Cisco Umbrella Investigate
The Umbrella Investigate API provides a complete view of domains in relation to IP and Autonomous System Number (ASN) information.

## Authentication

The Umbrella Investigate API uses HTTPS and bearer token authentication. To get started, log in to Umbrella and create an Investigate API access token.

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token (such as a JWT).

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | The API token provided by Investigate | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Domain Risk Score

The Umbrella Investigate risk score is based on an analysis of the lexical characteristics of the domain name and patterns in queries and requests to the domain.

- **Endpoint URL:** `domains/risk-score/{{domain}}`
- **Method:** `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | required | Parameters for the Domain Risk Score action |

#### Input Example

```json
{"path_parameters": {"domain": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| indicators | array | Output field indicators |
| indicators.indicator | string | Output field indicators.indicator |
| indicators.indicator_id | string | Unique identifier |
| indicators.normalized_score | number | Score value |
| indicators.score | boolean | Score value |
| risk_score | number | Score value |

#### Output Example

```json
{
  "indicators": [
    {"indicator": "Geo Popularity Score", "indicator_id": "Geo Popularity Score", "normalized_score": 2, "score": 3.610878170000001},
    {"indicator": "Keyword Score", "indicator_id": "Keyword Score", "normalized_score": 7, "score": 0.0792360895747578},
    {"indicator": "Lexical", "indicator_id": "Lexical", "normalized_score": 74, "score": 0.749}
  ],
  "risk_score": 5
}
```

### Get Passive DNS History for Domain

Filter for records with security categories.

- **Endpoint URL:** `/pdns/name/{{domain}}`
- **Method:** `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | required | Parameters for the Get Passive DNS History for Domain action |

#### Input Example

```json
{"path_parameters": {"domain": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| records | array | Output field records |
| records.minTtl | number | Output field records.minTtl |
| records.maxTtl | number | Output field records.maxTtl |
| records.firstSeen | number | Output field records.firstSeen |
| records.lastSeen | number | Output field records.lastSeen |
| records.name | string | Name of the resource |
| records.type | string | Type of the resource |
| records.rr | string | Output field records.rr |
| records.securityCategories | array | Output field records.securityCategories |
| records.securityCategories.file_name | string | Name of the resource |
| records.securityCategories.file | string | Output field records.securityCategories.file |
| records.contentCategories | array | Response content |
| records.contentCategories.file_name | string | Name of the resource |
| records.contentCategories.file | string | Response content |
| records.lastSeenISO | string | Output field records.lastSeenISO |
| records.firstSeenISO | string | Output field records.firstSeenISO |
| pageInfo | object | Output field pageInfo |
| pageInfo.hasMoreRecords | boolean | Output field pageInfo.hasMoreRecords |
| pageInfo.offset | number | Output field pageInfo.offset |
| pageInfo.limit | number | Output field pageInfo.limit |
| pageInfo.totalNumRecords | number | Output field pageInfo.totalNumRecords |
| recordInfo | object | Output field recordInfo |
| recordInfo.minTtl | number | Output field recordInfo.minTtl |

#### Output Example

```json
{
  "records": [
    {
      "minTtl": 60,
      "maxTtl": 60,
      "firstSeen": 1668547618,
      "lastSeen": 1674765541,
      "name": "3.219.99.232",
      "type": "A",
      "rr": "www.employed-income-statement.com.",
      "securityCategories": [],
      "contentCategories": [],
      "lastSeenISO": "2023-01-26T20:39Z",
      "firstSeenISO": "2022-11-15T21:26Z"
    },
    {
      "minTtl": 60,
      "maxTtl": 60,
      "firstSeen": 1668623248,
      "lastSeen": 1674765396,
      "name": "3.219.99.232",
      "type": "A",
      "rr": "www.divorce-waiver-form.com.",
      "securityCategories": [],
      "contentCategories": [],
      "lastSeenISO": "2023-01-26T20:36Z",
      ...
```

### Get Passive DNS Results by IP

Filter for records with security categories.

- **Endpoint URL:** `/pdns/ip/{{ip}}`
- **Method:** `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | required | Parameters for the Get Passive DNS Results by IP action |

#### Input Example

```json
{"path_parameters": {"ip": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| records | array | Output field records |
| records.minTtl | number | Output field records.minTtl |
| records.maxTtl | number | Output field records.maxTtl |
| records.firstSeen | number | Output field records.firstSeen |
| records.lastSeen | number | Output field records.lastSeen |
| records.name | string | Name of the resource |
| records.type | string | Type of the resource |
| records.rr | string | Output field records.rr |
| records.securityCategories | array | Output field records.securityCategories |
| records.securityCategories.file_name | string | Name of the resource |
| records.securityCategories.file | string | Output field records.securityCategories.file |
| records.contentCategories | array | Response content |
| records.contentCategories.file_name | string | Name of the resource |
| records.contentCategories.file | string | Response content |
| records.lastSeenISO | string | Output field records.lastSeenISO |
| records.firstSeenISO | string | Output field records.firstSeenISO |
| pageInfo | object | Output field pageInfo |
| pageInfo.hasMoreRecords | boolean | Output field pageInfo.hasMoreRecords |
| pageInfo.offset | number | Output field pageInfo.offset |
| pageInfo.limit | number | Output field pageInfo.limit |
| pageInfo.totalNumRecords | number | Output field pageInfo.totalNumRecords |
| recordInfo | object | Output field recordInfo |
| recordInfo.minTtl | number | Output field recordInfo.minTtl |

#### Output Example

```json
{
  "records": [
    {
      "minTtl": 60,
      "maxTtl": 60,
      "firstSeen": 1668528687,
      "lastSeen": 1675971006,
      "name": "3.219.99.232",
      "type": "A",
      "rr": "vendor-application-form-for-craft-fair.com.",
      "securityCategories": [],
      "contentCategories": [],
      "lastSeenISO": "2023-02-09T19:30Z",
      "firstSeenISO": "2022-11-15T16:11Z"
    },
    {
      "minTtl": 60,
      "maxTtl": 60,
      "firstSeen": 1668676412,
      "lastSeen": 1675968128,
      "name": "3.219.99.232",
      "type": "A",
      "rr": "p87-claim-form.com.",
      "securityCategories": [],
      "contentCategories": ["Government", "Government and Law"],
      ...
```

### Query Domain

Queries Cisco Umbrella information on the domain.

- **Endpoint URL:** `domains/categorization/{{domain}}`
- **Method:** `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | required | Parameters for the Query Domain action |

#### Input Example

```json
{"path_parameters": {"domain": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cisco.com | object | Output field cisco.com |
| cisco.com.status | number | Status value |
| cisco.com.security_categories | array | Output field cisco.com.security_categories |
| cisco.com.security_categories.file_name | string | Name of the resource |
| cisco.com.security_categories.file | string | Output field cisco.com.security_categories.file |
| cisco.com.content_categories | array | Response content |

#### Output Example

```json
{"cisco.com": {"status": 1, "security_categories": [], "content_categories": ["25", "32", "167"]}}
```

### Related Domains for a Domain

This API method returns a list of domain names that have been frequently requested around the same time (up to 60 seconds before or after) as the given domain name, but that are not frequently associated with other domain names.

- **Endpoint URL:** `/links/name/{{domain}}`
- **Method:** `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | required | Parameters for the Related Domains for a Domain action |

#### Input Example

```json
{"path_parameters": {"domain": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| tb1 | array | Output field tb1 |
| tb1.0 | string | Output field tb1.0 |
| tb1.1 | number | Output field tb1.1 |
| found | boolean | Output field found |

#### Output Example

```json
{"tb1": [["google.com", 259], ["site.com", 223], ["sfdcopens.com", 169]], "found": true}
```

### Security Information for a Domain

List multiple scores or security features for a domain.

- **Endpoint URL:** `security/name/{{domain}}`
- **Method:** `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | required | Parameters for the Security Information for a Domain action |

#### Input Example

```json
{"path_parameters": {"domain": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| dga_score | number | Score value |
| perplexity | number | Output field perplexity |
| entropy | number | Output field entropy |
| securerank2 | number | Output field securerank2 |
| pagerank | number | Output field pagerank |
| asn_score | number | Score value |
| prefix_score | number | Score value |
| rip_score | number | Score value |
| popularity | number | Output field popularity |
| fastflux | boolean | Output field fastflux |
| geodiversity | array | Output field geodiversity |
| geodiversity.0 | string | Output field geodiversity.0 |
| geodiversity.1 | number | Output field geodiversity.1 |
| geodiversity_normalized | array | Output field geodiversity_normalized |
| geodiversity_normalized.0 | string | Output field geodiversity_normalized.0 |
| geodiversity_normalized.1 | number | Output field geodiversity_normalized.1 |
| tld_geodiversity | array | Output field tld_geodiversity |
| tld_geodiversity.file_name | string | Name of the resource |
| tld_geodiversity.file | string | Output field tld_geodiversity.file |
| geoscore | number | Score value |
| ks_test | number | Output field ks_test |
| attack | string | Output field attack |
| threat_type | string | Type of the resource |

#### Output Example

```json
{
  "dga_score": 0,
  "perplexity": 0.11194989638754399,
  "entropy": 1.9219280948873625,
  "securerank2": 0,
  "pagerank": 0,
  "asn_score": 0,
  "prefix_score": 0,
  "rip_score": 0,
  "popularity": 100,
  "fastflux": false,
  "geodiversity": [["us", 0.5379], ["es", 0.0821], ["gb", 0.0507]],
  "geodiversity_normalized": [["bm", 0.1392267585244458], ["sc", 0.09011065204498853], ["mp", 0.05574610952722123]],
  "tld_geodiversity": [],
  "geoscore": 0,
  "ks_test": 0
}
```

### Whois Domain

This endpoint returns WHOIS information for the specified domain.

- **Endpoint URL:** `/whois/{{domain}}`
- **Method:** `GET`

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | required | Parameters for the Whois Domain action |

#### Input Example

```json
{"path_parameters": {"domain": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| administrativeContactFax | object | Output field administrativeContactFax |
| whoisServers | string | Output field whoisServers |
| addresses | array | Output field addresses |
| administrativeContactName | string | Name of the resource |
| zoneContactEmail | object | Output field zoneContactEmail |
| billingContactFax | object | Output field billingContactFax |
| administrativeContactTelephoneExt | object | Output field administrativeContactTelephoneExt |
| administrativeContactEmail | string | Output field administrativeContactEmail |
| technicalContactEmail | string | Output field technicalContactEmail |
| technicalContactFax | string | Output field technicalContactFax |
| nameServers | array | Name of the resource |
| zoneContactName | object | Name of the resource |
| billingContactPostalCode | object | Output field billingContactPostalCode |
| zoneContactFax | object | Output field zoneContactFax |
| registrantTelephoneExt | object | Output field registrantTelephoneExt |
| zoneContactFaxExt | object | Output field zoneContactFaxExt |
| technicalContactTelephoneExt | object | Output field technicalContactTelephoneExt |
| billingContactCity | object | Output field billingContactCity |
| zoneContactStreet | array | Output field zoneContactStreet |
| zoneContactStreet.file_name | string | Name of the resource |
| zoneContactStreet.file | string | Output field zoneContactStreet.file |
| created | string | Output field created |
| administrativeContactCity | string | Output field administrativeContactCity |

#### Output Example

```json
{
  "administrativeContactFax": null,
  "whoisServers": "whois.markmonitor.com",
  "addresses": ["170 W Tasman Dr."],
  "administrativeContactName": "Domain Administrator",
  "zoneContactEmail": null,
  "billingContactFax": null,
  "administrativeContactTelephoneExt": null,
  "administrativeContactEmail": "infosec@cisco.com",
  "technicalContactEmail": "infosec@cisco.com",
  "technicalContactFax": "14085264575",
  "nameServers": ["ns1.cisco.com", "ns2.cisco.com", "ns3.cisco.com"],
  "zoneContactName": null,
  "billingContactPostalCode": null,
  ...
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Access-Control-Allow-Credentials | HTTP response header Access-Control-Allow-Credentials | true |
| Access-Control-Allow-Headers | HTTP response header Access-Control-Allow-Headers | Authorization, Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-Sgraph-Is-Research |
| Access-Control-Allow-Methods | HTTP response header Access-Control-Allow-Methods | GET, POST, OPTIONS |
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | https://dashboard.umbrella.com https://dashboard.umbrella.com |
| Access-Control-Expose-Headers | HTTP response header Access-Control-Expose-Headers | Content-Length,Content-Range |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 1001 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 09 Feb 2023 20:26:42 GMT |
| Server | Information about the software used by the origin server | nginx |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15768000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN, SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
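As an added example (not part of the connector's own code), the following shows how the bearer-authenticated request for the passive DNS actions is assembled from the `url` and `token` configuration parameters, how the "filter for records with security categories" step can be applied to a response, and how `pageInfo.hasMoreRecords` drives paging. The base URL and token are assumed placeholder values, and the response body is a constructed sample in the shape of the output example above.

```python
import json
from urllib.parse import quote
from urllib.request import Request

# Assumed values for the "url" and "token" configuration parameters (placeholders, not real credentials).
BASE_URL = "https://investigate.api.umbrella.com"
TOKEN = "REPLACE-WITH-INVESTIGATE-TOKEN"


def build_request(base_url, token, path):
    """Build the HTTPS request the connector sends: bearer token in the Authorization header."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    return Request(url, headers={"Authorization": "Bearer " + token, "Accept": "application/json"})


def pdns_domain_path(domain):
    """Path for 'Get Passive DNS History for Domain'; the domain is URL-encoded into the path."""
    return "/pdns/name/" + quote(domain, safe="")


def flagged_records(response_body):
    """Keep only passive DNS records that carry at least one security category."""
    records = json.loads(response_body).get("records", [])
    return [r for r in records if r.get("securityCategories")]


def next_offset(response_body):
    """Offset for the next page, or None when pageInfo.hasMoreRecords is false/absent."""
    page = json.loads(response_body).get("pageInfo", {})
    if not page.get("hasMoreRecords"):
        return None
    return page.get("offset", 0) + page.get("limit", 0)


# Constructed sample response (not a real query result); same field names as the output example.
SAMPLE_PDNS = json.dumps({
    "records": [
        {"name": "3.219.99.232", "type": "A", "rr": "www.example-form.com.",
         "securityCategories": [], "contentCategories": []},
        {"name": "3.219.99.232", "type": "A", "rr": "bad.example.",
         "securityCategories": ["Malware"], "contentCategories": []},
    ],
    "pageInfo": {"hasMoreRecords": True, "offset": 0, "limit": 2, "totalNumRecords": 5},
})

if __name__ == "__main__":
    req = build_request(BASE_URL, TOKEN, pdns_domain_path("example.com"))
    print(req.full_url, [r["rr"] for r in flagged_records(SAMPLE_PDNS)], next_offset(SAMPLE_PDNS))
```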