Cisco Umbrella
Integration version: 13.0
Configure Cisco Umbrella to work with Google Security Operations
Get the Enforcement token
To retrieve your key:
- Navigate to Policies > Policy Components > Integrations.
- Expand the appropriate integration or click Add to generate a custom integration.
Reference: https://docs.umbrella.com/investigate-api/reference#reference-getting-started
Get the Investigate token
To create your first API Access token:
- Click Create new token.
- Give the token a name and click Create. The generated token includes the email address of the person who created it and the creation date. To revoke the token, click Delete.
Reference: https://docs.umbrella.com/investigate-api/reference#about-the-api-and-authentication
Configure Cisco Umbrella integration in Google SecOps
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Add Domain
Description
Add a domain to the OpenDNS block list.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Delete Domain
Description
Delete a domain from the OpenDNS block list.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Get Associated Domains
Description
Get associated domains for a particular host name.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
cisco_umbrella_Domains | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[{
  "EntityResult": ["google.com", "twilio.com", "gmail.com"],
  "Entity": "example.com"
}]
```
Get Domain Security Info
Description
Provide security information about a domain (as an attachment).
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
found | Returns if it exists in JSON result |
popularity | Returns if it exists in JSON result |
geodiversity_normalized | Returns if it exists in JSON result |
dga_score | Returns if it exists in JSON result |
rip_score | Returns if it exists in JSON result |
asn_score | Returns if it exists in JSON result |
securerank2 | Returns if it exists in JSON result |
geoscore | Returns if it exists in JSON result |
attack | Returns if it exists in JSON result |
ks_test | Returns if it exists in JSON result |
pagerank | Returns if it exists in JSON result |
geodiversity | Returns if it exists in JSON result |
prefix_score | Returns if it exists in JSON result |
perplexity | Returns if it exists in JSON result |
entropy | Returns if it exists in JSON result |
fastflux | Returns if it exists in JSON result |
threat_type | Returns if it exists in JSON result |
tld_geodiversity | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[{
  "EntityResult": {
    "found": false,
    "popularity": 0.0,
    "geodiversity_normalized": [],
    "dga_score": -16.878373381058395,
    "rip_score": 0.0,
    "asn_score": 0.0,
    "securerank2": 0.0,
    "geoscore": 0.0,
    "attack": "",
    "ks_test": 0.0,
    "pagerank": 0.0,
    "geodiversity": [],
    "prefix_score": 0.0,
    "perplexity": 0.9961472993373601,
    "entropy": 2.2516291673878226,
    "fastflux": false,
    "threat_type": "",
    "tld_geodiversity": []
  },
  "Entity": "zahav1.ru"
}]
```
Get Domain Status
Description
Provide the status of a domain, its categories of content, and security.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
content_categories | Returns if it exists in JSON result |
status | Returns if it exists in JSON result |
security_categories | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[{
  "EntityResult": {
    "content_categories": "Ecommerce/Shopping",
    "status": "1",
    "security_categories": ""
  },
  "Entity": "example.com"
}]
```
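The following added example, which is not part of the integration's own code, shows one way a playbook step could combine the JSON results of Get Domain Status and Get Domain Security Info into a per-entity list of reasons before Add Domain is run. The sample inputs are constructed; the function names, the `.example` hostnames, the reading of status `"-1"` as malicious, and the decision to ignore records where `found` is false are assumptions.

```python
import json

# Constructed inputs shaped like the JSON Result examples on this page.
STATUS_JSON = """[
 {"Entity": "example.com", "EntityResult":
   {"content_categories": "Ecommerce/Shopping", "status": "1", "security_categories": ""}},
 {"Entity": "Bad.Example.", "EntityResult":
   {"content_categories": "", "status": "-1", "security_categories": "Malware"}}]"""
SECURITY_JSON = """[
 {"Entity": "example.com", "EntityResult":
   {"found": true, "fastflux": false, "attack": "", "threat_type": ""}},
 {"Entity": "flux.example", "EntityResult":
   {"found": true, "fastflux": true, "attack": "", "threat_type": ""}},
 {"Entity": "unseen.example", "EntityResult":
   {"found": false, "fastflux": true, "attack": "", "threat_type": ""}}]"""

def index_results(raw):
    """Map normalized entity name -> EntityResult, skipping malformed items."""
    out = {}
    for item in json.loads(raw):
        if not isinstance(item, dict):
            continue
        entity, result = item.get("Entity"), item.get("EntityResult")
        if isinstance(entity, str) and isinstance(result, dict):
            out[entity.strip().lower().rstrip(".")] = result
    return out

def triage(status_raw, security_raw):
    """Return {entity: [reasons]} for entities with at least one signal."""
    status, security = index_results(status_raw), index_results(security_raw)
    findings = {}
    for entity in sorted(set(status) | set(security)):
        st, sec = status.get(entity, {}), security.get(entity, {})
        reasons = []
        # Assumption: status "-1" marks a domain Umbrella classifies as malicious.
        if str(st.get("status", "")).strip() == "-1":
            reasons.append("status=-1")
        if st.get("security_categories"):
            reasons.append(f"security_categories={st['security_categories']}")
        # Assumption: when "found" is false the record holds defaults, so skip it.
        if sec.get("found") is True:
            if sec.get("fastflux") is True:
                reasons.append("fastflux")
            for key in ("attack", "threat_type"):
                if sec.get(key):
                    reasons.append(f"{key}={sec[key]}")
        if reasons:
            findings[entity] = reasons
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(STATUS_JSON, SECURITY_JSON), indent=2))
```

Keeping the reasons alongside each entity gives the analyst or the case wall a record of why a hostname was added to the block list.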
Get Malicious Domains
Description
Get malicious domains for an IP address.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
192.168.0.2 | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
{
  "192.168.0.2": [
    "d.applovin.com.doesntexist.com",
    "atdmt.com.doesntexist.com",
    "Adservice.google.com.doesntexist.com"
  ]
}
```
Get Whois
Description
Retrieve the WHOIS information for the stated email address(es), nameserver(s), and domains.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
billingContactState | Returns if it exists in JSON result |
administrativeContactPostalCode | Returns if it exists in JSON result |
zoneContactCity | Returns if it exists in JSON result |
address | Returns if it exists in JSON result |
registrantFaxExt | Returns if it exists in JSON result |
auditUpdatedDate | Returns if it exists in JSON result |
administrativeContactCity | Returns if it exists in JSON result |
administrativeContactEmail | Returns if it exists in JSON result |
technicalContactFax | Returns if it exists in JSON result |
billingContactOrganization | Returns if it exists in JSON result |
billingContactEmail | Returns if it exists in JSON result |
technicalContactPostalCode | Returns if it exists in JSON result |
registrantOrganization | Returns if it exists in JSON result |
zoneContactPostalCode | Returns if it exists in JSON result |
registrantState | Returns if it exists in JSON result |
administrativeContactName | Returns if it exists in JSON result |
billingContactFaxExt | Returns if it exists in JSON result |
billingContactCity | Returns if it exists in JSON result |
technicalContactEmail | Returns if it exists in JSON result |
registrantCountry | Returns if it exists in JSON result |
technicalContactFaxExt | Returns if it exists in JSON result |
administrativeContactStreet | Returns if it exists in JSON result |
administrativeContactOrganization | Returns if it exists in JSON result |
billingContactCountry | Returns if it exists in JSON result |
billingContactName | Returns if it exists in JSON result |
registrarName | Returns if it exists in JSON result |
technicalContactTelephoneExt | Returns if it exists in JSON result |
administrativeContactFax | Returns if it exists in JSON result |
zoneContactFax | Returns if it exists in JSON result |
timestamp | Returns if it exists in JSON result |
registrantCity | Returns if it exists in JSON result |
administrativeContactTelephoneExt | Returns if it exists in JSON result |
status | Returns if it exists in JSON result |
updated | Returns if it exists in JSON result |
expires | Returns if it exists in JSON result |
whoisServers | Returns if it exists in JSON result |
technicalContactName | Returns if it exists in JSON result |
technicalContactState | Returns if it exists in JSON result |
nameServers | Returns if it exists in JSON result |
zoneContactFaxExt | Returns if it exists in JSON result |
recordExpired | Returns if it exists in JSON result |
registrantFax | Returns if it exists in JSON result |
registrantTelephoneExt | Returns if it exists in JSON result |
billingContactFax | Returns if it exists in JSON result |
technicalContactOrganization | Returns if it exists in JSON result |
administrativeContactState | Returns if it exists in JSON result |
zoneContactOrganization | Returns if it exists in JSON result |
billingContactPostalCode | Returns if it exists in JSON result |
zoneContactStreet | Returns if it exists in JSON result |
zoneContactName | Returns if it exists in JSON result |
registrantPostalCode | Returns if it exists in JSON result |
billingContactTelephone | Returns if it exists in JSON result |
emails | Returns if it exists in JSON result |
registrantTelephone | Returns if it exists in JSON result |
administrativeContactCountry | Returns if it exists in JSON result |
technicalContactCity | Returns if it exists in JSON result |
administrativeContactTelephone | Returns if it exists in JSON result |
created | Returns if it exists in JSON result |
registrarIANAID | Returns if it exists in JSON result |
registrantStreet | Returns if it exists in JSON result |
domainName | Returns if it exists in JSON result |
technicalContactCountry | Returns if it exists in JSON result |
billingContactStreet | Returns if it exists in JSON result |
timeOfLatestRealtimeCheck | Returns if it exists in JSON result |
zoneContactState | Returns if it exists in JSON result |
registrantEmail | Returns if it exists in JSON result |
administrativeContactFaxExt | Returns if it exists in JSON result |
billingContactTelephoneExt | Returns if it exists in JSON result |
zoneContactCountry | Returns if it exists in JSON result |
zoneContactEmail | Returns if it exists in JSON result |
zoneContactTelephoneExt | Returns if it exists in JSON result |
technicalContactTelephone | Returns if it exists in JSON result |
technicalContactStreet | Returns if it exists in JSON result |
zoneContactTelephone | Returns if it exists in JSON result |
hasRawText | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[{
  "EntityResult": {
    "billingContactState": null,
    "administrativeContactPostalCode": "89507",
    "zoneContactCity": null,
    "addresses": ["p.o. box 8102"],
    "registrantFaxExt": null,
    "registrantName": "Hostmaster, Amazon Legal Dept.",
    "auditUpdatedDate": "2019-01-08 12:03:30.000 UTC",
    "administrativeContactCity": "Reno",
    "administrativeContactEmail": "john_doe@example.com",
    "technicalContactFax": "12062667010",
    "billingContactOrganization": null,
    "billingContactEmail": null,
    "technicalContactPostalCode": "89507",
    "registrantOrganization": "Amazon Technologies, Inc.",
    "zoneContactPostalCode": null,
    "registrantState": "NV",
    "administrativeContactName": "Hostmaster, Amazon Legal Dept.",
    "billingContactFaxExt": null,
    "billingContactCity": null,
    "technicalContactEmail": "john_doe@example.com",
    "registrantCountry": "UNITED STATES",
    "technicalContactFaxExt": null,
    "administrativeContactStreet": ["p.o. box 8102"],
    "administrativeContactOrganization": "Amazon Technologies, Inc.",
    "billingContactCountry": null,
    "billingContactName": null,
    "registrarName": "MarkMonitor, Inc.",
    "technicalContactTelephoneExt": null,
    "administrativeContactFax": null,
    "zoneContactFax": null,
    "timestamp": null,
    "registrantCity": "Reno",
    "administrativeContactTelephoneExt": null,
    "status": [
      "clientDeleteProhibited clientTransferProhibited clientUpdateProhibited serverDeleteProhibited serverTransferProhibited serverUpdateProhibited"
    ],
    "updated": "2014-04-30",
    "expires": "2022-10-31",
    "whoisServers": "whois.markmonitor.com",
    "technicalContactName": "Hostmaster, Amazon Legal Dept.",
    "technicalContactState": "NV",
    "nameServers": [
      "ns1.p31.dynect.net",
      "Ns2.p31.dynect.net",
      "Ns3.p31.dynect.net"
    ],
    "zoneContactFaxExt": null,
    "recordExpired": false,
    "registrantFax": "12062667010",
    "registrantTelephoneExt": null,
    "billingContactFax": null,
    "technicalContactOrganization": "Amazon Technologies, Inc.",
    "administrativeContactState": "NV",
    "zoneContactOrganization": null,
    "billingContactPostalCode": null,
    "zoneContactStreet": [],
    "zoneContactName": null,
    "registrantPostalCode": "89507",
    "billingContactTelephone": null,
    "emails": ["hostmaster@example.com"],
    "registrantTelephone": "12062664064",
    "administrativeContactCountry": "UNITED STATES",
    "technicalContactCity": "Reno",
    "administrativeContactTelephone": "12062664064",
    "created": "1994-11-01",
    "registrarIANAID": "292",
    "registrantStreet": ["p.o. box 8102"],
    "domainName": "example.com",
    "technicalContactCountry": "UNITED STATES",
    "billingContactStreet": [],
    "timeOfLatestRealtimeCheck": 1547718689211,
    "zoneContactState": null,
    "registrantEmail": "john_doe@example.com",
    "administrativeContactFaxExt": null,
    "billingContactTelephoneExt": null,
    "zoneContactCountry": null,
    "zoneContactEmail": null,
    "zoneContactTelephoneExt": null,
    "technicalContactTelephone": "12062664064",
    "technicalContactStreet": ["p.o. box 8102"],
    "zoneContactTelephone": null,
    "hasRawText": true
  },
  "Entity": "example.com"
}]
```
Ping
Description
Test Connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A