Introduction
This document describes how to configure and troubleshoot supported third-party integrations with the Secure Malware Analytics Appliance (formerly Threat Grid).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco Secure Malware Analytics
- Cisco Umbrella
Components Used
This document is not restricted to specific software and hardware versions.
- Umbrella
- Secure Malware Analytics Appliance
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
In order to provide additional analytic information about a submitted sample, such as the Umbrella risk score, the Malware Analytics Appliance integrates with Umbrella via an API key.
Configuration
Tip: In TGA cluster operations, each TGA node is configured individually. Failure to configure every TGA node can lead to inconsistent results.
Note: Integration traffic originates from the dirty interface of the appliance; the dirty interface must be connected and allowed outbound access for proper operation.
Step 1. Log in to your Umbrella dashboard and click Admin > Licensing in the left-hand navigation menu. Your current package type is displayed.
Step 2. Make sure you have a SIG-level license:
https://umbrella.cisco.com/products/umbrella-enterprise-security-packages
Step 3. In your Umbrella dashboard, click Investigate > API Keys and copy the API Access Token.
Step 4. Log in to the Opadmin (Admin) interface of the Malware Analytics Appliance.
Step 5. Navigate to Configuration > Integrations.
Step 6. Configure the TGA with the API Access Token.
Once configured, click Save and then click Reconfigure.
Step 7. Use RASH to connect to the customer appliance and run:
systemctl --no-block restart tg-supervisor
Step 8. Test that your licence has the appropriate API tier level:
curl --include --request POST --header "Authorization: Bearer 12345678910" --data-binary '["cnn.com"]' https://investigate.api.umbrella.com/domains/categorization
Note: You need to contact the customer's account manager to get a licence upgrade.
A Tier 1 licence returns HTTP 403 with this error:
The desired action could not be completed because Tier 1 license does not have access to bulk endpoints. This requires a license upgrade to Tier 2 or Tier 3 access.
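The same tier check as the curl command in Step 8, written as an added Python example (not Cisco's code or part of the original document): it posts the bulk categorization request to the Investigate endpoint shown above and maps the HTTP status to the licence or token state described in the Troubleshoot section. The Content-Type header, the 200-response shape, and the token passed on the command line are assumptions; the sample responses in the comments are constructed.

```python
import json
import sys
import urllib.error
import urllib.request

# Bulk categorization endpoint from Step 8; Tier 1 licences are denied access to it.
INVESTIGATE_BULK_URL = "https://investigate.api.umbrella.com/domains/categorization"


def build_request(token, domains):
    """Return (url, headers, body) for the bulk categorization POST.
    The body is the same JSON array the curl command sends with --data-binary.
    Content-Type is an assumption; the page's curl command does not set it."""
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    body = json.dumps(list(domains)).encode("utf-8")
    return INVESTIGATE_BULK_URL, headers, body


def diagnose(status, body_text):
    """Map the HTTP status of the bulk call to a diagnosis.
    403 is the Tier 1 "no access to bulk endpoints" case from Troubleshoot 1;
    200 is assumed to carry a JSON object keyed by domain (constructed example:
    {"cnn.com": {...}})."""
    if status == 200:
        return "ok", sorted(json.loads(body_text).keys())
    if status == 403:
        return "licence-tier", body_text.strip()   # needs Tier 2/3 (see Troubleshoot 1)
    if status == 401:
        return "bad-token", body_text.strip()      # token rejected; recheck Step 3/6
    return "other", "HTTP %d: %s" % (status, body_text.strip())


def check_api_tier(token, domains=("cnn.com",), timeout=15):
    """Perform the Step 8 check against Umbrella and return the diagnosis tuple."""
    url, headers, body = build_request(token, domains)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python check_tier.py <Investigate API access token>
    print(check_api_tier(sys.argv[1]))
```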
Verify
Step 1. Submit a URL sample for analysis.
Step 2. After the sample analysis completes, view Samples > DNS Traffic.
Step 3. Navigate to the Umbrella Risk Score.
Troubleshoot
1. Umbrella risk score is not presented in the Malware Analytics Appliance sample under DNS Traffic
Make sure you do not get HTTP error 403 in Step 8 (the test that your licence has the appropriate API tier level).
To resolve this, customers should contact their security specialist and account team to upgrade their Umbrella licences. It is not GATE's duty or responsibility to help with Umbrella licensing.
2. Umbrella token is not saved in the Malware Analytics Appliance
In order to verify that the Umbrella API token is correctly stored in the appliance, you can use GraphiQL to query the configuration. The response should be the Umbrella API token obtained from the Umbrella Dashboard.
Tip: Replace <IP> with the hostname of the TGA, clear the default values, type exactly what is shown on the screen on the left, then click the play button.