Splunk SOAR Playbook of the Month: Cisco Umbrella DNS Denylisting

Given the recent exciting news of Splunk becoming part of Cisco, for this edition of Splunk SOAR Playbook of the Month, we thought what better way to showcase how the combination of Cisco and Splunk can help users achieve more comprehensive security than through a playbook that combines the power of Cisco Umbrella and Splunk SOAR.

At the core of every internet connection is the Domain Name System (DNS). This system translates website and domain names that we use every day into IP addresses. The ability to stop threats at the DNS-layer can be critical when it comes to defending against things like malware attacks or when you want to ensure that other devices on your network don’t attempt to connect to infected ports. Cisco Umbrella can help users achieve that important DNS-layer security.

The Playbook

The Cisco Umbrella DNS Denylisting playbook is an input playbook that accepts a domain or list of domains as an input and then allows you to block the given domain(s) in Cisco Umbrella. This process, known as DNS Denylisting, allows you to block DNS network traffic based on criteria such as IP addresses, domain names, or DNS query types. For example, you could create a list of known malicious domains for your input, and if anyone were to try and access one of those domains, be it intentionally or via something like a suspicious link in an email, the playbook would trigger a response in Cisco Umbrella that would result in a DNS query timeout, preventing access to the domain.

Incorporating the Input Playbook

Since this playbook is meant to work alongside a detection-based automation playbook, for this example, we’ll build off of a simple reputation analysis playbook.

  1. In the visual playbook editor, drag a playbook block onto the canvas and connect it to your Start block
  2. In the search bar, we’ll search for “VirusTotal V3 Identifier Reputation Analysis” and use this as our base playbook
  3. In the domain field, select artifacts, then select destination DnsDomain
  4. Next, add and connect a filter block to the canvas
  5. In the Select Parameter field, select the “playbook_VirusTotal_v3_Identifier_Reputation_Analysis” from the list of options on the left and “domain” from the inputs option on the right
  6. Set the parameter to greater than (>) and adjust the value next to this to 1 or more based on your specific needs. For this example, we’ll set the value to 5
  7. Drag a playbook block onto the canvas and connect it to the previous filter block.
  8. Search for and select “Cisco_Umbrella_DNS_Denylisting” in the search box
  9. In the domain field, select the filter option you created in the previous step
  10. Finish the playbook by linking the previous playbook block to the end block. Give your new playbook a name and save it
  11. Now, if anyone attempts to access a URL from an existing denylist, this will trigger a response in Cisco Umbrella to block said domain based on the specified parameters
  12. Additionally, once a domain is blocked, this will also create an observable in Splunk SOAR with further information about the incident and allow for further remediation or investigation.
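As an added example that is not part of this post and not the Python that Splunk SOAR generates for the playbook, the block below models the filter step from the procedure above in plain Python: it pulls `destinationDnsDomain` from artifacts, joins each domain with a constructed stand-in for the VirusTotal malicious-vendor count, keeps only domains strictly above the threshold (5 here), normalises and dedupes them, and returns the list that would be handed to the Cisco Umbrella block action. The artifact and reputation shapes are assumptions made for the example.

```python
"""Threshold filter behind the denylisting playbook (added example, not generated playbook code)."""

# Constructed artifacts in SOAR's cef shape; the real artifact model carries more fields.
SAMPLE_ARTIFACTS = [
    {"cef": {"destinationDnsDomain": "Evil.Example."}},   # mixed case, trailing dot
    {"cef": {"destinationDnsDomain": "evil.example"}},    # duplicate after normalisation
    {"cef": {"destinationDnsDomain": "borderline.example"}},
    {"cef": {"destinationDnsDomain": "safe.example"}},
    {"cef": {"destinationDnsDomain": "unknown.example"}}, # no reputation result
    {"cef": {"destinationDnsDomain": "bad domain"}},      # malformed value
    {"cef": {}},                                          # artifact without a domain
]

# Constructed stand-in for the reputation playbook output: domain -> vendors flagging it malicious.
SAMPLE_REPUTATION = {
    "evil.example": 7,
    "borderline.example": 5,
    "safe.example": 1,
}


def normalize_domain(value):
    """Lower-case, trim, drop a trailing dot; return None for anything that is not a usable domain."""
    if not isinstance(value, str):
        return None
    domain = value.strip().lower().rstrip(".")
    if not domain or " " in domain or "." not in domain:
        return None
    return domain


def select_domains_to_denylist(artifacts, reputation, threshold=5):
    """Return sorted, deduplicated domains whose malicious count is strictly greater than threshold.

    Domains with no reputation result are skipped on purpose: a missing score is not evidence,
    and blocking on it would turn a data gap into a self-inflicted outage.
    """
    selected = set()
    for artifact in artifacts:
        domain = normalize_domain(artifact.get("cef", {}).get("destinationDnsDomain"))
        if domain is None:
            continue
        score = reputation.get(domain)
        if not isinstance(score, (int, float)) or score <= threshold:
            continue
        selected.add(domain)
    return sorted(selected)


if __name__ == "__main__":
    print(select_domains_to_denylist(SAMPLE_ARTIFACTS, SAMPLE_REPUTATION))
```

Each domain in the returned list is one call to the Umbrella block action; everything else stays reachable and is left for the analyst to review.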

Watch the video to see this playbook and setup process in action.

By using this playbook, you can help prevent unwanted access to known malicious domains and blacklist these potentially unwanted threats based on the aforementioned criteria types.

Be sure to check out research.splunk.com/playbooks to explore even more useful playbooks. Additionally, give some of our previous playbook blogs like this one a look. We look forward to hearing about your experience with this month’s featured playbook as well as any other playbooks you’ve recently implemented. We’ll be back next month with more playbooks and demos, but until then, get out there and get automating!
