Skip to content

Latest commit

 

History

History
103 lines (71 loc) · 2.35 KB

respond_observable.rst

File metadata and controls

103 lines (71 loc) · 2.35 KB

Response Actions

Extract Observables

Note

This step can be skipped if the observable type is known and can be mapped to the supported observables so you can build your own payload.

Extract observables using:

POST /iroh/iroh-inspect/inspect

API Example

API Endpoint Definition:

.. http:example::

    POST https://visibility.amp.cisco.com/iroh/iroh-inspect/inspect HTTP/1.1
    Authorization: Bearer ${jwt}
    Content-Type: application/json

    {
      "content": "cisco.com"
    }

JSON Response:

[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]

Respond Observable

Pass the returned array to:

POST /iroh/iroh-response/respond/observables

API Example

API Endpoint Definition:

.. http:example::

    POST https://visibility.amp.cisco.com/iroh/iroh-response/respond/observables HTTP/1.1
    Authorization: Bearer ${jwt}
    Content-Type: application/json

    [
      {
        "value": "cisco.com",
        "type": "domain"
      }
    ]

JSON Response:

{
  "data": [
    {
      "module": "Umbrella",
      "module_instance_id": "b56d3882-37d8-4c0c-af22-a5ef0cf53bd3",
      "module_type_id": "188d70f7-29d5-5069-9098-d83a3ec8e797",
      "id": "block",
      "title": "Block this domain",
      "description": "Block this domain using Umbrella Enforcement API",
      "url": "/respond/trigger/b56d3882-37d8-4c0c-af22-a5ef0cf53bd3/block?observable_type=domain&observable_value=cisco.com"
    }
  ]
}

JQ Filters for commonly used values:

  • .data[].module
  • .data[].title
  • .data[].url

Render .data[].title link to user in a way that makes sense within the product. When this is clicked authenticate using a token.

For example:

Example with parameters: <a href="{{host}} + {{$.data[].url}}">{{.data[].title}}</a>

Example with parameter substitution: <a href="https://visibility.amp.cisco.com/respond/trigger/b56d3882-37d8-4c0c-af22-a5ef0cf53bd3/block?observable_type=domain&observable_value=cisco.com">Block this domain</a>