Cisco Umbrella Reporting Integration with Cortex XSOAR

Security teams are constantly flooded with alerts from multiple systems. Using the Cisco Umbrella Reporting API, security analysts can programmatically pull contextual threat intelligence from the Global Network into their Security Management, Incident, Orchestration and Response environment. The benefit? IT security teams are provided global context with each alert and can enforce security policies on or off the network by integrating Cortex XSOAR with Umbrella. This reduces the time spent flipping between intel tools and gives security teams more time to focus on critical incidents.

What can I do with Umbrella?

• Manage provisioning, policies and deployment using Enforcement API. This helps, security teams to take action by allowing or blocking domains programmatically
• Reporting and Enrichment will help get to know security KPIs and awareness of actions going in your environment with Reporting API. Threat Hunters can then investigate on the alerts with contextual enrichment using Investigate API

This blog, will talk about Reporting API, sample Use Cases for Cortex XSOAR using Reporting API. Lastly, how Loginsoft can help you build these integrations.

The Umbrella Reporting v2 API provides visibility into your core network and security activities and Umbrella logs. With the Umbrella Reporting v2 API, you can access and create targeted reports, widgets, and dashboards.

Source: https://developer.cisco.com/docs/cloud-security/#reporting-v2-introduction-overview

Use Cases in SOAR Workflow Triggering for Activity Search Create automated workflows to:

• Provision your networks
• Create and manage destination lists
• Research security events and access network and security reports

Use Case#1: Support automated dispositioning of indicators and to enrich data collected from other sources

Following Cisco Umbrella Reporting API endpoints can be used for dispositioning of indicators:

The below table lists possible Cortex XSOAR commands for this use case:

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details:

• Get Domain Verdict
  Base Command: GET_DOMAIN_VERDICT
• Get IP Verdict
  Base Command: GET_IP_VERDICT
• Get URL Verdict
  Base Command: GET_URL_VERDICT
• Get Port Verdict
  Base Command: GET_PORT_VERDICT
• Get SHA-256 Verdict
  Base Command: GET_SHA-256_VERDICT

Use Case#2: Serve as a source of information related to threats actively being observed within our computing environment

There are Cisco Umbrella Reporting API endpoints that provide information related to threats observed in the organization either by threat types or threat names.

The below list is by no means exhaustive but gives an idea of XSOAR commands that can be developed for this use case:

• Get Top Threats Base Command: GET_TOP_THREATS
• Get Threat Types Base Command: GET_THREAT_TYPES

Use Case#3: Provide valuable context surrounding actual activity observed within the infrastructure

There are Cisco Umbrella Reporting API endpoints that provide context surrounding actual activity observed within the infrastructure based on the input provided to the API endpoint. Input parameters could be Domain, IP, URL, etc. within a given time period.

The below list is by no means exhaustive but gives an idea of XSOAR commands that can be developed for this use case:

• Get Domain Activity Base Command: GET_DOMAIN_ACTIVITY

Get IP Activity Base Command: GET_IP_ACTIVITY