topic Re: Umbrella - Reporting, Activity Search in Cloud Edge

Umbrella - Reporting, Activity Search

michael.morley — Sat, 12 Mar 2022 03:22:01 GMT

Hi everyone,

I am trying to find a way of passing a list of domains to the Reporting Activity Search within Umbrella to see if any of the domains have had a hit in the last 30 days.

I can't seem to find a way to do it within the web based GUI other than copying and pasting each domain name individually from a file. As you can imagine this gets rather tedious when there are several hundred domains and IP address to check.

My question is: Is there a way to import a CSV or text file and have it go through the list and output a report?

I have only been using Umbrella for a little while now and am still finding my feet. Any assistance would be appreciated.

Thanks in advance.

Kind regards

Mike

Re: Umbrella - Reporting, Activity Search

Brian Sak — Sat, 12 Mar 2022 14:01:13 GMT

You can absolutely do this with the API, but it's going to take a little bit of massaging of the output to put it into the format you're looking for. The '/activity' endpoint on the Reporting API is what you'll be using. If you're newer to this, you can do it in Postman using the the provided collection. There's essentially two calls, one to get your bearer token using your key and secret generated Admin -> API Keys :

Then you take the generated key and secret and auth to the service using something like the below:

import requests
url = "https://management.api.umbrella.com/auth/v2/oauth2/token"
payload={}
headers = {
  'Authorization': 'Basic {{key}}:{{secret}}'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)

This will return your bearer token you can then put into something like:

import requests
url = "https://reports.api.umbrella.com/v2/organizations/{{your org}}/activity?from=-30days&to=now&offset=0&domains=cisco.com"
headers = {
  'Authorization': 'Bearer {{bearer}}'
}
response = requests.request("GET", url, headers=headers, data=payload)
print(response.text)

The 'from' parameter can be set to how often you are running the script and domains can either be one domain or a .csv file containing a list of domains. Additional parameters can be found here. If you're only interested if a particular domain has been accessed, not all of the individual accesses, you can just do a ?limit=1 parameter and see if the script returns anything. If the domain wasn't accessed in that time period it you will get a null data set back.

Re: Umbrella - Reporting, Activity Search

michael.morley — Sun, 13 Mar 2022 05:47:33 GMT

That's fantastic, thanks..

Didn't realise the solution would be quite so trivial.
I guess I am pulling out my Python books again. Using Python I can spit it all out to a JSON file or a spreadsheet. I did an online course in data analysis using Python a couple of years ago, so I am actually pretty excited to get to do some "coding in anger" so to speak.

I think I can make quite a comprehensive analysis tool with this approach..

Thanks also for the tip on Postman. I can use that to do the initial tests to ensure I am pulling the correct data, it will help massively with the testing phase of the development.

You're a legend Brian. Thanks again.