On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Block External Threats With Umbrella

Workflow #0033

This workflow fetches top attacking external hosts from Cisco Secure Network Analytics (SNA) for the past 24 hours. Each IP address and domain name is added to a destination list in Umbrella (depending on workflow configuration). Finally, a Webex message is sent with a summary.

Note: This workflow will only fetch the first 10 external hosts. If you want to fetch more, update the limit in the workflow.


Change Log

Date Notes
Jun 17, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Sep 7, 2022 - Minor updates to naming and descriptions
Nov 4, 2022 - Fixed appending to the blocked/not blocked lists (Issue #215)

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Secure Network Analytics - Get Tenants
    • Secure Network Analytics - Get Tokens
    • Umbrella - Management - Add Record to Destination List
    • Umbrella - Management - Get Destination Lists
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • A SecureX orchestration remote with connectivity to your Secure Network Analytics instance
  • Cisco Secure Network Analytics (SNA)
  • Cisco Umbrella
  • (Optional) Cisco Webex

Workflow Steps

  1. Fetch global variables
  2. Calculate dates and times
  3. Get Secure Network Analytics tokens and tenant information
  4. Fetch and parse the top hosts
  5. Get the Umbrella destination list IDs
  6. For each IP address:
    • Perform a reverse DNS lookup:
    • If successful, add the domain to the DNS destination list
    • If unsuccessful, add the IP address to the web destination list
  7. Send a Webex message (if a room was provided)


  • Add your Secure Network Analytics API username and password to SNA Username and SNA Password (or, if you have them stored in global variables, use the Fetch Global Variables group at the beginning of the workflow to update the local variables)
  • Set the SNA Tenant Name to the name of the tenant you want to work in
  • Set the Top Host Count local variable to the number of top hosts to fetch
  • Set the Umbrella Domain Destination List local variable to the name of the destination list you want domains added to
  • Set the Umbrella IP Destination List local variable to the name of the destination list you want IP addresses added to
  • Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
  • See this page for information on configuring the workflow for Webex


Note: If your Secure Network Analytics deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Secure Network Analytics HTTP Endpoint Protocol: HTTPS
Host: your-sna-management-center.yourdomain
Path: None
Umbrella Management HTTP Endpoint Protocol: HTTPS
Host: management.api.umbrella.com
Path: None
Umbrella Management  
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex activities are removed

Account Keys

Account Key Name Type Details Notes
Umbrella Management HTTP Basic Authentication Username: Client ID
Password: Client Secret
Must be an API client for the management API