
Sep 4, 2024
1.1.1
ThreatQ Versions >= 5.17.0
Cisco Umbrella Action Bundle
Overview
The Cisco Umbrella actions for ThreatQ enable analysts to use Cisco Umbrella’s APIs for enrichment. Analysts can enrich IOCs from their Threat Library with context from the Cisco Umbrella Investigate API, including, but not limited to, categorization, risk scores, hash samples, and WHOIS information.
The bundle provides the following actions:
- Cisco Umbrella Investigate - Get Security Context - fetches security context from Cisco Umbrella such as a domain’s threat type and scores.
- Cisco Umbrella Investigate - Get Risk Scores - returns the risk score for a given domain.
- Cisco Umbrella Investigate - Get Categorization - fetches a domain’s disposition as well as its security and content categories.
- Cisco Umbrella Investigate - Get Samples - retrieves related sample hashes for a given IOC, as well as some other contextual information.
- Cisco Umbrella Investigate - Get WHOIS - retrieves a domain’s WHOIS records.
- Cisco Umbrella Enforcement - block or allow selected IOCs.
The action is compatible with the following system indicator types:
Note: Individual actions may only be compatible with a subset of these types.
- IP Address
- FQDN
- MD5
- SHA-1
- SHA-256
- URL
The action returns the following enriched indicator types:
Note: Individual actions may only return a subset of these types.
- IP Address
- FQDN
- MD5
- SHA-1
- SHA-256
Note: This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.