Cisco Umbrella
Integration version: 13.0
Configure Cisco Umbrella to work with Google Security Operations
Get the Enforcement token
To retrieve your key:
- Navigate to Policies > Policy Components > Integrations.
- Expand the appropriate integration or click Add to generate a custom integration.
Reference: https://docs.umbrella.com/investigate-api/reference#reference-getting-started
Get the Investigate token
To create your first API Access token:
- Click Create new token.
- Give the token a name and click Create. The generated token includes the email address of the person who created it and the creation date. To revoke the token, click Delete.
Reference: https://docs.umbrella.com/investigate-api/reference#about-the-api-and-authentication
Configure Cisco Umbrella integration in Google SecOps
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Add Domain
Description
Add a domain to the OpenDNS block list.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Delete Domain
Description
Delete a domain from the OpenDNS block list.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Get Associated Domains
Description
Get associated domains for a particular host name.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
cisco_umbrella_Domains | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[{
  "EntityResult": ["google.com", "twilio.com", "gmail.com"],
  "Entity": "example.com"
}]
Get Domain Security Info
Description
Provide security information about a domain (as an attachment).
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
found | Returns if it exists in JSON result |
popularity | Returns if it exists in JSON result |
geodiversity_normalized | Returns if it exists in JSON result |
dga_score | Returns if it exists in JSON result |
rip_score | Returns if it exists in JSON result |
asn_score | Returns if it exists in JSON result |
securerank2 | Returns if it exists in JSON result |
geoscore | Returns if it exists in JSON result |
attack | Returns if it exists in JSON result |
ks_test | Returns if it exists in JSON result |
pagerank | Returns if it exists in JSON result |
geodiversity | Returns if it exists in JSON result |
prefix_score | Returns if it exists in JSON result |
perplexity | Returns if it exists in JSON result |
entropy | Returns if it exists in JSON result |
fastflux | Returns if it exists in JSON result |
threat_type | Returns if it exists in JSON result |
tld_geodiversity | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[{
  "EntityResult": {
    "found": false,
    "popularity": 0.0,
    "geodiversity_normalized": [],
    "dga_score": -16.878373381058395,
    "rip_score": 0.0,
    "asn_score": 0.0,
    "securerank2": 0.0,
    "geoscore": 0.0,
    "attack": "",
    "ks_test": 0.0,
    "pagerank": 0.0,
    "geodiversity": [],
    "prefix_score": 0.0,
    "perplexity": 0.9961472993373601,
    "entropy": 2.2516291673878226,
    "fastflux": false,
    "threat_type": "",
    "tld_geodiversity": []
  },
  "Entity": "zahav1.ru"
}]
Get Domain Status
Description
Provide the status of a domain, its categories of content, and security.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
content_categories | Returns if it exists in JSON result |
status | Returns if it exists in JSON result |
security_categories | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[{
  "EntityResult": {
    "content_categories": "Ecommerce/Shopping",
    "status": "1",
    "security_categories": ""
  },
  "Entity": "example.com"
}]
Get Malicious Domains
Description
Get malicious domains for an IP address.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
192.168.0.2 | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "192.168.0.2": [
    "d.applovin.com.doesntexist.com",
    "atdmt.com.doesntexist.com",
    "Adservice.google.com.doesntexist.com"
  ]
}
Get Whois
Description
Retrieve the WHOIS information for the stated email address(es), nameserver(s), and domains.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
billingContactState | Returns if it exists in JSON result |
administrativeContactPostalCode | Returns if it exists in JSON result |
zoneContactCity | Returns if it exists in JSON result |
address | Returns if it exists in JSON result |
registrantFaxExt | Returns if it exists in JSON result |
auditUpdatedDate | Returns if it exists in JSON result |
administrativeContactCity | Returns if it exists in JSON result |
administrativeContactEmail | Returns if it exists in JSON result |
technicalContactFax | Returns if it exists in JSON result |
billingContactOrganization | Returns if it exists in JSON result |
billingContactEmail | Returns if it exists in JSON result |
technicalContactPostalCode | Returns if it exists in JSON result |
registrantOrganization | Returns if it exists in JSON result |
zoneContactPostalCode | Returns if it exists in JSON result |
registrantState | Returns if it exists in JSON result |
administrativeContactName | Returns if it exists in JSON result |
billingContactFaxExt | Returns if it exists in JSON result |
billingContactCity | Returns if it exists in JSON result |
technicalContactEmail | Returns if it exists in JSON result |
registrantCountry | Returns if it exists in JSON result |
technicalContactFaxExt | Returns if it exists in JSON result |
administrativeContactStreet | Returns if it exists in JSON result |
administrativeContactOrganization | Returns if it exists in JSON result |
billingContactCountry | Returns if it exists in JSON result |
billingContactName | Returns if it exists in JSON result |
registrarName | Returns if it exists in JSON result |
technicalContactTelephoneExt | Returns if it exists in JSON result |
administrativeContactFax | Returns if it exists in JSON result |
zoneContactFax | Returns if it exists in JSON result |
timestamp | Returns if it exists in JSON result |
registrantCity | Returns if it exists in JSON result |
administrativeContactTelephoneExt | Returns if it exists in JSON result |
status | Returns if it exists in JSON result |
updated | Returns if it exists in JSON result |
expires | Returns if it exists in JSON result |
whoisServers | Returns if it exists in JSON result |
technicalContactName | Returns if it exists in JSON result |
technicalContactState | Returns if it exists in JSON result |
nameServers | Returns if it exists in JSON result |
zoneContactFaxExt | Returns if it exists in JSON result |
recordExpired | Returns if it exists in JSON result |
registrantFax | Returns if it exists in JSON result |
registrantTelephoneExt | Returns if it exists in JSON result |
billingContactFax | Returns if it exists in JSON result |
technicalContactOrganization | Returns if it exists in JSON result |
administrativeContactState | Returns if it exists in JSON result |
zoneContactOrganization | Returns if it exists in JSON result |
billingContactPostalCode | Returns if it exists in JSON result |
zoneContactStreet | Returns if it exists in JSON result |
zoneContactName | Returns if it exists in JSON result |
registrantPostalCode | Returns if it exists in JSON result |
billingContactTelephone | Returns if it exists in JSON result |
emails | Returns if it exists in JSON result |
registrantTelephone | Returns if it exists in JSON result |
administrativeContactCountry | Returns if it exists in JSON result |
technicalContactCity | Returns if it exists in JSON result |
administrativeContactTelephone | Returns if it exists in JSON result |
created | Returns if it exists in JSON result |
registrarIANAID | Returns if it exists in JSON result |
registrantStreet | Returns if it exists in JSON result |
domainName | Returns if it exists in JSON result |
technicalContactCountry | Returns if it exists in JSON result |
billingContactStreet | Returns if it exists in JSON result |
timeOfLatestRealtimeCheck | Returns if it exists in JSON result |
zoneContactState | Returns if it exists in JSON result |
registrantEmail | Returns if it exists in JSON result |
administrativeContactFaxExt | Returns if it exists in JSON result |
billingContactTelephoneExt | Returns if it exists in JSON result |
zoneContactCountry | Returns if it exists in JSON result |
zoneContactEmail | Returns if it exists in JSON result |
zoneContactTelephoneExt | Returns if it exists in JSON result |
technicalContactTelephone | Returns if it exists in JSON result |
technicalContactStreet | Returns if it exists in JSON result |
zoneContactTelephone | Returns if it exists in JSON result |
hasRawText | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[{
  "EntityResult": {
    "billingContactState": null,
    "administrativeContactPostalCode": "89507",
    "zoneContactCity": null,
    "addresses": ["p.o. box 8102"],
    "registrantFaxExt": null,
    "registrantName": "Hostmaster, Amazon Legal Dept.",
    "auditUpdatedDate": "2019-01-08 12:03:30.000 UTC",
    "administrativeContactCity": "Reno",
    "administrativeContactEmail": "john_doe@example.com",
    "technicalContactFax": "12062667010",
    "billingContactOrganization": null,
    "billingContactEmail": null,
    "technicalContactPostalCode": "89507",
    "registrantOrganization": "Amazon Technologies, Inc.",
    "zoneContactPostalCode": null,
    "registrantState": "NV",
    "administrativeContactName": "Hostmaster, Amazon Legal Dept.",
    "billingContactFaxExt": null,
    "billingContactCity": null,
    "technicalContactEmail": "john_doe@example.com",
    "registrantCountry": "UNITED STATES",
    "technicalContactFaxExt": null,
    "administrativeContactStreet": ["p.o. box 8102"],
    "administrativeContactOrganization": "Amazon Technologies, Inc.",
    "billingContactCountry": null,
    "billingContactName": null,
    "registrarName": "MarkMonitor, Inc.",
    "technicalContactTelephoneExt": null,
    "administrativeContactFax": null,
    "zoneContactFax": null,
    "timestamp": null,
    "registrantCity": "Reno",
    "administrativeContactTelephoneExt": null,
    "status": [
      "clientDeleteProhibited clientTransferProhibited clientUpdateProhibited serverDeleteProhibited serverTransferProhibited serverUpdateProhibited"
    ],
    "updated": "2014-04-30",
    "expires": "2022-10-31",
    "whoisServers": "whois.markmonitor.com",
    "technicalContactName": "Hostmaster, Amazon Legal Dept.",
    "technicalContactState": "NV",
    "nameServers": [
      "ns1.p31.dynect.net",
      "Ns2.p31.dynect.net",
      "Ns3.p31.dynect.net"
    ],
    "zoneContactFaxExt": null,
    "recordExpired": false,
    "registrantFax": "12062667010",
    "registrantTelephoneExt": null,
    "billingContactFax": null,
    "technicalContactOrganization": "Amazon Technologies, Inc.",
    "administrativeContactState": "NV",
    "zoneContactOrganization": null,
    "billingContactPostalCode": null,
    "zoneContactStreet": [],
    "zoneContactName": null,
    "registrantPostalCode": "89507",
    "billingContactTelephone": null,
    "emails": ["hostmaster@example.com"],
    "registrantTelephone": "12062664064",
    "administrativeContactCountry": "UNITED STATES",
    "technicalContactCity": "Reno",
    "administrativeContactTelephone": "12062664064",
    "created": "1994-11-01",
    "registrarIANAID": "292",
    "registrantStreet": ["p.o. box 8102"],
    "domainName": "example.com",
    "technicalContactCountry": "UNITED STATES",
    "billingContactStreet": [],
    "timeOfLatestRealtimeCheck": 1547718689211,
    "zoneContactState": null,
    "registrantEmail": "john_doe@example.com",
    "administrativeContactFaxExt": null,
    "billingContactTelephoneExt": null,
    "zoneContactCountry": null,
    "zoneContactEmail": null,
    "zoneContactTelephoneExt": null,
    "technicalContactTelephone": "12062664064",
    "technicalContactStreet": ["p.o. box 8102"],
    "zoneContactTelephone": null,
    "hasRawText": true
  },
  "Entity": "example.com"
}]
Ping
Description
Test connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A