Cisco Umbrella API Key
Service Name: Cisco Umbrella
Service Description: Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the internet. It uses DNS to stop threats over all ports and protocols before they reach your network or endpoints.
Service Address: https://umbrella.cisco.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level through the Cisco Umbrella dashboard.
Secret Access Scope: Grants programmatic access to Cisco Umbrella APIs, allowing management of security policies, reporting, and integration with other security systems.
Secret Revokement URL: https://docs.umbrella.com/umbrella-api/docs/authentication-and-errors
Secret Example: 4a1b2c3d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
Suspicious Activity Investigation Instructions:
- Review API access logs in the Umbrella dashboard for unusual activity.
- Check for unauthorized policy changes or configurations.
- Monitor for unexpected reporting API calls or data exports.
- Look for API calls from unusual geographic locations or IP addresses.
- Verify if there are any new integrations or applications using the API key.
Mitigation Instructions:
- Log in to the Cisco Umbrella dashboard.
-
Navigate to Admin > API Keys section.
-
Locate the compromised API key.
- Click on the "Revoke" or "Delete" button to invalidate the key.
- Generate a new API key if needed.
- Update any legitimate applications or integrations with the new API key.
- Consider implementing more restrictive API access policies.
- Enable notifications for API key usage if available.