The steps are mentioned here: https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/cisco-umbrella#actions
Actions in the Cisco Umbrella dashboard:
Get the Investigate token:
Create an Investigate API key from the Admin > API keys section.
Get the Enforcement token:
To retrieve your key:
- Navigate to Policies > Policy Components > Integrations.
- Expand the appropriate integration or click Add to generate a custom integration and enable it.
All actions, including add/delete domain and ping, should then work in the SOAR tests.
Reference: https://docs.umbrella.com/investigate-api/reference#reference-getting-started
Go to Reporting > Activity search > security setting and select SOAR; all related user activities will show up there. Do not forget to select "include all traffic" at the bottom of the page.