Enricher - Cisco DNS RR History


This article describes the specific configuration options to set up the enricher.
To configure the general options for the enricher, see Configure the general options.


Specifications

Enricher name

Cisco DNS RR History


Domain and ipv4.

Output

Geolocation, country code, IP addresses, ASN, and domain names.

API endpoints

  • https://investigate.api.umbrella.com/dnsdb/name/{}/{}.json

  • https://investigate.api.umbrella.com/dnsdb/ip/{}/{}.json

Description

Enriches supported observables with historical RR information from up to the previous 90 days.

  • For domain names, it returns the IP addresses of the name servers the domains may have used over time.

  • For IP addresses, it returns their associated domain names over time.

Along with geolocation information, it allows pinpointing the location of attackers' infrastructure, or tracking it over a span of time.

The default Source reliability value for this enricher is C – Fairly reliable.
You can change it to a different reliability value, as needed.

Requirements

Users need an API key. Log in to Cisco Umbrella, and then go to the Investigate API Access area to create a new API token.

Configure the enricher parameters

  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the Cisco DNS RR History enricher.

  3. In the API key field, enter your Cisco API token.

  4. To store your changes, click Save; to discard them, click Cancel.

See also