About Cisco Umbrella Investigate
Cisco Umbrella Investigate provides detection, scoring, and prediction of emerging threats. It scores how likely a domain, an IP address, or an entire ASN is to take part in an attack or pose a security threat, so you can act before the attack occurs.
SIRP’s integration with Cisco Umbrella Investigate allows the enrichment of alerts using the results returned from the Cisco Umbrella Investigate REST API.
Supported Actions
| S.no | Action | Description |
|---|---|---|
| 1 | Get DNS Timeline | Retrieve the domain's passive DNS timeline from Investigate |
| 2 | Get RRDATA Domain | Retrieve the domain's RRdata records from Investigate |
| 3 | Get Security Information | Retrieve the domain's security information (scores and threat data) from Investigate |
| 4 | Get Status of Domain | Check the domain's status (malicious, benign, or unknown) on Investigate |
| 5 | Get Malicious Domains of IP | List known malicious domains associated with the IP address on Investigate |
| 6 | WHOIS | Retrieve the domain's WHOIS records from Investigate |
Enable and Configure Cisco Umbrella Investigate
Generate Cisco Umbrella Investigate API Access Token
To generate an API token, first open the Umbrella dashboard.
Log into Umbrella with the following URL:
Navigate to Investigate > API Keys
Under API Access Tokens, click Create New Token.
Enter a Title and click Create.
Copy the token and keep it in a secure location (a secrets store, not a ticket or a script). The token is a bearer credential: anyone who holds it can query Investigate on your organization's behalf.
Enable the Cisco Umbrella Investigate app in SIRP
First, log in to SIRP, then go to Apps from the left navigation bar.
Locate the app named Umbrella Investigate.
Enable the Umbrella Investigate app by clicking on the toggle button under the Status Column.
Once you enable the app, click the Configure option to integrate SIRP with Cisco Umbrella Investigate.
Add the following details and click Save:
Token: <API Token copied from Cisco Umbrella Investigate interface>
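The following is an added example, not SIRP's or Cisco's own code, of what an enrichment step behind the actions listed above looks like against the Investigate REST API: it reads the token from the environment rather than from a file or ticket, sends it as a Bearer header, maps each SIRP action to an endpoint path, validates the indicator before it is placed in the URL path, and reduces the "Get Status of Domain" and "Get Security Information" responses to alert fields. The base URL, the per-action endpoint paths, the triage thresholds in `security_flags`, and the sample responses are this example's assumptions; check the paths against Cisco's Investigate API reference before relying on them.

```python
"""Added example (not SIRP's or Cisco's code): build Investigate REST API
requests for the SIRP actions and read the returned status/security data."""
import json
import os
import re
from urllib.request import Request

# Assumptions: public Investigate REST API base URL and the endpoint path
# used for each SIRP action. Verify against Cisco's API reference.
INVESTIGATE_BASE = "https://investigate.api.umbrella.com"
ACTION_PATHS = {
    "Get DNS Timeline": "/timeline/{ioc}",
    "Get RRDATA Domain": "/dnsdb/name/a/{ioc}.json",
    "Get Security Information": "/security/name/{ioc}",
    "Get Status of Domain": "/domains/categorization/{ioc}?showLabels",
    "Get Malicious Domains of IP": "/ips/{ioc}/latest_domains",
    "WHOIS": "/whois/{ioc}",
}

# Conservative indicator syntax: hostnames and dotted IPv4 only (IPv6 is not
# covered here). Slashes, '?', '#' or whitespace in an indicator taken from an
# alert could otherwise rewrite the request path or query string.
_IOC_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_request(action: str, ioc: str, token: str) -> Request:
    """Return a urllib Request for one SIRP action with the token as a Bearer header."""
    if action not in ACTION_PATHS:
        raise ValueError(f"unsupported action: {action!r}")
    if not _IOC_RE.match(ioc) or ".." in ioc:
        raise ValueError(f"refusing to query malformed indicator: {ioc!r}")
    if not token:
        raise ValueError("empty Investigate token")
    url = INVESTIGATE_BASE + ACTION_PATHS[action].format(ioc=ioc)
    req = Request(url, method="GET")
    # The token travels in a header, never in the URL, so it stays out of
    # proxy and web-server access logs.
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def token_from_env(var: str = "UMBRELLA_INVESTIGATE_TOKEN") -> str:
    """Read the token from the environment (variable name is an assumption)."""
    tok = os.environ.get(var, "").strip()
    if not tok:
        raise RuntimeError(f"{var} is not set")
    return tok


# Meaning of the 'status' field in a categorization response.
STATUS_LABELS = {-1: "malicious", 0: "unknown", 1: "benign"}


def domain_status(categorization_json: dict, domain: str) -> dict:
    """Reduce a 'Get Status of Domain' response to the fields an alert needs."""
    entry = categorization_json[domain]
    return {
        "domain": domain,
        "verdict": STATUS_LABELS.get(entry.get("status"), "unknown"),
        "security_categories": list(entry.get("security_categories", [])),
        "content_categories": list(entry.get("content_categories", [])),
    }


def security_flags(security_json: dict) -> list:
    """Heuristic triage of a 'Get Security Information' response.

    The thresholds are this example's assumption, not SIRP's or Cisco's scoring.
    """
    if not security_json.get("found", False):
        return ["no_data"]
    flags = []
    if security_json.get("securerank2", 0) < 0:
        flags.append("negative_securerank2")
    if security_json.get("dga_score", 0) < -10:
        flags.append("dga_like")
    if security_json.get("fastflux"):
        flags.append("fastflux")
    if security_json.get("attack"):
        flags.append("attack:" + str(security_json["attack"]))
    if security_json.get("threat_type"):
        flags.append("threat_type:" + str(security_json["threat_type"]))
    return flags


# Constructed sample responses: field names follow the public API, values are invented.
SAMPLE_CATEGORIZATION = json.loads("""
{"bad.example": {"status": -1, "security_categories": ["Malware"],
                 "content_categories": []}}
""")
SAMPLE_SECURITY = json.loads("""
{"found": true, "securerank2": -35.2, "dga_score": -28.9, "fastflux": false,
 "attack": "ExampleKit", "threat_type": "Exploit Kit", "popularity": 12.1}
""")

if __name__ == "__main__":
    req = build_request("Get Status of Domain", "bad.example", "REDACTED")
    print(req.full_url)
    print(domain_status(SAMPLE_CATEGORIZATION, "bad.example"))
    print(security_flags(SAMPLE_SECURITY))
```

The indicator check matters because the domain or IP usually arrives from an alert field that an attacker may influence; rejecting anything outside hostname or IPv4 syntax keeps it from altering the request path. Whatever verdict thresholds you settle on, record them in the playbook so an analyst can see why an alert was escalated.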