Block IPs and Domains from Alerts in Umbrella
Workflow #0016
This workflow fetches alerts from Cisco Secure Cloud Analytics (SCA) for the past 24 hours based on the alert name and status provided. Observations are extracted from the alerts and their associated IPs, domain names, and URLs are logged. Each IP address, domain name, and URL is then added to a destination list in Cisco Umbrella (depending on workflow configuration). Finally, a Webex message is sent with a summary.
Change Log
| Date | Notes |
|---|---|
| Apr 1, 2021 | - Initial release |
| Sep 10, 2021 | - Updated to use the new system atomics |
| Aug 31, 2022 | - Minor updates to naming and descriptions |
| Feb 23, 2023 | - Update to Secure Cloud Analytics API Key variable description (Issue #235) |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Secure Cloud Analytics - Get Alerts
- Secure Cloud Analytics - Get Observation Details by ID
- Umbrella - Management - Add Record to Destination List
- Umbrella - Management - Get Destination Lists
- Webex - Post Message to Room
- Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
- None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Cloud Analytics (SCA)
- Cisco Umbrella
- (Optional) Cisco Webex
Workflow Steps
- (Optional) Fetch global variables
- Make sure at least one destination list was provided
- Calculate dates
- Fetch alerts from Secure Cloud Analytics
- Extract observations from the alerts
- Set up a table for IPs and a table for domains
- For each observation:
- Fetch the observation’s details
- Parallel block:
- IP branches (Parse IP address, Parse external IP address, Parse connected IP address)
- Attempt to extract an IP from the observation:
- If an IP is found:
- Attempt to perform a reverse DNS lookup:
- If the lookup is successful, add the domain to the domain table (if it isn’t already in the table)
- If the lookup fails, add the IP to the IP table (if it isn’t already in the table)
- Attempt to perform a reverse DNS lookup:
- If an IP is found:
- Attempt to extract an IP from the observation:
- Domain/URL branches (Parse domain, Parse hostname, Parse URL)
- Attempt to extract a domain from the observation:
- If a domain is found, add it to the domain table (if it isn’t already in the table)
- Attempt to extract a domain from the observation:
- IP branches (Parse IP address, Parse external IP address, Parse connected IP address)
- Fetch a list of destination lists from Umbrella
- Attempt to fetch the ID of the destination list for IPs
- If the destination list was found:
- Loop through each IP adding them to the list and recording whether or not adding was successful
- If the destination list was not found, make a note in the workflow output
- If the destination list was found:
- Attempt to fetch the ID of the destination list for domains
- If the destination list was found:
- Loop through each domain adding them to the list and recording whether or not adding was successful
- If the destination list was not found, make a note in the workflow output
- If the destination list was found:
- Send a Webex message with a summary
Configuration
- Set the
Secure Cloud Analytics Alert Namelocal variable to the name of the alert type you want to respond to - Set the
Secure Cloud Analytics Alert Statuslocal variable to the alert status you want to response to - Add your Secure Cloud Analytics API key to the
Secure Cloud Analytics API Keylocal variable (or, if you have an API key in a global variable already, set the local variable to the global’s value using theFetch Global Variablesgroup at the beginning of the workflow) - Set the
Umbrella Domain Destination Listlocal variable to the name of the destination list you want domains added to - Set the
Umbrella IP Destination Listlocal variable to the name of the destination list you want IP addresses added to - Set the
Umbrella Organization IDlocal variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL) - See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Secure Cloud Analytics | HTTP Endpoint | Protocol: HTTPSHost: your-tenant.obsrvbl.comPath: api | None | |
| Umbrella Management | HTTP Endpoint | Protocol: HTTPSHost: management.api.umbrella.comPath: None | Umbrella Management | |
| Webex Teams | HTTP Endpoint | Protocol: HTTPSHost: webexapis.comPath: None | None | Not necessary if Webex activities are removed |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| Umbrella Management | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Must be an API client for the management API |