Link Search Menu Expand Document

Excessive Requests to Incidents

Workflow #0023

This workflow fetches request per category statistics from Cisco Umbrella for a 1 hour window. If any of the categories had a request count higher than the threshold configured in the workflow, an incident is created in SecureX.

GitHub


Requirements


Workflow Steps

  1. Get a token for the Umbrella API
  2. Request statistics for DNS categories
  3. Check if the request was successful:
    • If it wasn’t, output an error and end the workflow
    • If it was:
      • Convert the statistics to a table
      • Loop through the table checking if any of the categories are in scope. If it is, add it to the ticket text
  4. Check if any categories exceeded the threshold (overall)
    • If none of them did, end the workflow
  5. Generate an access token for SecureX and create an incident

Configuration

  • Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
  • Set the Categories to Alert On local variable to the list of categories you want to alert on (ex: Cryptomining,Illegal Downloads,Illegal Activity,Phishing)
  • Set the Request Threshold local variable to the threshold of requests per hour you want to alert on. This is 1,000 by default
  • By default, the workflow is configured to run once an hour using the 0023 - Umbrella - Excessive Requests to Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Umbrella Report Polling
    • Uncheck the Disable Trigger box and click Save
  • If you change the schedule for this workflow, you will need to adjust the relative URL in the Request category statistics activity to match the new schedule. As in, if you change the schedule to every 2 hours, you would need from=-2hours instead of from=-1hours in the URL

Targets

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
CTR_For_Access_Token HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
CTR_Credentials Created by default
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
None Created by default
Umbrella OAuth HTTP Endpoint Protocol: HTTPS
Host: management.api.umbrella.com
Path: None
Umbrella Reporting  
Umbrella Reporting v2 HTTP Endpoint Protocol: HTTPS
Host: reports.api.umbrella.com
Path: None
None  

Account Keys

Account Key Name Type Details Notes
CTR_Credentials HTTP Basic Authentication Username: Client ID
Password: Client Secret
Created by default
Umbrella Reporting HTTP Basic Authentication Username: Client ID
Password: Client Secret
Must be an API client for the reporting API