Security teams are constantly flooded with alerts from multiple systems. Using the Cisco Umbrella Reporting API, security analysts can programmatically pull contextual threat intelligence from the Global Network into their Security Management, Incident, Orchestration and Response environment. The benefit? IT security teams are provided global context with each alert and can enforce security policies on or off the network by integrating Cortex XSOAR with Umbrella. This reduces the time spent flipping between intel tools and gives security teams more time to focus on critical incidents.
What can I do with Umbrella?
- Manage provisioning, policies and deployment using Enforcement API. This helps, security teams to take action by allowing or blocking domains programmatically
- Reporting and Enrichment will help get to know security KPIs and awareness of actions going in your environment with Reporting API. Threat Hunters can then investigate on the alerts with contextual enrichment using Investigate API
This blog, will talk about Reporting API, sample Use Cases for Cortex XSOAR using Reporting API. Lastly, how Loginsoft can help you build these integrations.
The Umbrella Reporting v2 API provides visibility into your core network and security activities and Umbrella logs. With the Umbrella Reporting v2 API, you can access and create targeted reports, widgets, and dashboards.
Source: https://developer.cisco.com/docs/cloud-security/#reporting-v2-introduction-overview
Use Cases in SOAR Workflow Triggering for Activity Search Create automated workflows to:
- Provision your networks
- Create and manage destination lists
- Research security events and access network and security reports
Use Case#1: Support automated dispositioning of indicators and to enrich data collected from other sources
Following Cisco Umbrella Reporting API endpoints can be used for dispositioning of indicators:
The below table lists possible Cortex XSOAR commands for this use case:
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details:
- Get Domain Verdict
Base Command: GET_DOMAIN_VERDICT - Get IP Verdict
Base Command: GET_IP_VERDICT - Get URL Verdict
Base Command: GET_URL_VERDICT - Get Port Verdict
Base Command: GET_PORT_VERDICT - Get SHA-256 Verdict
Base Command: GET_SHA-256_VERDICT
Use Case#2: Serve as a source of information related to threats actively being observed within our computing environment
There are Cisco Umbrella Reporting API endpoints that provide information related to threats observed in the organization either by threat types or threat names.
The below list is by no means exhaustive but gives an idea of XSOAR commands that can be developed for this use case:
- Get Top Threats Base Command: GET_TOP_THREATS
- Get Threat Types Base Command: GET_THREAT_TYPES
Use Case#3: Provide valuable context surrounding actual activity observed within the infrastructure
There are Cisco Umbrella Reporting API endpoints that provide context surrounding actual activity observed within the infrastructure based on the input provided to the API endpoint. Input parameters could be Domain, IP, URL, etc. within a given time period.
The below list is by no means exhaustive but gives an idea of XSOAR commands that can be developed for this use case:
- Get Domain Activity Base Command: GET_DOMAIN_ACTIVITY
Get IP Activity Base Command: GET_IP_ACTIVITY
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups, to product and enterprises rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.
Interested to learn more? Let’s start a conversation.
