5. Response Actions

5.1. Extract Observables

Note

Skip this step if you already know the observable type and it maps to one of the supported observables; in that case, build the payload yourself.

Extract observables using:

POST /iroh/iroh-inspect/inspect

5.1.1. API Example

API Endpoint Definition:

POST https://visibility.amp.cisco.com/iroh/iroh-inspect/inspect HTTP/1.1
Authorization: Bearer ${jwt}
Content-Type: application/json

{
  "content": "cisco.com"
}

JSON Response:

[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]

5.2. Respond Observable

Pass the returned array to:

POST /iroh/iroh-response/respond/observables

5.2.1. API Example

API Endpoint Definition:

POST https://visibility.amp.cisco.com/iroh/iroh-response/respond/observables HTTP/1.1
Authorization: Bearer ${jwt}
Content-Type: application/json

[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]

JSON Response:

{
  "data": [
    {
      "module": "Umbrella",
      "module_instance_id": "b56d3882-37d8-4c0c-af22-a5ef0cf53bd3",
      "module_type_id": "188d70f7-29d5-5069-9098-d83a3ec8e797",
      "id": "block",
      "title": "Block this domain",
      "description": "Block this domain using Umbrella Enforcement API",
      "url": "/respond/trigger/b56d3882-37d8-4c0c-af22-a5ef0cf53bd3/block?observable_type=domain&observable_value=cisco.com"
    }
  ]
}

JQ Filters for commonly used values:

  • .data[].module
  • .data[].title
  • .data[].url

Render .data[].title as a link to the user in a way that makes sense within the product. When the link is clicked, authenticate using a token.

For example:

Example with parameters: <a href="{{host}}{{.data[].url}}">{{.data[].title}}</a>

Example with parameter substitution: <a href="https://visibility.amp.cisco.com/respond/trigger/b56d3882-37d8-4c0c-af22-a5ef0cf53bd3/block?observable_type=domain&observable_value=cisco.com">Block this domain</a>
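
The link rendering described above, as an added example (not code from the original page or from Cisco). It builds each link from .data[].url and .data[].title, HTML-escapes both, and drops any entry whose URL does not resolve to a path under /respond/trigger/ on the same host. The function names are hypothetical, and the /respond/trigger/ prefix check is an assumption based on the sample response above.

```javascript
// Added example: turn a /respond/observables response into safe HTML links.
// HOST and the "/respond/trigger/" prefix are assumptions taken from the
// sample request and response on this page.
const HOST = "https://visibility.amp.cisco.com";

// Escape text for HTML element content and double-quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Resolve a returned url against the host. Returns the absolute URL, or null
// when the value is not a same-origin path under /respond/trigger/.
function buildActionUrl(host, relativeUrl) {
  if (typeof relativeUrl !== "string") return null;
  let resolved;
  try {
    resolved = new URL(relativeUrl, host);
  } catch (err) {
    return null;
  }
  if (resolved.origin !== new URL(host).origin) return null;
  if (!resolved.pathname.startsWith("/respond/trigger/")) return null;
  return resolved.href;
}

// Return one <a> element string per usable action in response.data.
function renderResponseActions(host, response) {
  const actions = Array.isArray(response && response.data) ? response.data : [];
  const links = [];
  for (const action of actions) {
    if (!action || typeof action.title !== "string") continue;
    const href = buildActionUrl(host, action.url);
    if (href === null) continue;
    links.push(`<a href="${escapeHtml(href)}">${escapeHtml(action.title)}</a>`);
  }
  return links;
}

// Sample input constructed from the JSON response shown on this page.
const sampleResponse = {
  data: [{
    module: "Umbrella",
    title: "Block this domain",
    url: "/respond/trigger/b56d3882-37d8-4c0c-af22-a5ef0cf53bd3/block?observable_type=domain&observable_value=cisco.com",
  }],
};
console.log(renderResponseActions(HOST, sampleResponse).join("\n"));
```

Note that the `&` in the query string is emitted as `&amp;` inside the href attribute, which is the correct HTML encoding of the same URL.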