Cisco Umbrella Investigate Integration
Written by Ali Murtaza

About Cisco Umbrella Investigate

Cisco Umbrella Investigate provides detection, scoring, and prediction of emerging threats. It scores the likelihood that a domain, an IP address, or an entire ASN will be used to stage an attack or otherwise pose a security threat, so you can act before the attack takes place.

SIRP’s integration with Cisco Umbrella Investigate allows the enrichment of alerts using the results returned from the Cisco Umbrella Investigate REST API.

Supported Actions

  1. Get DNS Timeline: retrieve the domain's passive DNS timeline from Investigate.

  2. Get RRDATA Domain: retrieve the domain's resource record data (RRdata) from Investigate.

  3. Get Security Information: retrieve the domain's security information from Investigate.

  4. Get Status of Domain: check the domain's status from Investigate.

  5. Get Malicious Domains of IP: list known malicious domains associated with the IP address on Investigate.

  6. WHOIS: retrieve the domain's WHOIS records from Investigate.

Enable and Configure Cisco Umbrella Investigate

Generate Cisco Umbrella Investigate API Access Token

To generate an API token, first open the Umbrella dashboard:

  1. Log in to the Umbrella dashboard.

  2. Navigate to Investigate > API Keys.

  3. Under API Access Tokens, click Create New Token.

  4. Enter a Title and click Create.

  5. Copy the token and keep it in a secure location. The token is a bearer credential: anyone who holds it can query Investigate as your organization, so do not paste it into alerts, tickets, or chat, and revoke it from the same API Keys page if it is ever exposed.

Enable the Cisco Umbrella Investigate app in SIRP

  • Log in to SIRP, then go to Apps in the left navigation bar.

  • Locate the app named Umbrella Investigate.

  • Enable the Umbrella Investigate app by clicking the toggle button under the Status column.

  • Once the app is enabled, click the Configure option to integrate SIRP with Cisco Umbrella Investigate.

  • Add the following details and click Save:

    • Token: <API token copied from the Cisco Umbrella Investigate interface>
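Before pasting a freshly created token into SIRP, it is worth checking from the command line that it actually works and seeing what each of the six actions above asks Investigate for. The script below is an added example, not SIRP's or Cisco's own code: it builds the REST request behind each listed action, reads the token from an environment variable rather than from the script, and refuses indicators that are not a plain domain or IPv4 address so that an attacker-controlled alert field cannot alter the request path. The API base URL, the endpoint paths, and the shape of the domain status response (status -1 malicious, 0 unknown, 1 benign) are assumptions about the Investigate v2 API, not something this page states; the sample response is constructed.

```python
"""Added example: request builder and response check for the SIRP -> Cisco
Umbrella Investigate actions.  Endpoint paths and response shapes are
assumptions about the Investigate v2 REST API."""
import json
import os
import re
from urllib.parse import quote
from urllib.request import Request, urlopen

BASE_URL = "https://investigate.api.umbrella.com"  # assumed API base URL

# SIRP action -> Investigate endpoint path (assumed).  The indicator is
# inserted only after validation and percent-encoding.
ENDPOINTS = {
    "Get DNS Timeline": "/timeline/{indicator}",
    "Get RRDATA Domain": "/pdns/name/{indicator}",
    "Get Security Information": "/security/name/{indicator}",
    "Get Status of Domain": "/domains/categorization/{indicator}?showLabels",
    "Get Malicious Domains of IP": "/ips/{indicator}/latest_domains",
    "WHOIS": "/whois/{indicator}",
}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.I)
_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def validate_indicator(action, indicator):
    """Return the normalised indicator or raise ValueError.  Only a bare
    domain or IPv4 address is accepted, so '/', '?', '#' or whitespace
    copied from an alert can never reach the request path."""
    value = indicator.strip().rstrip(".").lower()
    if action == "Get Malicious Domains of IP":
        m = _IPV4_RE.match(value)
        if not m or any(int(octet) > 255 for octet in m.groups()):
            raise ValueError(f"not an IPv4 address: {indicator!r}")
    elif not _DOMAIN_RE.match(value):
        raise ValueError(f"not a domain name: {indicator!r}")
    return value


def build_request(action, indicator, token):
    """Return (url, headers) for one SIRP action.  The token travels only
    in the Authorization header and is never part of the URL."""
    if not token:
        raise ValueError("empty token; set UMBRELLA_INVESTIGATE_TOKEN")
    clean = validate_indicator(action, indicator)
    url = BASE_URL + ENDPOINTS[action].format(indicator=quote(clean, safe=""))
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return url, headers


def status_verdict(categorization, domain):
    """Interpret a 'Get Status of Domain' response.  Assumed shape:
    {"<domain>": {"status": -1|0|1, "security_categories": [...], ...}}
    with -1 = malicious, 0 = unknown, 1 = benign."""
    entry = categorization.get(domain, {})
    verdict = {-1: "malicious", 0: "unknown", 1: "benign"}.get(entry.get("status"), "unknown")
    return verdict, list(entry.get("security_categories", []))


def fetch(action, indicator, token, timeout=10):
    """Live call; needs network access and a valid token.  A 401/403 here
    means the token is wrong or revoked and should not be saved in SIRP."""
    url, headers = build_request(action, indicator, token)
    with urlopen(Request(url, headers=headers), timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample response so the verdict logic runs offline.
    sample = {"example.test": {"status": -1, "security_categories": ["Malware"],
                               "content_categories": []}}
    print(status_verdict(sample, "example.test"))
    token = os.environ.get("UMBRELLA_INVESTIGATE_TOKEN", "")
    if token:
        print(fetch("Get Status of Domain", "example.test", token))
```

Run it with the token exported as UMBRELLA_INVESTIGATE_TOKEN; if the live call returns HTTP 401 or 403, the token was copied incorrectly or has been revoked, and the Configure step in SIRP should wait until a working token is in hand.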
