Link Search Menu Expand Document

Top 10 Blocked Identities to ServiceNow

Workflow #0041

This workflow searches and returns the top 10 identities in Cisco Umbrella with DNS activity blocks for the last 7 days. The data is then parsed and posted in a ServiceNow incident.

GitHub


Change Log

Date Notes
Aug 23, 2021 - Initial release

Requirements


Workflow Steps

  1. Get a token for the Umbrella API
  2. Fetch a list of identities with blocked DNS activity
  3. Check if the request was successful (if not, end the workflow)
  4. Extract the result count and check if there were any results (if not, end the workflow)
  5. Convert the top blocked identities to a table
  6. For each identity:
    • Fetch blocked domains for the identity provided
    • Format the results for ServiceNow
  7. Create a ServiceNow incident ticket

Configuration

  • Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow

Targets

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
ServiceNow HTTP Endpoint Protocol: HTTPS
Host: <instance>.service-now.com
Path: /api
ServiceNow_Credentials Be sure to use your instance URL
Umbrella OAuth HTTP Endpoint Protocol: HTTPS
Host: management.api.umbrella.com
Path: None
Umbrella Reporting  
Umbrella Reporting v2 HTTP Endpoint Protocol: HTTPS
Host: reports.api.umbrella.com
Path: None
None  

Account Keys

Account Key Name Type Details Notes
ServiceNow_Credentials HTTP Basic Authentication Username: ServiceNow User ID
Password: ServiceNow Password
 
Umbrella Reporting HTTP Basic Authentication Username: Client ID
Password: Client Secret
Must be an API client for the reporting API