Configure Secure Malware Analytics Appliance with Umbrella

Available Languages

Download Options

  • PDF     (107.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (172.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (145.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 25, 2023
Document ID:215471

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure and troubleshoot supported third-party integrations with the Secure Malware Analytics Appliance (formerly Threat grid).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Malware Analytics
    • Cisco Umbrella

    Components Used

    This document is not restricted to specific software and hardware versions.

    • Umbrella
    •  Secure Malware Analytics Appliance

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    In order to provide additional analytic information of a submitted sample, such as Umbrella risk score the Malware Analytics Appliance integrates with Umbrella via API key.

    Configuration

    Tip: In TGA Cluster Operations each TGA node is configured individually. Failure to configure each TGA node can lead to inconsistent results.

    Note: Integrations source from the dirty interface of the appliance; the dirty interface must be connected and allowed outbound access for proper operations. 

    Step 1.  Log in to your Umbrella dashboard and click on Admin > Licensing in your left-hand side navigation menu. You’ll see your current package type.

    Step 2. Make sure you have SIG degree license
    https://umbrella.cisco.com/products/umbrella-enterprise-security-packages

    Step 3. In your Umbrella dashboard click on Investigate > API keys > copy API Access Tokens

    Step 4. Log in to the Opadmin (Admin) interface of the Malware Analytics Appliance.


    Step 5. Navigate to Configuration > Integrations.


    Step 6. Configure the TGA with the API Access Tokens.

    Once configured click Save and then click reconfigure.

    Step 7. Use RASH to the customer appliance to perform

    systemctl --no-block restart tg-supervisor

    Step 8. Test that your licence has appropriate API tier level:

    curl --include --request POST --header "Authorization: Bearer 12345678910" --data-binary "["cnn.com"]" https://investigate.api.umbrella.com/domains/categorization

    Note: You need to contact customer's account manager to get licence upgrade.
    The desired action could not be completed because Tier 1 license does not have access to bulk endpoints. This requires a license upgrade to Tier 2 or Tier 3 access.

    Step 1. Submit an URL sample for analysis.

    Step 2. After completion of the sample; View the Samples>DNS traffic .

    Step 3. Navigate to Umbrella Risk score.

    Troubleshoot

    1. Umbrella risk score is not presented in the Malware analytics appliance sample under DNS traffic

    Make sure you do not get HTTP error 403 in the step 8. Test that your licence has appropriate API tier level.

    umbrella problem

    To resolve the above, customers should contact the security specialist and account team to upgrade their Umbrella licenses. It's not GATE duty or responsibility to help with Umbrella licence.

    2. Umbrella token is not saved in the Malware analytics appliance

    In order to verify that the API Umbrella token is correctly hardcoded in the Appliance, you can use the graphiql to query the config file. The response should be the correct API Umbrella token obtained from the Umbrella Dashboard.

    Tip: Replace <IP> with the corresponding hostname of the TGA, Clear the default values and type exactly what is on the screen on the left, than hit the play button.

    graphiqlgraphiql

    Revision History

    Revision Publish Date Comments
    1.0
    05-May-2020
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • TJ Busch
      TAC
    • David Janulik
      GATE

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco