On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Top 10 Blocked Identities to ServiceNow

Workflow #0041

This workflow searches and returns the top 10 identities in Cisco Umbrella with DNS activity blocks for the last 7 days. The data is then parsed and posted in a ServiceNow incident.

GitHub

---

Change Log

Date	Notes
Aug 23, 2021	- Initial release
Mar 21, 2022	- Updated to use the new system atomics
Jul 25, 2022	- Updated to enable sensitive header redirection for Umbrella APIs (Issue #176)
Sep 7, 2022	- Minor updates to naming and descriptions

---

Requirements

• The following system atomics are used by this workflow:
  • Umbrella - Reporting v2 - Get Token
• The following atomic actions must be imported before you can import this workflow:
  • ServiceNow - Create Incident (CiscoSecurity_Atomics)
• The targets and account keys listed at the bottom of the page
• Cisco Umbrella
• ServiceNow

---

Workflow Steps

1. Get a token for the Umbrella API
2. Fetch a list of identities with blocked DNS activity
3. Check if the request was successful (if not, end the workflow)
4. Extract the result count and check if there were any results (if not, end the workflow)
5. Convert the top blocked identities to a table
6. For each identity:
   • Fetch blocked domains for the identity provided
   • Format the results for ServiceNow
7. Create a ServiceNow incident ticket

---

Configuration

• Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
• Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
• If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow

---

Targets

Target Group: Default TargetGroup

Target Name	Type	Details	Account Keys	Notes
ServiceNow	HTTP Endpoint	Protocol: HTTPS Host: <instance>.service-now.com Path: /api	ServiceNow_Credentials	Be sure to use your instance URL
Umbrella OAuth	HTTP Endpoint	Protocol: HTTPS Host: management.api.umbrella.com Path: None	Umbrella Reporting
Umbrella Reporting v2	HTTP Endpoint	Protocol: HTTPS Host: reports.api.umbrella.com Path: None	None

---

Account Keys

Account Key Name	Type	Details	Notes
ServiceNow_Credentials	HTTP Basic Authentication	Username: ServiceNow User ID Password: ServiceNow Password
Umbrella Reporting	HTTP Basic Authentication	Username: Client ID Password: Client Secret	Must be an API client for the reporting API