Cisco AMP Threat Grid – Cloud and Cisco Umbrella Integration Overview
With the integration between Cisco AMP Threat Grid – Cloud and Cisco Umbrella, security teams can extend their visibility and enforce protection against advanced threats on roaming laptops, tablets and phones, while also adding another layer of enforcement to a distributed corporate network.
This guide outlines how to configure Cisco AMP Threat Grid – Cloud to communicate with Umbrella so that threat intelligence generated by Cisco AMP Threat Grid – Cloud can be automatically integrated into policies that can be applied to clients protected by your Cisco Umbrella.
Prerequisites
- A functional AMP Threat Grid – Cloud dashboard with access to your account's API key. Note: AMP Threat Grid appliances and endpoint deployments are not supported at this time.
- Umbrella dashboard administrative rights.
- The Umbrella dashboard must have the Cisco AMP Threat Grid integration enabled.
Note: The Cisco AMP Threat Grid integration is only included in the Umbrella Platform package. If you do not have the Platform package and would like to have Cisco AMP Threat Grid integration, please contact your Cisco Umbrella representative. If you have the Platform package but do not see Cisco AMP Threat Grid as an integration for your dashboard, please contact Technical Support.
Cisco Umbrella and Cisco AMP Threat Grid: How Does it Work?
Umbrella reaches out to the AMP Threat Grid API and retrieves lists of domains generated from the analysis of malicious samples. Umbrella then imports this list via the Cisco Umbrella Enforcement API. This approach differs from other similar integrations: Umbrella pulls the threat intelligence by querying the Cisco AMP Threat Grid API, rather than accepting events pushed into the Umbrella service by other systems.
Umbrella then validates the threat to ensure it can be added to your policy. If the information from Cisco AMP Threat Grid is confirmed to be a threat or is not a known good domain, the domain address is added to the Cisco AMP Threat Grid Destination List as part of a security setting that can be applied to any Umbrella policy. That policy is immediately applied to any requests being made from devices using policies leveraging the Cisco AMP Threat Grid integration.
Umbrella pulls two separate feeds from Cisco AMP Threat Grid, a Public (global) feed, and a Customer Only (private, specific to a single customer) feed.
Important: While Umbrella tries its best to validate and allow domains that are known to be generally safe (for example, Google and Salesforce), to avoid any unwanted interruptions, we suggest adding any domains you never wish to have blocked to the Global Allow List or other destination lists as per your policy.
- The home page for your organization. For example, mydomain.com
- Domains representing services you provide that might have both internal and external records. For example, mail.myservicedomain.com and portal.myotherservicedomain.com
- Lesser-known cloud applications you depend on heavily that Umbrella may not be aware of or include in their automatic domain validation. For example, localcloudservice.com
These domains should be added to the Global Allow List, which is found at Policies > Destination Lists in Umbrella https://dashboard2.opendns.com/#configuration/policysettings/domainlists
How to configure your Umbrella dashboard to obtain information from Cisco AMP Threat Grid
The first step is to find or generate the API key in your Cisco AMP Threat Grid dashboard.
- Log into your Cisco AMP Threat Grid dashboard, and select your account details.
- Under your Account Details, an API key may already be visible if you've created one already. If you haven't, click Generate New API Key.
Your API key should then be visible under User Details > API Key.
Next, you'll want to add the API key to the Umbrella dashboard in order for it to pull data from Cisco AMP Threat Grid.
- Log into your Umbrella dashboard, navigate to Settings > Integrations and click Cisco AMP Threat Grid in the table to expand it.
- Check Enable, paste your API Key into the API Key box and then click Save.
At this point, if you receive an error, there is likely a problem with your API key or communications between the services. Check your API key and try again, and if it still fails contact Technical Support.
If you receive a success message, it indicates that the Umbrella service was able to use the API key to make an initial connection to the Cisco AMP Threat Grid API. The Umbrella service uses a polling interval of five minutes to retrieve data from AMP Threat Grid.
Even after the first five-minute interval, nothing may appear if Threat Grid has no valid data or threat events for Umbrella to pull. When the integration is first enabled, it starts by looking back five minutes for both the global and org-only feeds, and the first data arrives at the next five-minute interval, so domains may not appear immediately.
If the API key is deactivated or removed on the Cisco AMP Threat Grid side, the integration is disabled; to restore it, a new API key must be provided in the Umbrella dashboard. A timeout or internal service error between Umbrella and AMP Threat Grid raises a different kind of exception: the integration is not disabled, and connections continue to be attempted every five minutes, as under normal conditions.
The exact API queries used to pull information from Cisco AMP Threat Grid are listed below. Only indicators of type Domains that meet the severity=90 and confidence=90 thresholds are gathered. The before/after time range in this example is a five-minute window, which is advanced for the next query. The API key provided in Umbrella is used in place of the <key> placeholder:
- Public (global feed): hxxps://panacea.threatgrid.com/api/v2/iocs/feeds/domains?limit=100&offset=0&severity=90&confidence=90&api_key=<key>&before=2015-08-09T08:05:00.000Z&after=2015-08-09T08:00:00.000Z
- Customer Only (private feed): hxxps://panacea.threatgrid.com/api/v2/iocs/feeds/domains?limit=100&offset=0&severity=90&confidence=90&api_key=<key>&before=2015-08-09T08:05:00.000Z&after=2015-08-09T08:00:00.000Z&org_only=true
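As an added illustration (this is not Cisco's code and is not part of the original page), the following Python models the polling behaviour described above: it builds the public and org-only feed queries for one five-minute window, advances the window for the next poll, applies the severity/confidence thresholds and the allow-list and known-good exclusions from the Important note above, and distinguishes a rejected API key (integration disabled until a new key is saved) from a timeout (keep polling every five minutes). The JSON response shape, the HTTP 401/403 status for a revoked key, and the sample feed items are assumptions constructed for the example; `fetch` is injected so the code runs offline.

```python
"""Offline model of the Umbrella -> Threat Grid polling loop (illustration only).

Assumed, not taken from the page: the feed's JSON response shape, that a
revoked key answers HTTP 401/403, and the constructed sample items below.
"""
import json
from datetime import datetime, timedelta, timezone

FEED_BASE = "https://panacea.threatgrid.com/api/v2/iocs/feeds/domains"
POLL_INTERVAL = timedelta(minutes=5)
SEVERITY_MIN = 90      # thresholds from the page's example query strings
CONFIDENCE_MIN = 90
EXAMPLE_WINDOW_END = datetime(2015, 8, 9, 8, 5, tzinfo=timezone.utc)


def _iso(ts: datetime) -> str:
    """Timestamp in the form the page's example URLs use (UTC, .000Z)."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_feed_url(api_key: str, window_end: datetime, org_only: bool = False,
                   limit: int = 100, offset: int = 0) -> str:
    """Reproduce the page's query for the five-minute window ending at window_end."""
    params = [
        ("limit", limit), ("offset", offset),
        ("severity", SEVERITY_MIN), ("confidence", CONFIDENCE_MIN),
        ("api_key", api_key),
        ("before", _iso(window_end)), ("after", _iso(window_end - POLL_INTERVAL)),
    ]
    if org_only:
        params.append(("org_only", "true"))   # customer-only (private) feed
    return FEED_BASE + "?" + "&".join(f"{k}={v}" for k, v in params)


def _covered(domain: str, entries) -> bool:
    """True if domain equals, or is a subdomain of, any listed entry."""
    d = domain.lower().rstrip(".")
    return any(d == e or d.endswith("." + e) for e in (x.lower() for x in entries))


def extract_domains(body: str, allow_list, known_good) -> list:
    """Parse one feed page and return the domains that would be added.

    Assumed shape: {"data": {"items": [{"domain": .., "severity": .., "confidence": ..}]}}.
    Items below the thresholds, allow-listed domains and known-good domains
    are dropped; the remainder is de-duplicated and sorted.
    """
    items = json.loads(body).get("data", {}).get("items", [])
    keep = set()
    for it in items:
        dom = it.get("domain")
        if not dom or it.get("severity", 0) < SEVERITY_MIN or it.get("confidence", 0) < CONFIDENCE_MIN:
            continue
        if _covered(dom, allow_list) or _covered(dom, known_good):
            continue
        keep.add(dom.lower())
    return sorted(keep)


def poll_cycle(fetch, api_key: str, window_end: datetime, allow_list, known_good) -> dict:
    """One polling pass over the public and org-only feeds.

    fetch(url) returns (http_status, body_text) or raises TimeoutError.
    "action" is "disable" (key rejected: integration off until a new key is
    saved), "retry" (timeout/service error: try again next interval) or
    "ok" (domains collected, window advances by five minutes).
    """
    found = set()
    for org_only in (False, True):
        url = build_feed_url(api_key, window_end, org_only=org_only)
        try:
            status, body = fetch(url)
        except TimeoutError:
            return {"action": "retry", "domains": [], "next_window": window_end + POLL_INTERVAL}
        if status in (401, 403):                      # assumption: revoked/removed key
            return {"action": "disable", "domains": [], "next_window": None}
        if status != 200:                             # internal service error: keep polling
            return {"action": "retry", "domains": [], "next_window": window_end + POLL_INTERVAL}
        found.update(extract_domains(body, allow_list, known_good))
    return {"action": "ok", "domains": sorted(found), "next_window": window_end + POLL_INTERVAL}


# Constructed sample data (not real Threat Grid output).
ALLOW_LIST = ["mydomain.com", "mail.myservicedomain.com"]
KNOWN_GOOD = ["google.com", "salesforce.com"]
SAMPLE_BODY = json.dumps({"api_version": 2, "data": {"items": [
    {"domain": "bad-c2.example", "severity": 95, "confidence": 100, "sample": "s1"},
    {"domain": "bad-c2.example", "severity": 95, "confidence": 100, "sample": "s2"},
    {"domain": "www.google.com", "severity": 100, "confidence": 95, "sample": "s3"},
    {"domain": "mail.myservicedomain.com", "severity": 92, "confidence": 90, "sample": "s4"},
    {"domain": "low-score.example", "severity": 80, "confidence": 100, "sample": "s5"},
    {"domain": "dropper.example", "severity": 90, "confidence": 90, "sample": "s6"},
]}})
EMPTY_BODY = json.dumps({"api_version": 2, "data": {"items": []}})


def fake_fetch(url: str):
    """Stand-in for HTTPS: the org-only feed is empty, the public feed has samples."""
    return (200, EMPTY_BODY if "org_only=true" in url else SAMPLE_BODY)


if __name__ == "__main__":
    print(poll_cycle(fake_fetch, "<key>", EXAMPLE_WINDOW_END, ALLOW_LIST, KNOWN_GOOD))
```

Running the block prints the two domains that survive filtering (`bad-c2.example` and `dropper.example`) together with the next window boundary; the duplicate entry, the sub-threshold item, the Google subdomain and the allow-listed mail host are all dropped, which is the behaviour the Important note relies on.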
Observing events added to the Cisco AMP Threat Grid in 'audit mode'
Over time, the events from Cisco AMP Threat Grid will begin to populate a specific destinations list that can be applied to policies as the Cisco AMP Threat Grid Security Category. By default, the destination list and the security category are in 'audit mode' and are not applied to any policies, and thus will not result in any requests being blocked, though you will be able to see what requests are associated (and could have been blocked) by the Cisco AMP Threat Grid Security Category.
Note: ‘Audit’ mode can be enabled as long as necessary, or even indefinitely, depending on your deployment profile and network configuration.
Review destination list
You can review the Cisco AMP Threat Grid Destination List at any time.
- Navigate to Settings > Integrations.
- Expand Cisco AMP Threat Grid in the table and click See Domains.
Review security settings for a policy
You can review the security setting that can be enabled for a policy at any time.
- Navigate to Policies > Security Categories.
- Click a security setting in the table to expand it and scroll to Integrations to locate the Cisco AMP Threat Grid setting.
When getting started, it's best to leave this security setting set to Allow (default) so that domains populate correctly in 'audit' mode.
Note: It may take up to five minutes to apply settings, and if no new events are being ingested into the Cisco AMP Threat Grid system, you may not see new domains being added to your integration.
Applying the AMP Threat Grid security setting in block mode to a policy for managed clients
Once you're ready to have these domains blocked for clients managed by Umbrella, simply change the security setting on an existing policy, or create a new policy that sits above your default policy to ensure it is enforced first.
First, create or update an existing Security Setting. Navigate to Policies > Security Categories. You can edit the default security settings to enable the AMP Threat Grid security Category in block mode or create a new security setting with the Cisco AMP Threat Grid enabled in block mode.
Simply click the icon to change the security setting for Cisco AMP Threat Grid from Allow to Block.
Next, in the Policy wizard, add a security setting to the policy you're editing:
- Navigate to Policies > Policy List.
- Expand a policy.
- Click the Select Policy Settings tab.
- In the Security Settings to enforce pull-down, select a security setting that includes the Block for AMP Threat Grid setting.
- Click Save.
Note: It’s possible to edit your Security Settings from the Policy wizard if you so choose.
Complete and save the policy, and the AMP Threat Grid domains contained within the Security Setting for Cisco AMP Threat Grid are blocked for those identities using the policy.
Reporting within Umbrella for AMP Threat Grid Events
Reporting on AMP Threat Grid Security Events
The AMP Threat Grid Destination List is one of the security categories available as a filter in reports about which domains were blocked. For instance, to see the activity for website addresses that were blocked by the Cisco AMP Threat Grid Destination List, navigate to Reporting > Activity Search. Apply a filter to only show the Security Category for Cisco AMP Threat Grid and then click Run Report to see the activity for the time period selected in the report.
Note: If Threat Grid integration is disabled, it will not appear in the Security Categories filter.
To run a report of the security activity associated with domains originating from the AMP Threat Grid dashboard, navigate to Reporting > Activity Search and run the report for only that category, as in the example above.
Reporting on when domains were added to the AMP Threat Grid Destination List
The Umbrella Admin Audit Log records an event each time the AMP Threat Grid integration adds a domain to the destination list. The events are generated by a user named "Cisco AMP Threat Grid Domain List", which is also branded with the Cisco logo, and include the domain that was added and the time it was added.
Clicking an Admin Audit Log entry expands it to show details, including the specific domain that was added.
You can restrict the log to AMP Threat Grid changes by applying a filter for the "Cisco AMP Threat Grid Domain List" user.
Handling unwanted detections or false positives
Two types of AMP Threat Grid detections and their resolutions
There are currently two types of Cisco AMP Threat Grid blocks, each with its own way of resolving an unwanted detection:
- Global Threat Grid entry (Public). At this time the only method to allow the domain is to add it to your allow list.
- Customer only feed (Private). May be addressed with an allow list entry or deleting from the AMP Threat Grid integration list.
Although unlikely, a domain added automatically from your AMP Threat Grid feed could trigger an unwanted detection that blocks your users from a website they need. In that situation, we recommend adding the domain(s) to an allow list (Policies > Destination Lists), which takes precedence over all other types of block lists, including security settings.
There are two reasons this approach is preferred. First, if the AMP Threat Grid feed re-adds the domain after it has been removed, the allow list prevents it from causing further issues. Second, the allow list provides a historical record of problematic domains that can be used for forensic or audit reports.
By default, there is a Global Allow List that is applied to all policies. Adding a domain to the Global Allow List results in the domain being allowed in all policies.
If the AMP Threat Grid security setting in block mode is only applied to a subset of your managed Umbrella identities (for instance, it's only applied to roaming computers and mobile devices), you can create a specific allow list for these identities or policies.
To create an allow list:
- Navigate to Policies > Destination Lists, click the Add icon and select Add Allow List.
- Give the list a meaningful name and add your domain to the list.
- Click Save.
Once the list has been saved, you can add it to an existing policy covering those clients that have been affected by the unwanted block.
Deleting domains from AMP Threat Grid Destination List
Next to each domain name in the AMP Threat Grid Destination List is a (Delete) icon. Deleting a domain lets you clean up the AMP Threat Grid Destination List after an unwanted detection.
Note that the deletion is not permanent: if the AMP Threat Grid feed resends the domain to Umbrella, it is added again, which is why an allow-list entry is the reliable fix.
- Navigate to Settings > Integrations, then click Cisco AMP Threat Grid to expand it.
- Click See Domains.
- Search for the domain name you want to delete.
- Click the (Delete) icon.
- Click Close.
- Click Save.
In the instance of an unwanted detection or false positive, we recommend creating an allow list in Umbrella immediately and then remediating the false positive within the AMP Threat Grid dashboard. Later, you can remove the domain from the AMP Threat Grid Destination List.