Block External Threats With Umbrella
Workflow #0033
This workflow fetches top attacking external hosts from Cisco Secure Network Analytics (SNA) for the past 24 hours. Each IP address and domain name is added to a destination list in Umbrella (depending on workflow configuration). Finally, a Webex message is sent with a summary.
Note: This workflow will only fetch the first 10 external hosts. If you want to fetch more, update the limit in the workflow.
Change Log
| Date | Notes |
|---|---|
| Jun 17, 2021 | Initial release |
| Sep 10, 2021 | Updated to use the new system atomics |
| Sep 7, 2022 | Minor updates to naming and descriptions |
| Nov 4, 2022 | Fixed appending to the blocked/not blocked lists (Issue #215) |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Secure Network Analytics - Get Tenants
  - Secure Network Analytics - Get Tokens
  - Umbrella - Management - Add Record to Destination List
  - Umbrella - Management - Get Destination Lists
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- A SecureX orchestration remote with connectivity to your Secure Network Analytics instance
- Cisco Secure Network Analytics (SNA)
- Cisco Umbrella
- (Optional) Cisco Webex
Workflow Steps
- Fetch global variables
- Calculate dates and times
- Get Secure Network Analytics tokens and tenant information
- Fetch and parse the top hosts
- Get the Umbrella destination list IDs
- For each IP address:
  - Perform a reverse DNS lookup:
    - If successful, add the domain to the DNS destination list
    - If unsuccessful, add the IP address to the web destination list
- Send a Webex message (if a room was provided)
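The per-IP branch above (reverse DNS lookup, then domain list or IP list) is the part of the workflow where entries can silently land in the wrong list or be added twice, so here is a stand-alone Python version of that step with constructed sample data. This is an added example, not the workflow's own code; the `ipAddress` field name in the sample hosts and the `[{"destination": ..., "comment": ...}]` request body shape are assumptions, and the `limit` default mirrors the workflow's 10-host default.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample of "top attacking external hosts" shaped roughly like a
# Secure Network Analytics result (values are made up for this example and
# the "ipAddress" field name is an assumption).
SAMPLE_TOP_HOSTS = [
    {"ipAddress": "203.0.113.10", "eventCount": 420},
    {"ipAddress": "198.51.100.7", "eventCount": 311},
    {"ipAddress": "203.0.113.10", "eventCount": 99},   # duplicate host
    {"ipAddress": "192.0.2.55", "eventCount": 58},
]


def reverse_dns(ip: str) -> Optional[str]:
    """Real PTR lookup; returns None when the IP has no registered name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def split_hosts(top_hosts: List[dict], limit: int = 10,
                resolve: Callable[[str], Optional[str]] = reverse_dns
                ) -> Dict[str, List[str]]:
    """Mirror the workflow's per-IP branch: IPs with a PTR record go to the
    domain destination list, the rest go to the IP destination list.
    Only the first `limit` hosts are processed (the workflow's default is 10),
    and repeated IPs are skipped so a list never gets the same entry twice."""
    domains: List[str] = []
    ips: List[str] = []
    seen = set()
    for host in top_hosts[:limit]:
        ip = host["ipAddress"]
        if ip in seen:
            continue
        seen.add(ip)
        name = resolve(ip)
        if name:
            domains.append(name.rstrip("."))  # strip the trailing dot of a FQDN
        else:
            ips.append(ip)
    return {"domains": domains, "ips": ips}


def destination_records(values: List[str], comment: str) -> List[dict]:
    """Build one add-destinations body per list. The record shape used here is
    an assumption; confirm it against the Umbrella management API reference."""
    return [{"destination": v, "comment": comment} for v in values]
```

Passing a fake `resolve` callable (as the test does) lets you exercise the branching without network access.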
Configuration
- Add your Secure Network Analytics API username and password to `SNA Username` and `SNA Password` (or, if you have them stored in global variables, use the `Fetch Global Variables` group at the beginning of the workflow to update the local variables)
- Set `SNA Tenant Name` to the name of the tenant you want to work in
- Set the `Top Host Count` local variable to the number of top hosts to fetch
- Set the `Umbrella Domain Destination List` local variable to the name of the destination list you want domains added to
- Set the `Umbrella IP Destination List` local variable to the name of the destination list you want IP addresses added to
- Set the `Umbrella Organization ID` local variable to your Umbrella organization's ID (found in your Umbrella dashboard's URL)
- See this page for information on configuring the workflow for Webex
Targets
Note: If your Secure Network Analytics deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Secure Network Analytics | HTTP Endpoint | Protocol: HTTPS; Host: your-sna-management-center.yourdomain; Path: None | None | |
| Umbrella Management | HTTP Endpoint | Protocol: HTTPS; Host: management.api.umbrella.com; Path: None | Umbrella Management | |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex activities are removed |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| Umbrella Management | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Must be an API client for the management API |