On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Top 10 Blocked Identities to ServiceNow

Workflow #0041

This workflow searches and returns the top 10 identities in Cisco Umbrella with DNS activity blocks for the last 7 days. The data is then parsed and posted in a ServiceNow incident.


Change Log

Date Notes
Aug 23, 2021 - Initial release
Mar 21, 2022 - Updated to use the new system atomics
Jul 25, 2022 - Updated to enable sensitive header redirection for Umbrella APIs (Issue #176)
Sep 7, 2022 - Minor updates to naming and descriptions


  • The following system atomics are used by this workflow:
    • Umbrella - Reporting v2 - Get Token
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Umbrella
  • ServiceNow

Workflow Steps

  1. Get a token for the Umbrella API
  2. Fetch a list of identities with blocked DNS activity
  3. Check if the request was successful (if not, end the workflow)
  4. Extract the result count and check if there were any results (if not, end the workflow)
  5. Convert the top blocked identities to a table
  6. For each identity:
    • Fetch blocked domains for the identity provided
    • Format the results for ServiceNow
  7. Create a ServiceNow incident ticket


  • Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • Set the Umbrella Organization ID local variable to your Umbrella organization’s ID (found in your Umbrella dashboard’s URL)
  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
ServiceNow HTTP Endpoint Protocol: HTTPS
Host: <instance>.service-now.com
Path: /api
ServiceNow_Credentials Be sure to use your instance URL
Umbrella OAuth HTTP Endpoint Protocol: HTTPS
Host: management.api.umbrella.com
Path: None
Umbrella Reporting  
Umbrella Reporting v2 HTTP Endpoint Protocol: HTTPS
Host: reports.api.umbrella.com
Path: None

Account Keys

Account Key Name Type Details Notes
ServiceNow_Credentials HTTP Basic Authentication Username: ServiceNow User ID
Password: ServiceNow Password
Umbrella Reporting HTTP Basic Authentication Username: Client ID
Password: Client Secret
Must be an API client for the reporting API