Cisco Umbrella

Enterprise network security

Products & Services

Now available: Umbrella reporting API & management API

By Negisa Taymourian

When we built Umbrella, we wanted everything — from deployment to interacting with the dashboard — to be a delightful experience for our users. But sometimes delivering a great user experience has nothing to do with Umbrella itself, but how we can build Umbrella to work with our customers own tools and workflows. That’s where APIs come in.

Today, we have APIs that do some pretty amazing things, such as add more value to existing products and make the deployment of Umbrella across a Meraki network even easier. In the future, we want to extend the capabilities of Umbrella even further — by allowing our customers to do anything they currently do in our product via API. We’re excited to announce two new APIs that bring us closer to that goal — the reporting API and management API.

Reporting API

When investigating suspicious domains, time is of the essence. Analysts need to be able to gather information fast— and accessing it needs to be easy. Analysts need to be able to effectively filter through massive amounts of data and identify the relevant security events. But this is often difficult to do since only a minute portion of all events are related to a security event.

The new reporting API enables security teams to quickly extract key events from Umbrella and easily access the events via their SIEM, TIP or any other security orchestration tool. The API significantly improves search for risky domains by allowing analysts to view Umbrella events and queries tied to known malicious and suspicious domains, as well as relevant data from other security tools all on a single pane of glass.

In addition, the API allows analysts to be able to easily evaluate the level of exposure to a malicious or suspicious domain by reviewing a snapshot of key details such as total volume of DNS resolutions for the domain and the specific users affected within their network.

Customers can also use the reporting API to integrate their Umbrella data with other threat intelligence in Cisco Threat Response. The reporting API is now available for customers with any Cisco Umbrella enterprise package.

Management API

We developed the management API to provide direct customers, multi-org users, SPs, MSPs, and MSSPs with the ability to manage Umbrella at scale. The new management API enables customers to automate processes and aggregate customer data and management. Administrators can easily complete tasks such as creating, reading, updating, or deleting identities using their own internal tools.
What does this look like in the real world?

Super Secure, Inc. is a (fictitious) MSSP with (real) challenges — they needed a streamlined way to manage Umbrella that fit into their unique workflows. With the management API, they can complete a number of tasks quickly and easily using a single pane of glass approach.

Let’s look at an example:

  1. New customer provisioned by the Super Secure, Inc. via API.
  2. Internal script is able to check that all customers are sending traffic.
  3. A new router is provisioned that doesn’t point DNS to Umbrella.
  4. MSSP is notified immediately within their internal tool and remediates.

This is just one example. We’re looking forward to the many ways customers will take advantage of the API. To learn more about configuring the management API, read the technical documentation.

Stay tuned for more updates around our API journey next month.

Resources:
Umbrella APIs overview
Management API – technical documentation