Search DNS Activity by Category
Workflow #0037
This workflow searches and returns Cisco Umbrella DNS activity for the last 7 days based on the Umbrella category provided. The data is then parsed and posted in a ServiceNow incident.
Change Log
Date | Notes |
---|---|
Jul 26, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Jan 13, 2022 | - Updated to end gracefully if Umbrella doesn’t return any results |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Umbrella - Reporting v2 - Get Activity
  - Umbrella - Reporting v2 - Get List of Categories
  - Umbrella - Reporting v2 - Get Token
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
  - Cisco Umbrella
  - ServiceNow
Workflow Steps
- Get a token for the Umbrella reporting API
- Fetch a list of categories
- Extract the category ID for the category provided
- Check that the category ID was found (if not, end the workflow)
- Get activity for the category
- Extract and parse the results
- Create a ServiceNow incident ticket
Configuration
- Set the `Umbrella Organization ID` local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
- Set the `Category to Filter On` local variable to the name of the category you want to report on
- Set the `Maximum Records` local variable to the maximum number of activity records to request from Umbrella. This is 1,000 by default
- Update the `ServiceNow User ID` local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
- By default, this workflow is configured to run on demand. You can create a schedule if you want it to run at a set interval
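The steps above, carried through in plain Python as an added example (this is not the workflow's own code and not part of the Cisco atomics). It uses the four local variables from the Configuration section as parameters and runs offline against constructed sample payloads: the field names in the sample categories and activity responses, the relative-time query values (`-7days`, `now`) and the `categories`/`limit` query parameters are assumptions about the Umbrella Reporting v2 API, and the organization ID and user ID are placeholders. The point it adds to the text is the two exit paths the workflow takes: an unknown category name and an empty activity result both end without opening a ticket, and an incident is only built when Umbrella actually returned records.

```python
"""Offline sketch of the Umbrella -> ServiceNow category workflow (added example)."""
import json
from collections import Counter
from typing import Optional

# Local variables from the Configuration section. Org ID and user ID are
# placeholders, not real identifiers.
UMBRELLA_ORGANIZATION_ID = "1234567"        # placeholder
CATEGORY_TO_FILTER_ON = "Malware"
MAXIMUM_RECORDS = 1000                       # the documented default
SERVICENOW_USER_ID = "secops.automation"     # placeholder

# Constructed sample of the "Get List of Categories" response.
# Field names (data/id/label/type) are an assumption about the API shape.
SAMPLE_CATEGORIES = {
    "data": [
        {"id": 66, "label": "Malware", "type": "security"},
        {"id": 68, "label": "Phishing", "type": "security"},
        {"id": 32, "label": "Social Networking", "type": "content"},
    ]
}

# Constructed sample of the "Get Activity" response (same caveat on field names).
SAMPLE_ACTIVITY = {
    "data": [
        {"timestamp": 1657872000000, "domain": "bad.example", "verdict": "blocked",
         "internalip": "10.0.0.12", "identities": [{"label": "host-12"}],
         "categories": [{"id": 66, "label": "Malware"}]},
        {"timestamp": 1657875600000, "domain": "evil.example", "verdict": "blocked",
         "internalip": "10.0.0.12", "identities": [{"label": "host-12"}],
         "categories": [{"id": 66, "label": "Malware"}]},
        {"timestamp": 1657879200000, "domain": "bad.example", "verdict": "allowed",
         "internalip": "10.0.0.40", "identities": [{"label": "host-40"}],
         "categories": [{"id": 66, "label": "Malware"}]},
    ]
}


def find_category_id(categories: dict, name: str) -> Optional[int]:
    """Step 3: map the configured category name to its numeric ID.
    Case-insensitive so a differently cased variable value still matches."""
    for cat in categories.get("data", []):
        if cat.get("label", "").lower() == name.strip().lower():
            return cat["id"]
    return None


def build_activity_query(org_id: str, category_id: int, limit: int) -> dict:
    """Step 5: query parameters for the last 7 days of activity in one category.
    Relative-time values and parameter names are assumptions about the API."""
    return {
        "organizationId": org_id,
        "from": "-7days",
        "to": "now",
        "categories": str(category_id),
        "limit": max(1, limit),
    }


def summarize_activity(activity: dict) -> dict:
    """Step 6: reduce raw records to what an analyst needs in the ticket."""
    records = activity.get("data", [])
    return {
        "total": len(records),
        "blocked": sum(1 for r in records if r.get("verdict") == "blocked"),
        "allowed": sum(1 for r in records if r.get("verdict") == "allowed"),
        "top_domains": Counter(r.get("domain", "") for r in records).most_common(5),
        "identities": sorted({i["label"] for r in records for i in r.get("identities", [])}),
    }


def build_incident(category_name: str, summary: dict, caller: str) -> Optional[dict]:
    """Step 7: body for 'ServiceNow - Create Incident'. Returns None when Umbrella
    returned no records, mirroring the workflow's graceful exit (Jan 13, 2022 change)."""
    if summary["total"] == 0:
        return None
    lines = [
        f"Umbrella DNS activity for category '{category_name}' (last 7 days)",
        f"Total: {summary['total']}  Blocked: {summary['blocked']}  Allowed: {summary['allowed']}",
        "Top domains: " + ", ".join(f"{d} ({n})" for d, n in summary["top_domains"]),
        "Identities: " + ", ".join(summary["identities"]),
    ]
    return {
        "short_description": f"Umbrella: {summary['total']} DNS events in category {category_name}",
        "description": "\n".join(lines),
        "caller_id": caller,
        # Allowed hits in a security category are the ones worth a look first.
        "urgency": "2" if summary["allowed"] else "3",
    }


def run(categories=SAMPLE_CATEGORIES, activity=SAMPLE_ACTIVITY,
        category_name=CATEGORY_TO_FILTER_ON) -> Optional[dict]:
    """Steps 3-7 end to end. Returns None on either early exit."""
    cat_id = find_category_id(categories, category_name)
    if cat_id is None:                      # step 4: category not found, end here
        return None
    query = build_activity_query(UMBRELLA_ORGANIZATION_ID, cat_id, MAXIMUM_RECORDS)
    incident = build_incident(category_name, summarize_activity(activity), SERVICENOW_USER_ID)
    if incident is None:                    # no activity, end without a ticket
        return None
    return {"query": query, "incident": incident}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Steps 1 and 2 (token and category list) are the HTTP calls against the `Umbrella OAuth` and `Umbrella Reporting v2` targets and are left to the atomics; the functions here take their JSON as input, which also makes the parsing and the empty-result path easy to unit test before the workflow is scheduled.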
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Umbrella OAuth | HTTP Endpoint | Protocol: HTTPS Host: management.api.umbrella.com Path: None | Umbrella Reporting | |
Umbrella Reporting v2 | HTTP Endpoint | Protocol: HTTPS Host: reports.api.umbrella.com Path: None | None | |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |
Umbrella Reporting | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Must be an API client for the reporting API |