Cisco Umbrella Investigate
Cisco Umbrella Investigate enables you to research domains, IPs, and URLs observed by the Umbrella resolvers.
Data Enrichment & Threat Intelligence · Cisco Umbrella Investigate
Configuration parameters
apitoken_creds— API Key (required)integrationReliability— Source Reliabilityinsecure— Trust any certificate (not secure)proxy— Use system proxy settingsbaseURL— Base URL (required)suspicious_threshold— DBot Score Suspicious Threshold (-100 to 100)dboscore_threshold— Score Malicious Threshold (-100 to 100)
Commands (32)
-
domainGet the WHOIS information for the specified domains.
-
investigate-umbrella-domain-categorizationDeprecatedReturns the category of a domain. E.g. domain=amazon.com returns Ecommerce/Shopping.
-
investigate-umbrella-domain-co-occurrencesDeprecatedGet a list of related domains back and returns a list of co-occurences for the specified domain. A co-occurrence is when two or more domains are being accessed by the same users within a small window of time. Being a co-occurrence isn't necessarily a bad thing, legitimate sites co-occur with each other as a part of normal web activity. However, unusual or suspicious co-occurence can provide additional information regarding attacks.
-
investigate-umbrella-domain-dns-historyDeprecatedThe DNS database can be used to query the history that Umbrella has seen for a given domain. The most common use case is to obtain the RRs (Resource Record) history for a given domain, passing in the record query type as a parameter, to help build intelligence around an domain.
-
investigate-umbrella-domain-relatedDeprecatedReturns a list of domain names that have been frequently seen around the same time (up to 60 seconds before or after) as the given domain name, but that are not frequently associated with other domain names.
-
investigate-umbrella-domain-searchDeprecatedThis produces a list of matching domains based on a regular expression. You could use this for domain squatting. The pattern search functionality in Investigate uses regular expressions (RegEx) to search against the Investigate database. There are several excellent tools online such as http://regexr.com to help if you’re not familiar with building RegEx.
-
investigate-umbrella-domain-securityDeprecatedThis contains multiple scores or security features, each of which can be used to determine relevant datapoints to build insights on the reputation or security risk posed by the site. See security information about this specific domain at https://investigate-api.readme.io/docs/security-information-for-a-domain-1.
-
investigate-umbrella-ip-dns-historyDeprecatedThe DNS database can be used to query the history that Umbrella has seen for a given IP address. The most common use case is to obtain the DNS Resource Record (RR) history for a given IP, passing in the record query type as a parameter, to help build intelligence around an IP or a range of IPs. The information provided is from within the last 90 days.
-
investigate-umbrella-ip-malicious-domainsDeprecatedThis command shows whether the IP address you’ve entered as input has any known malicious domains associated with it. The domains that appear when using this endpoint are those that currently exist in the Umbrella block list. This endpoint will return an array with a single domain name for each domain associated with the IP, along with an ID number that can be ignored.
-
umbrella-domain-categorizationGet the status, security, and content categories for the domain.
-
umbrella-domain-co-occurrencesList the co-occurences for the specified domain. A co-occurrence is when two or more domains are accessed by the same users within a small window of time. Co-occurring domains are not necessarily problematic; legitimate sites co-occur with each other as a part of normal web activity. However, unusual or suspicious co-occurences can provide additional information regarding attacks. To determine co-occurrences for a domain, a small time window of traffic across all of our datacenters is taken. Umbrella Investigate checks the sites that end users visited before and after the domain was requested in the API call.
-
umbrella-domain-dns-historyDeprecatedThe DNS database can be used to query the history that Umbrella has seen for a given domain. The most common use case is to obtain the RRs (Resource Record) history for a given domain, passing in the record query type as a parameter, to help build intelligence around an domain.
-
umbrella-domain-relatedList domain names that are frequently requested around the same time (up to 60 seconds before or after) as the given domain name, but that are not frequently associated with other domain names.
-
umbrella-domain-searchSearch for newly seen domains that match a regular expression pattern.
-
umbrella-domain-securityGet multiple scores or security features for a domain. You can use the scores or security features to determine relevant data points and build insights on the reputation or security risk posed by the site.
-
umbrella-get-asn-bgpGet BGP Route Information for ASN. Each hash reference contains two keys: `geo` and `cidr`. Geo is a hash reference with the country name and country code (the code corresponds to the country code list for ISO-3166-1 alpha-2). CIDR contains the IP prefix for this ASN.
-
umbrella-get-domain-classifiersDeprecatedList all the classifiers used for a particular domain to assign a particular security categorization or threat type (indicators of compromise).
-
umbrella-get-domain-queryvolumeList the query volume for a domain over the last 30 days. If there is no information about the domain, Umbrella Investigate returns an empty array. As the query takes time to generate, the last two hours may be blank.
-
umbrella-get-domain-risk-scoreGet the domain risk score. The Umbrella Investigate Risk Score is based on an analysis of the lexical characteristics of the domain name, patterns in queries and requests to the domain. The risk score is scaled from 0 to 100 where 100 is the highest risk and 0 represents no risk at all.
-
umbrella-get-domain-timelineList the historical tagging timeline for a given domain. Each timeline item includes lists of security category, attack, or threat type associated with the destination. Use the Tagging Timeline endpoint to verify when Umbrella assigned or removed a security category, attack, or threat type. If the current timeline item contains the security category, type of attack, or threat type not found in the previous timeline item, Umbrella updated the current timeline item. If the current timeline item does not contain the security category, attack, or threat type found in the previous timeline item, Umbrella removed the security category, type of attack, or threat type.
-
umbrella-get-domain-whois-historyGet a WHOIS response record for a single domain with available historical WHOIS data returned in an object. The information displayed varies by registrant.
-
umbrella-get-email-whoisGet WHOIS information for the email address. Returns the email address or addresses of the registrar for the domain or domains. The results include the total number of results for domains registered by this email address and a list of the first 500 domains associated with this email.
-
umbrella-get-ip-bgpGet data about ASN and IP relationships, showing how IP addresses are related to each other and to the regional registries. You can find out more about the IP space associated with an AS and correlate BGP routing information between AS.
-
umbrella-get-ip-timelineList the historical tagging timeline for a given IP address. Each timeline item includes lists of security category, attack, or threat type associated with the destination. Use the Tagging Timeline endpoint to verify when Umbrella assigned or removed a security category, attack, or threat type. If the current timeline item contains the security category, type of attack, or threat type not found in the previous timeline item, Umbrella updated the current timeline item. If the current timeline item does not contain the security category, attack, or threat type found in the previous timeline item, Umbrella removed the security category, type of attack, or threat type.
-
umbrella-get-nameserver-whoisGet WHOIS information for the nameserver. A nameserver can potentially register hundreds or thousands of domains.
-
umbrella-get-regex-whoisPerforms a regular expression (RegEx) search on the WHOIS data (domain, nameserver, and email fields) that was updated or created in the specified time range. Returns a list of ten WHOIS records that match the specified RegEx expression.
-
umbrella-get-top-most-seen-domainList the most seen domains in Umbrella. The popularity list contains Cisco Umbrella most queried domains based on passive DNS usage across Umbrella global network. The metric does not only consist of browser-based http requests from users but also takes into account the number of unique client IPs invoking this domain relative to the sum of all requests to all domains. The ranking reflects the domain's relative internet activity agnostic to the invocation protocols and applications where as site ranking models (such as Alexa) focus on the web activity over port 80 (primarily from browsers). In addition, the Umbrella popularity algorithm also applies data normalization techniques to smooth potential biases that may occur due to sampling of DNS usage data.
-
umbrella-get-url-timelineList the historical tagging timeline for a given URL. Each timeline item includes lists of security category, attack, or threat type associated with the destination. Use the Tagging Timeline endpoint to verify when Umbrella assigned or removed a security category, attack, or threat type. If the current timeline item contains the security category, type of attack, or threat type not found in the previous timeline item, Umbrella updated the current timeline item. If the current timeline item does not contain the security category, attack, or threat type found in the previous timeline item, Umbrella removed the security category, type of attack, or threat type.
-
umbrella-get-whois-for-domainGet the WHOIS information for the specified domains. You can search by multiple email addresses or multiple nameservers.
-
umbrella-ip-dns-historyDeprecatedThe DNS database can be used to query the history that Umbrella has seen for a given IP address. The most common use case is to obtain the DNS Resource Record (RR) history for a given IP, passing in the record query type as a parameter, to help build intelligence around an IP or a range of IPs. The information provided is from within the last 90 days.
-
umbrella-list-domain-subdomainList sub-domains of a given domain.
-
umbrella-list-resource-recordList the Resource Record (RR) data for DNS responses, and categorization data, where the answer (or rdata) is the inserted value or list historical data from the Umbrella resolvers for domains, IPs, and other resource records (by using the type name).