CiscoUmbrella-GetDomainInfo
This playbook is used to get security information about a particular domain. It provides details such as security scores, reputation and other security-related metadata that help assess whether the domain is associated with malicious activity, phishing attempts, or other threats. The playbook also assesses the risk associated with a domain name and returns a risk score that helps determine whether the domain is considered suspicious or potentially malicious. These details are added to incident a
Additional Documentation
📄 Source: CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md
Summary
When a new Sentinel incident is created, this playbook is triggered and performs the following actions:

- Get the domains from the URL entities in the incident.
- Enrich the incident with security information about those domains using the Cisco Cloud Security Investigate API.
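The first step above, extracting domains from the incident's URL entities, is where most of the edge cases live (mixed-case hosts, ports, scheme-less URLs, bare IP literals). The following is an added example, not code from the playbook itself; the entity payload is a constructed sample with a hypothetical shape, and the only Investigate-specific detail it uses is the "Bearer YOUR_API_KEY" authorization format the README specifies.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample of the entities a Sentinel incident hands to the playbook.
# Hypothetical shape: real entity objects carry more fields than shown here.
SAMPLE_ENTITIES = json.loads("""
[
  {"kind": "Url", "properties": {"url": "https://login-example.test/account/verify?id=42"}},
  {"kind": "Url", "properties": {"url": "HTTP://Login-Example.TEST:8080/other"}},
  {"kind": "Url", "properties": {"url": "mailer.example.invalid/track"}},
  {"kind": "Url", "properties": {"url": "http://203.0.113.7/payload"}},
  {"kind": "Account", "properties": {"accountName": "jdoe"}}
]
""")


def _is_ip_literal(host):
    """True when the host is an IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domains_from_url_entities(entities):
    """Return unique, lower-cased hostnames from Url entities, in first-seen order.

    Scheme-less URLs get a scheme prepended so urlsplit can parse them; the port is
    dropped; IP literals are skipped because the enrichment is keyed by domain name.
    """
    seen = []
    for entity in entities:
        if entity.get("kind") != "Url":
            continue
        raw = entity.get("properties", {}).get("url", "").strip()
        if not raw:
            continue
        if "://" not in raw:
            raw = "http://" + raw
        host = urlsplit(raw).hostname  # lower-cased, port removed, None if absent
        if host and not _is_ip_literal(host) and host not in seen:
            seen.append(host)
    return seen


def investigate_headers(api_key):
    """Build the request headers for the Investigate API connection.

    The README requires the authorization value "Bearer YOUR_API_KEY"; the key itself
    should be read from Key Vault at run time, never stored in the playbook definition.
    """
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
```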
Prerequisites
- Log in to the Cisco Cloud Security dashboard and navigate to Admin --> API Keys. Create a new API key if one does not already exist, selecting the appropriate "Key Scope" with Read/Write permission. Store the "Api Key" and "Key Secret" in a safe place. The "Api Key" is the "Client Id" and the "Key Secret" is the "Secret" used by this playbook.
- Store the "Api Key" and "Key Secret" from the previous step as Key Vault secrets.
Deployment instructions
- To deploy the playbook, click the Deploy to Azure button. This launches the ARM template deployment wizard.
- Fill in the required parameters:
  - Playbook Name: Enter the playbook name here.
  - Keyvault name: Name of the key vault where the secrets are stored.
  - Cloud Security API Client Id Key Name: Name of the Key Vault secret where the Cisco Cloud Security "API Key" value is stored.
  - Cloud Security API Secret Key Name: Name of the Key Vault secret where the Cisco Cloud Security "Key Secret" value is stored.
  - Host End Point: Default is "api.umbrella.com"; it is used for every call to the Cisco Cloud Security REST APIs.

Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat these steps for the Cisco Cloud Security Investigate connector API connection. When authorizing, provide your API key in the following format: "Bearer YOUR_API_KEY".
b. Configurations in Sentinel
- In Microsoft Sentinel, analytics rules should be configured to trigger an incident. In the Entity mapping section of the analytics rule creation workflow, the malicious URL should be mapped to the Url identifier of the URL entity type. Check the documentation to learn more about mapping entities.
- Configure the automation rules to trigger the playbook.
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
d. Assign access policy on key vault for Playbook to fetch the secret key
- Select the Key vault resource where you have stored the secret
- Click on Access policies Blade
- Click on Create
- Under the Secret permissions column, select Get and List from "Secret Management Operations"
- Click Next to go to the Principal tab and choose your deployed playbook name
- Click Next, leaving the Application tab as it is
- Click Review and create
- Click Create