Link Search Menu Expand Document

Block IPs and Domains from Alerts in Umbrella

Workflow #0016

This workflow fetches alerts from Cisco Secure Cloud Analytics (SCA) for the past 24 hours based on the alert name and status provided. Observations are extracted from the alerts and their associated IPs, domain names, and URLs are logged. Each IP address, domain name, and URL is then added to a destination list in Cisco Umbrella (depending on workflow configuration). Finally, a Webex Teams message is sent with a summary.

GitHub


Change Log

Date Notes
Apr 1, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • SCA - Get Alerts
    • SCA - Get Observation Details by ID
    • Umbrella - Management - Add Record to Destination List
    • Umbrella - Management - Get Destination Lists
    • Webex Teams - Post Message to Room
    • Webex Teams - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed below
  • (Optional) A Webex Teams access token and room name to post messages to
  • Cisco Secure Cloud Analytics (SCA)
  • Cisco Umbrella

Workflow Steps

  1. (Optional) Fetch global variables
  2. Make sure at least one destination list was provided
  3. Calculate dates
  4. Fetch alerts from Secure Cloud Analytics
  5. Extract observations from the alerts
  6. Set up a table for IPs and a table for domains
  7. For each observation:
    • Fetch the observation’s details
    • Parallel block:
      • IP branches (Parse IP address, Parse external IP address, Parse connected IP address)
        • Attempt to extract an IP from the observation:
          • If an IP is found:
            • Attempt to perform a reverse DNS lookup:
              • If the lookup is successful, add the domain to the domain table (if it isn’t already in the table)
              • If the lookup fails, add the IP to the IP table (if it isn’t already in the table)
      • Domain/URL branches (Parse domain, Parse hostname, Parse URL)
        • Attempt to extract a domain from the observation:
          • If a domain is found, add it to the domain table (if it isn’t already in the table)
  8. Fetch a list of destination lists from Umbrella
  9. Attempt to fetch the ID of the destination list for IPs
    • If the destination list was found:
      • Loop through each IP adding them to the list and recording whether or not adding was successful
    • If the destination list was not found, make a note in the workflow output
  10. Attempt to fetch the ID of the destination list for domains
    • If the destination list was found:
      • Loop through each domain adding them to the list and recording whether or not adding was successful
    • If the destination list was not found, make a note in the workflow output
  11. Send a Webex Teams message with a summary

Configuration

  • Set the Secure Cloud Analytics Alert Name local variable to the name of the alert type you want to respond to
  • Set the Secure Cloud Analytics Alert Status local variable to the alert status you want to response to
  • Add your Secure Cloud Analytics API key to the Secure Cloud Analytics API Key local variable (or, if you have an API key in a global variable already, set the local variable to the global’s value using the Fetch Global Variables group at the beginning of the workflow)
  • Set the Umbrella Domain Destination List local variable to the name of the destination list you want domains added to
  • Set the Umbrella IP Destination List local variable to the name of the destination list you want IP addresses added to
  • Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
  • See this page for information on configuring the workflow for Webex Teams

Targets

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Secure Cloud Analytics HTTP Endpoint Protocol: HTTPS
Host: your-tenant.obsrvbl.com
Path: api
None  
Umbrella Management HTTP Endpoint Protocol: HTTPS
Host: management.api.umbrella.com
Path: None
Umbrella Management  
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex Teams activities are removed

Account Keys

Account Key Name Type Details Notes
Umbrella Management HTTP Basic Authentication Username: Client ID
Password: Client Secret
Must be an API client for the management API