Cisco Umbrella Investigate
App Vendor: Cisco Umbrella Investigate
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.0.0
API Version: 1.0.0
About App
The Cisco Umbrella Investigate app allows security teams to integrate with the Cisco Umbrella Investigate enterprise application to pinpoint attacker infrastructures and predict future threats using autonomous systems and domain security.
The Cisco Umbrella Investigate app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Get details of AS (Autonomous System) number | This action retrieves details of AS (Autonomous System) number. |
Get Umbrella Popularity list — Top Million domains | This action retrieves the list of the top million domains on the umbrella popularity list. |
Get the latest malicious domains for an IP | This action retrieves a list of the latest malicious domains for an IP using an IPv4 address. |
Get WHOIS domain record and domain history | This action retrieves details of the WHOIS domain record and domain history. |
Get WHOIS searching by nameserver | This action retrieves details of WHOIS searching by nameserver. |
Get WHOIS Email address | This action retrieves details of WHOIS email address. |
Get prefix routing information for an AS (Autonomous System) number | This action retrieves details of prefix routing information for an AS (Autonomous System) number. |
Get AS (Autonomous System) number for an IP address | This action retrieves details of AS (Autonomous System) number for an IPv4 address. |
Get details of Passive DNS on domain | This action retrieves details of passive DNS on domain. |
Get details of Passive DNS on name | This action retrieves details of passive DNS on the name. |
Get details of passive DNS on IP address | This action retrieves details of passive DNS on IPv4 address. |
Get details of passive DNS on domain timeline | This action retrieves details of passive DNS on the domain timeline. |
Get details of DNS RR history for an IP address | This action retrieves details of DNS Resource Records history for an IPv4 address. |
Get details of DNS RR history for a domain name | This action retrieves details of DNS Resource Records history for a domain name. |
Get details of security information for a domain | This action retrieves details of security information for a domain. |
Pattern search | This action searches for a pattern. The search functionality uses regular expressions (regex) to search against the investigate database. |
Get details of risk score for a domain | This action retrieves details of the risk score for a domain. |
Configuration Parameters
The following configuration parameters are required for the Cisco Umbrella Investigate app to communicate with the Cisco Umbrella Investigate enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Access token | Enter the Cisco Umbrella Investigate access token. | Text | Required | |
Action: Get details of AS (Autonomous System) number
This action retrieves details of AS (Autonomous System) number.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
AS number | Enter the AS (Autonomous System) number. Example: 15169 | Text | Required | |
Action: Get Umbrella Popularity list — Top Million domains
This action retrieves the list of the top million domains on the umbrella popularity list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the limit. Example: 5 | Integer | Optional | Default value: |
Action: Get latest malicious domains for an IP
This action retrieves a list of the latest malicious domains for an IP using an IPv4 address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv4 address | Enter the IPv4 address. Example: 54.69.97.36 | Text | Required | |
Action: Get WHOIS domain record and domain history
This action retrieves details of the WHOIS domain record and domain history.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain value. Example: "security.com" | Text | Required | |
Domain history needed | Enter your preference to choose whether domain history is needed or not. | Boolean | Optional | Allowed values: Default value: |
Additional query parameters | Enter the additional query parameters. | Key Value | Optional | Allowed values: |
Action: Get WHOIS searching by nameserver
This action retrieves details of WHOIS searching by the nameserver.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Nameserver | Enter the nameserver. Example: "ns-290.awsdns-36.com" | Text | Required | |
Additional query parameters | Enter the additional query parameters. | Key Value | Optional | Allowed values: |
Action: Get WHOIS Email address
This action retrieves details of WHOIS email address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Email address | Enter the email address. Example: "example@abc.com" | Text | Required | |
Additional query parameters | Enter the additional query parameters. | Key Value | Optional | Allowed values: |
Action: Get prefix routing information for an AS (Autonomous System) number
This action retrieves details of prefix routing information for an AS (Autonomous System) number.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
AS number | Enter the AS (Autonomous System) number. Example: "15169" | Text | Required | |
Action: Get AS (Autonomous System) number for an IP address
This action retrieves details of AS (Autonomous System) number for an IPv4 address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv4 address | Enter the IPv4 address. Example: "54.69.97.36" | Text | Required | |
Action: Get details of Passive DNS on domain
This action retrieves details of passive DNS on domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain. Example: "security.com" | Text | Required | |
Additional query parameters | Enter the additional query parameters. | Key Value | Optional | Allowed values: |
Action: Get details of Passive DNS on name
This action retrieves details of passive DNS on the name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter query name (domain, ip_address). Example: "security.com" | Text | Required | |
Additional query parameters | Enter the additional query parameters. | Key Value | Optional | Allowed values: |
Action: Get details of passive DNS on IP address
This action retrieves details of passive DNS on IPv4 address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv4 address | Enter the IPv4 address. Example: "54.69.97.36" | Text | Required | |
Additional query params | Enter the additional query parameters. | Key Value | Optional | Allowed values: |
Action: Get details of passive DNS on domain timeline
This action retrieves details of passive DNS on the domain timeline.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain. Example: "security.com" | Text | Required | |
Additional query parameters | Enter the additional query parameters. | Key Value | Optional | Allowed values: |
Action: Get details of DNS RR history for an IP address
This action retrieves details of DNS Resource Records history for an IPv4 address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
RR type | Enter the RR type. Example: "ns" | Text | Required | Allowed values: |
IPv4 address | Enter the IPv4 address. Example: "54.69.97.36" | Text | Required | |
Action: Get details of DNS RR history for a domain name
This action retrieves details of DNS RR history for a domain name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
RR type | Enter the RR type. Example: "ns" | Text | Required | Allowed values: |
Domain | Enter the domain. Example: "security.com" | Text | Required | |
Action: Get details of security information for a domain
This action retrieves details of security information for a domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain. Example: "security.com" | Text | Required | |
Action: Pattern search
This action searches for a pattern. The search functionality uses regular expressions (regex) to search against the investigate database.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Regex | Enter the regex. Example: "ope[a-z]dns.com" | Text | Required | |
Start | Enter the timestamp of the start time in minutes. Example: "100" | Text | Optional | |
Additional query parameters | Enter the additional query parameters for a query (Example: 'now', '-2days') | Key Value | Optional | Allowed values: Default value: |
Action: Get details of risk score for a domain
This action retrieves details of the risk score for a domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain. Example: "security.com" | Text | Required | |