Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the internet wherever users go.
This document provides information about the Cisco Umbrella connector, which facilitates automated interactions with a Cisco Umbrella server using FortiSOAR™ playbooks. Add the Cisco Umbrella connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking and unblocking domains on the Cisco Umbrella security platform and retrieving a list of blocked domains from the Cisco Umbrella security platform.
Connector Version: 1.0.0
Authored By: Fortinet
Certified: No
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-cisco-umbrella
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Cisco Umbrella connector row, and in the Configuration tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | Server URL of the Cisco Umbrella API to which you will connect and perform automated operations. Note: By default, it is set to https://s-platform.api.opendns.com, and in most cases, you should not change this URL. |
Customer Key | Integration key that is provided by Cisco Umbrella. You can find this key in the Integration tab in Cisco Umbrella. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Block a Domain | Submits a malicious event to the Cisco Umbrella Security Platform to block the associated domain on the Cisco Umbrella Security Platform. | block_domain Containment |
List Blocked Domains | Retrieves a list of all blocked domains from the Cisco Umbrella Security Platform. | list_blocked_domains Investigation |
Delete Blocked Domain | Removes a domain that you have specified from the blocked list on the Cisco Umbrella Security Platform. | delete_domain Containment |
Parameter | Description |
---|---|
Domain | Domain that you want to block on the Cisco Umbrella Security Platform. |
Full URL | Complete URL of the malicious event (including http protocol and any parameters) that you want to submit to the Cisco Umbrella Security Platform. |
Timestamp | (Optional) Timestamp of the malicious event, if available, that you want to submit to the Cisco Umbrella Security Platform. |
Event Type | (Optional) Type or category of the malicious event that you want to submit to the Cisco Umbrella Security Platform. |
Severity | (Optional) Severity of the malicious event that you want to submit to the Cisco Umbrella Security Platform. You can select from the following options:
|
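A pre-flight check that a playbook could run before the Block a Domain step, given here as an added example that is not part of the connector or of Fortinet's documentation: it confirms that Domain matches the host in Full URL and refuses IP literals, bare TLDs and protected domains. The function name, the dictionary keys and the protected list are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed examples: domains a playbook must never submit for blocking.
PROTECTED_DOMAINS = ("example-corp.test", "opendns.com")


def _normalize(name):
    # Lowercase, drop the trailing root dot, IDNA-encode (raises UnicodeError,
    # a ValueError subclass, on malformed labels).
    return name.strip().rstrip(".").lower().encode("idna").decode("ascii")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _covers(parent, child):
    # True when child equals parent or is a subdomain of it.
    return child == parent or child.endswith("." + parent)


def build_block_params(domain, full_url, timestamp=None, event_type=None,
                       severity=None, protected=PROTECTED_DOMAINS):
    """Validate Block a Domain inputs; return them as a dict or raise ValueError."""
    parts = urlsplit(full_url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError("Full URL must include the http(s) protocol and a host")
    domain, host = _normalize(domain), _normalize(parts.hostname)
    if _is_ip(domain) or "." not in domain:
        raise ValueError("Domain must be a multi-label DNS name, not an IP or TLD")
    if not _covers(domain, host):
        raise ValueError("Full URL host %r is not under Domain %r" % (host, domain))
    for name in protected:
        # Reject a block that would hit a protected domain in either direction.
        if _covers(name, domain) or _covers(domain, name):
            raise ValueError("Refusing to block protected domain %r" % name)
    # Hypothetical key names that mirror the parameter labels in the table above.
    params = {"domain": domain, "full_url": full_url.strip()}
    optional = {"timestamp": timestamp, "event_type": event_type, "severity": severity}
    params.update({k: v for k, v in optional.items() if v is not None})
    return params
```

Because Block a Domain is a containment action, running a check like this first keeps a mistyped indicator or an over-broad domain from being pushed to the block list.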
The output contains the following populated JSON schema:
Parameter | Description |
---|---|
Page | (Optional) Use this parameter if you are fetching the next page of results from a previous use of this function. Output of a previous execution will determine the value of this parameter. |
The output contains the following populated JSON schema:
Parameter | Description |
---|---|
Domain | Domain that you want to unblock on the Cisco Umbrella Security Platform. |
The output contains the following populated JSON schema:
The Sample - Cisco Umbrella - 1.0.0 playbook collection comes bundled with the Cisco Umbrella connector. This playbook contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Umbrella connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.