Step 2. This event is sent to the Umbrella Enforcement API via a POST request (see Example 11-3).
Step 3. Cisco Umbrella follows the appropriate logic and algorithm before it adds the domain to the blocked list. It goes through these steps:
- Umbrella checks whether the domain exists in the Umbrella global block list under one of the security categories.
- It runs the Investigate API internally to decide if the domain is benign.
- It checks on the status of the domain (that is, uncategorized or categorized).
- It checks to see if the domain is already present on the customer’s allow list within the organization.
Step 4. If all the checks are validated, Umbrella blocks domains in that list per that customer’s Umbrella policy security settings.
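The checks in Step 3 run on the Umbrella side, so it is worth sanity-checking an event locally before the POST in Step 2. The following is an added example, not code from the book or from Cisco: it validates an event shaped like the one in Example 11-3, assumes every field shown there is required, and takes a hypothetical `local_allow_list` holding a local copy of the organization's allow list.

```python
"""Added example: sanity-check an Enforcement API event before POSTing it."""
from datetime import datetime
from urllib.parse import urlsplit

# Assumption: the fields shown in Example 11-3 are treated as mandatory.
REQUIRED = ("alertTime", "deviceId", "deviceVersion", "dstDomain",
            "dstUrl", "eventTime", "protocolVersion", "providerName")


def _is_utc_timestamp(value):
    """Accept timestamps shaped like 2020-01-01T09:33:21.0Z."""
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
        return True
    except (TypeError, ValueError):
        return False


def validate_event(event, local_allow_list=frozenset()):
    """Return a list of problems; an empty list means the event may be sent."""
    problems = [f"missing field: {k}" for k in REQUIRED if not event.get(k)]
    if problems:
        return problems
    for key in ("alertTime", "eventTime"):
        if not _is_utc_timestamp(event[key]):
            problems.append(f"bad timestamp in {key}")
    domain = event["dstDomain"].lower().rstrip(".")
    host = (urlsplit(event["dstUrl"]).hostname or "").lower().rstrip(".")
    # A mismatch would request a block for a domain the URL never touched.
    if host != domain:
        problems.append(f"dstUrl host {host!r} != dstDomain {domain!r}")
    # Hypothetical local copy of the organization's allow list.
    if domain in local_allow_list:
        problems.append(f"{domain} is on the local allow list")
    return problems


# Constructed sample events; GOOD mirrors the values in Example 11-3.
GOOD = {
    "alertTime": "2020-01-01T09:33:21.0Z",
    "deviceId": "deadbeaf-e692-4724-ba36-c28132c761de",
    "deviceVersion": "13.7a",
    "dstDomain": "looksfake.com",
    "dstUrl": "http://looksfake.com/badurl",
    "eventTime": "2020-01-01T09:33:21.0Z",
    "protocolVersion": "1.0a",
    "providerName": "Security Platform",
}
BAD = dict(GOOD, dstUrl="http://other.example/badurl", eventTime="yesterday")
```

Only events for which `validate_event` returns an empty list should be placed in the payload list that is sent to the API.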
Example 11-3 Python POST Code to Add a Domain Using the Enforcement API
""" Add domain using the Enforcement API """
import json
import requests

url = "https://s-platform.api.opendns.com/1.0/events"
querystring = {"customerKey": "XXXXXXX-YYYY-ZZZZ-YYYY-XXXXXXXXXXXX"}
payload = [
    {
        "alertTime": "2020-01-01T09:33:21.0Z",
        "deviceId": "deadbeaf-e692-4724-ba36-c28132c761de",
        "deviceVersion": "13.7a",
        "dstDomain": "looksfake.com",
        "dstUrl": "http://looksfake.com/badurl",
        "eventTime": "2020-01-01T09:33:21.0Z",
        "protocolVersion": "1.0a",
        "providerName": "Security Platform"
    }
]