Cyware Threat Intelligence eXchange

Cisco Umbrella

Connector Category: Enrichment Tool

About Integration

Cisco Umbrella is a cloud-hosted solution that protects users by blocking connections to sites that have been reported as malicious. Intel Exchange integrates with Cisco Umbrella to retrieve details about IP addresses, URLs, and domains.

Configure Cisco Umbrella as an Enrichment Tool

You can configure Cisco Umbrella to enrich domains, IP addresses, and URLs.

Before you Start 

  • Ensure that you have view, create, and update permissions for Enrichment Management in Intel Exchange.

  • Ensure that you have the base URL and API key of your Cisco Umbrella account.

    Note

    Ensure that the API key includes the permissions to retrieve the details of domains, IP addresses, and URLs.

Steps 

To configure Cisco Umbrella as an enrichment tool in Intel Exchange, follow these steps:

  1. Sign in to Intel Exchange, and go to Administration > Enrichment Management > Enrichment Tools.

  2. Search for and select the Cisco Umbrella enrichment tool.

  3. Click Add Account and enter the following details:

    • Account Name: Enter a unique account name to identify the instance. For example, Cisco Umbrella.

    • Base URL: Enter the base URL of your Cisco Umbrella instance. The default base URL is https://investigate.api.umbrella.com.

    • API Key: Enter the API key of your Cisco Umbrella account to authenticate communication between Intel Exchange and Cisco Umbrella servers.

    • Verify SSL: Select to verify the SSL certificate and secure the connection between Intel Exchange and Cisco Umbrella servers. By default, Verify SSL is selected.

      Note

      We recommend that you enable Verify SSL. If you disable this option, Intel Exchange may configure an instance even when its SSL certificate has expired. In that case the connection may not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  4. Click Save.

After successfully adding an account, you can view and enable the domain, IP address, and URL feed enrichment types. You can also configure a quota to limit the number of API requests Intel Exchange makes to Cisco Umbrella. After the quota expires, you cannot make enrichment requests until the quota resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.

Note

Enriching an IP address, URL, or domain object using the Cisco Umbrella enrichment tool does not ingest the related objects into Intel Exchange automatically. To enable ingestion of the related objects, contact Cyware support.

To understand the number of API calls and quota units consumed by the Cisco Umbrella enrichment tool per polling, refer to the following table.

| Enrichment Tool | Feed Enrichment Type | Number of API calls | Quota Consumed |
|---|---|---|---|
| Cisco Umbrella | Retrieve Domain Detail | 6 | 6 |
| Cisco Umbrella | Retrieve IP Detail | 4 | 4 |
| Cisco Umbrella | Retrieve URL Detail | 1 | 1 |

You can configure an enrichment policy to automatically enrich threat data objects using the Cisco Umbrella enrichment tool. For more information, see Configure Enrichment Policy.