
Cisco

Cisco (Nasdaq: CSCO) is the worldwide technology leader that has been making the Internet work since 1984. Our people, products and partners help society securely connect and seize tomorrow’s digital opportunity today.

Integration(s)

Cisco Duo

With the Cisco Duo Playbook app, you can automate processes during an internal security investigation when it’s critical to quickly get user information or suspend users involved with a security incident. The following actions are available:

  • Activate User - Activate a user account that was previously in a “disabled” or “locked out” state. Requires 'Grant write resource' API permission.
  • Disable User - Disable a user account that was previously in any other state. Requires 'Grant write resource' API permission.
  • Get User - Return the single user with ID user_id. Requires 'Grant read resource' API permission.
  • Get User Groups - Return a list of groups associated with the user with ID user_id. Requires 'Grant read resource' API permission.
  • Get User Phones - Return a list of phones associated with the user with ID user_id. Requires 'Grant read resource' API permission.

The app allows you to do things like:

  • Get user account information, including Groups and Applications the user has access to. This information can be used for making automated decisions about the next steps to take in the investigation as well as helping analysts have the information they need without having to collect it manually.
  • Suspend a user’s account for a time period while an investigation takes place and analysts can confirm that the account is not compromised. This action can be automated as part of a Workflow or Playbook. Later in the process, the account can be unsuspended and the password can be reset automatically.

This listing can be found in the ThreatConnect App Catalog under the name Cisco Duo.


Built By ThreatConnect

Cisco Secure Malware Analytics

Cisco Secure Malware Analytics (formerly known as Threat Grid) combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. With a robust, context-rich malware knowledgebase, users can understand what malware is doing or attempting to do, how large a threat it poses, and how to defend against it. This integration allows files to be sent automatically from ThreatConnect to Threat Grid for analysis. Once the analysis is complete, the integration automatically returns it to ThreatConnect and associates it with the relevant indicators or groups (incidents, emails, documents, etc.). The following actions are available:

  • Get Report - Retrieve analysis based on an artifact's hash ID.
  • Submit File for Analysis - Upload a sample to Cisco Secure Malware Analytics for analysis.

This app can be found in the ThreatConnect App Catalog under the name Cisco Secure Malware Analytics.

Built By ThreatConnect

Cisco Umbrella Enforcement

The Cisco Umbrella integration with ThreatConnect allows Host and URL indicators to be added to and removed from the Cisco Umbrella Platform over the Cisco Umbrella Enforcement API.

  • The integration enables ThreatConnect to add or remove domains or full IOCs with Umbrella.
  • Users can block internet activity attributed to domains or IOCs over any port, protocol, or app without adding latency or complexity.
  • Users can gain instant global visibility of any devices requesting suspicious domains.
  • Cisco Umbrella’s predictive intelligence uses an up-to-the-minute view and analysis of 70+ billion daily DNS requests to stay ahead of attacks.

The following actions are available:

  • Cisco Umbrella Allow Indicators
    • When managing an incident, it’s often useful to take a common action on all related indicators. This Playbook Template looks up all indicators tied to an incident that has had the “Cisco Umbrella Block” tag removed, unblocks them on Cisco Umbrella, and logs the event to the incident.
  • Cisco Umbrella Block Indicators
    • When managing an incident, it’s often useful to take a common action on all related indicators. This Playbook Template looks up all indicators tied to an incident that has been tagged “Cisco Umbrella Blocked,” deploys them to Cisco Umbrella as blocks, and logs the event to the incident.

This listing can be found in the ThreatConnect App Catalog under the name Cisco Umbrella Enforcement.

Built By ThreatConnect

Cisco Umbrella Investigate

ThreatConnect customers can use Cisco Umbrella Investigate to enrich their IOCs with Investigate’s rich context. This allows their team to quickly triage suspicious network activity and pivot through attackers’ infrastructure to discover what they’ve been missing. This app queries Cisco Umbrella Investigate to enrich a given Indicator. The following actions are available:

  • Get Co-Occurrences - Retrieves any co-occurrences for a specified Domain.
  • Get Domain Security Information - Retrieves any security information for a specified Domain.
  • Get Domain Status - Retrieves status information for a specified Domain.
  • Get Domain Tagging - Retrieves tagging information for a specified Domain.
  • Get DNS RR History - Retrieves DNS Resource Record history for a specified IP Address or Host.
  • Get Latest Malicious Domains for IP - Retrieves any related malicious domain names for a specified IP Address.
  • Get Related Domains - Retrieves any related domains for a specified Domain.
  • Get Related Malware Sample Reports - Retrieves any related malware samples for a specified IP Address, Host, or URL.
  • Parse Malware Sample Report - Intended to be used with a Playbook Iterator Operator that is fed the output cisco.related_sample.samples from the Get Related Malware Sample Reports action.

This listing can be found in the ThreatConnect App Catalog under the name Cisco Umbrella Investigate.

Built By ThreatConnect

Cisco Umbrella Reporting

With this integration you can retrieve reports from Cisco Umbrella Reporting, whether as part of investigating new IOCs or to gain a better understanding of the activity occurring on your network.

The following actions are available:

  • Get DNS Activity - Get DNS activity within the provided time range.
  • Get Firewall Activity - Get Firewall activity within the provided time range.
  • Get Proxy Activity - Get Proxy activity within the provided time range.

This app can be found in the ThreatConnect App Catalog under the name Cisco Umbrella Reporting.

Built By ThreatConnect