Cisco Umbrella Investigate API: Domain Status, Risk Score

Investigate

The Umbrella Investigate API provides a complete view of domains in relation to IP and autonomous system number (ASN) information.

You can programmatically collect and analyze the following information:

  • Domain status, risk score, and geolocation
  • Number of domain searches
  • Co-occurring domains
  • Subdomains of a domain
  • Tagged timeline of a domain, IP, or URL
  • Security reputation of a domain
  • Top accessed domains
  • WHOIS information for the domain
  • Threat intelligence data for domains, IPs, and URLs
  • Threat intelligence samples by file hash

Umbrella Investigate Add-On for Splunk

The Umbrella Investigate Add-On integrates the Umbrella Investigate API with Splunk. For more information, see Umbrella Investigate Add-On for Splunk Guide.

Cisco Secure Malware Analytics Integration

Certain Umbrella Investigate API endpoints integrate with Cisco Secure Malware Analytics. These API endpoints provide detailed information about file samples related to an IP, domain, or URL. You must have licenses to both Umbrella Investigate and Cisco Secure Malware Analytics to receive an API response that includes the samples data.

Umbrella Investigate API endpoints that require a Cisco Secure Malware Analytics license:

  • GET /samples/{destination}
  • GET /sample/{hash}
  • GET /sample/{hash}/artifacts
  • GET /sample/{hash}/connections
  • GET /sample/{hash}/behaviors

Rate Limits for Investigate API Endpoints

Umbrella enables rate limits on the Investigate API endpoints. For more information, see Rate Limits > Investigate.

Request Headers

Unless otherwise specified, the Umbrella API endpoints use JSON for all requests and responses.

Note: For POST, PUT, and PATCH operations, set the HTTP Content-Type header to application/json in your API request.
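The following helper is an added example, not Cisco's code or a client the page ships. It shows how a script would prepare calls to the sample endpoints listed above while honouring the header note (Content-Type set only on POST, PUT and PATCH) and the rate-limit section (back off on HTTP 429). The base URL, the bearer-token header format, and the use of a Retry-After header on 429 responses are assumptions not stated on this page; substitute the values from your own Umbrella documentation. The hash check and path quoting are defensive additions so that a caller-supplied value cannot alter the request path.

```python
"""Request-building helpers for the Umbrella Investigate sample endpoints.

Added example, not Cisco's code. Assumptions not stated on the page:
  - BASE_URL is a placeholder; the bearer-token Authorization header is assumed.
  - Rate limiting is assumed to surface as HTTP 429, optionally with Retry-After.
"""
import json
import re
import urllib.request
from urllib.parse import quote

# Placeholder base URL (assumption): replace with the one in your Umbrella docs.
BASE_URL = "https://api.example.invalid/investigate/v2"

# Endpoints from the page that require a Cisco Secure Malware Analytics license.
SAMPLE_ENDPOINTS = {
    "samples_for_destination": "/samples/{destination}",
    "sample": "/sample/{hash}",
    "artifacts": "/sample/{hash}/artifacts",
    "connections": "/sample/{hash}/connections",
    "behaviors": "/sample/{hash}/behaviors",
}

# Accept only plain hex digests (MD5, SHA-1, SHA-256) as a file hash.
_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")

# Methods for which the page requires Content-Type: application/json.
_BODY_METHODS = {"POST", "PUT", "PATCH"}


def is_valid_hash(value: str) -> bool:
    """True when value is an MD5/SHA-1/SHA-256 hex digest and nothing else."""
    return bool(_HASH_RE.match(value))


def sample_path(endpoint: str, value: str) -> str:
    """Build the path for one of the sample endpoints from a caller-supplied value.

    Hashes are validated against a strict pattern; destinations (IP, domain or
    URL) are percent-encoded so a slash or other reserved character cannot
    introduce an extra path segment.
    """
    template = SAMPLE_ENDPOINTS[endpoint]
    if "{hash}" in template:
        if not is_valid_hash(value):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
        return template.format(hash=value.lower())
    return template.format(destination=quote(value, safe=""))


def build_request(method: str, path: str, token: str, body=None) -> dict:
    """Assemble method, URL, headers and encoded body for one API call."""
    method = method.upper()
    headers = {
        "Authorization": f"Bearer {token}",  # assumed auth scheme
        "Accept": "application/json",
    }
    data = None
    if method in _BODY_METHODS:
        # The page's note: JSON content type on POST, PUT and PATCH.
        headers["Content-Type"] = "application/json"
        data = json.dumps(body if body is not None else {}).encode("utf-8")
    return {"method": method, "url": BASE_URL + path, "headers": headers, "data": data}


def retry_delay(status: int, headers: dict, attempt: int, max_attempts: int = 5):
    """Seconds to wait before retrying a rate-limited call, or None to give up.

    Honours a numeric Retry-After header when present (assumed behaviour),
    otherwise uses capped exponential backoff.
    """
    if status != 429 or attempt >= max_attempts:
        return None
    retry_after = headers.get("Retry-After")
    if retry_after is not None and str(retry_after).isdigit():
        return int(retry_after)
    return min(2 ** attempt, 60)


def send(req: dict):
    """Perform a prepared request with urllib (not exercised offline)."""
    http_req = urllib.request.Request(
        req["url"], data=req["data"], headers=req["headers"], method=req["method"]
    )
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: MD5 of the empty string, used only to show the path.
    path = sample_path("artifacts", "d41d8cd98f00b204e9800998ecf8427e")
    print(build_request("GET", path, "TOKEN_PLACEHOLDER"))
```

`send()` is kept separate from request construction so the validation and header logic can be unit-tested without network access; a caller loops on `retry_delay()` until it returns `None`.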

Investigate API Endpoints