Cisco Umbrella Investigate
This integration is part of the Cisco Umbrella Investigate Pack.

Cisco Umbrella Investigate enables you to research domains, IPs, and URLs observed by the Umbrella resolvers. This integration was integrated and tested with version 2.0.0 of Cisco Umbrella Investigate.

Configure Cisco Umbrella Investigate in Cortex

Parameter | Description | Required |
---|---|---|
API Key | API key and Secret | True |
API Secret | | True |
Source Reliability | | True |
Trust any certificate (not secure) | | |
Use system proxy settings | | |
Base URL | Cisco Umbrella Investigate base URL. | True |
DBot Score Suspicious Threshold (-100 to 100) | Make sure the suspicious threshold is greater than the Malicious threshold. | True |
Score Malicious Threshold (-100 to 100) | Make sure the Malicious threshold is less than the suspicious threshold. | True |
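
The two threshold parameters share one -100 to 100 scale; assuming, as the SecureRank scale on this page does, that lower scores are worse, the malicious cut-off has to sit below the suspicious one. The following added example (not the integration's own code) validates a threshold pair and shows what a swapped pair does to the verdict bands; the function names and the at-or-below comparison are assumptions, and 0 to 3 are the standard Cortex XSOAR DBot Score values.

```python
# Added example: threshold sanity check and score-to-verdict mapping (assumed logic).
from __future__ import annotations

# DBot Score values used by Cortex XSOAR.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3


def validate_thresholds(suspicious: int, malicious: int) -> list[str]:
    """Return a list of configuration problems; an empty list means the pair is usable."""
    problems = []
    for name, value in (("suspicious", suspicious), ("malicious", malicious)):
        if not -100 <= value <= 100:
            problems.append(f"{name} threshold {value} is outside -100..100")
    if suspicious <= malicious:
        problems.append(
            f"suspicious threshold ({suspicious}) must be greater than "
            f"malicious threshold ({malicious})"
        )
    return problems


def verdict(score, suspicious: int, malicious: int) -> int:
    """Map a score on the -100 (worst) to 100 (best) scale to a DBot Score.

    Assumption: a score at or below a threshold falls into that band.
    """
    if score is None:
        return UNKNOWN
    if score <= malicious:
        return BAD
    if score <= suspicious:
        return SUSPICIOUS
    return GOOD


def band_sizes(suspicious: int, malicious: int) -> dict[int, int]:
    """Count how many integer scores in -100..100 land in each verdict."""
    counts = {GOOD: 0, SUSPICIOUS: 0, BAD: 0}
    for score in range(-100, 101):
        counts[verdict(score, suspicious, malicious)] += 1
    return counts


if __name__ == "__main__":
    # Correct ordering: every band is reachable.
    print(validate_thresholds(0, -50), band_sizes(0, -50))
    # Swapped pair: the suspicious band is empty, so nothing is ever flagged as suspicious.
    print(validate_thresholds(-50, 0), band_sizes(-50, 0))
```

With a swapped pair the suspicious band contains no scores at all, so every domain is reported as either good or bad and the intermediate verdict silently disappears.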

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

umbrella-domain-categorization

Get the status, security, and content categories for the domain.

Base Command

umbrella-domain-categorization

Input

Argument Name | Description | Required |
---|---|---|
domain | The name of the domain. For example: cnn.com. | Required |
show_label | Whether to display the security and content category labels in the response. Possible values are: true, false. Default is true. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Domain.Name | String | The name of the domain. |
Domain.SecurityCategories | Unknown | The Umbrella security categories that match this domain. |
Domain.ContentCategories | Unknown | The Umbrella content categories that match this domain. |
DBotScore.Indicator | String | The name of the domain. |
DBotScore.Vendor | String | The vendor reporting the score of the indicator. |
DBotScore.Type | String | The type of the indicator. |
DBotScore.Score | Number | The domain score. |
DBotScore.Reliability | String | The reliability of the source providing the intelligence data. |

Command example

!umbrella-domain-categorization domain=cisco.com

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-domain-search

Search for newly seen domains that match a regular expression pattern.

Base Command

umbrella-domain-search

Input

Argument Name | Description | Required |
---|---|---|
regex | A standard regular expression pattern search. For example: exa[a-z]ple.com. | Required |
start | Filter for data that appears after this time (within the last 30 days). You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. Default is 1 week ago. | Optional |
stop | Filter for data that appears before this time (within the last 30 days). You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. Default is now. | Optional |
include_category | Whether to retrieve security categories in the response. Possible values are: true, false. | Optional |
type | Filter with the search database node type. Possible values are: URL, IP, HOST. | Optional |
page | The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0. Default is 0. | Optional |
page_size | The optional size of the page to retrieve. Must be an integer greater than 0 and less than or equal to 1000. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Domain.Name | String | The name of the query. |
Domain.FirstSeen | String | The first time Umbrella related the domain for the resource record, specified in Unix epoch time. |
Domain.FirstSeenISO | String | The first time Umbrella related the domain for the resource record, specified in ISO date and time format. |
Domain.SecurityCategories | Unknown | The list of Umbrella security categories that match the domain. |

Command example

!umbrella-domain-search regex=exa[a-z]ple.com limit=1

Human Readable Output

Metrics reported successfully.

umbrella-domain-co-occurrences

List the co-occurrences for the specified domain. A co-occurrence is when two or more domains are accessed by the same users within a small window of time. Co-occurring domains are not necessarily problematic; legitimate sites co-occur with each other as a part of normal web activity. However, unusual or suspicious co-occurrences can provide additional information regarding attacks. To determine co-occurrences for a domain, a small time window of traffic across all of our datacenters is taken. Umbrella Investigate checks the sites that end users visited before and after the domain was requested in the API call.

Base Command

umbrella-domain-co-occurrences

Input

Argument Name | Description | Required |
---|---|---|
domain | A domain name. For example: cnn.com. | Required |

Context Output

Path | Type | Description |
---|---|---|
Domain.Name | String | The name of the domain. |
Domain.CoOccurrences.Name | String | The name of the co-occurrence domain. |
Domain.CoOccurrences.Score | Number | The score of the co-occurrence domain. |

Command example

!umbrella-domain-co-occurrences domain=cisco.com

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-domain-related

List domain names that are frequently requested around the same time (up to 60 seconds before or after) as the given domain name, but that are not frequently associated with other domain names.

Base Command

umbrella-domain-related

Input

Argument Name | Description | Required |
---|---|---|
domain | The domain name. For example: cnn.com. | Required |

Context Output

Path | Type | Description |
---|---|---|
Domain.Name | String | The name of the domain. |
Domain.Related.Name | String | A related domain name. |
Domain.Related.Score | Number | The number of client IP requests to the site around the same time that the site is looked up. |

Command example

!umbrella-domain-related domain=cisco.com

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-domain-security

Get multiple scores or security features for a domain. You can use the scores or security features to determine relevant data points and build insights on the reputation or security risk posed by the site.

Base Command

umbrella-domain-security

Input

Argument Name | Description | Required |
---|---|---|
domain | The domain name. For example: cnn.com. | Required |

Context Output

Path | Type | Description |
---|---|---|
Domain.Name | String | The name of the domain. |
Domain.Security.DGA | Number | A domain generation algorithm (DGA) is used by malware to generate large lists of domain names. This score is created based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains that have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign). |
Domain.Security.Perplexity | Number | A second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is used in conjunction with DGA. |
Domain.Security.Entropy | Number | The number of bits required to encode the domain name as a score. This score is used in conjunction with DGA and Perplexity. |
Domain.Security.SecureRank | Number | The suspicious rank for a domain, based on the lookup behavior of client IPs for the domain. Secure rank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign). |
Domain.Security.PageRank | Number | A popularity score according to Google's PageRank algorithm. |
Domain.Security.ASNScore | Number | The ASN reputation score ranges from -100 to 0 where -100 is very suspicious. |
Domain.Security.PrefixScore | Number | The prefix ranks domains given their IP prefixes (an IP prefix is the first three octets in an IP address) and the reputation score of these prefixes. The scores range from -100 to 0 where -100 is very suspicious. |
Domain.Security.RipScore | Number | The RIP ranks domains given their IP addresses and the reputation score of these IP addresses. The scores range from -100 to 0 where -100 is very suspicious. |
Domain.Security.Popularity | Number | The number of unique client IPs visiting this site, relative to all requests to all sites. A score of how many different (unique) client IPs requested this domain compared to others. |
Domain.Security.GeoScore | Number | A score that represents how far the different physical locations serving this name are from each other. |
Domain.Security.KolmoorovSmirnov | Number | A number that represents the Kolmogorov-Smirnov test on geo diversity. Zero indicates that the client traffic matches what is expected for this top-level domain. |
Domain.Security.AttackName | String | The name of any known attacks associated with this domain. |
Domain.Security.ThreatType | String | The type of the known attack, such as botnet or APT. |
Domain.tld_geodiversity | Unknown | The list of scores that represent the top-level domain country code geo diversity as a percentage of clients visiting the domain. |
Domain.GeodiversityNormalized.score | Number | Score that represents the amount of queries for clients visiting the domain (by country). |
Domain.GeodiversityNormalized.country_code | String | Country code for the score. |
Domain.Geodiversity.score | Number | Score that represents the amount of queries for clients visiting the domain (by country). |
Domain.Geodiversity.country_code | String | Country code for the score. |
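
The score ranges documented in the table above can be turned into a small triage routine. The following added example (not part of the integration) checks a `Domain` context entry against those ranges, flags low reputation scores, and computes a local Shannon entropy for the first label of the domain name; the cut-off values, function names and sample entries are assumptions constructed for illustration, and the local entropy estimate may differ from how Umbrella calculates `Domain.Security.Entropy`.

```python
# Added example: triage of umbrella-domain-security context output (constructed data).
from __future__ import annotations

import math
from collections import Counter

# Ranges as documented in the context output table: (low, high).
DOCUMENTED_RANGES = {
    "DGA": (-100, 0),
    "Perplexity": (0, 100),
    "SecureRank": (-100, 100),
    "ASNScore": (-100, 0),
    "PrefixScore": (-100, 0),
    "RipScore": (-100, 0),
}

# Analyst-chosen cut-offs (assumptions, not vendor guidance): flag values at or below.
CUTOFFS = {"DGA": -50, "SecureRank": -50, "ASNScore": -50, "PrefixScore": -50, "RipScore": -50}
ENTROPY_CUTOFF = 3.5  # bits per character, assumption


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (local estimate)."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def out_of_range(security: dict) -> list[str]:
    """Fields whose values fall outside the documented range (parsing or mapping error)."""
    bad = []
    for field, (low, high) in DOCUMENTED_RANGES.items():
        value = security.get(field)
        if value is not None and not low <= value <= high:
            bad.append(field)
    return bad


def triage(entry: dict) -> list[str]:
    """Return reasons why a Domain context entry deserves a closer look."""
    security = entry.get("Security") or {}
    invalid = out_of_range(security)
    reasons = [f"{field} outside documented range" for field in invalid]
    for field, cutoff in CUTOFFS.items():
        value = security.get(field)
        # Values outside the documented range are reported once, not scored.
        if field not in invalid and value is not None and value <= cutoff:
            reasons.append(f"{field}={value} at or below {cutoff}")
    if security.get("AttackName") or security.get("ThreatType"):
        reasons.append("tagged with a known attack or threat type")
    label = str(entry.get("Name", "")).split(".")[0]
    bits = shannon_entropy(label)
    if bits >= ENTROPY_CUTOFF:
        reasons.append(f"label entropy {bits:.2f} bits/char at or above {ENTROPY_CUTOFF}")
    return reasons


# Constructed sample entries shaped like the Domain context output.
SAMPLE_RANDOM_LOOKING = {
    "Name": "xkq7vz2m9plw4t.example",
    "Security": {"DGA": -85, "Perplexity": 72, "Entropy": 3.8, "SecureRank": -70,
                 "ASNScore": -10, "PrefixScore": -60, "RipScore": 0,
                 "AttackName": "", "ThreatType": ""},
}
SAMPLE_BENIGN = {
    "Name": "cisco.com",
    "Security": {"DGA": 0, "Perplexity": 10, "SecureRank": 90,
                 "ASNScore": -1, "PrefixScore": 0, "RipScore": 0},
}
SAMPLE_MISMAPPED = {"Name": "cisco.com", "Security": {"DGA": 40, "SecureRank": 90}}

if __name__ == "__main__":
    for sample in (SAMPLE_RANDOM_LOOKING, SAMPLE_BENIGN, SAMPLE_MISMAPPED):
        print(sample["Name"], triage(sample))
```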

Command example

!umbrella-domain-security domain=cisco.com

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-get-domain-risk-score

Get the domain risk score. The Umbrella Investigate Risk Score is based on an analysis of the lexical characteristics of the domain name, patterns in queries and requests to the domain. The risk score is scaled from 0 to 100 where 100 is the highest risk and 0 represents no risk at all.

Base Command

umbrella-get-domain-risk-score

Input

Argument Name | Description | Required |
---|---|---|
domain | A domain name. For example: cnn.com. | Required |

Context Output

Path | Type | Description |
---|---|---|
Domain.Name | String | The name of the domain. |
Umbrella.Domain.name | String | The name of the domain. |
Umbrella.Domain.risk_score | Number | The indicator risk score. |
Umbrella.Domain.Indicator.score | Number | The raw outcome score from the statistical algorithms. |
Umbrella.Domain.Indicator.normalized_score | Number | Normalized risk score. The risk score is scaled from 0 to 100 where 100 is the highest risk and 0 represents no risk at all. |
Umbrella.Domain.Indicator.indicator_id | String | The indicator ID. Each is a behavioral or lexical feature that contributes to the calculation of the risk score. |
Umbrella.Domain.Indicator.indicator | String | The name of the indicator. |
DBotScore.Indicator | String | The name of the domain. |
DBotScore.Vendor | String | The vendor reporting the score of the indicator. |
DBotScore.Type | String | The indicator type. |
DBotScore.Score | Number | The domain score. |
DBotScore.Reliability | String | The reliability of the source providing the intelligence data. |

Command example

!umbrella-get-domain-risk-score domain=cisco.com

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-list-resource-record

List the Resource Record (RR) data for DNS responses, and categorization data, where the answer (or rdata) is the inserted value or list historical data from the Umbrella resolvers for domains, IPs, and other resource records (by using the type name).

Base Command

umbrella-list-resource-record

Input

Argument Name | Description | Required |
---|---|---|
type | The type of the inserted value. Possible values are: IP, Domain, Raw, Name. | Required |
value | The text representation of the data. For example, when type is raw - %22abc%22. When type is IP - 8.8.8.8. When type is Domain - cisco.com. When type is Name - test. | Required |
sort_order | Sort records by ascending (asc) or descending (desc) order. Possible values are: asc, desc. Default is desc. | Optional |
sort_by | Sort records by one of the following fields. Possible values are: Min Ttl, Max Ttl, First Seen, Last Seen. | Optional |
record_type | Comma-separated list of types of records. For example: A,Cname. Possible values are: A, Cname, Ns, Mx. | Optional |
include_features | Whether to add the feature sections to the response. If set to true, the response will contain additional information about the IP address, such as record counts and diversity metrics. Possible values are: true, false. | Optional |
min_first_seen | Select records that are first seen after the inserted value. You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. | Optional |
max_first_seen | Select records that are first seen before the inserted value. You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. | Optional |
min_last_seen | Select records that were last seen after the inserted value. You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. | Optional |
max_last_seen | Select records that were last seen before the inserted value. You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. | Optional |
sort_categories | Comma-separated list of security categories to sort the results. For example, Mobile Threats,Malware. Possible values are: All, Drive-by Downloads/Exploits, Mobile Threats, Dynamic DNS, High Risk Sites and Locations, Command and Control, Malware, Phishing, Newly Seen Domains, Potentially Harmful, DNS Tunneling VPN, Cryptomining. | Optional |
required_categories | Comma-separated list of security categories to filter for records that are assigned the specified categories. For example, Malware,Phishing. Possible values are: Drive-by Downloads/Exploits, Mobile Threats, Dynamic DNS, High Risk Sites and Locations, Command and Control, Malware, Phishing, Newly Seen Domains, Potentially Harmful, DNS Tunneling VPN, Cryptomining. | Optional |
page | The optional 0 based index of the page to retrieve. Must be an integer greater than or equal to 0. Default is 0. | Optional |
page_size | The optional size of the page to retrieve. Must be an integer greater than 0 and less than or equal to 1000. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Umbrella.ResourceRecord.value | String | The text representation of the data. |
Umbrella.ResourceRecord.last_seen_iso | Date | The last time Umbrella related the domain for the resource record, specified in ISO date and time format. |
Umbrella.ResourceRecord.first_seen_iso | Date | The first time Umbrella related the domain for the resource record, specified in ISO date and time format. |
Umbrella.ResourceRecord.content_categories | Unknown | The Umbrella content categories. |
Umbrella.ResourceRecord.security_categories | Unknown | The Umbrella security categories. |
Umbrella.ResourceRecord.type | String | The DNS record type. |
Umbrella.ResourceRecord.name | String | The name of the query. |
Umbrella.ResourceRecord.rr | String | The resource records, if any, that match the domain. |
Umbrella.ResourceRecord.last_seen | Number | The last time Umbrella related the domain for the resource record, specified in Unix epoch time. |
Umbrella.ResourceRecord.first_seen | Number | The first time Umbrella related the domain for the resource record, specified in Unix epoch time. |
Umbrella.ResourceRecord.max_ttl | Number | The maximum TTL for the record in seconds. |
Umbrella.ResourceRecord.min_ttl | Number | The minimum TTL for the record in seconds. |

Command example

!umbrella-list-resource-record value=cisco.com type=Name limit=1

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-list-domain-subdomain

List sub-domains of a given domain.

Base Command

umbrella-list-domain-subdomain

Input

Argument Name | Description | Required |
---|---|---|
domain | A domain name. For example: cnn.com. | Required |
offset_name | Specify the subdomain to filter the collection. For example api.cisco.com when domain is cisco.com. The default value is the target domain. | Optional |
all_results | Whether to retrieve all results by overriding the default limit. Possible values are: true, false. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Umbrella.Domain.name | String | The name of the domain. |
Umbrella.Domain.SubDomain.name | String | The name of the sub-domain. |
Umbrella.Domain.SubDomain.first_seen | String | The first time Umbrella related the domain for the resource record, specified in Unix epoch time. |
Umbrella.Domain.SubDomain.security_categories | Unknown | The list of security categories that are tagged on this sub-domain. |

Command example

!umbrella-list-domain-subdomain domain=cisco.com limit=1

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-get-ip-bgp

Get data about ASN and IP relationships, showing how IP addresses are related to each other and to the regional registries. You can find out more about the IP space associated with an AS and correlate BGP routing information between AS.

Base Command

umbrella-get-ip-bgp

Input

Argument Name | Description | Required |
---|---|---|
ip | The IPv4 address for which to obtain the AS information. For example: 1.2.3.4. | Required |

Context Output

Path | Type | Description |
---|---|---|
Umbrella.BGPInformation.ip | String | The IP address. |
Umbrella.BGPInformation.creation_date | String | The date when the AS was first created. |
Umbrella.BGPInformation.ir | Number | The IR number corresponds to one of the 5 Regional Internet Registries (RIR). 1 - AfriNIC: Africa. 2 - APNIC: Asia, Australia, New Zealand, and neighboring countries. 3 - ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica. 4 - LACNIC: Latin America and parts of the Caribbean region. 5 - RIPE NCC: Europe, Russia, the Middle East, and Central Asia. 0 - Unknown / Not Available. |
Umbrella.BGPInformation.description | String | Network owner description as provided by the network owner. |
Umbrella.BGPInformation.asn | String | The autonomous system number (ASN) associated with the IP address. |
Umbrella.BGPInformation.cidr | String | The IP CIDR for the ASN. |

Command example

!umbrella-get-ip-bgp ip=8.8.8.8

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-get-asn-bgp

Get BGP Route Information for ASN. Each hash reference contains two keys: geo and cidr. Geo is a hash reference with the country name and country code (the code corresponds to the country code list for ISO-3166-1 alpha-2). CIDR contains the IP prefix for this ASN.

Base Command

umbrella-get-asn-bgp

Input

Argument Name | Description | Required |
---|---|---|
asn | Autonomous System Number (ASN) for the AS. For example: 4134. | Required |

Context Output

Path | Type | Description |
---|---|---|
Umbrella.BGPInformation.asn | String | The ASN. |
Umbrella.BGPInformation.cidr | String | A list of the CIDR range of IP addresses associated with this AS. The CIDR contains the IP prefix for the ASN. |
Umbrella.BGPInformation.Geo.country_name | Number | The country name of the geolocation. |
Umbrella.BGPInformation.Geo.country_code | String | The country code of the geolocation. |

Command example

!umbrella-get-asn-bgp asn=3356

Context Example

Human Readable Output

Metrics reported successfully.

domain

Get the WHOIS information for the specified domains.

Base Command

domain

Input

Argument Name | Description | Required |
---|---|---|
domain | A domain name. For example: cnn.com. | Required |

Context Output

Path | Type | Description |
---|---|---|
Domain.Name | String | The domain name. |
Domain.Umbrella.RiskScore | String | Suspicious rank for a domain that has reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign). |
Domain.Umbrella.SecureRank | String | Suspicious rank for a domain that has reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign). |
Domain.Umbrella.FirstQueriedTime | String | The time when the attribution for this domain was made. |
DBotScore.Indicator | String | The Indicator name. |
DBotScore.Score | String | The DBot score. |
DBotScore.Type | String | The domain type. |
DBotScore.Vendor | String | The DBot score vendor. |
Domain.Umbrella.ContentCategories | String | The Umbrella content category or categories that match this domain. If none of them match, the return will be blank. |
Domain.Umbrella.MalwareCategories | String | string |
Domain.Malicious.Vendor | String | string |
Domain.Malicious.Description | String | string |
Domain.Admin.Country | String | string |
Domain.Admin.Email | String | string |
Domain.Admin.Name | String | string |
Domain.Admin.Phone | String | string |
Domain.Registrant.Country | String | string |
Domain.Registrant.Email | String | string |
Domain.Registrant.Name | String | string |
Domain.Registrant.Phone | String | string |
Domain.CreationDate | String | date |
Domain.DomainStatus | String | string |
Domain.UpdatedDate | String | date |
Domain.ExpirationDate | String | date |
Domain.Registrar.Name | String | string |

Command example

!domain domain=cisco.com

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-get-whois-for-domain

Get the WHOIS information for the specified domains. You can search by multiple email addresses or multiple nameservers.

Base Command

umbrella-get-whois-for-domain

Input

Argument Name | Description | Required |
---|---|---|
domain | A domain name. For example: cnn.com. | Required |

Context Output

Path | Type | Description |
---|---|---|
Umbrella.WHOIS.name | String | The domain name. |
Umbrella.WHOIS.Domain | String | The domain name. |
Umbrella.WHOIS.Data.RegistrarName | String | The domain registrar name. |
Umbrella.WHOIS.Data.LastRetrieved | String | The domain last retrieved date. |
Umbrella.WHOIS.Data.Created | String | The domain created date. |
Umbrella.WHOIS.Data.Updated | String | The domain updated date. |
Umbrella.WHOIS.Data.Expires | String | The domain expiry date. |
Umbrella.WHOIS.Data.IANAID | String | The registrar IANA ID. |
Umbrella.WHOIS.Data.LastObserved | String | The domain last observed time. |
Umbrella.WHOIS.Data.Nameservers.Name | String | The domain’s name servers. |
Umbrella.WHOIS.Data.Emails.Name | String | The domain’s email. |
Domain.Admin.Country | String | The country of the domain administrator. |
Domain.name | String | The domain name. |
Domain.CreationDate | String | The date on which the domain was created. |
Domain.UpdatedDate | String | The date on which the domain was last updated. |
Domain.ExpirationDate | String | The expiration date of the domain. |
Domain.WHOIS.Admin.Email | String | The email address of the domain administrator. |
Domain.WHOIS.Admin.Name | String | The name of the domain administrator. |
Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator. |
Domain.WHOIS.Registrant.Country | String | The country of the registrant. |
Domain.WHOIS.Registrant.Email | String | The email address of the registrant. |
Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
Domain.WHOIS.Registrant.Phone | String | The phone number of the registrant. |
Domain.WHOIS.DomainStatus | String | The status of the domain. |
Domain.WHOIS.Registrar.Name | String | The name of the registrar. |
Domain.Admin.Email | String | The email address of the domain administrator. |
Domain.Admin.Name | String | The name of the domain administrator. |
Domain.Admin.Phone | String | The phone number of the domain administrator. |
Domain.Registrant.Country | String | The country of the registrant. |
Domain.Registrant.Email | String | The email address of the registrant. |
Domain.Registrant.Name | String | The name of the registrant. |
Domain.Registrant.Phone | String | The phone number of the registrant. |
Domain.DomainStatus | String | The status of the domain. |
Domain.Registrar.Name | String | The name of the registrar. |

Command example

!umbrella-get-whois-for-domain domain=cisco.com limit=1

Context Example

Human Readable Output

Metrics reported successfully.

umbrella-get-domain-whois-history

Get a WHOIS response record for a single domain with available historical WHOIS data returned in an object. The information displayed varies by registrant.

Base Command

umbrella-get-domain-whois-history

Input

Argument Name | Description | Required |
---|---|---|
domain | A domain name. For example: cnn.com. | Required |
limit | The maximum number of records to retrieve. Default is 50. | Optional |

Context Output

Path | Type | Description |
---|---|---|
Umbrella.WHOIS.name | String | The name of the domain. |
Umbrella.WHOIS.DomainHistory.addresses | String | Addresses related to the domain. |
Umbrella.WHOIS.DomainHistory.administrative_contact_city | String | City of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_country | String | Country of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_email | String | Email of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_fax | String | Fax number of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_fax_ext | String | Fax extension of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_name | String | Name of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_organization | String | Organization of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_postal_code | String | Postal code of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_state | String | State of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_street | String | Street address of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_telephone | String | Telephone number of the administrative contact. |
Umbrella.WHOIS.DomainHistory.administrative_contact_telephone_ext | String | Telephone extension of the administrative contact. |
Umbrella.WHOIS.DomainHistory.audit_updated_date | String | Audit update date. |
Umbrella.WHOIS.DomainHistory.billing_contact_city | String | City of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_country | String | Country of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_email | String | Email of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_fax | String | Fax number of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_fax_ext | String | Fax extension of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_name | String | Name of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_organization | String | Organization of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_postal_code | String | Postal code of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_state | String | State of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_street | String | Street address of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_telephone | String | Telephone number of the billing contact. |
Umbrella.WHOIS.DomainHistory.billing_contact_telephone_ext | String | Telephone extension of the billing contact. |
Umbrella.WHOIS.DomainHistory.created | String | The domain created date. |
Umbrella.WHOIS.DomainHistory.domain_name | String | The domain name. |
Umbrella.WHOIS.DomainHistory.emails | String | Emails associated with the domain. |
Umbrella.WHOIS.DomainHistory.expires | String | The domain expiry date. |
Umbrella.WHOIS.DomainHistory.has_raw_text | String | Indicates if there is raw text. |
Umbrella.WHOIS.DomainHistory.name_servers | String | The domain’s name servers. |
Umbrella.WHOIS.DomainHistory.record_expired | String | Record expired status. |
Umbrella.WHOIS.DomainHistory.registrant_city | String | City of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_country | String | Country of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_email | String | Email of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_fax | String | Fax number of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_fax_ext | String | Fax extension of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_name | String | Name of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_organization | String | Organization of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_postal_code | String | Postal code of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_state | String | State of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_street | String | Street address of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_telephone | String | Telephone number of the registrant. |
Umbrella.WHOIS.DomainHistory.registrant_telephone_ext | String | Telephone extension of the registrant. |
Umbrella.WHOIS.DomainHistory.registrar_ianad | String | Registrar IANA ID. |
Umbrella.WHOIS.DomainHistory.registrar_name | String | Name of the registrar. |
Umbrella.WHOIS.DomainHistory.status | String | Domain status. |
Umbrella.WHOIS.DomainHistory.technical_contact_city | String | City of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_country | String | Country of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_email | String | Email of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_fax | String | Fax number of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_fax_ext | String | Fax extension of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_name | String | Name of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_organization | String | Organization of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_postal_code | String | Postal code of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_state | String | State of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_street | String | Street address of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_telephone | String | Telephone number of the technical contact. |
Umbrella.WHOIS.DomainHistory.technical_contact_telephone_ext | String | Telephone extension of the technical contact. |
Umbrella.WHOIS.DomainHistory.time_of_latest_realtime_check | String | Time of the latest realtime check. |
Umbrella.WHOIS.DomainHistory.timestamp | String | Timestamp of the record. |
Umbrella.WHOIS.DomainHistory.updated | String | The domain updated date. |
Umbrella.WHOIS.DomainHistory.whois_servers | String | WHOIS servers associated with the domain. |
Umbrella.WHOIS.DomainHistory.zone_contact_city | String | City of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_country | String | Country of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_email | String | Email of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_fax | String | Fax number of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_fax_ext | String | Fax extension of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_name | String | Name of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_organization | String | Organization of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_postal_code | String | Postal code of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_state | String | State of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_street | String | Street address of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_telephone | String | Telephone number of the zone contact. |
Umbrella.WHOIS.DomainHistory.zone_contact_telephone_ext | String | Telephone extension of the zone contact. |
#
Command example!umbrella-get-domain-whois-history domain=cisco.com limit=1
#
Context Example#
Human Readable OutputMetrics reported successfully.
#
umbrella-get-nameserver-whoisGet WHOIS information for the nameserver. A nameserver can potentially register hundreds or thousands of domains.
#
Base Commandumbrella-get-nameserver-whois
#
InputArgument Name | Description | Required |
---|---|---|
nameserver | The nameserver's domain name or comma-separated list of nameservers. For example ns1.google.com or ns1.google.com,ns2.google.com. | Required |
sort | Sort the results by. Possible values are: Created, Updated, Expires, Domain name. | Optional |
page | The optional 0-based index of the page to retrieve. Must be an integer greater than or equal to 0. | Optional |
page_size | The optional size of the page to retrieve. Must be an integer greater than 0 and less than or equal to 1000. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Umbrella.WHOIS.Nameserver.name | String | The nameserver's domain name. |
Umbrella.WHOIS.Nameserver.Domain.current | Boolean | Whether the domain name is current. |
Umbrella.WHOIS.Nameserver.Domain.domain | String | The domain name. |
#
Command example!umbrella-get-nameserver-whois nameserver=nameserver1.com limit=1
#
Context Example#
Human Readable OutputMetrics reported successfully.
#
umbrella-get-email-whoisGet WHOIS information for the email address. Returns the email address or addresses of the registrar for the domain or domains. The results include the total number of results for domains registered by this email address and a list of the first 500 domains associated with this email.
#
Base Commandumbrella-get-email-whois
#
InputArgument Name | Description | Required |
---|---|---|
email | An email address that follows the RFC 5322 conventions. For example, test@test.com. | Required |
sort | Sort the results by. Possible values are: Created, Updated, Expires, Domain name. | Optional |
page | The optional 0-based index of the page to retrieve. Must be an integer greater than or equal to 0. Default is 0. | Optional |
page_size | The optional size of the page to retrieve. Must be an integer greater than 0 and less than or equal to 1000. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Umbrella.WHOIS.Email.name | String | The email name. |
Umbrella.WHOIS.Email.Domain.current | Boolean | Whether the domain name is current. |
Umbrella.WHOIS.Email.Domain.domain | String | The domain name. |
#
Command example!umbrella-get-email-whois email=test@test.com limit=1
#
Context Example#
Human Readable OutputMetrics reported successfully.
#
umbrella-get-regex-whoisPerforms a regular expression (RegEx) search on the WHOIS data (domain, nameserver, and email fields) that was updated or created in the specified time range. Returns a list of ten WHOIS records that match the specified RegEx expression.
#
Base Commandumbrella-get-regex-whois
#
InputArgument Name | Description | Required |
---|---|---|
regex | A standard regular expression pattern search. For example, exa[a-z]ple.com. | Required |
search_field | Specifies the field name to use in the RegEx search. Possible values are: Domain, Nameserver, Email. | Required |
start | Filter for data that appears after this time (within the last 30 days). You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. Default is 1 week ago. | Optional |
stop | Filter for data that appears before this time (within the last 30 days). You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. Default is now. | Optional |
sort | Sort the results by. Possible values are: Created, Updated, Expires, Domain name. Default is Updated. | Optional |
page | The optional 0-based index of the page to retrieve. Must be an integer greater than or equal to 0. Default is 0. | Optional |
page_size | The optional size of the page to retrieve. Must be an integer greater than 0 and less than or equal to 1000. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Umbrella.WHOIS.Regex.domain_name | String | The domain name. |
Umbrella.WHOIS.Regex.registrant_name | String | The domain registrar name. |
Umbrella.WHOIS.Regex.created | String | The domain created date. |
Umbrella.WHOIS.Regex.updated | String | The domain updated date. |
Umbrella.WHOIS.Regex.expires | String | The domain expiry date. |
Umbrella.WHOIS.Regex.registrar_ianad | String | Registrar IANA ID. |
Umbrella.WHOIS.Regex.name_servers | String | The domain’s name servers. |
Umbrella.WHOIS.Regex.emails | String | The domain’s email. |
Umbrella.WHOIS.Regex.administrative_contact_fax | String | Administrative contact fax number. |
Umbrella.WHOIS.Regex.whois_servers | String | WHOIS servers associated with the domain. |
Umbrella.WHOIS.Regex.addresses | String | Addresses related to the domain. |
Umbrella.WHOIS.Regex.administrative_contact_name | String | Name of the administrative contact. |
Umbrella.WHOIS.Regex.zone_contact_email | String | Zone contact email. |
Umbrella.WHOIS.Regex.billing_contact_fax | String | Billing contact fax number. |
Umbrella.WHOIS.Regex.administrative_contact_telephone_ext | String | Administrative contact telephone extension. |
Umbrella.WHOIS.Regex.administrative_contact_email | String | Administrative contact email. |
Umbrella.WHOIS.Regex.technical_contact_email | String | Technical contact email. |
Umbrella.WHOIS.Regex.technical_contact_fax | String | Technical contact fax number. |
Umbrella.WHOIS.Regex.zone_contact_name | String | Name of the zone contact. |
Umbrella.WHOIS.Regex.billing_contact_postal_code | String | Billing contact postal code. |
Umbrella.WHOIS.Regex.zone_contact_fax | String | Zone contact fax number. |
Umbrella.WHOIS.Regex.registrant_telephone_ext | String | Registrant telephone extension. |
Umbrella.WHOIS.Regex.zone_contact_fax_ext | String | Zone contact fax extension. |
Umbrella.WHOIS.Regex.technical_contact_telephone_ext | String | Technical contact telephone extension. |
Umbrella.WHOIS.Regex.billing_contact_city | String | Billing contact city. |
Umbrella.WHOIS.Regex.zone_contact_street | String | Street address of the zone contact. |
Umbrella.WHOIS.Regex.administrative_contact_city | String | City of the administrative contact. |
Umbrella.WHOIS.Regex.zone_contact_city | String | City of the zone contact. |
Umbrella.WHOIS.Regex.zone_contact_postal_code | String | Postal code of the zone contact. |
Umbrella.WHOIS.Regex.administrative_contact_fax_ext | String | Administrative contact fax extension. |
Umbrella.WHOIS.Regex.technical_contact_country | String | Country of the technical contact. |
Umbrella.WHOIS.Regex.administrative_contact_street | String | Street address of the administrative contact. |
Umbrella.WHOIS.Regex.status | String | Domain status. |
Umbrella.WHOIS.Regex.registrant_city | String | City of the registrant. |
Umbrella.WHOIS.Regex.billing_contact_country | String | Country of the billing contact. |
Umbrella.WHOIS.Regex.technical_contact_street | String | Street address of the technical contact. |
Umbrella.WHOIS.Regex.registrant_organization | String | Organization of the registrant. |
Umbrella.WHOIS.Regex.billing_contact_street | String | Street address of the billing contact. |
Umbrella.WHOIS.Regex.registrar_name | String | Name of the registrar. |
Umbrella.WHOIS.Regex.registrant_postal_code | String | Postal code of the registrant. |
Umbrella.WHOIS.Regex.zone_contact_telephone | String | Telephone number of the zone contact. |
Umbrella.WHOIS.Regex.registrant_email | String | Email of the registrant. |
Umbrella.WHOIS.Regex.technical_contact_fax_ext | String | Technical contact fax extension. |
Umbrella.WHOIS.Regex.technical_contact_organization | String | Organization of the technical contact. |
Umbrella.WHOIS.Regex.registrant_street | String | Street address of the registrant. |
Umbrella.WHOIS.Regex.technical_contact_telephone | String | Telephone number of the technical contact. |
Umbrella.WHOIS.Regex.technical_contact_state | String | State of the technical contact. |
Umbrella.WHOIS.Regex.technical_contact_city | String | City of the technical contact. |
Umbrella.WHOIS.Regex.registrant_fax | String | Fax number of the registrant. |
Umbrella.WHOIS.Regex.registrant_country | String | Country of the registrant. |
Umbrella.WHOIS.Regex.billing_contact_fax_ext | String | Billing contact fax extension. |
Umbrella.WHOIS.Regex.timestamp | String | Timestamp of the record. |
Umbrella.WHOIS.Regex.zone_contact_organization | String | Organization of the zone contact. |
Umbrella.WHOIS.Regex.administrative_contact_country | String | Country of the administrative contact. |
Umbrella.WHOIS.Regex.billing_contact_name | String | Name of the billing contact. |
Umbrella.WHOIS.Regex.registrant_state | String | State of the registrant. |
Umbrella.WHOIS.Regex.registrant_telephone | String | Telephone number of the registrant. |
Umbrella.WHOIS.Regex.administrative_contact_state | String | State of the administrative contact. |
Umbrella.WHOIS.Regex.registrant_fax_ext | String | Fax extension of the registrant. |
Umbrella.WHOIS.Regex.technical_contact_postal_code | String | Postal code of the technical contact. |
Umbrella.WHOIS.Regex.zone_contact_telephone_ext | String | Telephone extension of the zone contact. |
Umbrella.WHOIS.Regex.administrative_contact_organization | String | Organization of the administrative contact. |
Umbrella.WHOIS.Regex.billing_contact_telephone | String | Telephone number of the billing contact. |
Umbrella.WHOIS.Regex.billing_contact_telephone_ext | String | Telephone extension of the billing contact. |
Umbrella.WHOIS.Regex.zone_contact_state | String | State of the zone contact. |
Umbrella.WHOIS.Regex.administrative_contact_telephone | String | Telephone number of the administrative contact. |
Umbrella.WHOIS.Regex.billing_contact_organization | String | Organization of the billing contact. |
Umbrella.WHOIS.Regex.technical_contact_name | String | Name of the technical contact. |
Umbrella.WHOIS.Regex.administrative_contact_postal_code | String | Postal code of the administrative contact. |
Umbrella.WHOIS.Regex.zone_contact_country | String | Country of the zone contact. |
Umbrella.WHOIS.Regex.billing_contact_state | String | State of the billing contact. |
Umbrella.WHOIS.Regex.audit_updated_date | String | Audit update date. |
Umbrella.WHOIS.Regex.record_expired | String | Record expired status. |
Umbrella.WHOIS.Regex.time_of_latest_realtime_check | String | Time of the latest realtime check. |
Umbrella.WHOIS.Regex.has_raw_text | String | Indicates if there is raw text. |
#
Command example!umbrella-get-regex-whois search_field=Email regex=t[a-z]@test.com start="20 days ago"
#
Context Example#
Human Readable OutputMetrics reported successfully.
#
umbrella-get-top-most-seen-domainList the most seen domains in Umbrella. The popularity list contains Cisco Umbrella's most queried domains based on passive DNS usage across the Umbrella global network. The metric does not consist only of browser-based HTTP requests from users; it also takes into account the number of unique client IPs invoking this domain relative to the sum of all requests to all domains. The ranking reflects the domain's relative internet activity, agnostic to the invocation protocols and applications, whereas site ranking models (such as Alexa) focus on web activity over port 80 (primarily from browsers). In addition, the Umbrella popularity algorithm applies data normalization techniques to smooth potential biases that may occur due to sampling of DNS usage data.
#
Base Commandumbrella-get-top-most-seen-domain
#
InputArgument Name | Description | Required |
---|---|---|
all_results | Whether to retrieve all results by overriding the default limit. Possible values are: true, false. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Umbrella.MostSeenDomain.domain | str | A domain name. |
#
Command example!umbrella-get-top-most-seen-domain limit=1
#
Context Example#
Human Readable OutputMetrics reported successfully.
#
umbrella-get-domain-queryvolumeList the query volume for a domain over the last 30 days. If there is no information about the domain, Umbrella Investigate returns an empty array. As the query takes time to generate, the last two hours may be blank.
#
Base Commandumbrella-get-domain-queryvolume
#
InputArgument Name | Description | Required |
---|---|---|
domain | A domain name. | Required |
start | Filter for data that appears after this time (within the last 30 days). You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. Default is 1 week ago. | Optional |
stop | Filter for data that appears before this time (within the last 30 days). You can specify a verbal time or time in ISO 8601 format. For example, 2024-03-26T11:03:18Z or 1 day ago. Default is now. | Optional |
match | The type of the query volume for the domain. Possible values are: exact, component, all. Default is all. | Optional |
all_results | Whether to retrieve all results by overriding the default limit. Possible values are: true, false. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Umbrella.QueryVolume.name | Umbrella.QueryVolume.Domain | String |
Umbrella.QueryVolume.Domain | String | String |
Umbrella.QueryVolume.Data.StartDate | String | String |
Umbrella.QueryVolume.Data.StopDate | String | String |
Umbrella.QueryVolume.QueriesInfo.QueryHour | Umbrella.QueryVolume.Data.QueriesInfo.QueryHour | String |
Umbrella.QueryVolume.QueriesInfo.Queries | Umbrella.QueryVolume.Data.QueriesInfo.Queries | String |
#
Command example!umbrella-get-domain-queryvolume domain=cisco.com
#
Context Example#
Human Readable OutputMetrics reported successfully.
#
umbrella-get-domain-timelineList the historical tagging timeline for a given domain. Each timeline item includes lists of security category, attack, or threat type associated with the destination. Use the Tagging Timeline endpoint to verify when Umbrella assigned or removed a security category, attack, or threat type. If the current timeline item contains the security category, type of attack, or threat type not found in the previous timeline item, Umbrella updated the current timeline item. If the current timeline item does not contain the security category, attack, or threat type found in the previous timeline item, Umbrella removed the security category, type of attack, or threat type.
#
Base Commandumbrella-get-domain-timeline
#
InputArgument Name | Description | Required |
---|---|---|
domain | A domain. For example, cisco.com. | Required |
all_results | Whether to retrieve all results by overriding the default limit. Possible values are: true, false. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Umbrella.Timeline.Domain | String | An IP, a domain, or a URL. |
Umbrella.Timeline.Data.MalwareCategories | Unknown | The list of security categories assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.Attacks | Unknown | The list of threats assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.ThreatTypes | Unknown | The list of threat types assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.Timestamp | Number | The date and time of the tagging of the domain, IP, or URL. |
#
Command example!umbrella-get-domain-timeline domain=maliciouswebsitetest.com limit=1
#
Context Example#
Human Readable OutputMetrics reported successfully.
#
umbrella-get-url-timelineList the historical tagging timeline for a given URL. Each timeline item includes lists of security category, attack, or threat type associated with the destination. Use the Tagging Timeline endpoint to verify when Umbrella assigned or removed a security category, attack, or threat type. If the current timeline item contains the security category, type of attack, or threat type not found in the previous timeline item, Umbrella updated the current timeline item. If the current timeline item does not contain the security category, attack, or threat type found in the previous timeline item, Umbrella removed the security category, type of attack, or threat type.
#
Base Commandumbrella-get-url-timeline
#
InputArgument Name | Description | Required |
---|---|---|
url | A URL. For example, www.cisco.com. | Required |
all_results | Whether to retrieve all results by overriding the default limit. Possible values are: true, false. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Umbrella.Timeline.URL | String | A URL. |
Umbrella.Timeline.Data.MalwareCategories | Unknown | The list of security categories assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.Attacks | Unknown | The list of threats assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.ThreatTypes | Unknown | The list of threat types assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.Timestamp | Number | The date and time of the tagging of the domain, IP, or URL. |
#
Command example!umbrella-get-url-timeline url=www.maliciouswebsitetest.com limit=1
#
Context Example#
Human Readable OutputMetrics reported successfully.
#
umbrella-get-ip-timelineList the historical tagging timeline for a given IP address. Each timeline item includes lists of security category, attack, or threat type associated with the destination. Use the Tagging Timeline endpoint to verify when Umbrella assigned or removed a security category, attack, or threat type. If the current timeline item contains the security category, type of attack, or threat type not found in the previous timeline item, Umbrella updated the current timeline item. If the current timeline item does not contain the security category, attack, or threat type found in the previous timeline item, Umbrella removed the security category, type of attack, or threat type.
#
Base Commandumbrella-get-ip-timeline
#
InputArgument Name | Description | Required |
---|---|---|
ip | An IP address. For example, 8.8.8.8. | Required |
all_results | Whether to retrieve all results by overriding the default limit. Possible values are: true, false. | Optional |
limit | The maximum number of records to retrieve. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Umbrella.Timeline.IP | String | An IP address. For example, 8.8.8.8. |
Umbrella.Timeline.Data.MalwareCategories | Unknown | The list of security categories assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.Attacks | Unknown | The list of threats assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.ThreatTypes | Unknown | The list of threat types assigned at this date and time on the domain, IP, or URL. |
Umbrella.Timeline.Data.Timestamp | Number | The date and time of the tagging of the domain, IP, or URL. |
#
Command example!umbrella-get-ip-timeline ip=8.8.8.8 limit=1
#
Context Example#
Human Readable OutputMetrics reported successfully.
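The three timeline commands (domain, URL, IP) describe the same rule for reading a timeline: compare each item with the previous one to see which tags Umbrella assigned or removed. The following is an added example, not code from the integration; it applies that rule to a list shaped like `Umbrella.Timeline.Data`. The sample items, the tag values in them, and the treatment of `Timestamp` as an opaque sortable number are assumptions.

```python
TAG_FIELDS = ("MalwareCategories", "Attacks", "ThreatTypes")  # Umbrella.Timeline.Data.*


def _by_time(items):
    # The order in which items are returned is an assumption, so sort explicitly.
    return sorted(items, key=lambda item: item["Timestamp"])


def timeline_changes(items):
    """Per item (oldest first): tags added and removed versus the previous item.

    The oldest item is compared with an empty state, so all its tags count as added.
    """
    previous = {field: set() for field in TAG_FIELDS}
    changes = []
    for item in _by_time(items):
        # A missing or null list is treated as "no tags" rather than an error.
        current = {field: set(item.get(field) or []) for field in TAG_FIELDS}
        record = {"Timestamp": item["Timestamp"], "added": {}, "removed": {}}
        for field in TAG_FIELDS:
            added = current[field] - previous[field]
            removed = previous[field] - current[field]
            if added:
                record["added"][field] = sorted(added)
            if removed:
                record["removed"][field] = sorted(removed)
        changes.append(record)
        previous = current
    return changes


def tagged_intervals(items, field, tag):
    """(start, end) timestamp pairs during which `tag` was set in `field`.

    `end` is None when the newest item still carries the tag.
    """
    intervals, start = [], None
    for item in _by_time(items):
        present = tag in (item.get(field) or [])
        if present and start is None:
            start = item["Timestamp"]
        elif not present and start is not None:
            intervals.append((start, item["Timestamp"]))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


# Constructed sample: out of order on purpose, with one null list.
SAMPLE_TIMELINE = [
    {"Timestamp": 1700000300000, "MalwareCategories": [], "Attacks": None, "ThreatTypes": []},
    {"Timestamp": 1700000100000, "MalwareCategories": ["Malware"], "Attacks": [], "ThreatTypes": []},
    {"Timestamp": 1700000200000, "MalwareCategories": ["Malware", "Phishing"],
     "Attacks": ["ExampleKit"], "ThreatTypes": ["Dropper"]},
    {"Timestamp": 1700000400000, "MalwareCategories": ["Phishing"], "Attacks": [], "ThreatTypes": []},
]

if __name__ == "__main__":
    for change in timeline_changes(SAMPLE_TIMELINE):
        print(change)
    print(tagged_intervals(SAMPLE_TIMELINE, "MalwareCategories", "Phishing"))
```

The interval view is useful when correlating an alert time with whether the destination was tagged at that moment, since a tag can be removed and later assigned again.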