Cisco Umbrella Investigate API Use Cases and Best Practices

Issue link: https://learn-umbrella.cisco.com/i/749082

© 2016 Cisco and/or its affiliates. All rights reserved.

What is the Investigate API?

Cisco Umbrella Investigate provides access to all of our threat intelligence about domains, IPs, ASNs, and file hashes in two main ways:

• Investigate Console: Use our web-based console to query and interactively pivot on different data points during incident investigations and threat research.
• Investigate API: Use our API to enrich data in your SIEM, threat intelligence platform, or incident workflow, so you can quickly surface high-impact security incidents and add more context for security analysts and incident responders.

There are many ways to incorporate the Investigate API into your existing workflows, processes, and systems. We spoke to many Investigate customers and outlined the most common integrations and use cases for the API below. For more detailed API documentation, please visit http://docs.umbrella.com/.

SIEM

Use cases:

• Better prioritize incident response: To properly triage incidents, you need accurate information and the relevant context quickly. Our unique view of the internet enriches your security event data with real-time context about malicious domains, IPs, ASNs, and file hashes to help prioritize investigations and incident response.
• Speed up investigations: By automatically populating SIEM events with intelligence from Investigate, security analysts have more context about the domain, IP, or file related to an event and can make faster, more informed decisions during investigations, instead of manually retrieving and correlating data from multiple sources.

Types of data from Investigate:

Note: there are many different types of data you can leverage from the Investigate API. These are some of the most commonly used by customers:

• Categorization (shows the status and categorization of the domain)
  ▫ Often used by security teams as an initial classifier to determine whether a domain/IP is good, unknown, or bad.
• Scores (several scores help rate the potential risk of the domain/IP). For example:
  ▫ SecureRank2: this score is designed to identify domains that are requested by known infected clients but never requested by clean clients, on the assumption that such domains are more likely to be bad. Scores range from -100 (suspicious) to +100 (benign).
  ▫ RIP Score: the IP reputation score rates an IP address based on the amount of malicious activity hosted on it. Scores range from -100 to 0, with -100 being very suspicious.
• WHOIS record data (includes the email address used to register the domain, associated nameservers, historical information, etc.)
  ▫ Often used to learn more about the history of the domain and its registrant, including whether the registrant email address was used to register other malicious domains.
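The following Python script is an added example, not code from the Cisco solution brief, showing how the categorization status and the two scores described above can be turned into an incident priority for SIEM events. The endpoint paths, the Bearer-token header, and the response field names (status, security_categories, securerank2, rip_score, found) are assumptions about the Investigate API and should be checked against http://docs.umbrella.com/; the sample responses and SIEM events are constructed so the script runs offline. Two practitioner caveats are built in: a domain Investigate has not seen comes back without scores, so missing values must not be treated as 0, and any score outside its documented range is discarded rather than fed into the decision.

```python
"""Priority triage of SIEM events using Cisco Umbrella Investigate enrichment.

Added example; not code from the Cisco solution brief.  ASSUMED (verify against
http://docs.umbrella.com/): /domains/categorization/{domain} returns
{domain: {"status": -1|0|1, "security_categories": [...], "content_categories": [...]}}
and /security/name/{domain} returns a flat object with "securerank2" (-100..+100),
"rip_score" (-100..0) and "found"; requests carry "Authorization: Bearer <token>".
"""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

INVESTIGATE_BASE = "https://investigate.api.umbrella.com"  # assumed base URL


def fetch_json(path: str, token: str) -> dict:
    """GET one Investigate endpoint. Not called by the offline demo below."""
    req = urllib.request.Request(INVESTIGATE_BASE + path,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


@dataclass
class Enrichment:
    domain: str
    status: int                   # -1 malicious, 0 unknown, 1 benign (assumed encoding)
    securerank2: Optional[float]  # -100 (suspicious) .. +100 (benign); None if absent/malformed
    rip_score: Optional[float]    # -100 (very suspicious) .. 0; None if absent/malformed
    security_categories: list = field(default_factory=list)


def _score(value, low, high) -> Optional[float]:
    """Accept a score only when it is numeric and inside its documented range."""
    if isinstance(value, (int, float)) and not isinstance(value, bool) and low <= value <= high:
        return float(value)
    return None


def parse_enrichment(domain: str, categorization: dict, security: dict) -> Enrichment:
    """Build an Enrichment from the two (assumed-shape) API responses for one domain."""
    cat = categorization.get(domain, {})
    sec = security if security.get("found", True) else {}  # unseen domain: no scores at all
    return Enrichment(
        domain=domain,
        status=cat.get("status", 0),
        securerank2=_score(sec.get("securerank2"), -100, 100),
        rip_score=_score(sec.get("rip_score"), -100, 0),
        security_categories=list(cat.get("security_categories", [])),
    )


def triage(e: Enrichment) -> str:
    """Map enrichment to a priority: high / medium / low / info.

    Categorization is the initial classifier; the scores only decide unknown domains.
    Thresholds are illustrative and should be tuned to your own false-positive budget.
    """
    if e.status == -1 or e.security_categories:
        return "high"    # Umbrella already classifies it as a threat
    if e.status == 1:
        return "low"     # known benign
    sr, rip = e.securerank2, e.rip_score
    if (sr is not None and sr <= -50) or (rip is not None and rip <= -50):
        return "high"
    if (sr is not None and sr < 0) or (rip is not None and rip < -20):
        return "medium"
    return "info"        # unknown with no negative signal: record it, do not page anyone


# Constructed sample responses (not real API output), merged per domain so they can
# stand in for fetch_json() results in the offline demo.
SAMPLE_CATEGORIZATION = {
    "update-cdn-evil.example": {"status": -1, "security_categories": ["Malware"], "content_categories": []},
    "www.example-corp.example": {"status": 1, "security_categories": [], "content_categories": ["Business Services"]},
    "x7q2.example": {"status": 0, "security_categories": [], "content_categories": []},
    "newly-seen.example": {"status": 0, "security_categories": [], "content_categories": []},
}
SAMPLE_SECURITY = {
    "update-cdn-evil.example": {"found": True, "securerank2": -85.2, "rip_score": -60.0},
    "www.example-corp.example": {"found": True, "securerank2": 92.1, "rip_score": 0},
    "x7q2.example": {"found": True, "securerank2": -12.5, "rip_score": -45.0},
    "newly-seen.example": {"found": False},
}
SAMPLE_EVENTS = [  # constructed SIEM events (already-parsed proxy/DNS log records)
    {"src": "10.1.4.22", "domain": "x7q2.example"},
    {"src": "10.1.4.9", "domain": "www.example-corp.example"},
    {"src": "10.1.7.3", "domain": "update-cdn-evil.example"},
    {"src": "10.1.4.22", "domain": "newly-seen.example"},
]
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def enrich_events(events, categorization_by_domain, security_by_domain):
    """Attach an Investigate-derived priority and scores to each event, highest first."""
    out = []
    for ev in events:
        d = ev["domain"]
        e = parse_enrichment(d, categorization_by_domain, security_by_domain.get(d, {"found": False}))
        out.append({**ev, "priority": triage(e), "securerank2": e.securerank2, "rip_score": e.rip_score})
    return sorted(out, key=lambda r: PRIORITY_ORDER[r["priority"]])


if __name__ == "__main__":
    for row in enrich_events(SAMPLE_EVENTS, SAMPLE_CATEGORIZATION, SAMPLE_SECURITY):
        print(row)
```

In a real integration, fetch_json would be called once per distinct domain (with caching, since Investigate rate-limits API keys) and the resulting priority written back into the SIEM event so that analysts see the enrichment without pivoting to the console.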