AutomateSecOps/Blocking-Domains-Automated
Blocking Domains in Cisco Umbrella, automated by Tines.

For Security Operations, IOC management is a challenge.

How does one team with limited time and resources track Indicators of Compromise (IOCs) in all their security solutions and lifecycle them appropriately?

Tines makes this challenge much easier through their SOAR automation platform.

This past month, we launched a Tines webform where a security analyst can add IOCs to all our backend security solutions. In addition, a ServiceNow incident is logged, and the IOCs are shared with our partner institutions via MISP, the open-source threat intel sharing platform.

With the IOC blocking webform project, I worked with the Cisco Umbrella API for the first time.

A Cisco Umbrella Destination

Cisco Umbrella defines a destination as one of the following:

  1. a domain,
  2. a URL,
  3. or an IP address.

In this Tines Story, I block domains.

API Scope

For adding or removing an IOC to/from the global blocklist, the API key pair needs to have read/write access to Policies/Destination Lists.

Cannot query the Cisco Umbrella ID

It is straightforward to add a destination to Umbrella using the Tines Cisco Umbrella template, but removing the IOC is a challenge, since there is no way to query the Umbrella destination lists endpoint for the destination's Umbrella ID.

In order to remove a destination, the workflow builds the entire list of Umbrella IDs that are in the block list. From that array, you can use the following WHERE function to obtain the Umbrella ID:

Under the tines folder, I include the pagination loop for building the array in order to obtain the destination's Umbrella ID.

I opened a ticket with Umbrella support to update their API schema to allow a direct query for a destination's Umbrella ID.

In addition, I have two workflows which manage the entire lifecycle of the blocked destination. The first IOC management workflow adds or removes the blocked destination to a sunset list. The second one filters the sunset list for blocked destinations older than 90 days.

A Trigger action to check the sunset list prior to removing it from the Tines Resource.

While performing quality checks on the workflow, I selected the Remove action from the webform instead of the Add action. When the domain IOC was sent for removal to the IOC management workflow, it generated a null value when checking for the index of the IOC, since the IOC was not present in the sunset list. For some reason, the null value caused the Tines action to remove a random domain from the sunset list.

I used this trigger to prevent this from happening:
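The two mechanics described above, the pagination loop that builds the destination array so the Umbrella ID can be matched, and the presence check that stops a missing IOC from producing a null index, as an added Python example that is not the repository's Tines story. The page fetcher, the sample pages and the `{"id", "destination"}` record shape are constructed here so it runs offline; the real endpoint shape is assumed.

```python
"""Added example (not the repository's own Tines story): build the full
destination array from a paginated Umbrella destination-list endpoint, look up
a destination's Umbrella ID, and guard the sunset-list removal against the
missing-entry case described in the README. Fetcher and sample pages are
constructed so the example runs offline."""
from typing import Callable, Optional

# Constructed sample: two pages of destination-list entries, shaped like the
# {"id": ..., "destination": ...} objects the workflow pages over (assumed shape).
SAMPLE_PAGES = {
    1: [{"id": 101, "destination": "bad.example"},
        {"id": 102, "destination": "worse.example"}],
    2: [{"id": 103, "destination": "evil.example"}],
}


def fetch_page(page: int) -> list:
    """Stand-in for GET .../destinations?page=N (assumed API shape)."""
    return SAMPLE_PAGES.get(page, [])


def build_destination_array(fetch: Callable[[int], list] = fetch_page) -> list:
    """Pagination loop: keep requesting pages until an empty page comes back."""
    entries, page = [], 1
    while True:
        batch = fetch(page)
        if not batch:
            return entries
        entries.extend(batch)
        page += 1


def find_umbrella_id(entries: list, destination: str) -> Optional[int]:
    """The WHERE step: match on the destination string and return its Umbrella
    ID, or None when the destination is not in the block list."""
    return next((e["id"] for e in entries if e["destination"] == destination), None)


def remove_from_sunset(sunset: list, destination: str) -> list:
    """Trigger-style guard: only remove when the IOC is actually present.
    Without this check a missing entry yields no index (null), which is the
    condition the README reports as removing the wrong domain."""
    if destination not in sunset:
        return list(sunset)  # nothing to remove; leave the list intact
    idx = sunset.index(destination)
    return sunset[:idx] + sunset[idx + 1:]
```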

I hope you found this useful.

Once you start automating, you cannot stop.

Happy Building!

Tom

Tines Technical Resources

Cisco Technical Resources

MISP
