Umbrella is a client library as well as a command-line tool for the APIs provided by Cisco Umbrella, formerly OpenDNS. It supports all endpoints available in the Investigate API and the Enforcement API. Contributions are welcome.
Import the library.
import "github.com/folbricht/umbrella"
Create a client for the Investigate API. Requires an API access token.
client := umbrella.NewInvestigate(key)
Query available categories.
categories, err := client.DomainCategories()
if err != nil {
	return err
}
// categories maps each category ID to its label; Go rejects unused loop
// variables, so the placeholder body has to use them
for id, label := range categories {
	fmt.Println(id, label)
}
Query categorization of multiple domains.
domains := []string{"umbrella.com", "ihaveabadreputation.com"}
categorizations, err := client.DomainCategorizations(domains...)
if err != nil {
	return err
}
// one categorization result per queried domain
for domain, categorization := range categorizations {
	fmt.Println(domain, categorization)
}
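The same bulk categorization call, written here against the raw Investigate HTTP API rather than through this library, as an added example that is not part of the package. The endpoint path, the bearer-token header and the per-domain response shape (status 1 benign, 0 unknown, -1 malicious, plus security category labels) are assumptions about the API, and the server that answers the request is a constructed offline stand-in, so the only thing it proves is the client-side handling: a rejected token surfaces as an error instead of an empty result, and flagged domains are separated from benign ones.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type Categorization struct { // one entry of the bulk response (assumed shape)
	Status             int      `json:"status"` // 1 benign, 0 unknown, -1 malicious
	SecurityCategories []string `json:"security_categories"`
}

// FetchCategorizations POSTs the domain list with a bearer token and decodes the per-domain map.
func FetchCategorizations(baseURL, key string, domains []string) (map[string]Categorization, error) {
	body, _ := json.Marshal(domains)
	req, _ := http.NewRequest("POST", baseURL+"/domains/categorization?showLabels", bytes.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+key)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // e.g. 403 when the token is missing or revoked
		return nil, fmt.Errorf("investigate: HTTP %d", resp.StatusCode)
	}
	out := map[string]Categorization{}
	return out, json.NewDecoder(resp.Body).Decode(&out)
}

func Flagged(cats map[string]Categorization) (bad []string) { // malicious or security-tagged: what a blocklist acts on
	for d, c := range cats {
		if c.Status == -1 || len(c.SecurityCategories) > 0 {
			bad = append(bad, d)
		}
	}
	return bad
}

// fake is a constructed offline stand-in for the API that, like the real one, rejects a bad bearer token.
var fake = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") != "Bearer test-key" {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, `{"umbrella.com":{"status":1,"security_categories":[]},"ihaveabadreputation.com":{"status":-1,"security_categories":["Malware"]}}`)
}))
```

Point FetchCategorizations at the real base URL with a real token to use it outside the test; the stand-in server only exists so the flagging logic can be exercised without network access.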
The command-line tools mainly exist for testing purposes and to show how the library can be used. There is one sub-command for each API endpoint, and the two tools currently available can be installed with:
go get -u "github.com/folbricht/umbrella/cmd/investigate"
go get -u "github.com/folbricht/umbrella/cmd/enforcement"
Accessing the Umbrella Investigate API requires an API token, which can be passed to the tool either via the environment variable UMBRELLA_KEY or via the command-line option -key. For the Enforcement API, a customer key is required, which can be provided via the environment variable CUSTOMER_KEY or the -key option. The tools support multiple sub-commands, each of which represents a specific API call. Examples of how to use the tools:
UMBRELLA_KEY=... investigate domain-timeline ihaveabadreputation.com
investigate -key <KEY> domain-categorization -showlabels ihaveabadreputation.com
investigate -key <KEY> domain-history A ihaveabadreputation.com
enforcement -key <KEY> list-all-domains
Sub-commands of the investigate tool:
- domain-categories - List category IDs and labels
- domain-categorization - Categorization for a single domain
- domain-categorizations - Categorization of multiple domains
- domain-timeline - Show the timeline of a domain
- domain-volume - Query volume of a domain
- search - Perform a pattern search
- co-occurrences - Find domains that were queried around the same time by the same client
- related - Find domains related to a domain
- security - Show available security information for a domain
- domain-history - Query the history of a domain+type
- ip-history - Query the history of an IP+type
- as - Query the Autonomous System information for an IP
- prefixes - Query CIDR and Geo information for an ASN
- whois-email - Query the domains registered for a single email
- whois-emails - Query the domains registered for multiple emails
- latest-malicious - Query the (malicious) domains associated with an IP
- top-million - Show the top most popular domains (up to 1 million)
- samples - List samples associated with an IP, domain, or URL
- sample - Show information about a single sample by file hash
- sample-artifacts - Show information about artifacts associated with a sample
- sample-connections - Show information about connections associated with a sample
- sample-behaviors - List indicators associated with a sample
See investigate <command> -h for details on any command and available options.
Sub-commands of the enforcement tool:
- list-domains - List domains currently on the blocklist (includes pagination)
- list-all-domains - List all domains currently on the blocklist
- delete-domain - Remove a domain from the blocklist
See enforcement <command> -h for details on any command and available options.