Excessive Requests to Incidents
Workflow #0023
This workflow fetches requests-per-category statistics from Cisco Umbrella for a 1 hour window. If any of the categories you configure had a request count higher than the threshold configured in the workflow, an incident is created in Cisco SecureX.
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
Date | Notes |
---|---|
Apr 13, 2021 | - Initial release |
Jun 14, 2021 | - Additional error handling |
Sep 10, 2021 | - Updated to use the new system atomics |
Jul 25, 2022 | - Updated to enable sensitive header redirection for Umbrella APIs (Issue #176) |
Sep 1, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Create Incident
  - Umbrella - Reporting v2 - Get Token
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Umbrella
Workflow Steps
- Get a token for the Umbrella API
- Request statistics for DNS categories
- Check if the request was successful:
  - If it wasn't, output an error and end the workflow
  - If it was:
    - Convert the statistics to a table
    - Loop through the table checking whether each category is in scope (listed in Categories to Alert On). If it is, add it to the incident text
    - Check if any in-scope category exceeded the threshold (overall)
    - If none of them did, end the workflow
    - Generate an access token for SecureX and create an incident
Configuration
- Set the Umbrella Organization ID local variable to your Umbrella organization's ID (found in your Umbrella dashboard's URL)
- Set the Categories to Alert On local variable to the comma-separated list of categories you want to alert on (ex: Cryptomining,Illegal Downloads,Illegal Activity,Phishing)
- Set the Request Threshold local variable to the number of requests per hour above which you want to alert. This is 1,000 by default
- By default, the workflow is configured to run once an hour using the 0023 - Umbrella - Excessive Requests to Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
  - Open the workflow in the workflow editor
  - Scroll down to the Triggers section of the workflow's properties and click Umbrella Report Polling
  - Uncheck the Disable Trigger box and click Save
- If you change the schedule for this workflow, you will also need to adjust the relative URL in the Request category statistics activity to match the new schedule. For example, if you change the schedule to every 2 hours, the URL needs from=-2hours instead of from=-1hours. If the reporting window and the schedule do not match, each run either re-evaluates traffic an earlier run already counted or leaves part of the interval unexamined, so the threshold no longer means "requests per run".
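The decision logic of the Workflow Steps above (convert the statistics to a table, keep only in-scope categories, compare against Request Threshold, build the incident text) and the relative from= value from the Configuration section, modelled offline in Python. This is an added example, not the workflow's own activities or any Cisco code: the response shape (`data` items carrying a `category.label` and a `count`), the sample counts, and the case-insensitive category match are all assumptions made for the example, and no HTTP calls are made.

```python
"""Offline model of the threshold check in workflow 0023 (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample of a per-category statistics response. The shape is an
# assumption for this example, not a documented Umbrella Reporting v2 schema.
# The "Malware" entry is deliberately malformed to exercise the skip path.
SAMPLE_RESPONSE = {
    "data": [
        {"category": {"label": "Phishing"}, "count": 1400},
        {"category": {"label": "Cryptomining"}, "count": 12},
        {"category": {"label": "Software/Technology"}, "count": 90210},
        {"category": {"label": "Illegal Downloads"}, "count": 1000},
        {"category": {"label": "Malware"}, "count": None},
    ]
}


@dataclass(frozen=True)
class Hit:
    category: str
    count: int


def parse_categories(setting: str) -> set[str]:
    """Parse the comma-separated 'Categories to Alert On' variable.

    Whitespace around each name is stripped and empty entries are dropped, so a
    trailing comma does not create an empty category. Matching is lowercased
    (an assumption of this example) so label casing cannot silently disable an alert.
    """
    return {c.strip().lower() for c in setting.split(",") if c.strip()}


def relative_from(hours: int) -> str:
    """Build the relative from= value for the reporting query.

    The workflow ships with from=-1hours for its hourly schedule; this is the
    value that has to change together with the schedule.
    """
    if hours < 1:
        raise ValueError("window must be at least one hour")
    return f"-{hours}hours"


def stats_to_rows(response: dict) -> list[Hit]:
    """Flatten the response into (category, count) rows: the 'convert to a table' step."""
    rows: list[Hit] = []
    for item in response.get("data", []):
        label = item.get("category", {}).get("label")
        count = item.get("count")
        if label is None or not isinstance(count, int):
            continue  # skip malformed entries instead of failing the whole run
        rows.append(Hit(label, count))
    return rows


def exceeded(rows: Iterable[Hit], watch: set[str], threshold: int) -> list[Hit]:
    """Return in-scope categories whose count is strictly above the threshold.

    'Strictly above' follows 'higher than the threshold' in the workflow
    description: a count equal to the threshold does not raise an incident.
    """
    return [h for h in rows if h.category.lower() in watch and h.count > threshold]


def incident_text(hits: list[Hit], window_hours: int) -> str:
    """Render the incident body, highest count first."""
    lines = [f"Umbrella categories exceeding request threshold in the last {window_hours} hour(s):"]
    lines += [f"- {h.category}: {h.count} requests" for h in sorted(hits, key=lambda h: -h.count)]
    return "\n".join(lines)


def evaluate(response: dict, categories_setting: str, threshold: int, window_hours: int = 1) -> str | None:
    """Return the incident text, or None when no in-scope category exceeded the threshold."""
    hits = exceeded(stats_to_rows(response), parse_categories(categories_setting), threshold)
    return incident_text(hits, window_hours) if hits else None


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE, "Cryptomining,Illegal Downloads,Illegal Activity,Phishing", 1000))
```

With the sample data and the default threshold of 1,000 only Phishing (1400) produces an incident: Illegal Downloads sits exactly at the threshold and is not "higher than" it, Software/Technology is far above it but not in scope, and the malformed Malware entry is dropped before comparison. If you want an equal count to alert, change `>` to `>=` in `exceeded`, and document that in the workflow's Request Threshold description.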
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | CTR_Credentials | Created by default |
Umbrella OAuth | HTTP Endpoint | Protocol: HTTPS Host: management.api.umbrella.com Path: None | Umbrella Reporting | |
Umbrella Reporting v2 | HTTP Endpoint | Protocol: HTTPS Host: reports.api.umbrella.com Path: None | None | |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |
Umbrella Reporting | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Must be an API client for the reporting API |