On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Search DNS Activity by Category

Workflow #0037

This workflow searches and returns Cisco Umbrella DNS activity for the last 7 days based on the Umbrella category provided. The data is then parsed and posted in a ServiceNow incident.


Change Log

Date Notes
Jul 26, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Jan 13, 2022 - Updated to end gracefully if Umbrella doesn’t return any results
Sep 7, 2022 - Minor updates to naming and descriptions

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Umbrella - Reporting v2 - Get Activity
    • Umbrella - Reporting v2 - Get List of Categories
    • Umbrella - Reporting v2 - Get Token
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Umbrella
  • ServiceNow

Workflow Steps

  1. Get a token for the Umbrella reporting API
  2. Fetch a list of categories
  3. Extract the category ID for the category provided
  4. Check that the category ID was found (if not, end the workflow)
  5. Get activity for the category
  6. Extract and parse the results
  7. Create a Service Now incident ticket


  • Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
  • Set the Category to Filter On local variable to the name of the category you want to report on
  • Set the Maximum Records local variable to the maximum number of activity records to request from Umbrella. This is 1,000 by default
  • Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • By default, this workflow is configured to run on demand. You can create a schedule if you want it to run at a set interval


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
ServiceNow HTTP Endpoint Protocol: HTTPS
Host: <instance>.service-now.com
Path: /api
ServiceNow_Credentials Be sure to use your instance URL
Umbrella OAuth HTTP Endpoint Protocol: HTTPS
Host: management.api.umbrella.com
Path: None
Umbrella Reporting  
Umbrella Reporting v2 HTTP Endpoint Protocol: HTTPS
Host: reports.api.umbrella.com
Path: None

Account Keys

Account Key Name Type Details Notes
ServiceNow_Credentials HTTP Basic Authentication Username: ServiceNow User ID
Password: ServiceNow Password
Umbrella Reporting HTTP Basic Authentication Username: Client ID
Password: Client Secret
Must be an API client for the reporting API