Hello,

I am currently attempting to use the Cisco Umbrella Investigate App with the function domain_status_and_category.

However, when I attempt to use it in a playbook, it doesn't return any data (specially returns NoneType), no matter the domain I use? 

I have checked with Cisco Umbrella GUI and API natively and see data returning. So I'm unsure on how to troubleshoot this.

Can I get some assistance on this please?

Regards,

Iqra

Hi Iqra,

Can you give an example of the input you are trying? 

Are you running in app host?  Can you set loglevel=DEBUG in the app.config, run the function, download the log file and post output from the function?

I can see if I can get a trial token to test it.

Hello,

I am currently attempting to use the Cisco Umbrella Investigate App with the function domain_status_and_category.

However, when I attempt to use it in a playbook, it doesn't return any data (specially returns NoneType), no matter the domain I use? 

I have checked with Cisco Umbrella GUI and API natively and see data returning. So I'm unsure on how to troubleshoot this.

Can I get some assistance on this please?

Regards,

Iqra

Hi again Iqra

I am able to run the Cisco Umbrella Investigate app that we have on the App Exchange and can run the "Example: Catagories for a Domain" rule off a DNS artifact and get the associated categories returned (they show up in the Umbrella Investigate - Categories for a domain" data table).  So it seems that that the function is working...does this app work for you out of the box?  Perhaps you can give more information on the playbook you are writing?  Perhaps there is an issue in there.

Hi Iqra,

Can you give an example of the input you are trying? 

Are you running in app host?  Can you set loglevel=DEBUG in the app.config, run the function, download the log file and post output from the function?

I can see if I can get a trial token to test it.

Hello,

I am currently attempting to use the Cisco Umbrella Investigate App with the function domain_status_and_category.

However, when I attempt to use it in a playbook, it doesn't return any data (specially returns NoneType), no matter the domain I use? 

I have checked with Cisco Umbrella GUI and API natively and see data returning. So I'm unsure on how to troubleshoot this.

Can I get some assistance on this please?

Regards,

Iqra

Hi AnnMarie,

Thank you again for helping me out and going out of your way to get that test token to check the function. I appreciate the efforts.

The playbook I am writing is with the aims to get any URL and DNS Name artifacts and run a search against them with Umbrella Investigate. If it comes back with certain categories (such as Phishing), I want to add a Hit to the artifact.

My thought process is to extract any domains from URLs before processing them (and directly processing DNS names as I assume they are in the correct format). However, I can't seem to get either to work, as I still get 'NoneType'.

I'm not too sure if I've used the addHit function properly either, I was hoping to get the previous steps working first against a simulation case before checking my use of the function.

Below is the function and the post-process script:

import jsonresult = playbook.functions.results.artifact_status_and_category.content##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ### https://investigate-api.readme.io/docs/domain-status-and-categorization-1# umbrella_domain_status_and_category - Domain# Example where inputs.umbinv_domains = artifact.value =  amazon.com"""Result: {'domains': [u'amazon.com'],         'query_execution_time'         'statuses': {u'amazon.com': {u'status': 1,                                      u'content_categories': [u'Ecommerce/Shopping'],                                      u'security_categories': []                                      }                      }        }"""##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ### umbrella_domain_status_and_category - domain#  Globals# List of fields in datatable umbinv_categories_for_a_domain for reference onlyDATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]# Processingstatuses = result.statusesdomains = result.domainsif statuses is not None and domains is not None:    result_dict = json.loads(result)    for domain in result_dict['domains']:        if 'Phishing' in result_dict['statuses'][domain]['security_categories']:            artifact.addHit("Cisco Umbrella Investigate", {"URL Name", "string", "{}".format(artifact.value)})

Thanks again for looking into this.

Much appreciated,

Iqra

Hi again Iqra

I am able to run the Cisco Umbrella Investigate app that we have on the App Exchange and can run the "Example: Catagories for a Domain" rule off a DNS artifact and get the associated categories returned (they show up in the Umbrella Investigate - Categories for a domain" data table).  So it seems that that the function is working...does this app work for you out of the box?  Perhaps you can give more information on the playbook you are writing?  Perhaps there is an issue in there.

Hi Iqra,

Can you give an example of the input you are trying? 

Are you running in app host?  Can you set loglevel=DEBUG in the app.config, run the function, download the log file and post output from the function?

I can see if I can get a trial token to test it.

Hello,

I am currently attempting to use the Cisco Umbrella Investigate App with the function domain_status_and_category.

However, when I attempt to use it in a playbook, it doesn't return any data (specially returns NoneType), no matter the domain I use? 

I have checked with Cisco Umbrella GUI and API natively and see data returning. So I'm unsure on how to troubleshoot this.

Can I get some assistance on this please?

Regards,

Iqra

Hi Iqra

I see a few issues with the script you post.  You don't need to get the results from content and you do not need to do json.loads as "domains" is a list in the statuses json.  I put an incident.addNote after result so you can see the actual results that are passed to the script. I am able to create hits with this post script in a playbook.  Hope this helps!

##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ### https://investigate-api.readme.io/docs/domain-status-and-categorization-1# umbrella_domain_status_and_category - Domain# Example where inputs.umbinv_domains = artifact.value =  amazon.com"""Result: {'domains': [u'amazon.com'],         'query_execution_time'         'statuses': {u'amazon.com': {u'status': 1,                                      u'content_categories': [u'Ecommerce/Shopping'],                                      u'security_categories': []                                      }                      }        }"""results = playbook.functions.results.get_status_and_category##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ### umbrella_domain_status_and_category - domain#  Globals# List of fields in datatable umbinv_categories_for_a_domain for reference onlyDATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]incident.addNote("results = {}".format(results))# Processingstatuses = results.statusesdomains = results.domainsquery_execution_time = results.query_execution_timeif statuses is not None and domains is not None:    for domain in domains:        domain_statuses = statuses.get(domain, None)        if domain_statuses:            security_categories = domain_statuses.get("security_categories", [])            content_categories = domain_statuses.get("content_categories", [])            if 'Phishing' in security_categories:                hit_list = [                  {                  "name": "Artifact Value",                  "type": "string",                  "value": "{}".format(artifact.value)                  }                ]                artifact.addHit("Cisco Umbrella Investigate", hit_list)

Hi AnnMarie,

Thank you again for helping me out and going out of your way to get that test token to check the function. I appreciate the efforts.

The playbook I am writing is with the aims to get any URL and DNS Name artifacts and run a search against them with Umbrella Investigate. If it comes back with certain categories (such as Phishing), I want to add a Hit to the artifact.

My thought process is to extract any domains from URLs before processing them (and directly processing DNS names as I assume they are in the correct format). However, I can't seem to get either to work, as I still get 'NoneType'.

I'm not too sure if I've used the addHit function properly either, I was hoping to get the previous steps working first against a simulation case before checking my use of the function.

Below is the function and the post-process script:

import jsonresult = playbook.functions.results.artifact_status_and_category.content##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ### https://investigate-api.readme.io/docs/domain-status-and-categorization-1# umbrella_domain_status_and_category - Domain# Example where inputs.umbinv_domains = artifact.value =  amazon.com"""Result: {'domains': [u'amazon.com'],         'query_execution_time'         'statuses': {u'amazon.com': {u'status': 1,                                      u'content_categories': [u'Ecommerce/Shopping'],                                      u'security_categories': []                                      }                      }        }"""##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ### umbrella_domain_status_and_category - domain#  Globals# List of fields in datatable umbinv_categories_for_a_domain for reference onlyDATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]# Processingstatuses = result.statusesdomains = result.domainsif statuses is not None and domains is not None:    result_dict = json.loads(result)    for domain in result_dict['domains']:        if 'Phishing' in result_dict['statuses'][domain]['security_categories']:            artifact.addHit("Cisco Umbrella Investigate", {"URL Name", "string", "{}".format(artifact.value)})

Thanks again for looking into this.

Much appreciated,

Iqra

Hi again Iqra

I am able to run the Cisco Umbrella Investigate app that we have on the App Exchange and can run the "Example: Catagories for a Domain" rule off a DNS artifact and get the associated categories returned (they show up in the Umbrella Investigate - Categories for a domain" data table).  So it seems that that the function is working...does this app work for you out of the box?  Perhaps you can give more information on the playbook you are writing?  Perhaps there is an issue in there.

Hi Iqra,

Can you give an example of the input you are trying? 

Are you running in app host?  Can you set loglevel=DEBUG in the app.config, run the function, download the log file and post output from the function?

I can see if I can get a trial token to test it.

Hello,

I am currently attempting to use the Cisco Umbrella Investigate App with the function domain_status_and_category.

However, when I attempt to use it in a playbook, it doesn't return any data (specially returns NoneType), no matter the domain I use? 

I have checked with Cisco Umbrella GUI and API natively and see data returning. So I'm unsure on how to troubleshoot this.

Can I get some assistance on this please?

Regards,

Iqra

Hi AnnMarie,

Thank you for the code and the explanation. Just by looking at it, I knew it would work. I've tested it with DNS Name artifacts and it does indeed work! Gahhh, how exciting!!

However, I seem to be having issues converting URLs into a format that the function will accept... (I seem to keep getting the error below)

from urllib.parse import urlparseif artifact.value == "URL":  inputs.umbinv_domains = urlparse(artifact.value).netlocelse:  inputs.umbinv_domains = artifact.valueinputs.umbinv_showlabels = Trueinputs.umbinv_status_endpoint = "categorization"

Any ideas?

Cheers,

Iqra

Hi Iqra

I see a few issues with the script you post.  You don't need to get the results from content and you do not need to do json.loads as "domains" is a list in the statuses json.  I put an incident.addNote after result so you can see the actual results that are passed to the script. I am able to create hits with this post script in a playbook.  Hope this helps!

##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ### https://investigate-api.readme.io/docs/domain-status-and-categorization-1# umbrella_domain_status_and_category - Domain# Example where inputs.umbinv_domains = artifact.value =  amazon.com"""Result: {'domains': [u'amazon.com'],         'query_execution_time'         'statuses': {u'amazon.com': {u'status': 1,                                      u'content_categories': [u'Ecommerce/Shopping'],                                      u'security_categories': []                                      }                      }        }"""results = playbook.functions.results.get_status_and_category##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ### umbrella_domain_status_and_category - domain#  Globals# List of fields in datatable umbinv_categories_for_a_domain for reference onlyDATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]incident.addNote("results = {}".format(results))# Processingstatuses = results.statusesdomains = results.domainsquery_execution_time = results.query_execution_timeif statuses is not None and domains is not None:    for domain in domains:        domain_statuses = statuses.get(domain, None)        if domain_statuses:            security_categories = domain_statuses.get("security_categories", [])            content_categories = domain_statuses.get("content_categories", [])            if 'Phishing' in security_categories:                hit_list = [                  {                  "name": "Artifact Value",                  "type": "string",                  "value": "{}".format(artifact.value)                  }                ]                artifact.addHit("Cisco Umbrella Investigate", hit_list)

Hi AnnMarie,

Thank you again for helping me out and going out of your way to get that test token to check the function. I appreciate the efforts.

The playbook I am writing is with the aims to get any URL and DNS Name artifacts and run a search against them with Umbrella Investigate. If it comes back with certain categories (such as Phishing), I want to add a Hit to the artifact.

My thought process is to extract any domains from URLs before processing them (and directly processing DNS names as I assume they are in the correct format). However, I can't seem to get either to work, as I still get 'NoneType'.

I'm not too sure if I've used the addHit function properly either, I was hoping to get the previous steps working first against a simulation case before checking my use of the function.

Below is the function and the post-process script:

import jsonresult = playbook.functions.results.artifact_status_and_category.content##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ### https://investigate-api.readme.io/docs/domain-status-and-categorization-1# umbrella_domain_status_and_category - Domain# Example where inputs.umbinv_domains = artifact.value =  amazon.com"""Result: {'domains': [u'amazon.com'],         'query_execution_time'         'statuses': {u'amazon.com': {u'status': 1,                                      u'content_categories': [u'Ecommerce/Shopping'],                                      u'security_categories': []                                      }                      }        }"""##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ### umbrella_domain_status_and_category - domain#  Globals# List of fields in datatable umbinv_categories_for_a_domain for reference onlyDATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]# Processingstatuses = result.statusesdomains = result.domainsif statuses is not None and domains is not None:    result_dict = json.loads(result)    for domain in result_dict['domains']:        if 'Phishing' in result_dict['statuses'][domain]['security_categories']:            artifact.addHit("Cisco Umbrella Investigate", {"URL Name", "string", "{}".format(artifact.value)})

Thanks again for looking into this.

Much appreciated,

Iqra

Hi again Iqra

I am able to run the Cisco Umbrella Investigate app that we have on the App Exchange and can run the "Example: Catagories for a Domain" rule off a DNS artifact and get the associated categories returned (they show up in the Umbrella Investigate - Categories for a domain" data table).  So it seems that that the function is working...does this app work for you out of the box?  Perhaps you can give more information on the playbook you are writing?  Perhaps there is an issue in there.

Hi Iqra,

Can you give an example of the input you are trying? 

Are you running in app host?  Can you set loglevel=DEBUG in the app.config, run the function, download the log file and post output from the function?

I can see if I can get a trial token to test it.

Hello,

I am currently attempting to use the Cisco Umbrella Investigate App with the function domain_status_and_category.

However, when I attempt to use it in a playbook, it doesn't return any data (specially returns NoneType), no matter the domain I use? 

I have checked with Cisco Umbrella GUI and API natively and see data returning. So I'm unsure on how to troubleshoot this.

Can I get some assistance on this please?

Regards,

Iqra

I think you should be testing artifact.type == "URL", not artifact.value !

Hi AnnMarie,

Thank you for the code and the explanation. Just by looking at it, I knew it would work. I've tested it with DNS Name artifacts and it does indeed work! Gahhh, how exciting!!

However, I seem to be having issues converting URLs into a format that the function will accept... (I seem to keep getting the error below)

from urllib.parse import urlparseif artifact.value == "URL":  inputs.umbinv_domains = urlparse(artifact.value).netlocelse:  inputs.umbinv_domains = artifact.valueinputs.umbinv_showlabels = Trueinputs.umbinv_status_endpoint = "categorization"

Any ideas?

Cheers,

Iqra

Hi Iqra

I see a few issues with the script you post.  You don't need to get the results from content and you do not need to do json.loads as "domains" is a list in the statuses json.  I put an incident.addNote after result so you can see the actual results that are passed to the script. I am able to create hits with this post script in a playbook.  Hope this helps!

##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ### https://investigate-api.readme.io/docs/domain-status-and-categorization-1# umbrella_domain_status_and_category - Domain# Example where inputs.umbinv_domains = artifact.value =  amazon.com"""Result: {'domains': [u'amazon.com'],         'query_execution_time'         'statuses': {u'amazon.com': {u'status': 1,                                      u'content_categories': [u'Ecommerce/Shopping'],                                      u'security_categories': []                                      }                      }        }"""results = playbook.functions.results.get_status_and_category##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ### umbrella_domain_status_and_category - domain#  Globals# List of fields in datatable umbinv_categories_for_a_domain for reference onlyDATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]incident.addNote("results = {}".format(results))# Processingstatuses = results.statusesdomains = results.domainsquery_execution_time = results.query_execution_timeif statuses is not None and domains is not None:    for domain in domains:        domain_statuses = statuses.get(domain, None)        if domain_statuses:            security_categories = domain_statuses.get("security_categories", [])            content_categories = domain_statuses.get("content_categories", [])            if 'Phishing' in security_categories:                hit_list = [                  {                  "name": "Artifact Value",                  "type": "string",                  "value": "{}".format(artifact.value)                  }                ]                artifact.addHit("Cisco Umbrella Investigate", hit_list)

Hi AnnMarie,

Thank you again for helping me out and going out of your way to get that test token to check the function. I appreciate the efforts.

The playbook I am writing is with the aims to get any URL and DNS Name artifacts and run a search against them with Umbrella Investigate. If it comes back with certain categories (such as Phishing), I want to add a Hit to the artifact.

My thought process is to extract any domains from URLs before processing them (and directly processing DNS names as I assume they are in the correct format). However, I can't seem to get either to work, as I still get 'NoneType'.

I'm not too sure if I've used the addHit function properly either, I was hoping to get the previous steps working first against a simulation case before checking my use of the function.

Below is the function and the post-process script:

import jsonresult = playbook.functions.results.artifact_status_and_category.content##  Cisco Umbrella Investigate - fn_cisco_umbrella_invpost processing script ### https://investigate-api.readme.io/docs/domain-status-and-categorization-1# umbrella_domain_status_and_category - Domain# Example where inputs.umbinv_domains = artifact.value =  amazon.com"""Result: {'domains': [u'amazon.com'],         'query_execution_time'         'statuses': {u'amazon.com': {u'status': 1,                                      u'content_categories': [u'Ecommerce/Shopping'],                                      u'security_categories': []                                      }                      }        }"""##  Cisco Umbrella Investigate - fn_cisco_umbrella_inv post processing script ### umbrella_domain_status_and_category - domain#  Globals# List of fields in datatable umbinv_categories_for_a_domain for reference onlyDATA_TBL_FIELDS = ["domain_name", "query_execution_time", "status", "content_categories", "security_categories"]# Processingstatuses = result.statusesdomains = result.domainsif statuses is not None and domains is not None:    result_dict = json.loads(result)    for domain in result_dict['domains']:        if 'Phishing' in result_dict['statuses'][domain]['security_categories']:            artifact.addHit("Cisco Umbrella Investigate", {"URL Name", "string", "{}".format(artifact.value)})

Thanks again for looking into this.

Much appreciated,

Iqra

Hi again Iqra

I am able to run the Cisco Umbrella Investigate app that we have on the App Exchange and can run the "Example: Catagories for a Domain" rule off a DNS artifact and get the associated categories returned (they show up in the Umbrella Investigate - Categories for a domain" data table).  So it seems that that the function is working...does this app work for you out of the box?  Perhaps you can give more information on the playbook you are writing?  Perhaps there is an issue in there.

Hi Iqra,

Can you give an example of the input you are trying? 

Are you running in app host?  Can you set loglevel=DEBUG in the app.config, run the function, download the log file and post output from the function?

I can see if I can get a trial token to test it.

Hello,

I am currently attempting to use the Cisco Umbrella Investigate App with the function domain_status_and_category.

However, when I attempt to use it in a playbook, it doesn't return any data (specially returns NoneType), no matter the domain I use? 

I have checked with Cisco Umbrella GUI and API natively and see data returning. So I'm unsure on how to troubleshoot this.

Can I get some assistance on this please?

Regards,

Iqra