
Cisco Umbrella Enforcement

This Integration is part of the Cisco Umbrella Enforcement Pack.

Add and remove domains in Cisco OpenDNS. This integration was integrated and tested with version 1.0 of Cisco Umbrella Enforcement. Supported Cortex XSOAR versions: 5.0.0 and later.

Configure Cisco Umbrella Enforcement on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cisco Umbrella Enforcement.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | url | Server URL (e.g., https://example.net) | True |
    | api_key | API Key | True |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |

    Leave insecure unset unless you are deliberately routing through a TLS-inspecting proxy: with it set, the API key is sent to whatever answers at the configured URL, since the server's certificate is never checked.

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

umbrella-domain-event-add

Posts a malware event to the API for processing and optionally adding to a customer's domain lists.

Base Command

umbrella-domain-event-add

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_time | Alert time of the new event in datetime format, e.g., 2013-02-08T09:30:26.0Z. | Required |
| device_id | Device ID of the new event. | Required |
| destination_domain | Destination domain of the new event. | Required |
| destination_url | Destination URL of the new event. | Required |
| device_version | Device version for the new event. | Required |
| destination_ip | The destination IP address of the domain, specified in IPv4 dotted-decimal notation, e.g., '8.8.8.8'. | Optional |
| event_severity | The partner threat level or rating, e.g., severe, bad, high, and so on. | Optional |
| event_type | Common name or classification of the threat. | Optional |
| event_description | Variant or other descriptor of the event type. | Optional |
| file_name | Path to the file exhibiting malicious behavior. | Optional |
| file_hash | SHA-1 of the file reported by the appliance. | Optional |
| source | IP/host of the infected computer/device that was patient 0 for the event. | Optional |

Context Output

There is no context output for this command.

Command Example

```
!umbrella-domain-event-add alert_time=2013-02-08T09:30:26.0Z device_id=ba6a58f4-e692-4724-ba36-c28132c761de destination_domain=test6.com device_version=13.7a destination_url=test6.com
```

Context Example

```json
{}
```

Human Readable Output

New event was added successfully, The Event id is 31bb0adb,8f27,4423,a081-3b5773260f87.
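The following Python is an added example, not the integration's own code: it checks a set of command arguments against the Input table above (required arguments present, alert_time in the documented datetime form, destination_ip in IPv4 dotted-decimal notation, file_hash a SHA-1) and builds the JSON body an automation would post. The XSOAR argument names and which ones are required come from the table; the JSON field names (alertTime, dstDomain, ...) and the fixed protocolVersion and providerName fields are assumptions about the Umbrella Enforcement events API that this page does not state.

```python
import ipaddress
import re
from datetime import datetime

# Required arguments, taken from the Input table for umbrella-domain-event-add.
REQUIRED_ARGS = (
    "alert_time",
    "device_id",
    "destination_domain",
    "destination_url",
    "device_version",
)

# XSOAR argument name -> JSON field name in the event body.
# The JSON names are an assumption about the Umbrella Enforcement events API.
FIELD_MAP = {
    "alert_time": "alertTime",
    "device_id": "deviceId",
    "device_version": "deviceVersion",
    "destination_domain": "dstDomain",
    "destination_url": "dstUrl",
    "destination_ip": "dstIp",
    "event_severity": "eventSeverity",
    "event_type": "eventType",
    "event_description": "eventDescription",
    "file_name": "fileName",
    "file_hash": "fileHash",
    "source": "src",
}

# Fixed fields sent with every event; also an assumption about the API.
FIXED_FIELDS = {"protocolVersion": "1.0a", "providerName": "Security Platform"}

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# The page's example form (2013-02-08T09:30:26.0Z), plus the same without a fraction.
ALERT_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def parse_alert_time(value):
    """Return a datetime for a UTC timestamp in one of ALERT_TIME_FORMATS, else ValueError."""
    for fmt in ALERT_TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"alert_time {value!r} is not of the form 2013-02-08T09:30:26.0Z")


def build_event_payload(args):
    """Validate XSOAR command arguments and return the JSON body to POST."""
    missing = [a for a in REQUIRED_ARGS if not args.get(a)]
    if missing:
        raise ValueError("missing required argument(s): " + ", ".join(missing))
    unknown = sorted(set(args) - set(FIELD_MAP))
    if unknown:
        raise ValueError("unknown argument(s): " + ", ".join(unknown))

    parse_alert_time(args["alert_time"])
    if "destination_ip" in args:
        # IPv4Address raises AddressValueError (a ValueError) for anything that is
        # not dotted-decimal, e.g. an IPv6 literal or a hostname.
        ipaddress.IPv4Address(args["destination_ip"])
    if "file_hash" in args:
        file_hash = args["file_hash"].lower()
        if not SHA1_RE.match(file_hash):
            raise ValueError("file_hash must be a 40-hex-digit SHA-1 (not MD5 or SHA-256)")
        args = dict(args, file_hash=file_hash)

    body = dict(FIXED_FIELDS)
    for arg, field in FIELD_MAP.items():
        if arg in args:
            body[field] = args[arg]
    return body


if __name__ == "__main__":
    # Constructed input mirroring the Command Example above.
    example = {
        "alert_time": "2013-02-08T09:30:26.0Z",
        "device_id": "ba6a58f4-e692-4724-ba36-c28132c761de",
        "destination_domain": "test6.com",
        "device_version": "13.7a",
        "destination_url": "test6.com",
    }
    print(build_event_payload(example))
```

Rejecting the request locally is cheaper than learning from the API's error response that, for example, an MD5 was passed as file_hash or the timestamp lacked its Z suffix.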

umbrella-domains-list

Returns the domains on the customer's domain list, one page at a time.

Base Command

umbrella-domains-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Number of the page to return. Default is 1. | Optional |
| limit | Maximum number of domains per page. Default is 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| UmbrellaEnforcement.Domains.name | String | Domain name. |
| UmbrellaEnforcement.Domains.id | Number | Domain ID, as used by umbrella-domain-delete. |
| UmbrellaEnforcement.Domains.IsDeleted | Boolean | True if the domain has been deleted from the list. |

Command Example

```
!umbrella-domains-list
```

Context Example

```json
{
    "UmbrellaEnforcement": {
        "Domains": [
            {
                "IsDeleted": false,
                "id": 3569571,
                "name": "test6.com"
            },
            {
                "IsDeleted": false,
                "id": 3790609,
                "name": "test7.com"
            },
            {
                "IsDeleted": false,
                "id": 3912159,
                "name": "test8.com"
            },
            {
                "IsDeleted": false,
                "id": 3912161,
                "name": "test9.com"
            },
            {
                "IsDeleted": false,
                "id": 54637170,
                "name": "badinterner4.com"
            }
        ]
    }
}
```

Human Readable Output

List of Domains

| id | name |
| --- | --- |
| 3569571 | test6.com |
| 3790609 | test7.com |
| 3912159 | test8.com |
| 3912161 | test9.com |
| 54637170 | badinterner4.com |

umbrella-domain-delete

Deletes a domain from the customer's domain list, identified by ID or by name.

Base Command

umbrella-domain-delete

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | ID of the domain. | Optional |
| name | Name of the domain. | Optional |

Both arguments are optional individually, but one of them must be supplied; the ID is the value reported in UmbrellaEnforcement.Domains.id by umbrella-domains-list.

Context Output

There is no context output for this command.

Command Example

```
!umbrella-domain-delete name=test6.com
```

Context Example

```json
{}
```

Human Readable Output

test6.com domain was removed from blacklist
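The flow behind umbrella-domains-list and umbrella-domain-delete name=..., as an added Python example that is not the integration's own code: page through the list with page and limit, shape the entries like the UmbrellaEnforcement.Domains context documented above, resolve a name to its ID, and issue the delete. The sample domains are constructed from the Context Example above; the transport is a hypothetical in-memory stand-in rather than an HTTP client, and the paths it records (GET /1.0/domains?page=N&limit=M returning {"data": [...]}, DELETE /1.0/domains/{id}) and the rule that a page shorter than limit is the last one are assumptions about the Umbrella Enforcement API, not facts from this page.

```python
# Constructed sample data, copied from the umbrella-domains-list Context Example.
SAMPLE_DOMAINS = [
    {"id": 3569571, "name": "test6.com"},
    {"id": 3790609, "name": "test7.com"},
    {"id": 3912159, "name": "test8.com"},
    {"id": 3912161, "name": "test9.com"},
    {"id": 54637170, "name": "badinterner4.com"},
]


class FakeUmbrellaApi:
    """Hypothetical in-memory stand-in for the HTTP client (no network).

    The paths recorded in self.calls are an assumption about the Umbrella
    Enforcement API: GET /1.0/domains?page=N&limit=M returning
    {"data": [{"id": ..., "name": ...}, ...]} and DELETE /1.0/domains/{id}.
    """

    def __init__(self, domains):
        self.domains = [dict(d) for d in domains]
        self.calls = []

    def list_domains(self, page, limit):
        self.calls.append(("GET", f"/1.0/domains?page={page}&limit={limit}"))
        start = (page - 1) * limit
        return {"data": self.domains[start:start + limit]}

    def delete_domain(self, domain_id):
        self.calls.append(("DELETE", f"/1.0/domains/{domain_id}"))
        remaining = [d for d in self.domains if d["id"] != domain_id]
        if len(remaining) == len(self.domains):
            raise LookupError(f"no domain with id {domain_id}")
        self.domains = remaining


def to_context(entries):
    """Shape API entries like the UmbrellaEnforcement.Domains context documented above."""
    return [{"id": e["id"], "name": e["name"], "IsDeleted": False} for e in entries]


def list_all_domains(api, limit=50, max_pages=1000):
    """Walk page=1,2,... until a page comes back shorter than limit.

    Stopping on a short page is an assumption; the page documents only the
    page and limit arguments, not how the API signals the last page. The
    max_pages cap keeps a misbehaving server from turning this into a loop.
    """
    collected = []
    for page in range(1, max_pages + 1):
        entries = api.list_domains(page, limit)["data"]
        collected.extend(entries)
        if len(entries) < limit:
            return to_context(collected)
    raise RuntimeError(f"gave up after {max_pages} pages")


def resolve_domain_id(domains, name):
    """Map a domain name to its list id; refuse absent or ambiguous names."""
    wanted = name.strip().lower().rstrip(".")
    matches = [d["id"] for d in domains if d["name"].lower().rstrip(".") == wanted]
    if not matches:
        raise LookupError(f"{name} is not on the domain list")
    if len(matches) > 1:
        raise ValueError(f"{name} matches {len(matches)} entries; delete by id instead")
    return matches[0]


def delete_domain(api, domain_id=None, name=None):
    """umbrella-domain-delete: require id or name, resolve the name, then DELETE by id."""
    if domain_id is None and name is None:
        raise ValueError("umbrella-domain-delete needs either id or name")
    if domain_id is None:
        domain_id = resolve_domain_id(list_all_domains(api), name)
    api.delete_domain(int(domain_id))
    return int(domain_id)


if __name__ == "__main__":
    api = FakeUmbrellaApi(SAMPLE_DOMAINS)
    print(len(list_all_domains(api, limit=2)), "domains listed over", len(api.calls), "pages")
    print("deleted id", delete_domain(api, name="test6.com"))
    print("last call:", api.calls[-1])
```

Deleting by name is a two-step operation (list, then delete by the resolved ID), so a name that matches nothing or matches more than one entry is surfaced as an error rather than silently deleting the wrong row or nothing at all.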