Constructing a Customized SecureX Orchestration Workflow for Umbrella


Enhancing effectivity for the Cisco staff within the Black Hat USA NOC

As a proud companion of the Black Hat USA NOC, Cisco deployed a number of applied sciences together with the opposite Black Hat NOC companions to construct a secure and safe community for the convention. We used Cisco Safe Malware Analytics to research information and monitor any potential PII leaks. We additionally used Meraki SM to handle over 300 iPads used across the venue for registration, in addition to gross sales lead technology. Final however not least, we used Umbrella so as to add DNS stage visibility, menace intelligence and safety to your entire community.

Lets go over an instance state of affairs which many shoppers could discover themselves in. Whereas we have been within the Black Hat USA NOC (take a look at this weblog about Cisco Safe within the NOC), we have been always retaining our eyes on the Umbrella safety exercise report, with the intention to acknowledge, examine and work with different groups to answer the threats.

Security Activity view in Cisco Umbrella Reporting tool from Black Hat USA NOC

Constantly monitoring the exercise report may be taxing, particularly in our case with two Umbrella organizations – one for the convention iPad deployment and one other for the convention attendee community. In comes SecureX to assist make our lives less complicated. Utilizing SecureX orchestration we have been capable of import a pre-built Umbrella workflow and simply customise it to suite our wants. This workflow pulls the exercise report for a configurable checklist of classes, creates an incident in SecureX, notifies the staff in Webex Groups and updates a SecureX dashboard tile. Let’s leap into SecureX orchestration and try the workflow.

A plethora of SecureX orchestration content material is out there on our GitHub repo that will help you discover worth in our automation engine very quickly. On the hyperlink above, you’ll discover absolutely constructed workflows, in addition to constructing blocks to craft your personal use instances. Here’s what the 0023 Umbrella: Extreme Requests To Incidents workflow appears to be like like upon importing it (shoutout to @mavander for authoring the workflow).

Excessive Requests to Incidents diagram from Black Hat USA NOC

You may see within the variable part there are 4 variables, three strings and one integer. “Classes to Alert On” is a comma separated checklist of classes we wish to be notified about, which makes it very simple so as to add or take away classes on the fly. In our case, we wish to be notified if there may be even one DNS request for any of the Safety Classes, which is why we have now set the “request threshold” to 1.

Excessive Requests to Incidents variables from Black Hat USA NOC

Now that our variables are set, let’s dig into the primary internet service name that’s made to the Umbrella API. Umbrella has three API’s:

  • The administration API
  • The Examine API
  • The reporting API (which is the one we have to use to drag the exercise report)

There are sometimes minute variations when authenticating to numerous API’s, however fortunately for us, authenticating to the Umbrella API is constructed into the workflow. It’s so simple as copying and pasting an API key from Umbrella into orchestration and that its. You’ll discover the Umbrella API key and secret are saved as ‘Account Keys’ in orchestration this manner you’ll be able to reuse the identical credentials in different workflows or different API calls to Umbrella.

API Keys

Modify Account Key

On this case, we’re dynamically crafting the URL of /v2/organizations/<umbrella_org_id>/categories-by-timerange/dns?from=-1hours&to=now through the use of the Umbrella org ID from the variables above. Discover the API name goes to GET an exercise report for the previous hour, however it might be modified to be kind of continuously.

Request Category Stats

Now that we have now a JSON formatted model of the exercise report, we will use JSON path question to parse the report and assemble a desk with the class names and the variety of requests. Utilizing this dictionary, we will simply decide if Umbrella has seen a number of requests for a class which we wish to alert on.


Convert Categories to Table

If the circumstances are met, and there was exercise in Umbrella, the workflow will mechanically create a SecureX incident. This incident may be assigned to a staff member and investigated in SecureX menace response, to realize extra context from numerous intelligence sources. Nevertheless, our staff determined that merely creating the SecureX incident was not sufficient and {that a} extra energetic type of notification was essential to make sure nothing obtained neglected. Utilizing the pre-built code blocks in SecureX orchestration, we personalized the workflow to print a message in Webex groups this manner the entire staff may be notified and nothing will go unseen.

Creating Incident Message Screen at Black Hat USA NOC

Posting Message to Room at Black Hat USA

Here’s what the message appears to be like like in Webex groups. It consists of consists of the identify of the class and what number of requests in stated class have been seen previously one hour. We scheduled the workflow to run as soon as an hour, so this manner even when we would have liked to step away to stroll the Black Hat flooring or meet with a NOC companion, we will nonetheless keep abreast to the newest Umbrella detections.

Teams message referencing incident detection from Black Hat USA

It additionally features a hyperlink to the SecureX incident to make the following step of conducting an investigation simpler. Utilizing SecureX menace response we will examine any domains detected by umbrella to get reputational knowledge from a number of intelligence sources. On this specific instance www.tqlkg[.]com confirmed up as ‘probably dangerous’ within the Umbrella exercise report. The outcomes of the menace response investigation present tendencies from 5 totally different sources together with a suspicious disposition from each Talos and Cyberprotect. We are able to additionally see that the area resolves to six different suspicious URLs. In a future model of this workflow this step might be automated utilizing the SecureX API’s.

SecureX Environment Diagram from Black Hat USA NOC

Along with the Webex groups alert, we created a tile for notification the SecureX dashboard, which is on show for your entire NOC flooring to view.

SecureX Dashboard from Black Hat USA NOC

You may see within the dashboard excessive stage statistics, that are supplied from Safe Malware Analytics (Risk Grid) together with “high behavioral indicators”, “submissions by menace rating” “submissions by file sort” in addition to the “request abstract” from Umbrella.

Additionally discover the “personal intelligence” tile – that is the place you’ll be able to see if there have been any new incidents created by the orchestration workflow. The SecureX dashboard retains your entire Black Hat NOC well-informed as to how Cisco Safe’s portfolio is working within the community. Including tiles to create a customized dashboard may be completed in only a few clicks. Within the customise menu you will notice all of the built-in applied sciences that present tiles to the dashboard.  Underneath the “personal intelligence” part you’ll be able to see the choice so as to add the ‘Incident statuses and assignees’ tile to the dashboard – it’s that simple to create a personalized dashboard!

Creating a Custom Dashboard for Black Hat USA NOC

I hope you loved this version of SecureX at Black Hat; and keep tuned for the following model of the workflow on GitHub, that may mechanically conduct an investigation of suspicious domains and supply intelligence context instantly within the Webex groups message.


We’d love to listen to what you suppose. Ask a Query, Remark Beneath, and Keep Related with Cisco Safe on social!

Cisco Safe Social Channels



Previous articleAir Fryer Baked Potato • Baked Potato Video • Two Purple Figs
Next articleOn the spot Pot Shredded Rooster (excellent for meal prep!)

Leave a Reply