Cisco Umbrella Enforcement

Add and remove domains in Cisco OpenDNS. This integration was integrated and tested with version 1.0 of Cisco Umbrella Enforcement. Supported Cortex XSOAR versions: 5.0.0 and later.

Configure Cisco Umbrella Enforcement on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cisco Umbrella Enforcement.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | url | Server URL (e.g., https://example.net) | True |
    | api_key | API Key | True |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

umbrella-domain-event-add


Posts a malware event to the API for processing and optionally adding to a customer's domain lists.

Base Command

umbrella-domain-event-add

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_time | Alert time of the new event in datetime format, e.g., 2013-02-08T09:30:26.0Z. | Required |
| device_id | Device ID of the new event. | Required |
| destination_domain | Destination domain of the new event. | Required |
| destination_url | Destination URL of the new event. | Required |
| device_version | Device version for the new event. | Required |
| destination_ip | The destination IP address of the domain, specified in IPv4 dotted-decimal notation, e.g., 8.8.8.8. | Optional |
| event_severity | The partner threat level or rating, e.g., severe, bad, high, and so on. | Optional |
| event_type | Common name or classification of the threat. | Optional |
| event_description | Variant or other descriptor of the event type. | Optional |
| file_name | Path to the file exhibiting malicious behavior. | Optional |
| file_hash | SHA-1 of the file reported by the appliance. | Optional |
| source | IP address or hostname of the infected computer/device that was patient zero for the event. | Optional |
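The argument table above is easier to get right with a small validator in front of the API call: required arguments are checked before anything is sent, and the optional ones that have a documented shape (IPv4 dotted-decimal for destination_ip, SHA-1 for file_hash, a UTC timestamp for alert_time) are rejected early instead of producing an opaque API error. The following is an added example, not the integration's own code; the mapping from command arguments to JSON field names (alertTime, deviceId, dstDomain and so on) is an assumption about the Cisco Enforcement API and should be checked against the current API reference before use.

```python
"""Validate umbrella-domain-event-add arguments and build the event body.

Added example, not the integration's code. The API field names in REQUIRED and
OPTIONAL are assumed from the Cisco Enforcement API and must be verified.
"""

import ipaddress
import re
from datetime import datetime
from typing import Dict

# Command argument -> API field name (assumed mapping, see note above)
REQUIRED = {
    "alert_time": "alertTime",
    "device_id": "deviceId",
    "destination_domain": "dstDomain",
    "destination_url": "dstUrl",
    "device_version": "deviceVersion",
}
OPTIONAL = {
    "destination_ip": "dstIp",
    "event_severity": "eventSeverity",
    "event_type": "eventType",
    "event_description": "eventDescription",
    "file_name": "fileName",
    "file_hash": "fileHash",
    "source": "src",
}
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed from the command example on this page (no optional arguments)
SAMPLE_ARGS = {
    "alert_time": "2013-02-08T09:30:26.0Z",
    "device_id": "ba6a58f4-e692-4724-ba36-c28132c761de",
    "destination_domain": "test6.com",
    "device_version": "13.7a",
    "destination_url": "test6.com",
}


def parse_alert_time(value: str) -> str:
    """Accept the documented 2013-02-08T09:30:26.0Z form: UTC 'Z', optional fraction."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            datetime.strptime(value, fmt)
            return value
        except ValueError:
            continue
    raise ValueError(f"alert_time {value!r} is not an ISO 8601 UTC timestamp ending in Z")


def build_event(args: Dict[str, str]) -> Dict[str, str]:
    """Return the JSON body for the event, or raise ValueError on bad input."""
    missing = [k for k in REQUIRED if not args.get(k)]
    if missing:
        raise ValueError("missing required argument(s): " + ", ".join(missing))
    unknown = set(args) - set(REQUIRED) - set(OPTIONAL)
    if unknown:
        raise ValueError("unknown argument(s): " + ", ".join(sorted(unknown)))

    body = {REQUIRED[k]: args[k] for k in REQUIRED}
    body["alertTime"] = parse_alert_time(args["alert_time"])
    for k, field in OPTIONAL.items():
        if args.get(k):
            body[field] = args[k]

    # destination_ip must be IPv4 dotted-decimal; IPv4Address raises ValueError otherwise
    if "dstIp" in body:
        ipaddress.IPv4Address(body["dstIp"])
    # file_hash is documented as a SHA-1, i.e. 40 hex characters
    if "fileHash" in body and not SHA1_RE.match(body["fileHash"]):
        raise ValueError("file_hash must be a 40-hex-character SHA-1")
    return body


if __name__ == "__main__":
    print(build_event(SAMPLE_ARGS))
```

Because the check runs before the HTTP request, a playbook that feeds a malformed timestamp or an IPv6 address into the command fails at the argument stage with a message naming the offending field, rather than after a round trip to the API.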

Context Output

There is no context output for this command.

Command Example

!umbrella-domain-event-add alert_time=2013-02-08T09:30:26.0Z device_id=ba6a58f4-e692-4724-ba36-c28132c761de destination_domain=test6.com device_version=13.7a destination_url=test6.com

Context Example

{}

Human Readable Output

New event was added successfully, The Event id is 31bb0adb,8f27,4423,a081-3b5773260f87.

umbrella-domains-list


Returns the list of domains in the customer's domain list.

Base Command

umbrella-domains-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Number of the page to return. Default is 1. | Optional |
| limit | The maximum number of results per page. Default is 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| UmbrellaEnforcement.Domains.name | String | Name of the domain. |
| UmbrellaEnforcement.Domains.id | Number | ID of the domain. |
| UmbrellaEnforcement.Domains.IsDeleted | Boolean | True if the domain has been deleted from the list. |

Command Example

!umbrella-domains-list

Context Example

{
  "UmbrellaEnforcement": {
    "Domains": [
      {
        "IsDeleted": false,
        "id": 3569571,
        "name": "test6.com"
      },
      {
        "IsDeleted": false,
        "id": 3790609,
        "name": "test7.com"
      },
      {
        "IsDeleted": false,
        "id": 3912159,
        "name": "test8.com"
      },
      {
        "IsDeleted": false,
        "id": 3912161,
        "name": "test9.com"
      },
      {
        "IsDeleted": false,
        "id": 54637170,
        "name": "badinterner4.com"
      }
    ]
  }
}

Human Readable Output

List of Domains

| id | name |
| --- | --- |
| 3569571 | test6.com |
| 3790609 | test7.com |
| 3912159 | test8.com |
| 3912161 | test9.com |
| 54637170 | badinterner4.com |

umbrella-domain-delete


Deletes a domain from the domain list, selected by ID or by name.

Base Command

umbrella-domain-delete

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | ID of the domain. | Optional |
| name | Name of the domain. | Optional |
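Two details of umbrella-domains-list and umbrella-domain-delete are worth seeing in code: the list is paged (page and limit), so a caller that wants every domain has to keep asking until the API reports no further page, and delete accepts either id or name, so a delete by name first has to resolve the name to an ID through that same listing. The block below is an added example, not the integration's own code. It uses a constructed in-memory stand-in for the API seeded with the sample domains on this page, so it runs offline; the `meta.next` paging cue it relies on, and the one-of-id-or-name rule, are assumptions about the API and the command rather than facts stated on this page.

```python
"""Page through the domain list and delete a domain by id or name.

Added example, not the integration's code. FakeUmbrellaClient is a constructed
stand-in for the Enforcement API; the real integration would issue the list and
delete requests over HTTPS instead. The response shape {"meta": {"next": ...},
"data": [...]} is an assumption.
"""

from typing import Dict, List, Optional

# Constructed from the umbrella-domains-list context example on this page
SAMPLE_DOMAINS = [
    {"id": 3569571, "name": "test6.com"},
    {"id": 3790609, "name": "test7.com"},
    {"id": 3912159, "name": "test8.com"},
    {"id": 3912161, "name": "test9.com"},
    {"id": 54637170, "name": "badinterner4.com"},
]


class FakeUmbrellaClient:
    """In-memory stand-in for the API (constructed for this example)."""

    def __init__(self, domains: List[Dict]):
        self._domains = list(domains)

    def list_domains(self, page: int, limit: int) -> Dict:
        # Mimics a paged GET of the domain list; "next" tells the caller whether to continue
        start = (page - 1) * limit
        chunk = self._domains[start:start + limit]
        has_next = start + limit < len(self._domains)
        return {"meta": {"page": page, "limit": limit, "next": has_next}, "data": chunk}

    def delete_domain(self, domain_id: int) -> bool:
        # Mimics a DELETE by id; True if a domain was actually removed
        before = len(self._domains)
        self._domains = [d for d in self._domains if d["id"] != domain_id]
        return len(self._domains) < before


def iter_all_domains(client, limit: int = 50) -> List[Dict]:
    """Collect every domain by walking pages until the API reports no next page."""
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    page, out = 1, []
    while True:
        resp = client.list_domains(page=page, limit=limit)
        out.extend(resp.get("data", []))
        if not resp.get("meta", {}).get("next"):
            return out
        page += 1


def to_context(domains: List[Dict], deleted_ids=frozenset()) -> Dict:
    """Shape results as the UmbrellaEnforcement.Domains context documented on this page."""
    return {"UmbrellaEnforcement": {"Domains": [
        {"id": d["id"], "name": d["name"], "IsDeleted": d["id"] in deleted_ids}
        for d in domains
    ]}}


def delete_domain(client, domain_id: Optional[int] = None, name: Optional[str] = None) -> Dict:
    """umbrella-domain-delete: exactly one of id/name is needed; name is resolved via the list."""
    if domain_id is None and name is None:
        raise ValueError("either id or name is required")
    if domain_id is None:
        matches = [d for d in iter_all_domains(client) if d["name"] == name]
        if not matches:
            raise LookupError(f"{name} is not in the domain list")
        domain_id = matches[0]["id"]
    if not client.delete_domain(domain_id):
        raise LookupError(f"domain id {domain_id} is not in the domain list")
    return {"id": domain_id, "IsDeleted": True}


if __name__ == "__main__":
    client = FakeUmbrellaClient(SAMPLE_DOMAINS)
    print(to_context(iter_all_domains(client, limit=2)))
    print(delete_domain(client, name="test6.com"))
```

Resolving a name through the full listing is what makes a delete by name cost more than a delete by ID on a large list; a playbook that already holds the ID from an earlier umbrella-domains-list step should pass id instead of name.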

Context Output

There is no context output for this command.

Command Example

!umbrella-domain-delete name=test6.com

Context Example

{}

Human Readable Output

test6.com domain was removed from blacklist