Cisco

With the Cisco Duo Playbook app, you can automate processes during an internal security investigation when it’s critical to quickly get user information or suspend users involved with a security incident. The following actions are available:

• Activate User - Activate a user account that was previously in an “disabled” or “locked out” state. Requires 'Grant write resource' API permission.
• Disable User - Disable a user account that was previously in any other state. Requires 'Grant write resource' API permission.
• Get User - Return the single user with user_id. Requires 'Grant read resource' API permission.
• Get User Groups - Returns a list of groups associated with the user with ID user_id. Requires 'Grant read resource' API permission.
• Get User Phones -Returns a list of phones associated with the user with ID user_id. Requires -Grant read resource- API permission.

The app allows you to do things like:

• Get user account information, including Groups and Applications the user has access to. This information can be used for making automated decisions about the next steps to take in the investigation as well as helping analysts have the information they need without having to collect it manually.
• Suspend a user’s account for a time period while an investigation takes place and analysts can confirm that the account is not compromised. This action can be automated as part of a Workflow or Playbook. Later in the process, the account can be unsuspended and the password can be reset automatically.

This listing can be found in the ThreatConnect App Catalog under the name Cisco Duo.

Cisco Secure Malware Analytics (formerly known as Threat Grid) combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. With a robust, context-rich malware knowledgebase, users can understand what malware is doing, or attempting to do, how large a threat it poses, and how to defend against it. This integration allows for files to automatically be sent from ThreatConnect to Threat Grid for analysis. Once done, the integration automatically returns the analysis to ThreatConnect, and associates it to the indicators or groups (incidents, emails, documents, etc.)

The following actions are available:

• Get Report - Retrieve analysis based on an artifact's hash ID.
• Submit File for Analysis - Upload a sample to Cisco Secure Malware Analytics. for analysis.

This app can be found in the ThreatConnect App Catalog under the name: Cisco Secure Malware Analytics

The Cisco Umbrella integration with ThreatConnect allows Host and URL indicators to be added and removed from the Cisco Umbrella Platform over the Cisco Umbrella Enforcement API.

• The integration enables ThreatConnect to add or remove domains or full IOCs with Umbrella.
• Users can block internet activity attributed to domains or IOCs over any port, protocol, or app without adding latency or complexity.
• Users can gain instant global visibility of any devices requesting suspicious domains.
• Cisco Umbrella’s predictive intelligence uses an up-to-the-minute view and analysis of 70+ billion daily DNS requests to stay ahead of attacks.

The following actions are available:

• Cisco Umbrella Allow Indicators
  • When managing an incident, it’s often useful to take common action on all related indicators. This Playbook Template looks up all indicators tied to an incident that has the Cisco Umbrella Block” tag removed, unblocks them on Cisco Umbrella, and logs the event to the incident.
• Cisco Umbrella Block Indicators:
  • When managing an incident, it’s often useful to take common action on all related indicators. This Playbook template looks up all indicators tied to an incident that’s been tagged “Cisco Umbrella Blocked,” deploys them on Cisco Umbrella, and logs the event to the incident.

This listing can be found in the ThreatConnect App Catalog under the name Cisco Umbrella Enforcement.

ThreatConnect customers can use Cisco Umbrella Investigate to enrich their IOCs with Investigate’s rich context. This allows their team to quickly triage suspicious network activity and pivot through attackers’ infrastructures to discover what they’ve been missing.

This app requests Cicso Umbrella Investigate to enrich a given Indicator.

• Get Co-Occurrences - retrieves any co-occurrences for a specified domain.
• Get Domain Security Information - retrieves any security information for a specified Domain.
• Get Domain Status - retrieve status information for a specified Domain.
• Get Domain Tagging - retrieves tagging information for a specified Domain.
• Get DNS RR History - retrieves DNS Resource Record history for a specified IP Address or Host.
• Get Latest Malicious Domains for IP - retrieve any related malicious domain names for a specified IP Address.
• Get Related Domains - retrieves any related domains for a specified Domain.
• Get Related Malware Sample Reports action - retrieves any related malware samples for a specified IP Address, Host, or URL.
• Parse Malware Sample Report action - is to be used in conjunction with a Playbook Iterator Operator being fed the output cisco.related_sample.samples from the action Get Related Malware Sample Reports.

This listing can be found in the ThreatConnect App Catalog under the name Cisco Umbrella Investigate.

With this integration you are able to retrieve reports from Cisco Umbrella Reporting. This may be a part of investigating new IOCs or to gain better understanding of activity occurring on your network.

The following actions are available:

• Get DNS Activity - Get DNS activity within the provided time range.
• Get Firewall Activity - Get Firewall activity within the provided time range.
• Get Proxy Activity - Get Proxy activity within the provided time range.

This app can be found in the ThreatConnect App Catalog under the name: Cisco Umbrella Reporting

The Polarity - Cisco Umbrella integration enables analysts to get an understanding of how a domain is viewed in their network. It also allows analysts to block a domain form their network if it is potentially related to malicious information or it should not be on the network because of other policies.

Examples

Cisco Umbrella Data Overview

1. Summary Tags: When an analyst searches for a domain, they will quickly be able to know the status of that domain compared to their network and what category if any that domain belongs to.
2. Status: When clicking into the details of the Cisco Umbrella integration the analyst will be able to learn any additional information about the status and category.
3. Submit Domain to Block: If the domain is something that is related to malicious information or should be blocked for another reason. The Analyst can quickly add that domain to the blocklist.

The Polarity - Cisco Threat Response integration allows Polarity to search the Threat Response Enrich API to return information about various indicator types. Allowing analysts to have real-time insights into threat information on indicators, enabling for quick decisions.