Cisco Umbrella: Cisco AMP Threat Grid – Cloud Integration Setup Guide

Cisco AMP Threat Grid – Cloud and Cisco Umbrella Integration Overview

With the integration between Cisco AMP Threat Grid – Cloud and Cisco Umbrella, security teams are now able to extend their visibility and enforce protection against today's advanced threats to roaming laptops, tablets or phones while also providing another layer of enforcement to a distributed corporate network. More info here.

This guide outlines how to configure Cisco AMP Threat Grid – Cloud to communicate with Umbrella so that threat intelligence generated by Cisco AMP Threat Grid – Cloud can be automatically integrated into policies that can be applied to clients protected by your Cisco Umbrella.

Prerequisites

• A functional AMP Threat Grid – Cloud dashboard with access to your account's API key.
  Note: AMP Threat Grid appliances and endpoint are not supported at this time.

• Umbrella dashboard administrative rights.

• The Umbrella dashboard must have the Cisco AMP Threat Grid integration enabled.
  Note: The Cisco AMP Threat Grid integration is only included in the Umbrella Platform package. If you do not have the Platform package and would like to have Cisco AMP Threat Grid integration, please contact your Cisco Umbrella representative. If you have the Platform package but do not see Cisco AMP Threat Grid as an integration for your dashboard, please contact Support.

Cisco Umbrella and Cisco AMP Threat Grid: How Does it Work?

Umbrella reaches out to the AMP Threat Grid's API and retrieves lists of domains that are generated from the analysis of malicious samples. Umbrella then imports this list via the Cisco Umbrella Enforcement API. This approach is different than how other similar integrations work in that Umbrella pulls the threat intelligence in by making API queries to the Cisco AMP Threat Grid API, rather than accepting incidents from other systems that push threat intelligence into the Umbrella service.

Umbrella then validates the threat to ensure it can be added to your policy. If the information from Cisco AMP Threat Grid is confirmed to be a threat or is not a known good domain, the domain address is added to the Cisco AMP Threat Grid Destination List as part of a security setting that can be applied to any Umbrella policy. That policy is immediately applied to any requests being made from devices using policies leveraging the Cisco AMP Threat Grid integration.

Umbrella pulls two separate feeds from Cisco AMP Threat Grid, a Public (global) feed, and a Customer Only (private, specific to a single customer) feed.

Important: While Umbrella tries its best to validate and allow domains that are known to be generally safe (for example, Google and Salesforce), to avoid any unwanted interruptions, we suggest adding any domains you never wish to have blocked to the Global Allow List or other destination lists as per your policy.

Examples include:

• The home page for your organization. For example, mydomain.com
• Domains representing services you provide that might have both internal and external records. For example, mail.myservicedomain.com and portal.myotherservicedomain.com
• Lesser-known cloud applications you depend on heavily that Umbrella may not be aware of or include in their automatic domain validation. For example, localcloudservice.com

These domains should be added to the Global Allow List, which is found at Policies > Policy Components > Destination Lists.

How to Configure Your Umbrella Dashboard to Obtain Information From Cisco AMP Threat Grid

The first step is to find or generate the API key in your Cisco AMP Threat Grid dashboard.

1. Log into your Cisco AMP Threat Grid dashboard, and select your account details.
2. Under your Account Details, an API key may already be visible if you've created one already. If you haven't, click Generate New API Key.
   
   
   

   Your API key should then be visible under User Details > API Key.

Next, you'll want to add the API key to the Umbrella dashboard in order for it to pull data from Cisco AMP Threat Grid.

1. Log into your Umbrella dashboard, navigate to Policies > Policy Components > Integrations and click Cisco AMP Threat Grid in the table to expand it.
2. Check Enable, paste your API Key into the API Key box and then click Save.
   
   

At this point, if you receive an error, there is likely a problem with your API key or communications between the services. Check your API key and try again, and if it still fails contact Support.

If you receive a success message, it indicates that the Umbrella service was able to use the API key to make an initial connection to the Cisco AMP Threat Grid API. The Umbrella service uses a polling interval of five minutes to retrieve data from AMP Threat Grid.

Even after the five-minute interval, if there is no valid data or valid threat events available to be pulled by the Umbrella dashboard, information may not appear. When the integration is first enabled, it will just start by going back five minutes for both the global and org-only feeds and the first time it gets data will be at the next five-minute interval, so data may not appear immediately.

If the API key on the Cisco AMP Thread Grid side were deactivated or removed, the integration will be disabled. To restore the integration, a new API key must be provided in the Umbrella dashboard. If there is a timeout or internal service error between Umbrella and AMP Threat Grid, a different sort of exception is raised and the integration will not be disabled, but rather connections will continue to be attempted every five minutes as in normal conditions.

Technical Details:

The exact API queries being used to pull information from the Cisco AMP Threat Grid are listed below. Note that only events with a severity greater than 90, a confidence greater than 90 and of the type Domains are being gathered. The time in this example is a five-minute range which is incremented for the next query. The api_key provided in Umbrella is used in place of the <key> variable:

• Public (global feed): hxxps://panacea.threatgrid.com/api/v2/iocs/feeds/domains?limit=100&offset=0&severity=90&confidence=90&api_key=<key>&before=2015-08-09T08:05:00.000Z&after=2015-08-09T08:00:00.000Z

• Customer Only (private feed): hxxps://panacea.threatgrid.com/api/v2/iocs/feeds/domains?limit=100&offset=0&severity=90&confidence=90&api_key=<key>&before=2015-08-09T08:05:00.000Z&after=2015-08-09T08:00:00.000Z&org_only=true

or:

• Public (global feed): hxxps://panacea.threatgrid.eu/api/v2/iocs/feeds/domains?limit=100&offset=0&severity=90&confidence=90&api_key=<key>&before=2015-08-09T08:05:00.000Z&after=2015-08-09T08:00:00.000Z

• Customer Only (private feed): hxxps://panacea.threatgrid.eu/api/v2/iocs/feeds/domains?limit=100&offset=0&severity=90&confidence=90&api_key=<key>&before=2015-08-09T08:05:00.000Z&after=2015-08-09T08:00:00.000Z&org_only=true

Observing Events Added to the Cisco AMP Threat Grid in 'Audit Mode'

Over time, the events from Cisco AMP Threat Grid will begin to populate a specific destinations list that can be applied to policies as the Cisco AMP Threat Grid Security Category. By default, the destination list and the security category are in 'audit mode' and are not applied to any policies, and thus will not result in any requests being blocked, though you will be able to see what requests are associated (and could have been blocked) by the Cisco AMP Threat Grid Security Category.

Note: ‘Audit’ mode can be enabled as long as necessary, or even indefinitely, depending on your deployment profile and network configuration.

Review Destination List

You can review the Cisco AMP Threat Grid Destination List at any time.

1. Navigate to Policies > Policy Components > Integrations.
2. Expand Cisco AMP Threat Grid in the table and click See Domains.

Review Security Settings for a Policy

You can review the security setting that can be enabled for a policy at any time.

1. Navigate toPolicies > Policy Components > Security Settings.
2. Click a security setting in the table to expand it and scroll to Integrations to locate the Cisco AMP Threat Grid setting.
   
   
   
   You can also review integration information through the Security Settings Summary page.
   
   

Applying the AMP Threat Grid Security Setting in Block Mode to a Policy for Managed Clients

Once you're ready to have these domains blocked for clients managed by Umbrella, simply change the security setting on an existing policy, or create a new policy that sits above your default policy to ensure it is enforced first.

1. Navigate toPolicies > Policy Components > Security Settings and under Integrations, check Cisco Amp Threat Grid and click Save.
   
   

Next, in the Policy wizard, add a security setting to the policy you're editing:

1. Navigate to Policies > Management > All Policies.
2. Expand a policy and under Security Setting Applied click Edit .
3. In the Security Settings pull-down, select a security setting that includes the Cisco Amp Threat Grid setting.
   
   
   

   The shield icon under Integrations updates to blue.
   
      4. Click Set & Return.

   AMP Threat Grid domains domains contained within the security setting forCisco AMP Threat Grid will be blocked for those identities using the policy.

Reporting Within Umbrella for AMP Threat Grid Events

Reporting on AMP Threat Grid Security Events

The AMP Threat Grid Destination List is one of the security categories lists you can report on. Most or all of the reports use the Security Categories as a filter. For instance, you can filter security categories to only show AMP Threat Grid related activity.

1. Navigate to Reporting > Core Reports > Activity Search and under Security Categories select Cisco AMP Threat Grid to filter the report to only show the security category for Amp Threat Grid.
   
   Note: If Cisco AMP Threat Grid integration is disabled, it will not appear in the Security Categories filter.
   
   
   
   
2. Click Apply.

Reporting on When Domains Were Added to the AMP Threat Grid Destination List

The Umbrella Admin Audit log includes events from the AMP Threat Grid dashboard as it adds domains to the destination list. A user named “Cisco AMP Threat Grid Domain List”, which is also branded with the Cisco logo, generates the events. These events include the domain that was added and the time when it was added.

Clicking the Admin Audit Log entry expands it to show details, including the specific domain that was added:

You can filter to only include AMP Threat Grid changes by applying a filter for the “Cisco AMP Threat Grid Domain List” user:

Handling Unwanted Detections or False Positives

Two Types of AMP Threat Grid Detections and Two Resolutions

Currently, there are two types of Cisco AMP Threat Grid blocks. One with one possible resolution and a second with one current resolution to an unwanted detection.

1. Global Threat Grid entry (Public).  At this time, the only method to allow the domain is to add it to your allow list.
2. Customer only feed (Private). May be addressed with an allow list entry or deleting from the AMP Threat Grid integration list.

Allow Lists

Although unlikely, it is possible that domains added automatically by your AMP Threat Grid could potentially trigger an unwanted detection that blocks your users from accessing particular websites. In a situation like this, we recommend adding the domain(s) to an allow list (Policies > Destination Lists), which takes precedence over all other types of block lists, including security settings.

There are two reasons why this approach is preferred. First, in case the AMP Threat Grid dashboard was to re-add the domain again after it was removed, the allow list safeguards against this causing further issues. Secondly, the allow list shows a historical record of problematic domains that can be used for forensic or audit reports.

By default, there is a Global Allow List that is applied to all policies. Adding a domain to the Global Allow List results in the domain being allowed in all policies.

If the AMP Threat Grid security setting in block mode is only applied to a subset of your managed Umbrella identities (for instance, it's only applied to roaming computers and mobile devices), you can create a specific allow list for these identities or policies.

To create an allow list:

1. Navigate to Policies > Policy Components > Destination Lists and click Add.
2. Select Allow and add your domain to the list.
3. Click Save.

Once the list has been saved, you can add it to an existing policy covering those clients that have been affected by the unwanted block.

Deleting Domains From AMP Threat Grid Destination List

Next to each domain name in the AMP Threat Grid Destination list is a (Delete) icon. Deleting domains lets you clean up the MP Threat Grid Destination list in the event of an unwanted detection.

The delete is not permanent if the AMP Threat Grid dashboard were to resend the domain to Umbrella.

1. Navigate toPolicies > Policy Components > Integrations and click Cisco AMP Threat Grid to expand it.
2. Click See Domains.
3. Search for the domain name you want to delete.
4. Click the (Delete) icon.
   
   
   
   
5. Click Close.
6. Click Save.

In the instance of an unwanted detection or false positive, we recommend creating an allow list in Umbrella immediately and then remediating the false positive within the AMP Threat Grid dashboard. Later, you can remove the domain from the AMP Threat Grid Destination List.