This document describes the process to configure and verify the Umbrella integration with SecureX with the 3 available APIs.
Cisco recommends that you have knowledge of these topics:
Cisco Secure X
Cisco Threat Response
The information in this document is based on these software and hardware versions:
Umbrella account with DNS Advantage License
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
In order to fully configure this integration with all of its functionalities, you need access to the 3 following APIs
Reporting API (included in all licenses)
In order to configure the Umbrella integration, you must first gather some information from your Umbrella instances and then complete the Add New Umbrella Module form.
Log in to your Secure X account. If you don't have an account yet, you can create one with Cisco Secure Sign-On.
Navigate to Integrations > Add New Module. In the Available Integrations page scroll down to the Umbrella option and click Add New Module.
Follow the below steps to collect the necessary information from your Umbrella Account to submit in the Add New Umbrella Module form.
In Umbrella, navigate to Investigate > Investigate API Access, click Create New Token and enter a title for the token, and then click Create New Token again.
Copy the Access Token value into the API Token field on the Add New Umbrella Module form.
In Umbrella, navigate toPolicies > Policy Components > Integrations, clickAddand enter a name, and clickCreate.
Click the newly createdintegration namelink, check theEnablecheckbox, andSave.
Click theintegration nameto display the integration URL. Copy the integration URL into theCustom Umbrella IntegrationURL field on theAdd New Umbrella Moduleform.
Note: In order to integrate the Umbrella Enforcement API, you must be an admin in an Umbrella standalone org or child org instead of an admin of an Umbrella console.
In Umbrella, navigate toAdmin > API Keysand clickCreate.
UnderWhat should this API do?, click theUmbrella Reportingradio button and then clickCreate.
Copy the next values into theReportingfields on theAdd New Umbrella Moduleform:
API Key(Your Key)
API Secret(Your Secret)
Organization ID- from browser URL, the set of numbers between/o/and/#/
Request Timeframe(days)- Enter the timeframe (in days) for enriching sightings from the most recent DNS requests
1. Fill out the API information in your Umbrella Module, click Save.
Create SecureX Dashboard
1. Once you added your module, you can navigate to Secure X and create a New Dashboard.
2. Under the available Dashboards, select your Umbrella module and add the Categories you are interested in seeing.
3. Click Save, and see your information populated via the API.
Use this section in order to confirm that your configuration works properly.
The Investigate API, allows you to add a feed to a CTR investigation, to see the disposition of a domain and enrich the investigation with other modules.
1. In order to verify this integration, make a new investigation in Cisco Threat Response. Search for a known domain such as cisco.com and you should see a Disposition provided by Umbrella.
2. If you click under the domain in the Relations Graph, you also can pivot from there to the Investigate Dashboard in Umbrella.
With the Enforcement API, you can block or unblock a domain directly from an investigation.
1. In order to verify that the API works, you can block a domain seen in an investigation and that adds the domain to the policy block list in Umbrella.
2. In order to verify that the URL has been added to the block list, navigate to Policies > Policy Components > Integrations. Select your SecureX integration, and click See Domains. A window displays the added domains from CTR.
3. If the domains are not blocked, on your Umbrella dashboard navigate to Policies > Policy Components > Security Settings. Under Integrations make sure that you have applied your desired list.
The Reporting API allows you to see the information of your Umbrella deployments within SecureX.
You can verify the integration with an investigation of a domain you know has been seen in your environment in CTR.
In the CTR Investigation, the list of computers that have accessed a particular domain is displayed under Sightings.
You can find the configuration information contained in this article in the following video.