When it rains it pours…ThreatQ and Cisco Umbrella integration


There have been many published articles that have covered the values and outcomes of leveraging the ThreatQ threat intelligence platform’s Adaptive Workbench. This capability allows our customers to define and customize operations plugins that they find beneficial in their workflows during their threat operations and management efforts. Fellow Rhino Mike Clark demonstrated quite a few operations plugins including Dig, Recorded Future, Neutrino, and Splunk in his recent article, Enriching an Indicator with Operations and Julian DeFronzo featured a Recorded Future Operations Plugin researching NoSQL Ransomware Attacks.

Because an operations plugin theoretically could be produced to interact with any tool that has an exposed and functional API, ThreatQ is able to add context to threat data stored in the ThreatQ Library from several tools produced many best of breed vendors.

Today I want to shine a light on Cisco Umbrella.

As shown in the screenshot below (Figure 1), I have many operations plugins installed to query Cisco Umbrella Investigate and retrieve some interesting context related to the threat data I’m curating within the ThreatQ Threat Library. Cisco Umbrella Investigate contains numerous data points, each of which can be applied to build insight on the reputation or security risk posed by the indicator being researched.

Figure 1: Cisco Umbrella Operations Plugins within the ThreatQ User Interface


For example, when enriching an indicator via Cisco Umbrella, I’m able to immediately find out if the Cisco Security Research Teams have flagged a domain as malicious or not. Any Security Category association such as ‘Malware’ or ‘Botnet’ is also pulled into the ThreatQ threat intelligence platform. Content Categories are also returned (Figure 2).


Figure 2: Enriching a domain via one of the Cisco Umbrella Operations Plugins in ThreatQ


Cisco Umbrella typically provides some Security Scores too (Figure 3) so analysts are able to gain perspective around an indicator’s threat type, the likeliness of a domain name to be algorithmically generated (vs human generated), and even a value indicating how many unique client IPs have visited a domain compared to others. Cisco Umbrella publishes documentation describing their score types here.

Figure 3: Data returned from Cisco Umbrella displayed in the ThreatQ User Interface.

Once an analyst has determined that a domain is enough of a threat that it should be blocked, there’s another Operations Plugin that will immediately add the  indicator to Cisco Umbrella’s Block list so that it can be enforced (Figure 4) .

Figure 4: Adding a domain to be blocked by Cisco Umbrella from the ThreatQ User Interface


Logging into the Cisco Umbrella Dashboard users will easily be able to find the domains sent over for enforcement by ThreatQ (Figure 5).

Figure 5: The blocked domain displayed within the Cisco Umbrella Dashboard.


There are many ways to enrich the reputation or security risk associated with indicators by leveraging Operations Plugins within the ThreatQ threat intelligence platform.  What it rains it pours… so bring an Umbrella.


Blog Archive

About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.
Share This