Cisco Umbrella Enforcement
Cisco Umbrella Enforcement Pack.#
This Integration is part of theAdd and remove domains in Cisco OpenDNS. This integration was integrated and tested with version 1.0 of Cisco Umbrella Enforcement. Supported Cortex XSOAR versions: 5.0.0 and later.
#
Configure Cisco Umbrella Enforcement in CortexParameter | Description | Required |
---|---|---|
url | Server URL (e.g., https://example.net\) | True |
api_key | API Key | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
umbrella-domain-event-addPosts a malware event to the API for processing and optionally adding to a customer's domain lists.
#
Base Commandumbrella-domain-event-add
#
InputArgument Name | Description | Required |
---|---|---|
alert_time | Alert time of the new event in datetime format, e.g., 2013-02-08T09:30:26.0Z. | Required |
device_id | Device ID of the new event. | Required |
destination_domain | Destination domain of the new event. | Required |
destination_url | Destination URL of the new event. | Required |
device_version | Device version for the new event. | Required |
destination_ip | The destination IP address of the domain, specified in IPv4 dotted-decimal notation e.g., '8.8.8.8'. | Optional |
event_severity | The partner threat level or rating, e.g., severe, bad, high, and so on. | Optional |
event_type | Common name or classification of the threat. | Optional |
event_description | Variant or other descriptor of the event type. | Optional |
file_name | Path to the file exhibiting malicious behavior. | Optional |
file_hash | SHA-1 of file reported by the appliance. | Optional |
source | IP/Host of the infected computer/device that was patient 0 for the event. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!umbrella-domain-event-add alert_time=2013-02-08T09:30:26.0Z device_id=ba6a58f4-e692-4724-ba36-c28132c761de destination_domain=test6.com device_version=13.7a destination_url=test6.com
#
Context Example#
Human Readable OutputNew event was added successfully, The Event id is 31bb0adb,8f27,4423,a081-3b5773260f87.
#
umbrella-domains-listList of domains.
#
Base Commandumbrella-domains-list
#
InputArgument Name | Description | Required |
---|---|---|
page | Number of page to return. Default is "1". | Optional |
limit | The maximum number of queries per page. Default is "50". Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
UmbrellaEnforcement.Domains.name | String | Name of the domains. |
UmbrellaEnforcement.Domains.id | Number | ID of the domains. |
UmbrellaEnforcement.Domains.IsDeleted | Boolean | True if the domain has been deleted from list. |
#
Command Example!umbrella-domains-list
#
Context Example#
Human Readable Output#
List of Domains
id name 3569571 test6.com 3790609 test7.com 3912159 test8.com 3912161 test9.com 54637170 badinterner4.com
#
umbrella-domain-deleteDelete domain.
#
Base Commandumbrella-domain-delete
#
InputArgument Name | Description | Required |
---|---|---|
id | ID of the domain. | Optional |
name | Name of the domain. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!umbrella-domain-delete name=test6.com
#
Context Example#
Human Readable Outputtest6.com domain was removed from block list