An IP address
2. ports – A port number or comma-delimited list of port number
6 Activity AMP 1. sha256 – A SHA-256 hash

The below table lists possible Cortex XSOAR commands for this use case:

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details:

  • Get Domain Verdict
    Base Command: GET_DOMAIN_VERDICT
  • Get IP Verdict
    Base Command: GET_IP_VERDICT
  • Get URL Verdict
    Base Command: GET_URL_VERDICT
  • Get Port Verdict
    Base Command: GET_PORT_VERDICT
  • Get SHA-256 Verdict
    Base Command: GET_SHA-256_VERDICT

Use Case#2: Serve as a source of information related to threats actively being observed within our computing environment

There are Cisco Umbrella Reporting API endpoints that provide information related to threats observed in the organization either by threat types or threat names.

The below list is by no means exhaustive but gives an idea of XSOAR commands that can be developed for this use case:

  • Get Top Threats Base Command: GET_TOP_THREATS
  • Get Threat Types Base Command: GET_THREAT_TYPES

Use Case#3: Provide valuable context surrounding actual activity observed within the infrastructure

There are Cisco Umbrella Reporting API endpoints that provide context surrounding actual activity observed within the infrastructure based on the input provided to the API endpoint. Input parameters could be Domain, IP, URL, etc. within a given time period.

The below list is by no means exhaustive but gives an idea of XSOAR commands that can be developed for this use case:

  • Get Domain Activity Base Command: GET_DOMAIN_ACTIVITY

Get IP Activity Base Command: GET_IP_ACTIVITY

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Learn more
white arrow pointing top right

About Loginsoft

For over 16 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media and more have come to rely on Loginsoft as a trusted resource for technology talent. Whether Onsite, Offsite, or Offshore, we deliver.

Loginsoft is a leading Cybersecurity services company providing Security Advisory Research to generate metadata for vulnerabilities in Open source components, Discovering ZeroDay Vulnerabilities, Developing Vulnerability Detection signatures using MITRE OVAL Language.

Expertise in Integrations with Threat Intelligence and Security Products, integrated more than 200+ integrations with leading TIP, SIEM, SOAR and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar, IBM Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency APIs with Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet and so on.

Interested to learn more? Let’s start a conversation.

Book a meeting

IN-HOUSE EXPERTISE

Latest Articles

Get practical solutions to real-world challenges, straight from experts who conquered them.

View all our articles

Sign up to our Newsletter