Fortinet Document Library

Cisco Umbrella Enforcement

2.0.0

About the connector

Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the internet. The Cisco Umbrella Enforcement API allows partners and customers who have their own SIEM/Threat Intelligence Platform (TIP) environments to inject events and/or threat intelligence into their Umbrella environment. 

This document provides information about the Cisco Umbrella Enforcement connector, which facilitates automated interactions with a Cisco Umbrella server using FortiSOAR™ playbooks. Add the Cisco Umbrella Enforcement connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking and unblocking domains on the Cisco Umbrella security platform and retrieving a list of blocked domains from the Cisco Umbrella security platform.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 4.12.1-253 

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

The following enhancements have been made to the Cisco Umbrella Enforcement connector in version 2.0.0:

  • Certified the Cisco Umbrella Enforcement connector.
  • Renamed the connector from Cisco Umbrella to Cisco Umbrella Enforcement. 
  • Renamed the Delete Blocked Domain operation to Unblock Domain and the List Blocked Domains operation to Get Blocked Domains.
  • Added the Device ID and Device Version input parameters to the Block a Domain operation.
  • Added the Limit input parameter to the Get Blocked Domains operation.

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-cisco-umbrella-enforcement

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must set up an Integration using Cisco Umbrella's Integrations tab and get the customer key from Cisco Umbrella. You must specify this customer key when you are configuring the Cisco Umbrella Enforcement connector.
  • You must have the URL of the Cisco Umbrella API server to which you will connect to perform the automated operations, and the customer key to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cisco Umbrella Enforcement connector row, and in the Configuration tab enter the required configuration details.

Server URL
    Server URL of the Cisco Umbrella API to which you will connect and perform automated operations.
    Note: By default, it is set to https://s-platform.api.opendns.com, and in most cases, you should not change this URL.
Customer Key
    Integration key that is provided by Cisco Umbrella.
    To retrieve your Customer Key, do the following:
      1. Log onto https://dashboard.umbrella.com using your credentials.
      2. Click Settings > Policies > Integrations > <Name_of_the_Integration> to get the customer key to be used with the Cisco Umbrella Enforcement connector.
Verify SSL
    Specifies whether the SSL certificate for the server is to be verified or not.
    By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Block a Domain
    Submits a malicious event to the Cisco Umbrella Security Platform to block the associated domain on the Cisco Umbrella Security Platform using the Enforcement API.
    Annotation: block_domain
    Category: Containment
Get Blocked Domains
    Retrieves a list of all blocked domains from the Cisco Umbrella Security Platform using the Enforcement API.
    Annotation: list_blocked_domains
    Category: Investigation
Unblock Domain
    Removes the domain that you have specified from the blocked list on the Cisco Umbrella Security Platform using the Enforcement API.
    Annotation: delete_domain
    Category: Containment

operation: Block a Domain

Input parameters

Domain
    Domain that you want to block on the Cisco Umbrella Security Platform using the Enforcement API.
Device ID
    ID of the device that is sending the malicious event that you want to block on the Cisco Umbrella Security Platform.
Device Version
    Version of the device that is sending the malicious event that you want to block on the Cisco Umbrella Security Platform.
Full URL
    Complete URL of the malicious event (including the http protocol and any parameters) that you want to submit to the Cisco Umbrella Security Platform.
Timestamp (Optional)
    Timestamp of the malicious event, if available, that you want to submit to the Cisco Umbrella Security Platform.
Event Type (Optional)
    Type or category of the malicious event that you want to submit to the Cisco Umbrella Security Platform.
Severity (Optional)
    Severity of the malicious event that you want to submit to the Cisco Umbrella Security Platform.
    You can select from the following options:
      • Critical
      • High
      • Medium
      • Low
      • Minimal

Output

The output contains the following populated JSON schema:

{
     "id": ""
}

operation: Get Blocked Domains

Input parameters

Page (Optional)
    Use this parameter if you are fetching the next page of results from a previous use of this function. The output of a previous execution (its meta section) determines the value of this parameter.
Limit (Optional)
    Maximum number of results that this operation should display on a single page.

Output

The output contains the following populated JSON schema:

{
     "data": [
         {
             "lastSeenAt": "",
             "name": "",
             "id": ""
         },
         {
             "lastSeenAt": "",
             "name": "",
             "id": ""
         }
     ],
     "meta": {
         "page": "",
         "limit": "",
         "prev": "",
         "next": ""
     }
}

operation: Unblock Domain

Input parameters

Domain
    Domain that you want to unblock on the Cisco Umbrella Security Platform using the Enforcement API.

Output

The output contains the following populated JSON schema:

{
     "Status": "",
     "Result": ""
}
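The following Python module is an added example and is not part of this document or of the connector's source. It ties the three operations together from a defender's side: it validates the Block a Domain inputs before anything is sent (domain syntax, the Severity options listed above, and that the Full URL actually belongs to the domain being blocked, so a bad playbook input cannot block the wrong name), it follows meta.next in the Get Blocked Domains output until the list is exhausted, and it implements Unblock Domain by looking up the entry's id. The API paths (/1.0/events, /1.0/domains), the customerKey query parameter and the event JSON field names are assumptions taken from Cisco's public Enforcement API reference, not from this page; FakeApi is a constructed in-memory stand-in for the server so the module runs offline, and the customer key shown is a placeholder.

```python
"""Illustrative client for the Block / Get Blocked / Unblock operations.
Assumed, not stated on the page: API paths, the customerKey parameter and the
event field names. The HTTP transport is injected so this runs offline."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

DEFAULT_SERVER_URL = "https://s-platform.api.opendns.com"      # default on the page
SEVERITIES = ("Critical", "High", "Medium", "Low", "Minimal")  # options on the page
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def build_block_event(domain, device_id, device_version, full_url,
                      timestamp=None, event_type=None, severity=None):
    """Validate the Block a Domain inputs and map them to an event body."""
    domain = domain.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a valid domain: {domain!r}")
    host = urlsplit(full_url).hostname or ""          # hostname is lower-cased
    if host != domain and not host.endswith("." + domain):
        raise ValueError(f"Full URL host {host!r} does not belong to {domain!r}")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    when = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.0Z")
    event = {  # field names are assumed, not taken from the page
        "dstDomain": domain, "dstUrl": full_url, "deviceId": device_id,
        "deviceVersion": device_version, "eventTime": when, "alertTime": when,
        "protocolVersion": "1.0a", "providerName": "Security Platform",
    }
    if event_type:
        event["eventType"] = event_type
    if severity:
        event["eventSeverity"] = severity
    return event


class UmbrellaEnforcementClient:
    def __init__(self, customer_key, transport, server_url=DEFAULT_SERVER_URL, verify_ssl=True):
        # transport(method, url, params, body, verify) -> dict. In real use this
        # would wrap requests.request(); verify mirrors the Verify SSL option.
        self.key, self.transport, self.verify = customer_key, transport, verify_ssl
        self.base = server_url.rstrip("/")

    def _call(self, method, path, params=None, body=None):
        params = {**(params or {}), "customerKey": self.key}  # assumed auth parameter
        return self.transport(method, self.base + path, params, body, self.verify)

    def block_domain(self, **inputs):
        return self._call("POST", "/1.0/events", body=build_block_event(**inputs))

    def get_blocked_domains(self, limit=200, page=None):
        """Yield every blocked entry, following meta.next until it is empty."""
        seen = set()
        while True:
            params = {"limit": limit, **({"page": page} if page else {})}
            resp = self._call("GET", "/1.0/domains", params)
            yield from resp.get("data", [])
            nxt = (resp.get("meta") or {}).get("next")
            if not nxt:
                return
            # meta.next may be a full URL carrying ?page=N; otherwise use it as-is
            page = parse_qs(urlsplit(str(nxt)).query).get("page", [nxt])[0]
            if page in seen:                       # guard against a looping server
                return
            seen.add(page)

    def unblock_domain(self, domain):
        """Look the domain up, then delete it by id; returns Status/Result."""
        domain = domain.strip().lower().rstrip(".")
        for entry in self.get_blocked_domains():
            if entry["name"] == domain:
                self._call("DELETE", f"/1.0/domains/{entry['id']}")
                return {"Status": "Success", "Result": f"unblocked {domain}"}
        return {"Status": "Failed", "Result": f"{domain} is not in the blocked list"}


class FakeApi:
    """Constructed in-memory stand-in for the Enforcement API (not the real service)."""
    def __init__(self, customer_key):
        self.key, self.domains, self.next_id, self.events = customer_key, [], 1, 0

    def __call__(self, method, url, params, body, verify):
        assert verify is True, "example expects certificate verification left on"
        if params.get("customerKey") != self.key:
            return {"error": "unauthorized"}
        path = urlsplit(url).path
        if method == "POST" and path == "/1.0/events":
            if not any(d["name"] == body["dstDomain"] for d in self.domains):
                self.domains.append({"id": self.next_id, "name": body["dstDomain"],
                                     "lastSeenAt": body["eventTime"]})
                self.next_id += 1
            self.events += 1
            return {"id": f"event-{self.events}"}
        if method == "GET" and path == "/1.0/domains":
            page, limit = int(params.get("page", 1)), int(params["limit"])
            more = page * limit < len(self.domains)
            return {"data": self.domains[(page - 1) * limit:page * limit],
                    "meta": {"page": page, "limit": limit,
                             "prev": f"{url}?page={page - 1}&limit={limit}" if page > 1 else "",
                             "next": f"{url}?page={page + 1}&limit={limit}" if more else ""}}
        if method == "DELETE" and path.startswith("/1.0/domains/"):
            wanted = int(path.rsplit("/", 1)[1])
            self.domains = [d for d in self.domains if d["id"] != wanted]
            return {}
        return {"error": f"unhandled {method} {path}"}


if __name__ == "__main__":
    api = FakeApi("EXAMPLE-CUSTOMER-KEY")                     # placeholder key
    client = UmbrellaEnforcementClient("EXAMPLE-CUSTOMER-KEY", api)
    for d in ("bad.example", "worse.example", "worst.example"):   # constructed names
        print(client.block_domain(domain=d, device_id="fsr-01", device_version="7.0",
                                  full_url=f"http://{d}/payload", severity="High"))
    print([e["name"] for e in client.get_blocked_domains(limit=2)])  # walks two pages
    print(client.unblock_domain("worse.example"))
```

The transport is a single callable so a production deployment can substitute `requests.request(method, url, params=params, json=body, verify=verify)` without touching the client; keeping `verify` as a pass-through makes the Verify SSL setting visible in one place rather than hidden in the HTTP layer.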

Included playbooks

The Sample - Cisco Umbrella Enforcement - 2.0.0 playbook collection comes bundled with the Cisco Umbrella Enforcement connector. This playbook collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Umbrella Enforcement connector.

  • Block a Domain
  • Get Blocked Domains
  • Unblock Domain

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
