Enricher - Cisco Umbrella Threat Grid integration


This article describes the specific configuration options to set up the enricher.
To configure the general options for the enricher, see Configure the general options.


Specifications

Enricher name

Cisco Umbrella Threat Grid integration

Input

Domain, hashes (hash-md5, hash-sha1, and hash-sha256), ipv4, and uri.

Output

Enriches IP addresses, URIs, and domain names with the malware samples related to them: the sample hash values become indicators, and the malware details become related TTPs.

Enriches hashes with related malware information on malware sample artifacts.

API endpoints

  • https://investigate.api.umbrella.com/sample/{Input}

  • https://investigate.api.umbrella.com/samples/{Input}

Description

The enrichment observables returned by the service produce indicators. When malware details are available – for example, a malware file name – they are ingested and processed as structured malware family and malware variant TTPs.
The TTPs are related to the indicators.
When available, the malware threat score is retrieved and appended to the malware variant description as ThreatGrid Threat Score : ${threat score value}.

The default Source reliability value for this enricher is C – Fairly reliable.
You can change it to a different reliability value, as needed.

Requirements

Users need an API key. Log in to Cisco Umbrella, and then go to the Investigate API Access area to create a new API token.

Configure the enricher parameters

  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through this enricher.

  3. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://investigate.api.umbrella.com.

  4. In the API key field, enter your Cisco API token.

  5. To store your changes, click Save; to discard them, click Cancel.

Additional information

Based on the input observables, the enricher searches the Cisco Umbrella DNS database for matches.
By default, queries return at most 100 results.

Retrieved matches are stored in the platform as enrichment observables and entities related to the corresponding input observable types.
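The following is an added example, not code from the platform or from Cisco, that shows the mapping described in the Description and Additional information sections: each hash on a returned sample becomes an indicator related to the input observable, a file name becomes a malware variant TTP related to those indicators, a threat score is appended to the TTP description, and the result list is capped at 100. The response layout and its field names (samples, md5, sha1, sha256, name, threatScore) are assumptions, and the response itself is constructed, so nothing is fetched from the API.

```python
from typing import Dict

RESULT_CAP = 100      # default cap on results described on the page
RELIABILITY = "C"     # default Source reliability: C - Fairly reliable

# Constructed stand-in for a /samples/{Input} response; the field names are
# assumed for this example and are not taken from the Investigate API docs.
SAMPLE_RESPONSE = {
    "query": "example.invalid",
    "samples": [
        {"md5": "d41d8cd98f00b204e9800998ecf8427e",
         "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
         "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
         "name": "invoice.exe", "threatScore": 95},
        {"sha256": "a" * 64},   # no file name, no score: indicators only
    ],
}

def enrich(input_type: str, input_value: str, response: dict) -> Dict[str, list]:
    """Map a sample listing to indicators, TTPs and relationships."""
    source = f"{input_type}:{input_value}"
    indicators, ttps, relations = [], [], []
    for sample in response.get("samples", [])[:RESULT_CAP]:
        sample_indicator_ids = []
        for algo in ("md5", "sha1", "sha256"):
            digest = sample.get(algo)
            if not digest:
                continue
            ind = {"id": f"hash-{algo}:{digest.lower()}", "type": f"hash-{algo}",
                   "value": digest.lower(), "reliability": RELIABILITY}
            indicators.append(ind)
            sample_indicator_ids.append(ind["id"])
            relations.append((source, ind["id"]))   # input observable -> indicator
        name = sample.get("name")
        if name:
            description = f"Malware variant observed as {name}."
            score = sample.get("threatScore")
            if score is not None:                   # append score when the data has one
                description += f" ThreatGrid Threat Score : {score}"
            ttp = {"id": f"ttp:malware-variant:{name}", "title": name,
                   "description": description}
            ttps.append(ttp)
            relations += [(ttp["id"], i) for i in sample_indicator_ids]  # TTP -> indicators
    return {"indicators": indicators, "ttps": ttps, "relations": relations}
```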

The table below lists, per input observable, the enrichment results and notes.

Input observable: domain
Enrichment results: Hash values
Notes:
  Enrichment observables produce indicators related to the observables.
  Malware details – for example, a malware file name – are processed as structured malware family and malware variant TTPs.
  The TTPs are related to the indicators.
  This information helps identify the relationships malware samples can have with domains and IP addresses.

Input observable: hash-md5, hash-sha1, hash-sha256
Enrichment results: Malware artefact details
Notes:
  Enrichment observables produce indicators related to the observables.
  Malware details – for example, a malware file name – are processed as structured malware family and malware variant TTPs.
  The TTPs are related to the indicators.
  Any relevant tags are automatically added to the generated TTPs.
  If the data includes a threat score value, it is included in the resulting indicators and TTPs.
  This information helps discover relationships between indicators and TTPs that may use or leverage them.

Input observable: ipv4
Enrichment results: Hash values
Notes:
  Enrichment observables produce indicators related to the observables.
  Malware details – for example, a malware file name – are processed as structured malware family and malware variant TTPs.
  The TTPs are related to the indicators.
  This information helps identify the relationships malware samples can have with domains and IP addresses.

Input observable: uri
Enrichment results: Hash values
Notes:
  Enrichment observables produce indicators related to the observables.
  Malware details – for example, a malware file name – are processed as structured malware family and malware variant TTPs.
  The TTPs are related to the indicators.
  This information helps identify the relationships malware samples can have with domains and IP addresses.

See also