Integrate Cisco SecureX with Cisco Umbrella

Opciones de descarga

  • PDF     (911.9 KB)
    Visualice con Adobe Reader en una variedad de dispositivos
  • ePub     (839.1 KB)
    Visualice en diferentes aplicaciones en iPhone, iPad, Android, Sony Reader o Windows Phone
  • Mobi (Kindle)     (550.2 KB)
    Visualice en dispositivo Kindle o aplicación Kindle en múltiples dispositivos
Actualizado:31 de agosto de 2020
ID del documento:5000042

Lenguaje no discriminatorio

El conjunto de documentos para este producto aspira al uso de un lenguaje no discriminatorio. A los fines de esta documentación, "no discriminatorio" se refiere al lenguaje que no implica discriminación por motivos de edad, discapacidad, género, identidad de raza, identidad étnica, orientación sexual, nivel socioeconómico e interseccionalidad. Puede haber excepciones en la documentación debido al lenguaje que se encuentra ya en las interfaces de usuario del software del producto, el lenguaje utilizado en función de la documentación de la RFP o el lenguaje utilizado por un producto de terceros al que se hace referencia. Obtenga más información sobre cómo Cisco utiliza el lenguaje inclusivo.

Acerca de la traducción

Es posible que Cisco proporcione traducciones de este contenido al idioma local en algunas ubicaciones. Tenga en cuenta que las traducciones se ofrecen únicamente con fines informativos y, si hubiera alguna discrepancia, prevalecerá la versión en inglés del contenido.

    Introduction

    This document describes the process to configure and verify the Umbrella integration with SecureX with the 3 available APIs.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Umbrella
    • Cisco Secure X
    • Cisco Threat Response

    Components Used

    The information in this document is based on these software and hardware versions:

    • Umbrella account with DNS Advantage License
    • Secure X

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    Background Information

    In order to fully configure this integration with all of its functionalities, you need access to the 3 following APIs

    • Reporting API (included in all licenses)
    • Enforcement API
    • Investigate API

    In order to configure the Umbrella integration, you must first gather some information from your Umbrella instances and then complete the Add New Umbrella Module form.

    Configure

    Create Module

    1. Log in to your Secure X account. If you don't have an account yet, you can create one with Cisco Secure Sign-On.
    2. Navigate to Integrations > Add New Module. In the Available Integrations page scroll down to the Umbrella option and click Add New Module.   

    Follow the below steps to collect the necessary information from your Umbrella Account to submit in the Add New Umbrella Module form.

    Investigate API

    1. In Umbrella, navigate to Investigate > Investigate API Access, click Create New Token and enter a title for the token, and then click Create New Token again.
    2. Copy the Access Token value into the API Token field on the Add New Umbrella Module form.

    Enforcement API

    1. In Umbrella, navigate toPolicies > Policy Components > Integrations, clickAddand enter a name, and clickCreate.
    2. Click the newly createdintegration namelink, check theEnablecheckbox, andSave.
    3. Click theintegration nameto display the integration URL. Copy the integration URL into theCustom Umbrella IntegrationURL field on theAdd New Umbrella Moduleform.

    Note: In order to integrate the Umbrella Enforcement API, you must be an admin in an Umbrella standalone org or child org instead of an admin of an Umbrella console.

    Reporting API

    1. In Umbrella, navigate toAdmin > API Keysand clickCreate.

    2. UnderWhat should this API do?, click theUmbrella Reportingradio button and then clickCreate.

    3. Copy the next values into theReportingfields on theAdd New Umbrella Moduleform:

      • API Key(Your Key)

      • API Secret(Your Secret)

      • Organization ID- from browser URL, the set of numbers between/o/and/#/

      • Request Timeframe(days)- Enter the timeframe (in days) for enriching sightings from the most recent DNS requests

    Save Module

    1. Fill out the API information in your Umbrella Module, click Save.

    Create SecureX Dashboard

    1. Once you added your module, you can navigate to Secure X and create a New Dashboard.

    2. Under the available Dashboards, select your Umbrella module and add the Categories you are interested in seeing.

    3. Click Save, and see your information populated via the API. 

    Verify

    Use this section in order to confirm that your configuration works properly.

    Investigate

    The Investigate API, allows you to add a feed to a CTR investigation, to see the disposition of a domain and enrich the investigation with other modules.

    1. In order to verify this integration, make a new investigation in Cisco Threat Response. Search for a known domain such as cisco.com and you should see a Disposition provided by Umbrella.

    2. If you click under the domain in the Relations Graph, you also can pivot from there to the Investigate Dashboard in Umbrella.

    Enforcement

    With the Enforcement API, you can block or unblock a domain directly from an investigation.

    1. In order to verify that the API works, you can block a domain seen in an investigation and that adds the domain to the policy block list in Umbrella.

    2. In order to verify that the URL has been added to the block list, navigate to Policies > Policy Components > Integrations. Select your SecureX integration, and click See Domains. A window displays the added domains from CTR.

     3. If the domains are not blocked, on your Umbrella dashboard navigate to Policies > Policy Components > Security Settings. Under Integrations make sure that you have applied your desired list.

    Reporting

    The Reporting API allows you to see the information of your Umbrella deployments within SecureX.

    You can verify the integration with an investigation of a domain you know has been seen in your environment in CTR.

    In the CTR Investigation, the list of computers that have accessed a particular domain is displayed under Sightings.

    Video

    You can find the configuration information contained in this article in the following video.

    Related Information

    TAC Authored

    Con la colaboración de ingenieros de Cisco

    • Jorge Navarrete
      Cisco TAC Engineer
    • Edited by Yeraldin Sanchez
      Cisco TAC Engineer

    ¿Resultó útil este documento?

    FeedbackComentarios

    Contacte a Cisco

    Este documento se aplica a estos productos