Fortinet Document Library

Cisco Umbrella Investigate 2.0.0

About the connector

Cisco Umbrella Investigate provides the most complete view of the relationships and evolution of domains, IPs, autonomous systems (ASNs), and file hashes. Investigate is accessible using a web console and an API and its rich threat intelligence adds the security context needed to uncover and predict threats.

This document provides information about the Cisco Umbrella Investigate connector, which facilitates automated interactions with a Cisco Umbrella Investigate server using FortiSOAR™ playbooks. Add the Cisco Umbrella Investigate connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving information about a domain from Cisco Umbrella Investigate or retrieving the list of malicious domains associated with a specified IP address.

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 4.12.1-253 

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

The following enhancements have been made to the Cisco Umbrella Investigate connector in version 2.0.0:

  • Certified the Cisco Umbrella Investigate connector.
  • Renamed the API Key configuration parameter to API Access Token and added information on how users can retrieve their access token.
  • Renamed the List Malicious Domains of an IP operation to Fetch Latest Malicious Domains of an IP.

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-cisco-umbrella-investigate

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the Cisco Umbrella Investigate server to which you will connect and perform the automated operations, and the API Access Token used to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cisco Umbrella Investigate connector row, and in the Configuration tab enter the required configuration details.

Parameter: Server URL
Description: Server URL of the Cisco Umbrella Investigate server to which you will connect and perform automated operations.

Parameter: API Access Token
Description: API Access Token used to access the Cisco Umbrella Investigate server to which you will connect and perform automated operations.
To retrieve your Access Token, do the following:
  1. Log on to https://dashboard.umbrella.com using your credentials.
  2. Click Settings > Investigate.
    This displays a new Cisco Investigate window.
  3. Click API Access Token to get your token, and use it to configure the Cisco Umbrella Investigate connector.

Parameter: Verify SSL
Description: Specifies whether the SSL certificate of the server is to be verified. By default, this option is set to True. Leave it enabled wherever possible: with verification disabled, the connector cannot detect a server impersonating Cisco Umbrella Investigate, and the API Access Token is sent to whichever endpoint answers.

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

Function: Get Information About a Domain
Description: Retrieves information such as categorization, recommendation, security, relation, and tag information for a specified domain from Cisco Umbrella Investigate, based on the domain name you have specified.
Annotation: domain_information
Category: Investigation

Function: Fetch Latest Malicious Domains of an IP
Description: Retrieves malicious domains associated with a specified IP address from Cisco Umbrella Investigate, based on the IP address you have specified. This operation returns an array for each associated domain. If more than one domain is associated with the IP, then more than one array is returned by this operation.
Annotation: latest_malicious_domains
Category: Investigation

Function: Fetch WHOIS Information
Description: Retrieves WHOIS information (if available) for a specified domain from Cisco Umbrella Investigate, based on the domain name you have specified.
Annotation: whois
Category: Investigation

operation: Get Information About a Domain

Input parameters

Parameter: Domain
Description: Name of the domain for which you want to retrieve information from Cisco Umbrella Investigate.

Output

The output contains the following populated JSON schema:

{
     "domain_security": {},
     "domain_relations": {},
     "domain_recommendation": {},
     "domain_category": {},
     "domain_timeline": {}
}

operation: Fetch Latest Malicious Domains of an IP

Input parameters

Parameter: IP Address
Description: IP address whose associated list of malicious domains you want to retrieve from Cisco Umbrella Investigate.

Output

The output contains the following populated JSON schema for each malicious domain associated with the specified IP address:

{
     "id": "",
     "name": ""
}

operation: Fetch WHOIS Information

Input parameters

Parameter: Domain
Description: Name of the domain for which you want to retrieve WHOIS information from Cisco Umbrella Investigate.

Output

The output contains the following populated JSON schema:

{
     "billingContactState": "",
     "timestamp": "",
     "administrativeContactTelephoneExt": "",
     "billingContactOrganization": "",
     "administrativeContactName": "",
     "created": "",
     "technicalContactTelephone": "",
     "billingContactTelephone": "",
     "technicalContactCountry": "",
     "billingContactStreet": [],
     "technicalContactEmail": "",
     "technicalContactTelephoneExt": "",
     "zoneContactCountry": "",
     "registrantCity": "",
     "zoneContactEmail": "",
     "whoisServers": "",
     "registrantFax": "",
     "administrativeContactFax": "",
     "registrarIANAID": "",
     "nameServers": [],
     "administrativeContactFaxExt": "",
     "administrativeContactState": "",
     "billingContactFaxExt": "",
     "billingContactFax": "",
     "registrarName": "",
     "registrantPostalCode": "",
     "updated": "",
     "technicalContactCity": "",
     "administrativeContactPostalCode": "",
     "zoneContactPostalCode": "",
     "registrantCountry": "",
     "addresses": [],
     "billingContactCity": "",
     "zoneContactOrganization": "",
     "technicalContactState": "",
     "administrativeContactCity": "",
     "billingContactTelephoneExt": "",
     "hasRawText": "",
     "zoneContactState": "",
     "auditUpdatedDate": "",
     "registrantFaxExt": "",
     "zoneContactTelephone": "",
     "recordExpired": "",
     "domainName": "",
     "registrantStreet": [],
     "technicalContactOrganization": "",
     "billingContactName": null,
     "status": [],
     "billingContactCountry": "",
     "registrantEmail": "",
     "administrativeContactOrganization": "",
     "zoneContactStreet": [],
     "technicalContactFax": "",
     "administrativeContactCountry": "",
     "registrantName": "",
     "administrativeContactStreet": [],
     "registrantTelephone": "",
     "emails": [],
     "billingContactPostalCode": "",
     "billingContactEmail": "",
     "zoneContactName": "",
     "registrantTelephoneExt": "",
     "technicalContactFaxExt": "",
     "technicalContactPostalCode": "",
     "technicalContactStreet": [],
     "expires": "",
     "registrantState": "",
     "zoneContactCity": "",
     "technicalContactName": "",
     "zoneContactFaxExt": "",
     "zoneContactTelephoneExt": "",
     "administrativeContactEmail": "",
     "timeOfLatestRealtimeCheck": "",
     "zoneContactFax": "",
     "administrativeContactTelephone": "",
     "registrantOrganization": ""
}
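A playbook post-processing step that consumes the outputs of the Fetch Latest Malicious Domains of an IP and Fetch WHOIS Information operations, as an added example; it is not part of the connector or its sample playbooks. It assumes the latest-domains output may arrive as nested arrays (one array per domain, as described above), that the WHOIS created and expires fields are ISO-8601 date strings, and the sample records below are constructed.

```python
"""Post-processing for Cisco Umbrella Investigate connector output.

Added example, not part of the connector. The nested-array shape, the
ISO-8601 date strings and the sample records are assumptions."""
from datetime import date


def flatten_latest_domains(step_output):
    """Normalise 'Fetch Latest Malicious Domains of an IP' output to unique names.

    The connector returns one array per associated domain, so the step output
    may be a flat list of {"id", "name"} objects or a list of such arrays.
    """
    seen, names, queue = set(), [], list(step_output)
    while queue:
        item = queue.pop(0)
        if isinstance(item, list):          # one array per domain: unnest it
            queue[:0] = item
        elif isinstance(item, dict) and item.get("name"):
            name = item["name"].strip().lower().rstrip(".")
            if name not in seen:
                seen.add(name)
                names.append(name)
    return names


def triage_whois(whois, today, young_days=30):
    """Flag risk indicators in 'Fetch WHOIS Information' output.

    Uses the schema fields domainName, created, expires, recordExpired and
    nameServers; dates are assumed to be ISO-8601 strings (YYYY-MM-DD...).
    """
    def parse(value):
        return date.fromisoformat(value[:10]) if value else None

    created, expires = parse(whois.get("created")), parse(whois.get("expires"))
    age = (today - created).days if created else None
    flags = []
    if age is not None and age < young_days:
        flags.append("newly_registered")    # fresh domains are common in phishing
    if whois.get("recordExpired") or (expires and expires < today):
        flags.append("record_expired")
    if not whois.get("nameServers"):
        flags.append("no_nameservers")      # nothing resolves it: parked or stale
    return {"domain": whois.get("domainName"), "age_days": age, "flags": flags}


# Constructed sample records in the connector's output shape
SAMPLE_LATEST_DOMAINS = [[{"id": 1, "name": "bad-example.test"}],
                         [{"id": 2, "name": "Bad-Example.test."}],
                         {"id": 3, "name": "other.example"}]
SAMPLE_WHOIS = {"domainName": "bad-example.test", "created": "2024-05-01",
                "expires": "2025-05-01", "recordExpired": False, "nameServers": []}
```

The flags dictionary can be written back to the alert or indicator record by the next playbook step.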

Included playbooks

The Sample - Cisco Umbrella Investigate - 2.0.0 playbook collection comes bundled with the Cisco Umbrella Investigate connector. The playbooks in this collection contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco Umbrella Investigate connector.

  • Fetch Latest Malicious Domains of an IP
  • Fetch WHOIS Information
  • Get Information About a Domain

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.