
Automated Active search from list/file using API (Cisco Umbrella)

jelenb
Level 1

Hi, I would like to find out if there is a way to use the Investigate API to query Cisco Umbrella for a list of domains.

Here is what I want to do. I have a CSV document with a list of domains and IP addresses that I would like to investigate. I want to find out if any users in my organization visited these malicious domains/IP addresses.

I do not want to go into the web interface and put them 1 by 1. I want to automate this process. 

Perhaps there is a way where I could:
1. Use Python to pull IP addresses and domains from the document and put them into an array.

2. Connect to Cisco Umbrella using Python - API keys.

3. Search for all items from the array created in step 1.

Is this or something similar doable? If yes, can you please advise where to start with it and where to look?

1 Reply

osanniko
Cisco Employee

The easiest solution would be to integrate Umbrella with SecureX and use SecureX APIs and Orchestration to automate this scenario.

Create a SecureX Orchestration workflow to do the following:

1. Pull the CSV file from a web resource (an S3 bucket, for example).

2. Inspect the CSV file content with the SecureX Inspect API to convert free-form text into a formatted list of observables.

3. Use this list as input into a SecureX Deliberate API call to find out the status of all observables (Malicious, Clean, etc.).

4. For Malicious/Unknown observables - use SecureX Enrich API to find any sightings (have these observables been seen in your environment).

 

There are examples of similar workflows here.
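The first step of the question (CSV to a list of items) and the observable list the reply describes can be prepared locally before any API is called. The following is an added example, not code from either poster or from Cisco; the function names, the `indicator` column name and the `{"type", "value"}` observable shape are assumptions, and it makes no API calls.

```python
import csv
import io
import ipaddress
import re

# Constructed sample input; indicators use reserved documentation names and ranges.
SAMPLE_CSV = """indicator,comment
example.com,plain domain
hxxp://bad.example[.]net/path,defanged URL
192.0.2.10,IPv4
2001:db8::1,IPv6
EXAMPLE.com,duplicate in different case
not a domain,free text to skip
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize(raw):
    """Refang a defanged indicator and reduce it to a bare host or IP string."""
    value = raw.strip().lower().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^h(xx|tt)ps?://", "", value)
    if value.count(":") < 2:  # not IPv6: drop any path and port
        value = value.split("/")[0].split(":")[0]
    return value.rstrip(".")

def classify(value):
    """Return an observable dict, or None if the value is neither an IP nor a domain."""
    try:
        ip = ipaddress.ip_address(value)
        return {"type": "ip" if ip.version == 4 else "ipv6", "value": str(ip)}
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return {"type": "domain", "value": value}
    return None

def load_observables(csv_text, column="indicator"):
    """Read one CSV column into a de-duplicated, order-preserving list of observables."""
    seen, out = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        obs = classify(normalize(row.get(column) or ""))
        if obs and (obs["type"], obs["value"]) not in seen:
            seen.add((obs["type"], obs["value"]))
            out.append(obs)
    return out

def batches(items, size):
    """Split the observable list into request-sized chunks."""
    return [items[i:i + size] for i in range(0, len(items), size)]
```

Rows that are neither a valid IP address nor a syntactically valid domain are skipped rather than sent on, which keeps free-text cells out of the lookups.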