Cisco Umbrella is a cloud-delivered enterprise network security service that gives users a first line of defense against cybersecurity threats. Integrating with Cisco Umbrella helps users collect, research, and visualize security event data, and also lets them programmatically check the state of domains. For each domain evaluated, Umbrella either blocks or allows the domain.
D3 SOAR provides REST operations that work with Cisco Umbrella Enforcement.
Cisco Umbrella Enforcement is available for use in:
To connect to Cisco Umbrella Enforcement from D3 SOAR, first collect the information below:
Parameter | Description | Example
Investigate Token | The authentication token for the Investigate API. | ***-***-***-***-***
Enforcement Token | The authentication token (customerKey) for the Enforcement API. | ***-***-***-***-***
Management Key | The authentication key for the Management API. | ***
Management Secret | The authentication secret for the Management API. | ***
Organization ID | The organization ID for the Management API. | ***
Permission Requirements
Each endpoint in the Cisco Umbrella Enforcement API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command | Required Permission
Add Destinations To Destination List | Full Admin
Add Domains To Domain List | Full Admin
Delete Enforced Domains | Full Admin
Get ASN For IPs | Investigate Only
Get Destinations By Destination List | Full Admin
Get Domain Status | Investigate Only
Get Geo Info For ASNs | Investigate Only
Get Latest Malicious Domain | Investigate Only
Get Related Domains | Investigate Only
Get Risk Score Of Domains | Investigate Only
Get Security Info Of Domains | Investigate Only
List Enforced Domains | Full Admin
Register Enforced Domains | Full Admin
Remove Destinations From Destination List | Full Admin
Who Is Domains | Investigate Only
Who Is Emails | Investigate Only
Test Connection | Full Admin
Reader Note
Only a Full Admin account can create Enforcement tokens and Management Keys and Secrets. Commands that require the Investigate Only role run with just an Investigate Token. If you provide only the Investigate Token and leave the other parameters empty, Test Connection will report an error; save the connection anyway and use Test Command to run the Investigate Only commands, which work whether or not the connection test passed.
Configuring Cisco Umbrella Enforcement to Work with D3 SOAR
From the left sidebar menu, select Accounts under Admin. Click on + New located at the top right of the screen to create a new user.
Enter the user's email address and select the appropriate user role from the dropdown menu.
Click on SEND INVITATION to invite the user. An email will be sent to the provided email address. Check the user's email account and follow the instructions to activate the account. The account status will be shown as pending until activation is complete.
Provide the required information to complete the account creation process.
Log out of your current account and log in using the newly created account.
Refer to the sections below to generate tokens. Tokens will inherit permissions from the corresponding account they were generated from.
Creating Investigate API Tokens
From the left sidebar menu, select API Keys under Investigate.
Click on + CREATE NEW TOKEN located on the top right corner. Enter a title for the token and click CREATE.
Copy and save the access token. This token will be used as the Investigate Token when setting up the integration connection in D3 SOAR.
Creating Enforcement Tokens
From the left sidebar menu, navigate to Policies > Policy Components > Integration Settings. Click + Add at the top right corner to create a new integration.
Enter the Integration Name and click CREATE.
Open the newly created integration and toggle the Integration Enabled switch to enable it. Copy and save the customerKey, which is the string value following "customerKey=" in the Integration URL. This value is used as the Enforcement Token when setting up the integration connection in D3 SOAR. Treat it as a credential: it is a bearer secret carried in the request URL, so keep it out of shared documents, tickets, and anything that logs full URLs. Click SAVE.
Creating Management Keys and Secrets
From the left sidebar menu, select API Keys under Admin. Click on Legacy Keys at the top right corner and select Umbrella Management.
Click on REFRESH, then copy and save the key and secret values provided. These will be used when setting up the integration connection in D3 SOAR.
Obtaining the Organization ID
Once logged into the Cisco Umbrella Enforcement portal, you can find the Organization ID in the URL. The Organization ID is located at https://dashboard.umbrella.com/o/<OrgID>/#/<page>, where <OrgID> represents your Organization ID.
Configuring D3 SOAR to Work with Cisco Umbrella Enforcement
Log in to D3 SOAR.
Find the Cisco Umbrella Enforcement integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Cisco Umbrella Enforcement in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Cisco Umbrella Enforcement.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Copy the Investigate Token from the Cisco Umbrella Enforcement platform. Refer to Creating Investigate API Tokens for more details.
2. Copy the Enforcement Token from the Cisco Umbrella Enforcement platform. Refer to Creating Enforcement Tokens for more details.
3. Copy the Management Key from the Cisco Umbrella Enforcement platform. Refer to Creating Management Keys and Secrets for more details.
4. Copy the Management Secret from the Cisco Umbrella Enforcement platform. Refer to Creating Management Keys and Secrets for more details.
5. Copy the Organization ID from the Cisco Umbrella Enforcement platform. Refer to Obtaining the Organization ID for more details.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test is successful, and Passed with a green checkmark appears beside the Test Connection button. If the test fails, check your connection parameters and try again.
Click OK to close the alert window.
Click +Add to create and add the configured connection.
Commands
Cisco Umbrella Enforcement includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Add Destinations To Destination List
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.data in the API-returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
id: ***
organizationId: ***
access: allow
isGlobal: True
name: Global Allow List
thirdpartyCategoryId:
createdAt: 7/26/2021 10:02:13 AM
modifiedAt: 8/5/2021 3:39:04 PM
isMspDefault: False
markedForDeletion: False
bundleTypeId: 1
meta: { "destinationCount": 11 }
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Destinations To Destination List failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid Destination.
Error Sample Data
Add Destinations To Destination List failed.
Status Code: 401.
Message: Invalid Destination.
Add Domains To Domain List
Posts malware events in the Umbrella Generic Event Format for further processing, with the option to add the domains in those events to the customer's domain list. The command then returns the current domain list.
Input
Input Parameter
Required/Optional
Description
Example
customerKey
Optional
The customerKey, which is the same as the enforcement token used to configure the integration connection. Please note that the customerKey or enforcement token entered here will not affect the configuration of the underlying integration connection.
***-***-***-***-***
events
Optional
The JSON object containing the list of malware events and domains to add to the domain list.
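The page does not show what the events input looks like, so the following is an added example (not D3 SOAR or Cisco code) of how a playbook step could build and sanity-check that input before calling the command. The event field names (alertTime, deviceId, deviceVersion, dstDomain, dstUrl, eventTime, protocolVersion, providerName) are taken from the public Umbrella Enforcement API reference as the author of this example knows it, not from this page, and should be confirmed against current Cisco documentation; the sample input, device ID and provider name are constructed.

```python
"""Build the `events` payload for Add Domains To Domain List.

Added example for this page; it is not D3 SOAR or Cisco code.  The event field
names (alertTime, deviceId, deviceVersion, dstDomain, dstUrl, eventTime,
protocolVersion, providerName) follow the public Umbrella Enforcement API
reference as the author of this example knows it; confirm them against the
current Cisco documentation before relying on them.
"""
from datetime import datetime, timezone
import ipaddress
import re

REQUIRED_FIELDS = ("alertTime", "deviceId", "deviceVersion", "dstDomain",
                   "dstUrl", "eventTime", "protocolVersion", "providerName")

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(value: str) -> str:
    """Reduce a URL, host:port or dotted hostname to a bare lower-case domain.

    Rejects IP literals and syntactically invalid names, because an
    enforcement list entry that is not a real domain is silently useless.
    """
    host = value.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # drop scheme
    host = host.split("/", 1)[0].split("?", 1)[0]      # drop path and query
    host = host.rsplit("@", 1)[-1].split(":", 1)[0]    # drop userinfo and port
    host = host.rstrip(".")                            # drop trailing root dot
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError(f"{value!r} is an IP address, not a domain")
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        raise ValueError(f"{value!r} is not a valid domain name")
    return host


def validate_events(events):
    """Raise if any event lacks a required field; return True otherwise."""
    missing = [(i, f) for i, ev in enumerate(events)
               for f in REQUIRED_FIELDS if not ev.get(f)]
    if missing:
        raise ValueError(f"events missing required fields: {missing}")
    return True


def prepare_payload(raw_domains, device_id, event_time=None,
                    provider_name="Security Platform", device_version="1.0"):
    """Return (events, rejected).

    events   - de-duplicated Umbrella Generic Event Format records, ready to be
               passed as the command's `events` input.
    rejected - (input, reason) pairs for entries that were not valid domains, so
               a playbook can report what was NOT enforced instead of dropping it.
    """
    when = event_time or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%S.0Z")   # UTC with 'Z' suffix
    events, rejected, seen = [], [], set()
    for raw in raw_domains:
        try:
            domain = normalize_domain(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if domain in seen:          # same domain twice adds nothing to the list
            continue
        seen.add(domain)
        events.append({
            "alertTime": stamp,
            "deviceId": device_id,
            "deviceVersion": device_version,
            "dstDomain": domain,
            "dstUrl": f"http://{domain}/",
            "eventTime": stamp,
            "protocolVersion": "1.0a",
            "providerName": provider_name,
        })
    validate_events(events)
    return events, rejected


# Constructed sample input (not from the page): a URL, a duplicate with a
# trailing dot, a host:port, and an IP literal that must be rejected.
SAMPLE_INPUT = ["HTTP://Bad-Example.test/landing?x=1", "bad-example.test.",
                "C2.invalid:8443", "203.0.113.7"]
FIXED_TIME = datetime(2021, 8, 5, 15, 39, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    evs, bad = prepare_payload(SAMPLE_INPUT, "d3-soar-01", event_time=FIXED_TIME)
    print(f"{len(evs)} events to post, {len(bad)} inputs rejected: {bad}")
```

The rejected list is the part worth keeping in the playbook output: an indicator that never made it into the event payload is an indicator that is not being blocked, and that is exactly the kind of silent gap a responder wants surfaced rather than hidden behind a Successful status.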
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Domains To Domain List failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Delete Enforced Domains
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
DOMAIN | ACTIONRESULT
domain1 | Deleted domain successfully
xdomain2 | Deleted domain successfully
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Error Sample Data
Delete Enforced Domains failed.
Status Code: 401.
Message: Invalid Domain.
Get ASN For IPs
Retrieves the Autonomous System Numbers (ASNs) and related routing information for the specified IP addresses.
Input
Input Parameter
Required/Optional
Description
Example
ips
Required
The list of IP addresses to query
["8.8.8.8"]
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
[
{
"ip": "8.8.8.8",
"asn": [
{
"cidr": "8.0.0.0/12",
"asn": ***,
"ir": 3,
"description": "LEVEL3, US ***",
"creation_date": "2000-03-10",
"RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica."
},
{
"cidr": "8.0.0.0/9",
"asn": ***,
"ir": 3,
"description": "LEVEL3, US ***",
"creation_date": "2000-03-10",
"RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica."
},
{
"cidr": "8.8.8.0/24",
"asn": ***,
"ir": 3,
"description": "GOOGLE, US ***",
"creation_date": "2000-03-30",
"RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica."
}
]
}
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
[
{
"ip": "8.8.8.8",
"asn": [
{
"cidr": "8.0.0.0/12",
"asn": ***,
"ir": 3,
"description": "LEVEL3, US ***",
"creation_date": "2000-03-10",
"RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica."
},
{
"cidr": "8.0.0.0/9",
"asn": ***,
"ir": 3,
"description": "LEVEL3, US ***",
"creation_date": "2000-03-10",
"RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica."
},
{
"cidr": "8.8.8.0/24",
"asn": ***,
"ir": 3,
"description": "GOOGLE, US ***",
"creation_date": "2000-03-30",
"RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica."
}
]
}
]
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
IP
ASN
8.8.8.8
[ { "cidr": "8.0.0.0/12", "asn": ***, "ir": 3, "description": "LEVEL3, US ***", "creation_date": "2000-03-10", "RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica." }, { "cidr": "8.0.0.0/9", "asn": ***, "ir": 3, "description": "LEVEL3, US ***", "creation_date": "2000-03-10", "RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica." }, { "cidr": "8.8.8.0/24", "asn": ***, "ir": 3, "description": "GOOGLE, US ***", "creation_date": "2000-03-30", "RegistryRegion": "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica." } ]
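The raw data above returns several overlapping prefixes for a single IP (8.0.0.0/9, 8.0.0.0/12 and 8.8.8.0/24 for 8.8.8.8), and a playbook that simply takes the first record attributes the address to the wrong network. The following added example (not D3 SOAR or Cisco code) applies longest-prefix matching to a response shaped like the command's Raw Data. Because the page masks the real ASN values, the sample uses documentation ASNs from RFC 5398 and constructed descriptions; the second IP, with an empty asn array, is constructed to show the no-data case.

```python
"""Pick the most specific ASN record for each IP in Get ASN For IPs raw data.

Added example for this page; it is not D3 SOAR or Cisco code.  The raw data
for 8.8.8.8 lists several overlapping prefixes; the route that matters for
attribution is the longest one, so this helper applies longest-prefix matching.
"""
import ipaddress

# Constructed sample shaped like the command's Raw Data.  The page masks the
# ASN values, so documentation ASNs from RFC 5398 (64496-64511) and invented
# descriptions stand in here; the second entry shows an IP with no ASN data.
_ARIN = "ARIN: United States, Canada, several parts of the Caribbean region, and Antarctica."
SAMPLE_RAW = [
    {"ip": "8.8.8.8", "asn": [
        {"cidr": "8.0.0.0/12", "asn": 64496, "ir": 3,
         "description": "EXAMPLE-TRANSIT, US", "creation_date": "2000-03-10",
         "RegistryRegion": _ARIN},
        {"cidr": "8.0.0.0/9", "asn": 64496, "ir": 3,
         "description": "EXAMPLE-TRANSIT, US", "creation_date": "2000-03-10",
         "RegistryRegion": _ARIN},
        {"cidr": "8.8.8.0/24", "asn": 64497, "ir": 3,
         "description": "EXAMPLE-ORIGIN, US", "creation_date": "2000-03-30",
         "RegistryRegion": _ARIN},
    ]},
    {"ip": "198.51.100.9", "asn": []},
]


def most_specific_asn(entry):
    """Return the ASN record whose CIDR is the longest prefix containing entry['ip'].

    Records with a malformed CIDR, or a CIDR that does not actually contain the
    IP, are skipped rather than failing the whole batch.  None means the API
    gave nothing usable for this IP.
    """
    ip = ipaddress.ip_address(entry["ip"])
    best_net, best_rec = None, None
    for rec in entry.get("asn") or []:
        try:
            net = ipaddress.ip_network(rec["cidr"], strict=False)
        except (KeyError, ValueError):
            continue
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_rec = net, rec
    return best_rec


def summarize(raw):
    """Map ip -> (asn, cidr, description) from the most specific route, or None."""
    result = {}
    for entry in raw:
        rec = most_specific_asn(entry)
        result[entry["ip"]] = (None if rec is None
                               else (rec["asn"], rec["cidr"], rec["description"]))
    return result


def asn_set(raw):
    """Every ASN seen anywhere in the batch, for a playbook condition of the form
    'any result falls in a watch-listed ASN' rather than 'the origin ASN is X'."""
    return {rec["asn"] for entry in raw for rec in entry.get("asn") or []
            if "asn" in rec}


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_RAW).items():
        print(ip, "->", info)
```

For a conditional task in a playbook, summarize() gives the single origin ASN to compare against, while asn_set() is the right input when the question is whether any covering prefix belongs to a provider on a watch list.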
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get ASN For IPs failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: invalid ip.
Error Sample Data
Get ASN For IPs failed.
Status Code: 401.
Message: invalid ip.
Get Destinations By Destination List
Retrieves destinations from the specified destination list.
Input
Input Parameter
Required/Optional
Description
Example
Destination List Name
Required
The name of the destination list from which to retrieve destinations.
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.data in the API-returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ID | DESTINATION | TYPE | COMMENT | CREATEDAT
*** | 9.9.9.9 | ipv4 | | 2021-08-03 18:36:11
*** | 9.9.9.10 | ipv4 | | 2021-08-05 22:05:13
*** | ***999.com | domain | test domain, video games | 2021-07-31 01:12:57
*** | ***999.com | domain | test domain, twitter.com | 2021-07-31 01:12:57
*** | ***888.com | domain | test domain, video games | 2021-07-31 01:05:27
*** | ***777.com | domain | test domain, video games | 2021-07-31 01:16:26
*** | 9.9.9.11 | ipv4 | | 2021-08-05 20:56:22
*** | 9.9.9.18 | ipv4 | test domain, ***19.com | 2021-08-05 22:00:32
*** | 9.9.9.19 | ipv4 | test domain, ***19.com | 2021-08-05 22:00:32
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Destinations By Destination List failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Destination List Name Not Found.
Error Sample Data
Get Destinations By Destination List failed.
Status Code: 404.
Message: Destination List Name Not Found.
Get Domain Status
Returns the status of the specified domains.
Input
Input Parameter
Required/Optional
Description
Example
domains
Optional
The list of domains to query.
["google.com"]
tierLevel
Optional
The level of access granted to the API. Tier 0 and Tier 1 do not support bulk requests, while Tier 2 and Tier 3 allow the use of bulk requests.
0
showLable
Optional
The option to return content categories by their names, when set to True. Setting this parameter to False will return category IDs instead.
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Domain Status failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid domain name.
Error Sample Data
Get Domain Status failed.
Status Code: 401.
Message: Invalid domain name.
Get Geo Info For ASNs
Retrieves prefix routing information on the specified Autonomous System Numbers (ASNs).
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Geo Info For ASNs failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: asns not found.
Error Sample Data
Get Geo Info For ASNs failed.
Status Code: 404.
Message: asns not found.
Get Latest Malicious Domain
Retrieves any known malicious domains associated with the specified IP addresses. If no malicious domains are known, the result will be empty.
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Latest Malicious Domain failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid ip.
Error Sample Data
Get Latest Malicious Domain failed.
Status Code: 401.
Message: Invalid ip.
Get Related Domains
Retrieves a list of domain names that have been commonly requested around the same time as the specified domain names.
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Related Domains failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid Domain.
Error Sample Data
Get Related Domains failed.
Status Code: 401.
Message: Invalid Domain.
Get Risk Score Of Domains
Retrieves Umbrella Investigate Risk Scores for the specified domains. The risk score is measured on a scale from 0 to 100, where a higher score indicates a greater level of risk, while a score of 0 represents no risk at all.
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Risk Score Of Domains failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid Domain.
Error Sample Data
Get Risk Score Of Domains failed.
Status Code: 401.
Message: Invalid Domain.
Get Security Info Of Domains
Retrieves multiple scores and security features related to the specified domains, which can be used to determine relevant datapoints to build insight on the reputation or security risk posed by the site.
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Security Info Of Domains failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
List Enforced Domains
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.data in the API-returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ID    NAME      LASTSEENAT
***   ***.com   1627688341
***   ***.com   1627520863
***   ***.com   1627530853
***   ***.com   1627577025
***   ***.com   1627673752
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Failure Indicator
Description: Indicates the command failure that happened at a specific input and/or API call.
Example: List Enforced Domains failed.
Status Code
Description: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission settings in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 403.
Message
Description: The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: Forbidden
Testing enforcement token fail. Message Invalid credentials supplied (Event failed to be recorded)
Register Enforced Domains
Registers a list of domains under Umbrella enforcement, with the option to include the specified domains in the domain list.
Input
Input Parameter
Required/Optional
Description
Example
Domains
Required
The list of domains to register.
["***","***"]
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"id": "***,***,***,***"
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
CODE
{
"id": "***,***,***,***"
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"ID": "***,***,***,***"
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Failure Indicator
Description: Indicates the command failure that happened at a specific input and/or API call.
Example: Register Enforced Domains failed.
Status Code
Description: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission settings in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 401.
Message
Description: The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: Invalid Domain.
Error Sample Data
Register Enforced Domains failed.
Status Code: 401.
Message: Invalid Domain.
Remove Destinations From Destination List
Removes specified destinations from the destination list.
Input
Input Parameter
Required/Optional
Description
Example
Destination List Name
Required
The name of the destination list from which the destinations are removed.
Global Allow List
Destinations
Required
The destinations to remove from the destination list.
Output
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from the path $.data in the JSON returned by the API.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
id: ***
organizationId: ***
access: allow
isGlobal: True
name: Global Allow List
thirdpartyCategoryId:
createdAt: 7/26/2021 10:02:13 AM
modifiedAt: 8/5/2021 3:39:54 PM
isMspDefault: False
markedForDeletion: False
bundleTypeId: 1
meta: {"destinationCount": 9}
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Failure Indicator
Description: Indicates the command failure that happened at a specific input and/or API call.
Example: Remove Destinations From Destination List failed.
Status Code
Description: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission settings in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 404.
Message
Description: The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: Destination List Name Not Found.
Error Sample Data
Remove Destinations From Destination List failed.
Status Code: 404.
Message: Destination List Name Not Found.
Who Is Domains
Retrieves standard WHOIS response records for the specified domains, including all the available WHOIS data.
Output
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Failure Indicator
Description: Indicates the command failure that happened at a specific input and/or API call.
Example: Who Is Domains failed.
Status Code
Description: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission settings in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 401.
Message
Description: The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: Invalid Domain.
Error Sample Data
Who Is Domains failed.
Status Code: 401.
Message: Invalid Domain.
Who Is Emails
Retrieves the domains whose registrar (WHOIS) records are associated with the specified email addresses.
Output
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
test@example.com
{
"totalResults": 135,
"offset": 0,
"moreDataAvailable": false,
"limit": 500,
"sortField": "domain name [default]",
"domains": [
{
"domain": "http://test.com ",
"current": false
},
{
"domain": "example.com",
"current": false
}
],
"email": "test@example.com"
}
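As an added example (not D3's or Cisco's code), the following Python takes a Who Is Emails result like the sample above, normalizes its domain values into the list shape the Register Enforced Domains command expects for its Domains input, and splits that command's comma-joined id string into individual IDs. It serves both the Register Enforced Domains and Who Is Emails sections; the sample result is constructed and the function names are assumptions.

```python
import json
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample modelled on the page's Who Is Emails result; the
# third entry is added here to show case folding and deduplication.
WHOIS_EMAILS_RESULT: Dict = json.loads("""
{
  "totalResults": 3, "offset": 0, "moreDataAvailable": false, "limit": 500,
  "sortField": "domain name [default]",
  "domains": [
    {"domain": "http://test.com ", "current": false},
    {"domain": "example.com", "current": false},
    {"domain": "Example.COM", "current": true}
  ],
  "email": "test@example.com"
}
""")

def normalize_domain(value: str) -> Optional[str]:
    """Reduce a WHOIS 'domain' value to a bare lowercase host name. The page's
    sample carries a scheme and a trailing space ("http://test.com "), so both
    are stripped; a value that is not a plausible registrable name yields None."""
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    labels = value.rstrip(".").split(".")
    ok = len(labels) >= 2 and all(
        lbl and all(c.isalnum() or c == "-" for c in lbl) for lbl in labels)
    return ".".join(labels) if ok else None

def domains_for_enforcement(result: Dict, current_only: bool = False) -> List[str]:
    """Build the 'Domains' input list for Register Enforced Domains from a
    Who Is Emails result: normalized, deduplicated, original order kept."""
    seen, out = set(), []
    for entry in result.get("domains", []):
        if current_only and not entry.get("current"):
            continue
        host = normalize_domain(entry.get("domain", ""))
        if host and host not in seen:
            seen.add(host)
            out.append(host)
    return out

def registered_ids(raw: Dict) -> List[str]:
    """Split the comma-joined 'id' string that Register Enforced Domains
    returns (page sample: "id": "***,***,***,***") into one ID per item."""
    return [i for i in raw.get("id", "").split(",") if i]
```

Check moreDataAvailable on the result before treating the list as complete; when it is true, the caller must query again with the offset advanced by limit.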
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Failure Indicator
Description: Indicates the command failure that happened at a specific input and/or API call.
Example: Who Is Emails failed.
Status Code
Description: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission settings in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 401.
Message
Description: The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: Invalid Email.
Error Sample Data
Who Is Emails failed.
Status Code: 401.
Message: Invalid Email.
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Failure Indicator
Description: Indicates the command failure that happened at a specific input and/or API call.
Example: Test Connection failed. Failed to check the connector.
Status Code
Description: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission settings in the Cisco Umbrella Enforcement portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 403.
Message
Description: The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: Forbidden
Testing enforcement token fail. Message Invalid credentials supplied (Event failed to be recorded)