Top 10 Blocked Identities to ServiceNow
Workflow #0041
This workflow queries Cisco Umbrella for the 10 identities with the most blocked DNS activity over the last 7 days. The results are then parsed and posted in a ServiceNow incident.
Change Log
Date | Notes |
---|---|
Aug 23, 2021 | - Initial release |
Mar 21, 2022 | - Updated to use the new system atomics |
Jul 25, 2022 | - Updated to enable sensitive header redirection for Umbrella APIs (Issue #176) |
Sep 7, 2022 | - Minor updates to naming and descriptions |
Requirements
- The following system atomics are used by this workflow:
  - Umbrella - Reporting v2 - Get Token
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page:
  - Cisco Umbrella
  - ServiceNow
Workflow Steps
- Get a token for the Umbrella API
- Fetch a list of identities with blocked DNS activity
- Check if the request was successful (if not, end the workflow)
- Extract the result count and check if there were any results (if not, end the workflow)
- Convert the top blocked identities to a table
- For each identity:
  - Fetch blocked domains for the identity
  - Format the results for ServiceNow
- Create a ServiceNow incident ticket
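The steps above, written out as plain Python so the control flow (token, report query, "no results, end" check, per-identity loop, single incident) can be read and tested outside the orchestration engine. This is an added example, not the workflow's own definition or Cisco's code. The hosts come from the Targets table below; the URL paths, query parameters, JSON field names (`identity.id`, `identity.label`, `requests`, `domain`) and the ServiceNow Table API path are assumptions and must be checked against the current Umbrella Reporting v2 and ServiceNow documentation. The sample responses at the bottom are constructed, so `demo()` runs offline.

```python
"""Plain-Python walk-through of workflow #0041 (added example, not the workflow's code).
Hosts are taken from the Targets table; URL paths, query parameters and response
field names are assumptions and must be checked against your tenant's API docs."""
import base64
import json
import urllib.parse
import urllib.request

UMBRELLA_TOKEN_URL = "https://management.api.umbrella.com/auth/v2/oauth2/token"  # assumed path
UMBRELLA_REPORTS = "https://reports.api.umbrella.com/v2/organizations/{org_id}"  # assumed path
SERVICENOW_INCIDENT_PATH = "/api/now/table/incident"  # Table API, assumed target


def http_json(url, headers, data=None, method="GET"):
    """Issue one request and decode the JSON body. urlopen raises HTTPError on a
    non-2xx status, which is the 'request was not successful, end the workflow' branch."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def basic_auth(user, secret):
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def get_umbrella_token(client_id, client_secret):
    """Step 1: client-credentials grant using the 'Umbrella Reporting' account key."""
    headers = {**basic_auth(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return http_json(UMBRELLA_TOKEN_URL, headers, data=body, method="POST")["access_token"]


def report_query(token, org_id, resource, **extra):
    """Steps 2 and 5: last 7 days, blocked verdict only, top-N rows (parameter names assumed)."""
    params = {"from": "-7days", "to": "now", "verdict": "blocked", "limit": 10, **extra}
    url = f"{UMBRELLA_REPORTS.format(org_id=org_id)}/{resource}?{urllib.parse.urlencode(params)}"
    return http_json(url, {"Authorization": f"Bearer {token}"})


def extract_identities(payload, limit=10):
    """Steps 3-4: turn the report into rows; an empty list means 'end the workflow'."""
    rows = []
    for row in (payload.get("data") or [])[:limit]:
        ident = row.get("identity") or {}
        if "id" not in ident:
            continue  # malformed row: skip it rather than fail the whole run
        rows.append({"id": ident["id"],
                     "label": ident.get("label") or str(ident["id"]),
                     "requests": int(row.get("requests", 0))})
    return rows


def extract_domains(payload, limit=10):
    return [d["domain"] for d in (payload.get("data") or [])[:limit] if d.get("domain")]


def build_report(top_payload, fetch_domains):
    """Step 5: pair each identity with its blocked domains. fetch_domains(identity_id)
    is injected so the same code runs against the live API or the constructed samples."""
    return [(ident, fetch_domains(ident["id"])) for ident in extract_identities(top_payload)]


def format_incident(report, caller_id):
    """Step 6: one incident summarising every identity, plain text only."""
    lines = ["Top blocked identities in Cisco Umbrella (last 7 days)", ""]
    for ident, domains in report:
        lines.append(f"{ident['label']} (id {ident['id']}): {ident['requests']} blocked requests")
        lines += [f"  - {d}" for d in domains] or ["  - (no domains returned)"]
    return {"short_description": f"Umbrella: top {len(report)} identities with blocked DNS activity",
            "description": "\n".join(lines),
            "caller_id": caller_id}


def create_incident(instance_host, user, password, incident):
    """Step 7: POST to the ServiceNow Table API with the ServiceNow_Credentials key."""
    headers = {**basic_auth(user, password), "Content-Type": "application/json",
               "Accept": "application/json"}
    url = f"https://{instance_host}{SERVICENOW_INCIDENT_PATH}"
    return http_json(url, headers, data=json.dumps(incident).encode(), method="POST")


# Constructed sample responses, shaped the way the Reporting v2 JSON is assumed to look.
SAMPLE_TOP = {"meta": {}, "data": [
    {"identity": {"id": 1001, "label": "laptop-alice"}, "requests": 42},
    {"identity": {"id": 1002, "label": "laptop-bob"}, "requests": 17},
    {"requests": 9},  # row without an identity block: must be skipped
]}
SAMPLE_DOMAINS = {1001: {"data": [{"domain": "bad.example"}, {"domain": "worse.example"}]},
                  1002: {"data": []}}


def demo():
    """Offline run of steps 3-6 over the samples; returns the incident body or None."""
    report = build_report(SAMPLE_TOP, lambda i: extract_domains(SAMPLE_DOMAINS.get(i, {})))
    if not report:
        return None  # step 3: nothing blocked, end without opening a ticket
    return format_incident(report, caller_id="secops.bot")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a live run, call `get_umbrella_token`, then `build_report(report_query(token, org, "top-identities"), lambda i: extract_domains(report_query(token, org, "top-destinations", identityids=i)))`, and pass the result of `format_incident` to `create_incident`. The `caller_id` value corresponds to the ServiceNow User ID local variable described under Configuration.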
Configuration
- Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow account key or, if that account has the appropriate permissions, be a different user
- Set the Umbrella Organization ID local variable to your Umbrella organization's ID (found in your Umbrella dashboard's URL)
- If you want the workflow to run on a schedule, create a schedule and then add it as a trigger within the workflow
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Umbrella OAuth | HTTP Endpoint | Protocol: HTTPS Host: management.api.umbrella.com Path: None | Umbrella Reporting | |
Umbrella Reporting v2 | HTTP Endpoint | Protocol: HTTPS Host: reports.api.umbrella.com Path: None | None | |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |
Umbrella Reporting | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Must be an API client for the reporting API |