
SOLUTION BRIEF

Cisco Umbrella Investigate API use cases & best practices.

What is the Investigate API?


Cisco Umbrella Investigate provides access to all of our threat intelligence about domains,
IPs, ASNs, and file hashes in two main ways:
• Investigate Console: Use our web-based console to query and interactively pivot on
different data points during incident investigations and threat research.
• Investigate API: Use our API to enrich data in your SIEM, threat intelligence platform, or
incident workflow, so you can quickly surface high impact security incidents and add more
context for security analysts and incident responders.
There are many ways to incorporate the Investigate API into your existing workflows,
processes, and systems. We spoke to many Investigate customers and outlined the most
common integrations and use cases for the API below. For more detailed API documentation,
please visit http://docs.umbrella.com/.

SIEM
Use cases:
• Better prioritize incident response: To properly triage incidents, you need to get
accurate information and the relevant context quickly. Our unique view of the internet
enriches your security event data with real-time context about malicious domains, IPs,
ASNs, and file hashes to help prioritize investigations & incident response.
• Speed up investigations: By automatically populating SIEM events with intelligence
from Investigate, security analysts have more context about a domain, IP, or file related to
the event and can make faster, more informed decisions during investigations — versus
manually going to and correlating data from multiple sources.

Types of data from Investigate:


Note: there are many different types of data you can leverage from the Investigate API.
These are some of the most commonly used by customers:
• Categorization (shows the status and categorization of the domain)
▫▫ Often used by security teams as an initial classifier to determine if a domain/IP is good,
unknown, or bad.
• Scores (there are several scores that help rate the potential risk of the domain/IP)
▫▫ For example:
▫▫ SecureRank2: this score is designed to identify domains that are requested by known
infected clients, but never requested by clean clients — assuming these domains are
more likely to be bad. Scores range from -100 (suspicious) to +100 (benign).
▫▫ RIP Score: the IP reputation score is designed to rate the IP address based on the
amount of malicious activity hosted on the IP. Scores range from -100 to 0; with -100
being very suspicious.
• WHOIS record data (includes the email address used to register the domain, associated
nameserver, historical information, etc.)
▫▫ Often used to find out more about the history of the domain and the registrant, including
whether the email address was used to register other malicious domains.

© 2016 Cisco and/or its affiliates. All rights reserved.


• Co-Occurrences (shows other domains that were queried right before or after a given
domain and are likely related)
▫▫ Often used to uncover other domains that may be related to the same attack but are
hosted on completely separate networks.
• Passive DNS (shows the history of domain-to-IP mappings)
▫▫ Often used to see if anything suspicious happened with the domain or IP. For example,
you might find the IP address is constantly changing (fast flux) or find the IP (which
normally hosts 3 domains) is now hosting 10 new domains — some of which are hosting
malware.
• Malware file data (pulls in malware file analysis and threat intelligence from Cisco AMP
Threat Grid)
▫▫ Often used to find out if there are any specific malware files associated with a domain,
and also used to query file hashes to see if they’re malicious.

Deployment best practices:


• Identify what logs/sources will include domains and IPs
• Determine which data from Investigate would be most useful for your security analysts
to see in the event details
• Query the API and aggregate Investigate data as close to when the event occurs for
more context
• Determine how the Investigate data should impact the SIEM event scoring
• Spend time on the user experience in your SIEM to make sure the data is presented in a
meaningful way for your analysts
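The fourth best practice above (deciding how Investigate data should move the SIEM event score) is the piece teams most often leave vague. The example below is added here and is not Cisco's code: it folds the categorization status, SecureRank2 and RIP score the brief describes into one priority and ranks a batch of events by it. The response shapes and field names (`status`, `security_categories`, `securerank2`, `rip_score`) are assumptions, and the samples are constructed.

```python
from dataclasses import dataclass, field

# Constructed samples shaped like categorization and security lookups; the
# field names are assumptions, not taken from the brief or the API docs.
SAMPLE_CATEGORIZATION = {
    "bad.example":  {"status": -1, "security_categories": ["Malware"]},
    "new.example":  {"status": 0, "security_categories": []},
    "good.example": {"status": 1, "security_categories": []},
}
SAMPLE_SECURITY = {
    "bad.example":  {"securerank2": -80, "rip_score": -50},
    "new.example":  {"securerank2": -10, "rip_score": None},
    "good.example": {"securerank2": 70, "rip_score": 0},
}

# Categorization status: 1 benign, 0 unknown, -1 malicious (assumed encoding).
STATUS_POINTS = {-1: 60, 0: 10, 1: 0}


@dataclass
class Priority:
    score: int                      # 0..100, higher is triaged first
    reasons: list = field(default_factory=list)


def priority_from_investigate(categorization: dict, security: dict) -> Priority:
    """Fold status, SecureRank2 (-100 suspicious .. +100 benign) and RIP score
    (-100 .. 0) into one SIEM priority; only negative scores add points."""
    status = categorization.get("status", 0)
    pri = Priority(STATUS_POINTS.get(status, 10))
    if status == -1:
        pri.reasons.append("malicious: " + ", ".join(categorization.get("security_categories", [])))
    sr2 = security.get("securerank2")
    if sr2 is not None and sr2 < 0:
        pri.score += int(-sr2 * 0.3)        # SecureRank2 of -100 adds 30 points
        pri.reasons.append(f"securerank2={sr2}")
    rip = security.get("rip_score")
    if rip is not None and rip < 0:
        pri.score += int(-rip * 0.1)        # RIP score of -100 adds 10 points
        pri.reasons.append(f"rip_score={rip}")
    pri.score = min(pri.score, 100)
    return pri


def rank_events(events: list, categorization=SAMPLE_CATEGORIZATION,
                security=SAMPLE_SECURITY) -> list:
    """Attach a priority and its reasons to each SIEM event (a dict with a
    'domain' key) and return the batch highest priority first."""
    ranked = []
    for ev in events:
        d = ev["domain"]
        pri = priority_from_investigate(categorization.get(d, {}), security.get(d, {}))
        ranked.append({**ev, "priority": pri.score, "reasons": pri.reasons})
    return sorted(ranked, key=lambda e: e["priority"], reverse=True)
```

A domain with no Investigate data at all lands at the "unknown" baseline rather than zero, so events the enrichment could not resolve are not silently buried.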

Sample flow
Objective is to answer:
• What is known about this domain/IP/file hash?
• How should this event be prioritized?
• What else is known about the IP address/network it’s connected with?

1. Pull in logs to the SIEM from:
▫▫ Security controls: firewall, IDS/IPS, other network security; web security/proxy; endpoint security (AV, EDR, VPN, etc.)
▫▫ Network infrastructure: routers/switches, domain controllers, wireless, access points, application servers, databases, intranet applications
2. Query the Investigate API with the file hashes and source/destination domains and IPs from those logs
3. Enrich with context from Investigate:
▫▫ SecureRank2, RIP, and Threat Grid file scores
▫▫ Malicious domains hosted on the same IP
▫▫ Malicious co-occurrences
▫▫ Malware samples calling out to the domain/IP
4. Enrich events and prioritize them based on the results from Investigate (and other sources)
5. Triage incidents for analysts based on SIEM scores; use the Investigate console for interactive investigations & additional research



Threat Intelligence Platform (TIP)
Use cases:
• Enrich other threat intelligence with real-time, internet-wide context: Security teams
need intelligence based on a real-time view of what’s happening out on the internet, along
with historical context from past attacks.
• Speed up incident investigations: By enriching your TIP with intelligence from Investigate,
IR teams can see a correlated view from multiple sources during an investigation.

Types of data from Investigate:


Note: there are many different types of data you can leverage from the Investigate API.
These are some of the most commonly used by customers:
• Co-Occurrences (shows other domains that were queried right before or after a given
domain and are likely related)
▫▫ Often used to uncover other domains that may be related to the same attack but are
hosted on completely separate networks.
• All domains hosted on an IP (shows all domains that share a common IP)
▫▫ Often used to find other domains that may be related and should be further investigated.
• Passive DNS (shows the history of domain-to-IP mappings)
▫▫ Often used to see if anything suspicious happened with the domain or IP. For example,
you might find the IP address is constantly changing (fast flux) or find the IP (which
normally hosts 3 domains) is now hosting 10 new domains — some of which are hosting
malware.

Deployment best practices:


• Identify what intelligence sources will include domains, IPs, email addresses, or file hashes
• Figure out which data from Investigate would be most useful for your security analysts to
see in the TIP
• Determine how the Investigate data should impact the TIP scoring

Sample flow
Objective is to:
• Enrich threat intelligence with real-time, internet-wide context

1. Threat feeds from multiple sources (commercial or homegrown) come in to the TIP as domains, IPs, email addresses, and file hashes
2. The TIP queries the Investigate API
3. Enrich with context from Investigate:
▫▫ Co-occurrences
▫▫ Domains that share a common IP
▫▫ Passive DNS data
▫▫ And more
4. Analysts start with the TIP when researching threats and incidents
5. Use the Investigate console for interactive investigations & additional research



Proactive alerting on phishing domains
Use cases:
• Proactively identify malicious domains impersonating your brand name for a phishing campaign:
Use regular expressions (regex) to search against the data in Investigate for domains that contain your
brand name (or other terms you want to look for). Identify any domains that contain the term and have been
newly queried in the past 30 days, 7 days, or 24 hours. Then you can proactively uncover domains that
might be impersonating your brand and may be used in a future attack on employees or customers.

Types of data from Investigate:


Note: there are many different types of data you can leverage from the Investigate API. These are some of
the most commonly used by customers:
• Domains (shows the domains that match the regex search)
▫▫ Used to identify the domains to further investigate.
• Categorization (shows the status and categorization of the domain)
▫▫ Often used by security teams as an initial classifier to determine if a domain/IP is good, unknown, or bad.
• Scores (there are several scores that help rate the potential risk of the domain/IP)
▫▫ For example:
▫▫ SecureRank2: this score is designed to identify domains that are requested by known infected clients,
but never requested by clean clients, assuming these domains are more likely to be bad. Scores range
from -100 (suspicious) to +100 (benign).
▫▫ RIP Score: the IP reputation score is designed to rate the IP address based on the amount of malicious
activity hosted on the IP. Scores range from -100 to 0; with -100 being very suspicious.
• WHOIS record data (includes the email address used to register the domain, associated nameserver,
historical information, etc.)
▫▫ Often used to find out more about the history of the domain and the registrant, including whether the
email address was used to register other malicious domains.

Deployment best practices:


• Identify what terms you want to search for and create regular expressions
• Determine where you want the results/alerts to go (e.g. SIEM, IT ticketing system, etc.)
• Choose a time interval to query the regex with the Investigate API (e.g. every 6 hours)
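The three best practices above leave two details to the integrator: building a regex that matches brand terms literally, and sorting matches into the 30-day, 7-day and 24-hour "newly seen" buckets the use case describes. This example is added here and is not Cisco's code; it assumes pattern-search matches carry `name`, `firstSeen` (milliseconds since the epoch) and `securityCategories` fields, and the sample matches are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# The "newly seen" windows from the use case, narrowest first.
WINDOWS = [("24h", timedelta(hours=24)), ("7d", timedelta(days=7)), ("30d", timedelta(days=30))]


def brand_pattern(terms):
    """One alternation for the pattern search; escaping keeps a dotted term
    such as 'acme.co' from also matching 'acmeXco'."""
    return "(" + "|".join(re.escape(t) for t in terms) + ")"


def newest_window(first_seen_ms, now):
    """Label of the narrowest window containing firstSeen, or None if the
    domain was first seen more than 30 days ago."""
    seen = datetime.fromtimestamp(first_seen_ms / 1000, tz=timezone.utc)
    age = now - seen
    for label, span in WINDOWS:
        if age <= span:
            return label
    return None


def triage(matches, now):
    """Keep matches first seen within 30 days, flag those already in a
    security category, and order flagged-then-newest for the analyst queue."""
    rows = []
    for m in matches:
        window = newest_window(m["firstSeen"], now)
        if window is None:
            continue
        rows.append({"domain": m["name"], "window": window,
                     "flagged": bool(m.get("securityCategories"))})
    order = {label: i for i, (label, _) in enumerate(WINDOWS)}
    return sorted(rows, key=lambda r: (not r["flagged"], order[r["window"]], r["domain"]))


# Constructed sample shaped like a pattern-search response; the field names
# 'name', 'firstSeen' and 'securityCategories' are assumptions.
NOW = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)


def _ms(dt):
    return int(dt.timestamp() * 1000)


SAMPLE_MATCHES = [
    {"name": "acme-login-secure.example", "firstSeen": _ms(NOW - timedelta(hours=3)), "securityCategories": ["Phishing"]},
    {"name": "acme-support.example", "firstSeen": _ms(NOW - timedelta(days=3)), "securityCategories": []},
    {"name": "myacme.example", "firstSeen": _ms(NOW - timedelta(days=20)), "securityCategories": []},
    {"name": "oldacme.example", "firstSeen": _ms(NOW - timedelta(days=45)), "securityCategories": []},
]
```

Run `triage(SAMPLE_MATCHES, NOW)` on each scheduled query; a domain already flagged with a security category and first seen in the last 24 hours sorts to the top of the queue, while anything older than 30 days drops out.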

Sample flow
Objective is to:
• Identify newly seen domains that contain certain terms that may be used to target employees or customers in phishing campaigns

1. Run the pattern search (regex) query against the Investigate API every 6 hours
2. Enrich with context from Investigate:
▫▫ Newly seen domains that match the regex search
▫▫ Reputation scores
▫▫ Categorization
▫▫ WHOIS record data
3. Results feed into a triage queue in the SIEM or IT ticketing system for analysts to research and take action if needed
4. Use the Investigate console for interactive investigations & additional research

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the
U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the
property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
