ZeroFOX Enterprise and Cisco Umbrella Integration Overview
With integration between ZeroFOX Enterprise and Cisco Umbrella, security officers and administrators are now able to extend protection against today's social media-based threats to roaming laptops, tablets or phones while also providing another layer of enforcement to a distributed corporate network.
This guide outlines how to configure ZeroFOX Enterprise to communicate with Umbrella so security events from ZeroFOX are integrated into policies that can be applied to clients protected by your Cisco Umbrella.
Cisco Umbrella and ZeroFox Integration: How does it work?
ZeroFOX Enterprise will push threats that it has found, such as social media-based cyber threats including targeted malware, phishing, social engineering, impersonations and other fraudulent or malicious activity, to Cisco Umbrella for global enforcement.
Umbrella then validates the threat to ensure it can be added to a policy. If the information from ZeroFOX is confirmed to be a threat, the domain address is added to the ZeroFOX Destination List as part of a security setting that can be applied to any Umbrella policy. That policy is immediately applied to any requests being made from devices assigned to that policy.
Going forward, Cisco Umbrella automatically parses ZeroFOX alerts and adds malicious sites to the ZeroFOX Destination List—extending ZeroFOX intelligence to all remote users and devices and providing another layer of enforcement to your corporate network.
This is achieved through these simple setup steps:
Enable the integration in Umbrella to generate an API token.
Paste this token into your ZeroFOX account.
Set ZeroFOX to block under security settings for your desired policy(s).
ZeroFOX Enterprise administrative rights.
Umbrella dashboard administrative rights.
The Umbrella dashboard must have the ZeroFOX integration enabled.
Note: The ZeroFOX integration is only included in the Umbrella Platform package. If you do not have the Platform package and would like to have ZeroFOX integration, please contact your Cisco Umbrella representative. If you have the Platform package but do not see ZeroFOX as an integration for your dashboard, please contact Technical Support.
Important: While Umbrella tries its best to validate and allow domains which are known to be generally safe (for example, Google and Salesforce), to avoid any unwanted interruptions, we suggest adding any domains you never wish to have blocked to the Global Allow List or other destination lists as per your policy.
- The home page for your organization. For example, mydomain.com
- Domains representing services you provide that might have both internal and external records. For example, mail.myservicedomain.com and portal.myotherservicedomain.com
- Lesser-known cloud applications you depend on heavily that Umbrella may not be aware of or include in their automatic domain validation. For example, localcloudservice.com
These domains should be added to the Global Allow List, which is found at Policies > Destination Lists in Umbrella https://dashboard.umbrella.com/o/ORGID/#/policies/components/destinationlists
Step 1: Umbrella Script and API Token Generation
- Log into your Umbrella dashboard as an Admin, navigate to Settings > Integrations and click ZeroFOX in the table to expand it.
- Check Enable and then click Save. This generates a unique URL with your customer key.
You'll need the URL later when you're configuring ZeroFOX, so copy the URL and go to your ThreatQ dashboard.
Step 2: Setup your ZeroFOX Enterprise dashboard to send information to Umbrella
The next step is to add the URL you copied in step one to the ZeroFOX dashboard.
- Click the gear icon in the Zerofox dashboard, then select Account Settings.
- Scroll down the integration list until you see the OpenDNS Account information and paste the URL from Umbrella into the OpenDNS Server URL field.
- It is recommended that upon first enablement of the integration that you check Targeted Data Only.
Step 3: Setting up ZeroFOX events to be blocked within Umbrella
- Log back into your Umbrella dashboard as an Administrator.
- Navigate to Settings > Integrations and click on ZeroFOX in the table to expand it.
- Click See Domains.
This expands a list of domains that should include the last few hours of events from your ZeroFOX account. From that point on, a searchable list begins to be populated and grow.
The next step is to observe and audit the events added to your new ZeroFOX Security Category.
Observing Events Added to the ZeroFOX Security Category in ‘Audit Mode’
The events from ZeroFOX Enterprise will begin to populate a specific destination list that can be applied to policies as a ZeroFOX security category. By default, the destination list and the security category are in 'audit mode' and are not applied to any policies and will not result in any change to your existing Umbrella policies.
Note: ‘Audit’ mode can be enabled for however long is necessary based on your deployment profile and network configuration.
Review Destination List
You can review the ZeroFox Destination List at any time.
- Navigate to Settings > Integrations.
- Expand ZeroFOX in the table and click See Domains.
Review Security Settings for a Policy
You can review the security setting that can be enabled for a policy at any time.
- Navigate to Policies > Security Settings.
- Click a security setting in the table to expand it and scroll to Integrations to locate the ZeroFOX setting.
You can also review integration information through the Security Settings Summary page.
Applying the ZeroFOX Security Settings in Block Mode to a Policy for Managed Clients
Once you're ready to have these additional security threats enforced against by clients managed by Umbrella, simply change the security setting on an existing policy, or create a new policy that sits above your default policy to ensure it is enforced first.
- Navigate to Policies > Security Settings and under Integrations, check ZeroFOX and click Save.
Next, in the Policy wizard, add a security setting to the policy you're editing:
- Navigate to Policies > Policy List.
- Expand a policy and click Edit under Security Setting Applied.
- In the Security Settings pull-down, select a security setting that includes the ThreatConnect setting.
The shield icon under Integrations updates to blue.
- Click Set & Return.
ZeroFOX domains contained within the security setting for ZeroFOX will be blocked for those identities using that policy.
Reporting Within Umbrella for ZeroFOX Events
Reporting on ZeroFOX Security Events
The ZeroFOX Destination List is one of the security categories lists you can report on. Most or all of the reports use the Security Categories as a filter. For instance, you can filter security categories to only show ZeroFOX related activity.
- Navigate to Reporting > Activity Search and under Security Categories select ZeroFOX to filter the report to only show the security category for ZeroFOX.
Note: If ZeroFOX integration is disabled, it will not appear in the Security Categories filter.
- Click Apply.
Reporting on When Domains Were Added to the ZeroFOX Destination List
The Umbrella Admin Audit log includes events from your ZeroFOX account as it adds domains to the destination list.
The Umbrella Admin Audit log can be found at Reporting > Admin Audit Log. In order to report on when a domain was added, filter to only include ZeroFOX changes by applying a filter to Identities & Settings for the ZeroFox Destination List.
Once you run the report, you should see a list of the changes made when the ZeroFOX Destination List was added to from the integration.
Handling Unwanted Detections or False Positives
Managing an Allow List for Unwanted Detection
Although unlikely, it is possible that domains added automatically by ZeroFOX could potentially trigger an unwanted block that would cause your users to be blocked from accessing particular websites. In a situation like this, we recommend adding the domain(s) to an allow list, which takes precedence over all other types of block lists, including security settings. An allow list takes precedence over a block list when a domain is present in both.
There are two reasons that this approach is preferable. First, in case the ZeroFOX appliance was to re-add the domain again after it was removed, the allow list safeguards against this causing further issues. Secondly, the allow list shows a historical record of problematic domains that can be used for forensics or audit reports.
By default, there is a Global Allow List that is applied to all policies. Adding a domain to the Global Allow List results in the domain being allowed in all policies.
If the ZeroFOX security setting in block mode is only applied to a subset of your managed Umbrella identities (for instance, it's only applied to roaming computers and mobile devices), you can create a specific allow list for those identities or policies.
To create an allow list:
- Navigate to Policies > Destination Lists, click the (Add) icon.
- Select Allow, and add your domain to the list.
- Click Save.
Once the destination list has been saved, you can add it to an existing policy covering those clients that have been affected by the unwanted block.
Deleting Domains from the ZeroFOX Destination List
Next to each domain name in the ZeroFOX Destination List is a (Delete) icon. Deleting domains lets you clean up the ZeroFOX Destination List in the event of an unwanted detection.
However, the delete is not permanent if ZeroFOX resends the domain to Umbrella.
To delete a domain:
- Navigate to Settings > Integrations, then click ZeroFOX to expand it.
- Click See Domains.
- Search for the domain name you want to delete.
- Click the Delete icon.
- Click Close.
- Click Save.
In the instance of an unwanted detection or false positive, we recommend creating an allow list in Umbrella immediately and then remediating the false positive within ZeroFOX. Later, you can remove the domain from the ZeroFOX Destination List.