On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Excessive Requests to Incidents

Workflow #0023

This workflow fetches per-category request statistics from Cisco Umbrella for a 1-hour window. If any of the categories had a request count higher than the threshold configured in the workflow, an incident is created in Cisco SecureX.

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.

Change Log

| Date | Notes |
| --- | --- |
| Apr 13, 2021 | Initial release |
| Jun 14, 2021 | Additional error handling |
| Sep 10, 2021 | Updated to use the new system atomics |
| Jul 25, 2022 | Updated to enable sensitive header redirection for Umbrella APIs (Issue #176) |
| Sep 1, 2022 | Updated to support SecureX Tokens |

See the Important Notes page for more information about updating workflows.


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Create Incident
    • Umbrella - Reporting v2 - Get Token
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Umbrella

Workflow Steps

  1. Get a token for the Umbrella API
  2. Request statistics for DNS categories
  3. Check if the request was successful:
    • If it wasn’t, output an error and end the workflow
    • If it was:
      • Convert the statistics to a table
      • Loop through the table, checking whether each category is in scope and exceeds the threshold. If it is, add it to the ticket text
  4. Check if any categories exceeded the threshold (overall)
    • If none of them did, end the workflow
  5. Generate an access token for SecureX and create an incident

Configuration

  • Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
  • Set the Categories to Alert On local variable to the comma-separated list of categories you want to alert on (e.g. Cryptomining,Illegal Downloads,Illegal Activity,Phishing)
  • Set the Request Threshold local variable to the threshold of requests per hour you want to alert on. This is 1,000 by default
  • By default, the workflow is configured to run once an hour using the 0023 - Umbrella - Excessive Requests to Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Umbrella Report Polling
    • Uncheck the Disable Trigger box and click Save
  • If you change the schedule for this workflow, you will need to adjust the relative URL in the Request category statistics activity to match the new schedule. For example, if you change the schedule to every 2 hours, the URL needs from=-2hours instead of from=-1hours
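The decision logic of steps 3 to 5 and the coupling between the schedule and the from= parameter, written out as an added Python example (this is not the workflow's own code and SecureX orchestration does not run Python; it only mirrors what the activities do). The local variable names are the ones described above; the JSON shape of the Umbrella Reporting v2 category response (a data array of objects with a count and a category label) and the sample response itself are constructed assumptions, and the token request to the Umbrella OAuth target is left out so the example runs offline.

```python
import json
from urllib.parse import urlencode

# Constructed sample response. The shape ({"data": [{"count": N, "category":
# {"label": "..."}}]}) is an assumption about the Reporting v2 API, not taken
# from the workflow or from Cisco documentation.
SAMPLE_RESPONSE = json.dumps({
    "meta": {},
    "data": [
        {"count": 48210, "category": {"id": 1, "label": "Search Engines", "type": "content"}},
        {"count": 1342, "category": {"id": 2, "label": "Cryptomining", "type": "security"}},
        {"count": 980, "category": {"id": 3, "label": "Phishing", "type": "security"}},
        {"count": 12, "category": {"id": 4, "label": "Illegal Downloads", "type": "content"}},
    ],
})

# Mirrors the "Request Threshold" local variable (1,000 by default).
DEFAULT_THRESHOLD = 1000


def parse_categories(categories_to_alert_on: str) -> list[str]:
    """Split the comma-separated 'Categories to Alert On' local variable."""
    return [c.strip() for c in categories_to_alert_on.split(",") if c.strip()]


def report_query(schedule_hours: int) -> str:
    """Query string that matches the schedule: from=-1hours for an hourly run,
    from=-2hours if the schedule is changed to every 2 hours, and so on."""
    return urlencode({"from": f"-{schedule_hours}hours", "to": "now"})


def categories_over_threshold(response_text: str, in_scope: list[str],
                              threshold: int = DEFAULT_THRESHOLD) -> list[tuple[str, int]]:
    """Step 3: convert the statistics to a table and keep the in-scope
    categories whose request count is higher than the threshold."""
    body = json.loads(response_text)
    hits = []
    for row in body.get("data", []):
        label = row.get("category", {}).get("label")
        count = int(row.get("count", 0))
        if label in in_scope and count > threshold:
            hits.append((label, count))
    # Highest request count first, so the incident text leads with the worst offender.
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


def build_incident_text(hits: list[tuple[str, int]], threshold: int, schedule_hours: int) -> str:
    """Ticket text handed to the 'Threat Response - Create Incident' atomic."""
    lines = [f"Umbrella categories exceeding {threshold} requests in the last {schedule_hours} hour(s):"]
    for label, count in hits:
        lines.append(f"- {label}: {count} requests")
    return "\n".join(lines)


def evaluate(response_text: str, categories_to_alert_on: str,
             threshold: int = DEFAULT_THRESHOLD, schedule_hours: int = 1):
    """Steps 3 to 5: returns the incident text, or None when no category
    exceeded the threshold (step 4: end the workflow without an incident)."""
    hits = categories_over_threshold(response_text, parse_categories(categories_to_alert_on), threshold)
    if not hits:
        return None
    return build_incident_text(hits, threshold, schedule_hours)


if __name__ == "__main__":
    print(report_query(1))
    print(evaluate(SAMPLE_RESPONSE, "Cryptomining,Illegal Downloads,Illegal Activity,Phishing"))
```

With the sample data only Cryptomining is reported: Search Engines is not in the alert list, and Phishing at 980 requests sits below the 1,000 threshold. Note that the comparison is strictly greater than the threshold, matching "higher than the threshold" in the description; if the schedule interval is lengthened, both the from= value and the threshold should be reconsidered together, since a per-hour threshold applied to a 2-hour window doubles the volume needed before an incident is raised.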

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None | CTR_Credentials | Created by default |
| Umbrella OAuth | HTTP Endpoint | Protocol: HTTPS; Host: management.api.umbrella.com; Path: None | Umbrella Reporting | |
| Umbrella Reporting v2 | HTTP Endpoint | Protocol: HTTPS; Host: reports.api.umbrella.com; Path: None | None | |

Account Keys

| Account Key Name | Type | Details | Notes |
| --- | --- | --- | --- |
| CTR_Credentials | SecureX Token | | See this page |
| Umbrella Reporting | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Must be an API client for the reporting API |