Cisco Umbrella

Integration version: 13.0

Configure Cisco Umbrella to work with Google Security Operations SOAR

Get the Enforcement token

To retrieve your key:

Navigate to Policies > Policy Components > Integrations.
Expand the appropriate integration or click Add to generate a custom integration.

Reference: https://docs.umbrella.com/investigate-api/reference#reference-getting-started

Get the Investigate token

To create your first API Access token:

Click Create new token.
Give the token a name and click Create. The generated token includes the email address of the person who created it and the creation date. To revoke the token, click Delete.

Reference: https://docs.umbrella.com/investigate-api/reference#about-the-api-and-authentication

Configure Cisco Umbrella integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Add Domain

Description

Add a domain to the OpenDNS block list.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Delete Domain

Description

Delete a domain from the OpenDNS block list.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Get Associated Domains

Description

Get associated domains for a particular host name.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment

Enrichment Field Name	Logic-When to apply
cisco_umbrella_Domains	Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

[{
    "EntityResult": ["google.com", "twilio.com", "gmail.com"],
    "Entity": "example.com"
}]

Get Domain Security Info

Description

Provide security information about a domain (as an attachment).

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment

Enrichment Field Name	Logic - When to apply
found	Returns if it exists in JSON result
popularity	Returns if it exists in JSON result
geodiversity_normalized	Returns if it exists in JSON result
dga_score	Returns if it exists in JSON result
rip_score	Returns if it exists in JSON result
asn_score	Returns if it exists in JSON result
securerank2	Returns if it exists in JSON result
geoscore	Returns if it exists in JSON result
attack	Returns if it exists in JSON result
ks_test	Returns if it exists in JSON result
pagerank	Returns if it exists in JSON result
geodiversity	Returns if it exists in JSON result
prefix_score	Returns if it exists in JSON result
perplexity	Returns if it exists in JSON result
entropy	Returns if it exists in JSON result
fastflux	Returns if it exists in JSON result
threat_type	Returns if it exists in JSON result
tld_geodiversity	Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

[{
   "EntityResult":
       {
         "found": false,
         "popularity": 0.0,
         "geodiversity_normalized": [],
         "dga_score": -16.878373381058395,
         "rip_score": 0.0,
         "asn_score": 0.0,
         "securerank2": 0.0,
         "geoscore": 0.0,
         "attack": "",
         "ks_test": 0.0,
         "pagerank": 0.0,
         "geodiversity": [],
         "prefix_score": 0.0,
         "perplexity": 0.9961472993373601,
         "entropy": 2.2516291673878226,
         "fastflux": false,
         "threat_type": "",
         "tld_geodiversity": []
       },
   "Entity": "zahav1.ru"
}]

Get Domain Status

Description

Provide the status of a domain, its categories of content, and security.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment

Enrichment Field Name	Logic - When to apply
content_categories	Returns if it exists in JSON result
status	Returns if it exists in JSON result
security_categories	Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

[{
   "EntityResult":
   {   "content_categories": "Ecommerce/Shopping",
       "status": "1",
       "security_categories": ""
   },
  "Entity": "example.com"
}]

Get Malicious Domains

Description

Get malicious domains for an IP address.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment

Enrichment Field Name	Logic - When to apply
192.168.0.2	Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

{
  "192.168.0.2":
     [  "d.applovin.com.doesntexist.com",
        "atdmt.com.doesntexist.com",
        "Adservice.google.com.doesntexist.com"
      ]
}

Get Whois

Description

Retrieve the WHOIS information for the stated email address(es), nameserver(s), and domains.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment

Enrichment Field Name	Logic - When to apply
billingContactState	Returns if it exists in JSON result
administrativeContactPostalCode	Returns if it exists in JSON result
zoneContactCity	Returns if it exists in JSON result
address	Returns if it exists in JSON result
registrantFaxExt	Returns if it exists in JSON result
auditUpdatedDate	Returns if it exists in JSON result
administrativeContactCity	Returns if it exists in JSON result
administrativeContactEmail	Returns if it exists in JSON result
technicalContactFax	Returns if it exists in JSON result
billingContactOrganization	Returns if it exists in JSON result
billingContactEmail	Returns if it exists in JSON result
technicalContactPostalCode	Returns if it exists in JSON result
registrantOrganization	Returns if it exists in JSON result
zoneContactPostalCode	Returns if it exists in JSON result
registrantState	Returns if it exists in JSON result
administrativeContactName	Returns if it exists in JSON result
billingContactFaxExt	Returns if it exists in JSON result
billingContactCity	Returns if it exists in JSON result
technicalContactEmail	Returns if it exists in JSON result
registrantCountry	Returns if it exists in JSON result
technicalContactFaxExt	Returns if it exists in JSON result
administrativeContactStreet	Returns if it exists in JSON result
administrativeContactOrganization	Returns if it exists in JSON result
billingContactCountry	Returns if it exists in JSON result
billingContactName	Returns if it exists in JSON result
registrarName	Returns if it exists in JSON result
technicalContactTelephoneExt	Returns if it exists in JSON result
administrativeContactFax	Returns if it exists in JSON result
zoneContactFax	Returns if it exists in JSON result
timestamp	Returns if it exists in JSON result
registrantCity	Returns if it exists in JSON result
administrativeContactTelephoneExt	Returns if it exists in JSON result
status	Returns if it exists in JSON result
updated	Returns if it exists in JSON result
expires	Returns if it exists in JSON result
whoisServers	Returns if it exists in JSON result
technicalContactName	Returns if it exists in JSON result
technicalContactState	Returns if it exists in JSON result
nameServers	Returns if it exists in JSON result
zoneContactFaxExt	Returns if it exists in JSON result
recordExpired	Returns if it exists in JSON result
registrantFax	Returns if it exists in JSON result
registrantTelephoneExt	Returns if it exists in JSON result
billingContactFax	Returns if it exists in JSON result
technicalContactOrganization	Returns if it exists in JSON result
administrativeContactState	Returns if it exists in JSON result
zoneContactOrganization	Returns if it exists in JSON result
billingContactPostalCode	Returns if it exists in JSON result
zoneContactStreet	Returns if it exists in JSON result
zoneContactName	Returns if it exists in JSON result
registrantPostalCode	Returns if it exists in JSON result
billingContactTelephone	Returns if it exists in JSON result
emails	Returns if it exists in JSON result
registrantTelephone	Returns if it exists in JSON result
administrativeContactCountry	Returns if it exists in JSON result
technicalContactCity	Returns if it exists in JSON result
administrativeContactTelephone	Returns if it exists in JSON result
created	Returns if it exists in JSON result
registrarIANAID	Returns if it exists in JSON result
registrantStreet	Returns if it exists in JSON result
domainName	Returns if it exists in JSON result
technicalContactCountry	Returns if it exists in JSON result
billingContactStreet	Returns if it exists in JSON result
timeOfLatestRealtimeCheck	Returns if it exists in JSON result
zoneContactState	Returns if it exists in JSON result
registrantEmail	Returns if it exists in JSON result
administrativeContactFaxExt	Returns if it exists in JSON result
billingContactTelephoneExt	Returns if it exists in JSON result
zoneContactCountry	Returns if it exists in JSON result
zoneContactEmail	Returns if it exists in JSON result
zoneContactTelephoneExt	Returns if it exists in JSON result
technicalContactTelephone	Returns if it exists in JSON result
technicalContactStreet	Returns if it exists in JSON result
zoneContactTelephone	Returns if it exists in JSON result
hasRawText	Returns if it exists in JSON result

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

[{
   "EntityResult":
      {
        "billingContactState": null,
        "administrativeContactPostalCode": "89507",
        "zoneContactCity": null,
        "addresses": ["p.o. box 8102"],
        "registrantFaxExt": null,
        "registrantName": "Hostmaster, Amazon Legal Dept.",
        "auditUpdatedDate": "2019-01-08 12:03:30.000 UTC",
        "administrativeContactCity": "Reno",
        "administrativeContactEmail": "john_doe@example.com",
        "technicalContactFax": "12062667010",
        "billingContactOrganization": null,
        "billingContactEmail": null,
        "technicalContactPostalCode": "89507",
        "registrantOrganization": "Amazon Technologies, Inc.",
        "zoneContactPostalCode": null,
        "registrantState": "NV",
        "administrativeContactName": "Hostmaster, Amazon Legal Dept.",
        "billingContactFaxExt": null,
        "billingContactCity": null,
        "technicalContactEmail": "john_doe@example.com",
        "registrantCountry": "UNITED STATES",
        "technicalContactFaxExt": null,
        "administrativeContactStreet": ["p.o. box 8102"],
        "administrativeContactOrganization": "Amazon Technologies, Inc.",
        "billingContactCountry": null,
        "billingContactName": null,
        "registrarName": "MarkMonitor, Inc.",
        "technicalContactTelephoneExt": null,
        "administrativeContactFax": null,
        "zoneContactFax": null,
        "timestamp": null,
        "registrantCity": "Reno",
        "administrativeContactTelephoneExt": null,
        "status": [
                   "clientDeleteProhibited clientTransferProhibited clientUpdateProhibited serverDeleteProhibited serverTransferProhibited serverUpdateProhibited"],
        "updated": "2014-04-30",
        "expires": "2022-10-31",
        "whoisServers": "whois.markmonitor.com",
        "technicalContactName": "Hostmaster, Amazon Legal Dept.",
        "technicalContactState": "NV",
        "nameServers": [
                        "ns1.p31.dynect.net",
                        "Ns2.p31.dynect.net",
                        "Ns3.p31.dynect.net"
                       ],
        "zoneContactFaxExt": null,
        "recordExpired": false,
        "registrantFax": "12062667010",
        "registrantTelephoneExt": null,
        "billingContactFax": null,
        "technicalContactOrganization": "Amazon Technologies, Inc.",
        "administrativeContactState": "NV",
        "zoneContactOrganization": null,
        "billingContactPostalCode": null,
        "zoneContactStreet": [],
        "zoneContactName": null,
        "registrantPostalCode": "89507",
        "billingContactTelephone": null,
        "emails": ["hostmaster@example.com"],
        "registrantTelephone": "12062664064",
        "administrativeContactCountry": "UNITED STATES",
        "technicalContactCity": "Reno",
        "administrativeContactTelephone": "12062664064",
        "created": "1994-11-01",
        "registrarIANAID": "292",
        "registrantStreet": ["p.o. box 8102"],
        "domainName": "example.com",
        "technicalContactCountry": "UNITED STATES",
        "billingContactStreet": [],
        "timeOfLatestRealtimeCheck": 1547718689211,
        "zoneContactState": null,
        "registrantEmail": "john_doe@example.com",
        "administrativeContactFaxExt": null,
        "billingContactTelephoneExt": null,
        "zoneContactCountry": null,
        "zoneContactEmail": null,
        "zoneContactTelephoneExt": null,
        "technicalContactTelephone": "12062664064",
        "technicalContactStreet": ["p.o. box 8102"],
        "zoneContactTelephone": null,
        "hasRawText": true
     },
  "Entity": "example.com"
}]

Ping

Description

Test Connectivity.

Parameters

N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A