
Search DNS Activity by Category

Workflow #0037

This workflow searches and returns Umbrella DNS activity for the last 7 days based on the Umbrella category provided. The data is then parsed and posted in a ServiceNow incident.



Requirements


Workflow Steps

  1. Get a token for the Umbrella reporting API
  2. Fetch a list of categories
  3. Extract the category ID for the category provided
  4. Check that the category ID was found (if not, end the workflow)
  5. Get activity for the category
  6. Extract and parse the results
  7. Create a ServiceNow incident ticket
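
The parsing steps above (3, 4, 6 and 7) as an added Python sketch that runs offline on constructed data; it is not the workflow's own code. The JSON field names, the sample category IDs, the `caller_id` field and the helper names are assumptions, and `max_records` stands in for the Maximum Records variable. Domains are defanged before they go into the ticket so that they do not render as clickable links.

```python
import json
from collections import Counter

# Constructed sample responses. Field names (data, id, label, domain, verdict)
# are assumptions about the Umbrella Reporting v2 JSON, not taken from the page.
CATEGORIES = {"data": [{"id": 65, "label": "Malware"}, {"id": 68, "label": "Phishing"}]}
ACTIVITY = {"data": [
    {"domain": "bad.example", "verdict": "blocked", "internalip": "10.0.0.5"},
    {"domain": "bad.example", "verdict": "blocked", "internalip": "10.0.0.9"},
    {"domain": "lure.example", "verdict": "allowed", "internalip": "10.0.0.5"},
]}

def find_category_id(categories, name):
    """Step 3: ID of the category whose label equals name (case-insensitive), else None."""
    wanted = name.strip().casefold()
    for cat in categories.get("data", []):
        if str(cat.get("label", "")).casefold() == wanted:
            return cat.get("id")
    return None

def summarize(activity, max_records=1000):
    """Step 6: request count per (domain, verdict), capped at max_records records."""
    records = activity.get("data", [])[:max_records]
    counts = Counter((r.get("domain", "?"), r.get("verdict", "?")) for r in records)
    return counts.most_common()

def build_incident(category, rows, user_id):
    """Step 7: JSON body for a ServiceNow incident (assumed Table API fields)."""
    lines = [f"{domain.replace('.', '[.]')} [{verdict}]: {n} request(s)"
             for (domain, verdict), n in rows]
    return {
        "caller_id": user_id,
        "short_description": f"Umbrella DNS activity for category '{category}' (last 7 days)",
        "description": "\n".join(lines) or "No activity found.",
    }

def run(category, user_id, categories=CATEGORIES, activity=ACTIVITY, max_records=1000):
    cat_id = find_category_id(categories, category)
    if cat_id is None:  # Step 4: unknown category, end without opening a ticket
        return None
    return build_incident(category, summarize(activity, max_records), user_id)

if __name__ == "__main__":
    print(json.dumps(run("malware", "svc_umbrella"), indent=2))
```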

Configuration

  • Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
  • Set the Category to Filter On local variable to the name of the category you want to report on
  • Set the Maximum Records local variable to the maximum number of activity records to request from Umbrella. This is 1,000 by default
  • Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • By default, this workflow is configured to run on demand. You can create a schedule if you want it to run at a set interval

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
| Umbrella OAuth | HTTP Endpoint | Protocol: HTTPS; Host: management.api.umbrella.com; Path: None | Umbrella Reporting | |
| Umbrella Reporting v2 | HTTP Endpoint | Protocol: HTTPS; Host: reports.api.umbrella.com; Path: None | None | |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |
| Umbrella Reporting | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Must be an API client for the reporting API |