Introduction
Cisco Umbrella provides DNS-layer security and detailed threat activity logs, while Cortex XSOAR orchestrates workflows and automates investigations. The integration enables Cisco Umbrella Cortex XSOAR workflows where Umbrella alerts and reports are enriched, correlated, and acted upon automatically within XSOAR playbooks.
Key Takeaways
- Integrating the Cisco Umbrella Reporting API with Cortex XSOAR gives security teams global threat context alongside each alert, reducing tool switching and speeding up response.
- The Umbrella Reporting v2 API enables visibility into network activity and security logs for targeted reporting and dashboards.
- Automated SOAR workflows using Umbrella data can enrich indicators and support security event investigations.
- The integration supports multiple API commands in XSOAR playbooks to fetch verdicts, activity, and threat insights.
Security teams are constantly flooded with alerts from multiple systems. Using the Cisco Umbrella Reporting API, security analysts can programmatically pull contextual threat intelligence from the Umbrella global network into their Security Orchestration, Automation and Response (SOAR) environment. The benefit? IT security teams get global context with each alert and can enforce security policies on or off the network by integrating Cortex XSOAR with Umbrella. This reduces the time spent flipping between intel tools and gives security teams more time to focus on critical incidents.
What can I do with Umbrella?
- Manage provisioning, policies and deployment with the Management API, and push domains to a block list programmatically with the Enforcement API. This lets security teams take action by allowing or blocking domains from a playbook.
- Reporting and enrichment: the Reporting API helps you track security KPIs and stay aware of what is happening in your environment. Threat hunters can then investigate alerts with contextual enrichment from the Investigate API.
This blog covers the Reporting API and sample Cortex XSOAR use cases built on it, and finally how Loginsoft can help you build these integrations.
The Umbrella Reporting v2 API provides visibility into your core network and security activities and Umbrella logs. With the Umbrella Reporting v2 API, you can access and create targeted reports, widgets, and dashboards.
Source: https://developer.cisco.com/docs/cloud-security/#reporting-v2-introduction-overview
Use Cases in SOAR Workflow: Triggering on Activity Search
Create automated workflows to:
- Provision your networks
- Create and manage destination lists
- Research security events and access network and security reports
Use Case#1: Support automated dispositioning of indicators and to enrich data collected from other sources
Cisco Umbrella Reporting API endpoints can be queried to disposition indicators. The list below gives possible Cortex XSOAR commands for this use case; the names are placeholders, since implemented XSOAR base commands use the lowercase, hyphenated form (for example, prefixed with the integration name).
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After a command executes successfully, a DBot message appears in the War Room with the command details:
- Get Domain Verdict (Base Command: GET_DOMAIN_VERDICT)
- Get IP Verdict (Base Command: GET_IP_VERDICT)
- Get URL Verdict (Base Command: GET_URL_VERDICT)
- Get Port Verdict (Base Command: GET_PORT_VERDICT)
- Get SHA-256 Verdict (Base Command: GET_SHA-256_VERDICT)
Use Case#2: Serve as a source of information related to threats actively being observed within our computing environment
There are Cisco Umbrella Reporting API endpoints that provide information related to threats observed in the organization either by threat types or threat names.
The below list is by no means exhaustive but gives an idea of XSOAR commands that can be developed for this use case:
- Get Top Threats (Base Command: GET_TOP_THREATS)
- Get Threat Types (Base Command: GET_THREAT_TYPES)
Use Case#3: Provide valuable context surrounding actual activity observed within the infrastructure
There are Cisco Umbrella Reporting API endpoints that provide context surrounding actual activity observed within the infrastructure, filtered by the input provided to the endpoint. Input parameters can be a domain, IP, URL, and so on, scoped to a given time window.
The below list is by no means exhaustive but gives an idea of XSOAR commands that can be developed for this use case:
- Get Domain Activity (Base Command: GET_DOMAIN_ACTIVITY)
- Get IP Activity (Base Command: GET_IP_ACTIVITY)
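The following is an added example, not code from the original post and not Cisco or Palo Alto Networks code. It shows how the Use Case#1 "Get Domain Verdict" and the Use Case#3 "Get Domain Activity" commands could both be backed by a single Reporting v2 activity search: build the request, summarize the returned activity records, and map the summary to an XSOAR DBotScore (0 unknown, 1 good, 2 suspicious, 3 bad). It assumes the `/reports/v2/activity` endpoint with `from`, `to`, `limit` and `domains` query parameters and an OAuth2 bearer token; the helper names are hypothetical and the sample response is constructed by hand to mirror the documented record shape (verdict, categories, threats, identities), so verify field names against the Reporting v2 reference before shipping. A real integration would wrap the result in `CommandResults` from `CommonServerPython`.

```python
"""Added example (not Cisco or Palo Alto Networks code): back an XSOAR
'Get Domain Verdict' / 'Get Domain Activity' command with the Umbrella
Reporting v2 activity endpoint and map the result to a DBotScore.
Helper names are hypothetical; the sample response below is constructed."""
from collections import Counter
from urllib.parse import urlencode

# Assumption: Reporting v2 base URL. The bearer token comes from Umbrella's
# OAuth2 client-credentials flow, which is not shown (it needs network access).
REPORTING_V2_BASE = "https://api.umbrella.com/reports/v2"

# XSOAR DBotScore convention.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3


def build_activity_request(token, domain, since="-7days", until="now", limit=100):
    """Return (url, headers) for an activity search scoped to one domain.
    Assumption: 'from'/'to' accept epoch milliseconds or relative strings."""
    params = {"from": since, "to": until, "limit": limit, "domains": domain}
    url = f"{REPORTING_V2_BASE}/activity?{urlencode(params)}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return url, headers


def summarize_activity(records):
    """Collapse raw activity records into what an analyst needs for a verdict:
    how often Umbrella blocked vs allowed, which security categories and threat
    labels fired, and which identities (hosts/users) touched the domain."""
    verdicts = Counter(r.get("verdict", "unknown") for r in records)
    threats = {t["label"] for r in records for t in r.get("threats", []) if t.get("label")}
    security = {c["label"] for r in records for c in r.get("categories", [])
                if c.get("type") == "security" and c.get("label")}
    identities = {i["label"] for r in records for i in r.get("identities", []) if i.get("label")}
    return {
        "total": len(records),
        "blocked": verdicts["blocked"],
        "allowed": verdicts["allowed"],
        "threats": sorted(threats),
        "security_categories": sorted(security),
        "identities": sorted(identities),
    }


def dbot_score(summary):
    """Disposition rule (a design choice for this example, not an Umbrella rule):
    any security category or threat label is Bad; a block with no security
    category (content policy) is Suspicious; only-allowed traffic is Good;
    no activity at all is Unknown, not Good."""
    if summary["total"] == 0:
        return DBOT_UNKNOWN
    if summary["threats"] or summary["security_categories"]:
        return DBOT_BAD
    if summary["blocked"]:
        return DBOT_SUSPICIOUS
    return DBOT_GOOD


def domain_verdict(domain, response):
    """What the GET_DOMAIN_VERDICT command would return: the activity summary
    plus a score, restricted to records for the requested domain."""
    records = [r for r in response.get("data", []) if r.get("domain") == domain]
    summary = summarize_activity(records)
    return {"domain": domain, "score": dbot_score(summary), **summary}


# Constructed sample mirroring the shape of a Reporting v2 DNS activity response.
SAMPLE_RESPONSE = {
    "meta": {},
    "data": [
        {"type": "dns", "domain": "bad.example", "verdict": "blocked",
         "timestamp": 1700000000000,
         "identities": [{"id": 1, "label": "laptop-01"}],
         "categories": [{"id": 66, "label": "Malware", "type": "security"}],
         "threats": [{"label": "Sample Trojan", "type": "Trojan"}]},
        {"type": "dns", "domain": "bad.example", "verdict": "blocked",
         "timestamp": 1700000060000,
         "identities": [{"id": 2, "label": "laptop-02"}],
         "categories": [{"id": 66, "label": "Malware", "type": "security"}],
         "threats": []},
        {"type": "dns", "domain": "bad.example", "verdict": "allowed",
         "timestamp": 1699990000000,
         "identities": [{"id": 1, "label": "laptop-01"}],
         "categories": [], "threats": []},
        {"type": "dns", "domain": "social.example", "verdict": "blocked",
         "timestamp": 1700000120000,
         "identities": [{"id": 3, "label": "alice"}],
         "categories": [{"id": 17, "label": "Social Networking", "type": "content"}],
         "threats": []},
    ],
}

if __name__ == "__main__":
    print(build_activity_request("REDACTED", "bad.example")[0])
    print(domain_verdict("bad.example", SAMPLE_RESPONSE))
```

Note that the "allowed" record for `bad.example` predates the blocks: an analyst reading the GET_DOMAIN_ACTIVITY output would see the identities that reached the domain before the security category fired, which is exactly the context a verdict alone hides.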
Conclusion
The blog highlights that integrating Cisco Umbrella with Cortex XSOAR strengthens security operations by combining deep DNS-layer visibility with automated orchestration. Through Cisco Umbrella Cortex XSOAR integration, security teams can automatically ingest Umbrella reports, enrich incidents with actionable context, and execute consistent response workflows. This integration improves response speed, reduces manual investigation, and enhances overall SOC efficiency.
FAQs
Q1. What is Cisco Umbrella?
Cisco Umbrella is a cloud-based security service that protects users and devices from online threats before they cause harm. It acts as a secure internet gateway, blocking malicious destinations at the DNS layer and controlling access to cloud applications. By combining DNS security, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS) into a single platform, Umbrella delivers consistent, always-on protection for users, whether they are on the corporate network or working remotely.
Q2. What role does Cortex XSOAR play in this integration?
In an integration, Cortex XSOAR acts as the central Security Orchestration, Automation, and Response (SOAR) platform that connects and coordinates various security tools and IT systems into unified, automated workflows.
Q3. Why integrate Cisco Umbrella with Cortex XSOAR?
Integrating Cisco Umbrella with Cortex XSOAR centralizes security operations and automates incident response. It enriches alerts with real-time threat context and enforces security actions across the network, reducing manual effort and significantly speeding up threat detection and remediation.
Q4. What type of data is ingested from Cisco Umbrella?
Cisco Umbrella collects key security logs that give full visibility into internet activity and threats. This includes DNS logs for domain requests, proxy logs for web traffic through the Secure Web Gateway, firewall logs for IP, port, and protocol activity, and admin audit logs that track configuration changes.
Q5. How does this integration benefit SOC teams?
Bringing Umbrella data into XSOAR alongside other security tools such as SIEM, EDR, and threat intelligence platforms gives SOC teams centralized visibility across their environment. This improves threat detection accuracy, cuts down alert noise, and enables faster, automated incident response.