Cisco SecureX is a cloud-native incident and threat response platform that aggregates third-party security platform APIs and the Cisco Security portfolio including Umbrella. In SecureX, you can respond to integrated threat information, and view global threat intelligence and local insights.
To integrate Cisco Umbrella with Cisco SecureX, log in to the Umbrella GUI and retrieve the following:
- Organization ID
- Investigate API Token
- Umbrella Enforcement API
- Reporting API Key and API Secret
- Management API Key and API Secret
- Network Devices / Policies API Key and API Secret
The Organization ID appears in the URL shown in the browser's address bar.
Navigate to Investigate > API Keys to retrieve the API Key.
Navigate to Policy Components > Integration Settings, create a new integration for Cisco SecureX, give it a name, and click Save. In the Integration Settings for Cisco SecureX, you can retrieve the URL needed for the Umbrella Enforcement API.
Navigate to Admin > API Keys. Create API keys for:
- Umbrella Network Devices
- Umbrella Reporting
- Umbrella Management
Log in to the Cisco SecureX GUI. Navigate to Integration Modules > My Integration Modules.
Scroll down to find the Umbrella module and click Add.
Enter the following parameters, retrieved previously from the Cisco Umbrella GUI:
- Organization ID
- Investigate API Token
- Umbrella Enforcement API
- Reporting API Key and API Secret
- Management API Key and API Secret
- Network Devices / Policies API Key and API Secret
Log in to the Cisco Umbrella GUI and navigate to Policy Components > Integration Settings. You should see the Cisco SecureX integration with the status Active.
Log in to Cisco SecureX and click the Launch button under the Threat Response section.
Navigate to Investigate, enter the domain drinkfoodapp.com, and click the Investigate button.
After a few minutes, Cisco SecureX displays information about the domain from different sources. Threat Intelligence and Cisco SecureX classify the domain as malicious.
On the same page, you can respond to the threat immediately using the Umbrella Enforcement API.
To do this, right-click the domain and select the option that instructs Umbrella to block it.
In the Cisco Umbrella GUI, navigate to Policy Components > Destination Lists. Edit the destination list created for Cisco SecureX; it now contains the domain that was blocked as a response from Cisco SecureX.
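The block action above goes through the Enforcement API URL retrieved from Integration Settings. The following is an added example, not code from the original page or from Cisco: it builds, without sending, a block event for that URL and redacts the key before the URL is logged. It assumes the Enforcement API's generic event format (the field names shown) and a URL that carries a `customerKey` query parameter; the URL, key and device ID are constructed placeholders.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request

# Bare hostname: dot-separated labels of letters, digits and hyphens.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed placeholder; the real URL comes from Integration Settings.
SAMPLE_URL = "https://enforcement.example.invalid/1.0/events?customerKey=PLACEHOLDER-KEY"

def normalize_domain(value):
    """Lower-case and strip a trailing dot; reject URLs, paths and other non-domains."""
    domain = value.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a bare domain: {value!r}")
    return domain

def build_block_request(enforcement_url, domain, seen_at, device_id):
    """Build (but do not send) the POST that reports `domain` for blocking."""
    parts = urlsplit(enforcement_url)
    if parts.scheme != "https" or "customerKey" not in parse_qs(parts.query):
        raise ValueError("expected an https URL with a customerKey parameter")
    domain = normalize_domain(domain)
    stamp = seen_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.0Z")
    event = {  # field names assumed from the generic event format
        "alertTime": stamp,
        "eventTime": stamp,
        "deviceId": device_id,
        "deviceVersion": "1.0",
        "dstDomain": domain,
        "dstUrl": f"http://{domain}/",
        "protocolVersion": "1.0a",
        "providerName": "Security Platform",
    }
    return Request(enforcement_url, data=json.dumps(event).encode(),
                   headers={"Content-Type": "application/json"}, method="POST")

def redact(url):
    """Hide the customer key so the URL is safe to write to logs or tickets."""
    return re.sub(r"(customerKey=)[^&]+", r"\1<redacted>", url)

if __name__ == "__main__":
    req = build_block_request(SAMPLE_URL, "drinkfoodapp.com",
                              datetime.now(timezone.utc), "constructed-device-id")
    print(redact(req.full_url), req.data.decode())
```

Because the key travels in the query string, treat the whole Enforcement URL as a secret and log only the redacted form.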