Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Cisco Umbrella actions for ThreatQ enables analysts to use Cisco Umbrella's APIs for enrichment. Analysts will be able to enrich IOCs from their Threat Library with context from the Cisco Umbrella Investigate API, including but not limited to, the categorization, risk scores, hash samples, and WHOIS information.

The bundle provides the following actions:

• Cisco Umbrella Investigate - Get Security Context - fetches security context from Cisco Umbrella such as a domain's threat type and scores.
• Cisco Umbrella Investigate - Get Risk Scores - returns the risk score for a given domain.
• Cisco Umbrella Investigate - Get Categorization - fetches a domain's disposition as well as its security and content categories.
• Cisco Umbrella Investigate - Get Samples - retrieves related sample hashes for a given IOC, as well as some other contextual information.
• Cisco Umbrella Investigate - Get WHOIS - retrieves a domain's WHOIS records.
• Cisco Umbrella Enforcement - block or allow selected IOCs.

The action is compatible with the following system indicator types:

Individual actions may only be compatible with a subset of these types.

• IP Address
• FQDN
• MD5
• SHA-1
• SHA-256
• URL

The action returns the following enriched indicator types:

Individual actions may only return a subset of these types.

• IP Address
• FQDN
• MD5
• SHA-1
• SHA-256

This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

Prerequisites

• A Cisco Umbrella Investigate License & API Key.
• An active ThreatQ TDR Orchestrator (TQO) license.
• A data collection containing the following indicator object types:
  • IP Address
  • FQDN
  • MD5
  • SHA-1
  • SHA-256
  • URL (Enforcement Action)

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

1. Log into https://marketplace.threatq.com/.
2. Locate and download the action zip file.
3. Navigate to the integrations management page on your ThreatQ instance.
4. Click on the Add New Integration button.
5. Upload the action zip file using one of the following methods:
   • Drag and drop the zip file into the dialog box
   • Select Click to Browse to locate the zip file on your local machine

   ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.

You will still need to configure the action.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Actions option from the Category dropdown (optional).
3. Click on the action entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.

   All Actions

   Parameter	Description
   API Key	Enter your Umbrella Investigate API Key.
   Objects Per Run	The number of objects to process per run of the workflow.

   Get Categorization Parameters

   Parameter	Description
   API Key	Enter your Umbrella Investigate API Key.
   Disposition Filter	Only ingest categorization for domains with the selected depositions.  Options include: Unknown Benign (default) Malicious (default)
   Attribution Filter	Select the pieces of context to ingest into ThreatQ when a record is found.  Options include: Disposition (default) Content Category (default) Security Category (default)
   Objects Per Run	The number of objects to process per run of the workflow.

   Get Risk Scores Additional Parameters

   Parameter	Description
   API Key	Enter your Umbrella Investigate API Key.
   Risk Score Threshold	Only ingest risk scores for domains with a risk score greater than or equal to this value.
   Objects Per Run	The number of objects to process per run of the workflow.

   Get Samples Parameters

   Parameter	Description
   API Key	Enter your Umbrella Investigate API Key.
   Max Samples	Enter the maximum number of samples to return. The default value is 10.
   Sort Samples By	Select how you want to sort the samples.  Options include: Score (default) Last Seen First Seen
   Minimum Threat Score Threshold	Enter the minimum threat score threshold for samples to be ingested. The default value is 75.  You can set this to 0 to ingest all samples.
   Hash Type Filter	Select the hash types you want to bring into ThreatQ when samples are found.  Options include: MD5 (default) SHA-1 SHA-256
   Attribution Filter	Select the pieces of context you want ingested into ThreatQ when a record is found.  Options include: Threat Score (default) File Type (default) File Size (in bytes) Detection (per AV Engine)
   Objects Per Run	The number of objects to process per run of the workflow.

   Get Security Content Parameters

   Parameter	Description
   API Key	Enter your Umbrella Investigate API Key.
   Only Ingest Records Found in Cisco Umbrella	Only ingest records found in Cisco Umbrella's database (i.e. found = true). If a record is not found, some scores are still populated such as DGA Score & Entropy.  This option is enabled by default.
   Only Ingest Records Associated with an Attack	Only ingest records that are associated with an attack (i.e. Emotet).  This option is disabled by default.
   Attribution Filter	Select the pieces of general context you want ingested into ThreatQ when a record is found.  Options include: Attack (default) Threat Type (default) Is Found ASN Score DGA Score Entropy Geodiversity Score Page Rank Perplexity Popularity (default) Prefix Score RIP Score Securerank Flastflux (default)
   Objects Per Run	The number of objects to process per run of the workflow.

   Get WHOIS Parameters

   Parameter	Description
   API Key	Enter your Umbrella Investigate API Key.
   Ingest Redacted Values	Enabling this will ingest values that are labeled as redacted. The default value is False.
   Ingest Nameservers As...	Enabling this option will ingest nameservers as the selected type. Options include Do Not Ingest (default) Indicators (FQDN) Attributes (Nameserver) .
   General Attribution Filter	Select the pieces of general context you want ingested into ThreatQ when a record is found.  Options include: Registrar Name (default) Created At (default) Status Is Expired Expires At
   WHOIS Attribution Filter	Select the pieces of WHOIS context you want ingested into ThreatQ when a record is found.  Options include: Admin Contact Name Admin Contact Email Admin Contact Organization Admin Contact City Admin Contact Country Admin Contact State Admin Contact Street Admin Contact Postal Code Admin Contact Telephone Registrant Name Registrant Email Registrant Organization Registrant City Registrant Country Registrant State Registrant Street Registrant Postal Code Registrant Telephone Technical Contact Name Technical Contact Email Technical Contact Organization Technical Contact City Technical Contact Country Technical Contact State Technical Contact Street Technical Contact Postal Code Technical Contact Telephone Billing Contact Name Billing Contact Email Billing Contact Organization Billing Contact City Billing Contact Country Billing Contact State Billing Contact Street Billing Contact Postal Code Billing Contact Telephone
   Objects Per Run	The number of objects to process per run of the workflow.

   Enforcement Parameters

   Parameter	Description
   API Key	Enter your Umbrella Investigate API Key.
   Key Secret	Enter your Umbrella Key Secret.
   List Name	Enter the name of the list to add/remove IOCs to/from.
   Action to Perform	Select the action to perform.  Options include Allow and Block.
   Objects Per Run	The number of objects to process per run of the workflow.
   Verify SSL	When checked, validates the host-provided SSL certificate.  This option is enabled by default.
   Disable Proxies	Enable this option if the action should not honor proxies set in the ThreatQ UI.

5. Review any additional settings, make any changes if needed, and click on Save.

Action

The following actions are included with the bundle:

{
  "dga_score": 38.301771886101335,
  "perplexity": 0.4540313302593146,
  "entropy": 2.5216406363433186,
  "securerank2": -1.3135141095601992,
  "pagerank": 0.0262532,
  "asn_score": -29.75810625887133,
  "prefix_score": -64.9070502788884,
  "rip_score": -75.64720536038982,
  "popularity": 25.335450495507196,
  "fastflux": false,
  "geodiversity": [0.24074075, 0.018518519],
  "geodiversity_normalized": [0.3761535390278368, 0.0005015965168831449],
  "tld_geodiversity": [0],
  "geoscore": 0,
  "ks_test": 0,
  "attack": "WannaCry",
  "threat_type": "Ransomware",
  "found": true
}

{
  "indicators": [
    {
      "indicator": "Geo Popularity Score",
      "indicator_id": "Geo Popularity Score",
      "normalized_score": 50,
      "score": 0
    },
    {
      "indicator": "Keyword Score",
      "indicator_id": "Keyword Score",
      "normalized_score": 15,
      "score": 0.15823231832454354
    },
    {
      "indicator": "Lexical",
      "indicator_id": "Lexical",
      "normalized_score": 13,
      "score": 0.136
    },
    {
      "indicator": "Popularity 1 Day",
      "indicator_id": "Popularity 1 Day",
      "normalized_score": null,
      "score": null
    },
    {
      "indicator": "Popularity 30 Day",
      "indicator_id": "Popularity 30 Day",
      "normalized_score": null,
      "score": null
    },
    {
      "indicator": "Popularity 7 Day",
      "indicator_id": "Popularity 7 Day",
      "normalized_score": null,
      "score": null
    },
    {
      "indicator": "Popularity 90 Day",
      "indicator_id": "Popularity 90 Day",
      "normalized_score": null,
      "score": null
    },
    {
      "indicator": "TLD Rank Score",
      "indicator_id": "TLD Rank Score",
      "normalized_score": 1,
      "score": 0.01983927366419238
    },
    {
      "indicator": "Umbrella Block Status",
      "indicator_id": "Umbrella Block Status",
      "normalized_score": 100,
      "score": true
    }
  ],
  "risk_score": 100
}

{
  "esoskraadami.shop": {
    "status": -1,
    "security_categories": ["Malware"],
    "content_categories": ["Hacking"]
  }
}

{
  "query": "google.com",
  "totalResults": 10,
  "moreDataAvailable": true,
  "limit": 10,
  "offset": 0,
  "samples": [
    {
      "sha256": "e9d3470c37dada28d5a32fb53a243c5b20def35bb01abf8f5403182cc2b91fdd",
      "sha1": "de182fdcc3c0d473b90a0df0ad14c2074d1e7c50",
      "md5": "282f80e8a2cf9e0e0dd72093787d99c6",
      "magicType": "PE32 executable (GUI) Intel 80386, for MS Windows",
      "threatScore": 100,
      "size": 192512,
      "firstSeen": "1460108539000",
      "lastSeen": "1460108539000",
      "visible": true,
      "avresults": [
        {
          "signature": "Win.Trojan.Ramnit",
          "product": "ClamAV"
        },
        {
          "signature": "Win.Trojan.Parite",
          "product": "ClamAV"
        }
      ]
    }
  ]
}

{
  "administrativeContactFax": null,
  "whoisServers": "whois.corporatedomains.com",
  "addresses": ["1355 market street"],
  "administrativeContactName": "Domain Admin",
  "zoneContactEmail": null,
  "billingContactFax": null,
  "administrativeContactTelephoneExt": null,
  "administrativeContactEmail": "domains@twitter.com",
  "technicalContactEmail": "domains-tech@twitter.com",
  "technicalContactFax": "14152220922",
  "nameServers": [
    "a.r06.twtrdns.net",
    "b.r06.twtrdns.net",
    "c.r06.twtrdns.net",
    "d.r06.twtrdns.net",
    "d01-01.ns.twtrdns.net",
    "d01-02.ns.twtrdns.net",
    "ns3.p34.dynect.net",
    "ns4.p34.dynect.net"
  ],
  "zoneContactName": null,
  "billingContactPostalCode": null,
  "zoneContactFax": null,
  "registrantTelephoneExt": null,
  "zoneContactFaxExt": null,
  "technicalContactTelephoneExt": null,
  "billingContactCity": null,
  "zoneContactStreet": [],
  "created": "2000-01-21",
  "administrativeContactCity": "San Francisco",
  "registrantName": "Twitter, Inc.",
  "zoneContactCity": null,
  "domainName": "twitter.com",
  "zoneContactPostalCode": null,
  "administrativeContactFaxExt": null,
  "technicalContactCountry": "UNITED STATES",
  "registrarIANAID": "299",
  "updated": "2023-01-17",
  "administrativeContactStreet": ["1355 market street"],
  "billingContactEmail": null,
  "status": [
    "clientTransferProhibited serverDeleteProhibited serverTransferProhibited serverUpdateProhibited"
  ],
  "registrantCity": "San Francisco",
  "billingContactCountry": null,
  "expires": "2024-01-21",
  "technicalContactStreet": ["1355 market street"],
  "registrantOrganization": "Twitter, Inc.",
  "billingContactStreet": [],
  "registrarName": "CSC CORPORATE DOMAINS, INC.",
  "registrantPostalCode": "94103",
  "zoneContactTelephone": null,
  "registrantEmail": "domains@twitter.com",
  "technicalContactFaxExt": null,
  "technicalContactOrganization": "Twitter, Inc.",
  "emails": ["domains-tech@twitter.com", "domains@twitter.com"],
  "registrantStreet": ["1355 market street"],
  "technicalContactTelephone": "14152229670",
  "technicalContactState": "CA",
  "technicalContactCity": "San Francisco",
  "registrantFax": "14152220922",
  "registrantCountry": "UNITED STATES",
  "billingContactFaxExt": null,
  "timestamp": null,
  "zoneContactOrganization": null,
  "administrativeContactCountry": "UNITED STATES",
  "billingContactName": null,
  "registrantState": "CA",
  "registrantTelephone": "14152229670",
  "administrativeContactState": "CA",
  "registrantFaxExt": null,
  "technicalContactPostalCode": "94103",
  "zoneContactTelephoneExt": null,
  "administrativeContactOrganization": "Twitter, Inc.",
  "billingContactTelephone": null,
  "billingContactTelephoneExt": null,
  "zoneContactState": null,
  "administrativeContactTelephone": "14152229670",
  "billingContactOrganization": null,
  "technicalContactName": "Tech Admin",
  "administrativeContactPostalCode": "94103",
  "zoneContactCountry": null,
  "billingContactState": null,
  "auditUpdatedDate": "2023-01-20 12:03:17 UTC",
  "recordExpired": false,
  "timeOfLatestRealtimeCheck": 1674270179742,
  "hasRawText": true
}

[
    {
        "destination": "something-something.com"
    }
]

Enriched Data

Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.

Get Security Context

Get Risk Scores

Get Categorization

Get Samples

Get WHOIS

Known Issues / Limitations

• Rate Limits may effect the ability to enrich large sets of IOCs, depending on your Cisco Umbrella Investigate license tier.
  • More information can be found here: https://developer.cisco.com/docs/cloud-security/#!investigate-getting-started/rate-limits
  • Each action implements a 0.6 second delay between each request to partially mitigate this.

    It is highly advised that you check your license tier and adjust the Objects Per Run user configuration field for each action accordingly.

• Only domains and URLs are accepted for block lists.
• Only URLs, Domains, and IP Addresses are accepted for allow lists.

Change Log

• Version 1.1.1
  • The Cisco Umbrella Investigate - Block/Allow IOC action has been renamed to Cisco Umbrella  Enforcement.  
• Version 1.1.0
  • Added a new action: Cisco Umbrella Block/Allow IOC.  
• Version 1.0.0
  • Initial release