We will soon end-of-life (EOL) the Cloud Service Report and replace it with the App Discovery report. For more information about the App Discovery report, see App Discovery Report.
The Cloud Services report allows you to gain visibility into the cloud services being used across your organization, identify usage patterns, and uncover shadow IT. Identifying the cloud services that users within your organization are using as shadow IT services is now becoming a daily concern for administrators, especially those worried about data loss, information containment and understanding the needs of the end user.
From the vantage point of the Cisco global network, Umbrella is able to see all of the domains that your organization is accessing. Normally those events are just logged to our Activity Search report and security events are logged to the Security Activity report. The Cloud Services report shows how the DNS requests match up against a compiled list of cloud services. This unique perspective improves visibility around how cloud services are used by users within your organization.
This report is only available for customers with Umbrella Insights or Platform packages, or for MSPs and customers of those MSPs. For more information on upgrading your package, please contact your Cisco Umbrella representative.
The Cloud Services report takes information about the users’ behavior when accessing services in the cloud and lets you take action with the knowledge in the report. And with Umbrella's “any device, anywhere, anytime” approach, you know about cloud services that your users are accessing even when they're not on the network. Umbrella discovers all cloud services in use, including email, file sharing, SaaS, IaaS, and PaaS services and helps you in reporting on their use.
The Cloud Services report uses data from your Umbrella dashboard, including policy settings for identities you've already provisioned, then matches the DNS traffic from your organization to specific cloud services to let you know more about how your users are using cloud services. The report includes trends for any new services being adopted, including dates when they were first used and last seen.
These days, nearly everyone uses online storage, web-based email, collaboration tools, educational sites or social media in their personal and professional lives. For this report, a 'cloud service' is any of the hundreds of SaaS, IaaS, PaaS or simply "cloud" computing services available today. In fact, Umbrella itself is a cloud service and is listed as one in the report. We've compiled a list of over 30 different cloud services classifications, covering hundreds of individual cloud service.
The Cloud Services report is your window into how your users are taking advantage of the ever-expanding range of cloud services so you can look to mitigate, restrict or supplement their usage. This information can be used in several ways. It can be helpful to find out why these services are being used and whether they are a meeting a need that there isn't a formal process for in your organization. For instance, if your users are using an online storage system instead of a file server, this could be in order to boost their productivity rather than bypass security. Alternately, a cloud service could be used to bypass the traditional safeguards you have in place for data loss prevention and knowing that it's being used can assist you in better securing your work environment from data loss.
Umbrella has access to a list of thousands of cloud services ranging from very small companies to software giants. If a domain that’s been visited by someone in your organization matches a domain we've identified as part of a cloud service, there’s a match for that cloud service in the report. The Cloud Services report provides details on which URL each cloud service consists of.
The cloud services are also broken into classifications, or types of service, which helps refine your queries to those cloud services classifications most important to your security needs.
Note: services classifications are NOT the same thing as category settings (Policies > Content Categories). They may overlap, but the cloud services classifications include things that the content categories do not and vice versa. For instance, pornography is not considered a Cloud Service Classification, but it is a content category. A service like Salesforce has a Cloud Service Classification of CRM/SFA, but the Category Setting is Software/Technology. As such, they should be treated separately both for reporting and enforcement purposes.
- Navigate to Reporting > Additional Reports > Cloud Services.
- Under Filter Cloud Services > Filter by Classification, click Select.
Cloud Data Services
CRM & SFA
Data & Analytics
IaaS (Infrastructure as a Service)
Internet of Things
Social Media Management
SSO and Identity Management
The Cloud Services report is compiled with data collected from your organization by looking at the URLs identities are visiting. This information can be seen today in the Activity Search report. Umbrella then meshes that data to URLs belonging to specific cloud services.
Note: Logging must be enabled in order to collect data. Without logging enabled, the report will appear blank.
For the report to generate data, logging of content requests must be enabled in your policies. If you have disabled logging, you need to re-enable it in order for the Cloud Services report to have data to display. Logging is required for the requests for these cloud services because they are not security event (eg: malware), but content related DNS queries.
- Navigate to Policies > Management > All Policies.
- Expand a policy and on the summary page expand Advanced Settings.
- Enable Log All Requests.
- Click Save.
It’s also important that the policy with logging enabled is in the proper order for policy hierarchy in order to collect events from all relevant identities.
A key point about this report is that all the data displayed is tied to the time frame of the report, including the report summary. By default, the time frame is seven days, but you can use the Filter by date selection to change that. Reducing the scope of the report to the "Last 24 Hours" can help you pinpoint any new cloud service use on your network.
You can also search for any cloud service by entering the name, or a part of the name into the search bar.
Pick the service you're interested in, then click Show Service Details. This brings you to the Service Details section of the report and only show the identities that were using this cloud service.
The summary includes the number of Cloud Services seen over the time period specified, including the number of new cloud services for that time period and the number of identities within your organization that have accessed cloud services.
Note: The filter is also displayed at the very top of the report summary. In this example, the report is set to display All Identities over the last 7 Days and with All Classifications.
- Cloud Services—The number of individual discrete cloud services observed being accessed by identities within your organization over the time period set in the filter.
- Never Before Seen—The number of the cloud services seen over the time period set in the filter that are new to your organization's usage.
- Total Identity Count—The total number of identities that have accessed cloud services within the time specified in the filter.
The Cloud Services Report Summary then lists all of the Cloud Services. Each column is sortable with the exception of Classification. If you wish to sort by Classification, use the Filter by Classification.
By default, the report is sorted with the cloud service with the highest number of requests at the top. Click the up and down arrows to sort on that column.
- Name—The name of the cloud service itself. For more detail regarding what this service is, select the service and click on it.
- Classification—Classifications describe what the service is typically used for. Each service has one or more classifications. For a complete list of cloud service classifications, click Filter by Classification.
- Identities—The number of identities within your organization accessing this cloud service.
- Trend—The increase or decrease in the number of identities requesting this cloud service over the time period selected.
- Requests—The total number of requests for this cloud service from your organization over the time period selected.
- Blocked—Percentage of your requests for a service that were blocked over the time period selected.
- First Seen—The date at which this service was first seen being used by identities within your organization.
- Last Seen—The date that the most recent request for a service was made.
You can drill down into each cloud service to show a report of the use of individual services by identities within your organization.
- Click the name of the Cloud Service in the report, or use the "Search for a cloud service" option.
Service Details for the service appears.
- Website—The website is for the company that provides the cloud service. In this case, the name of the cloud service and the company name are the same but that is not always the case.
- Cloud Service Domains—This is the list of URLs that Umbrella has matched against to determine if the cloud service is in use. Often a cloud service will only have one cloud service domain; however, if a service has more than one—if a user visits any one of the cloud service domains listed—it's considered a match. In the Salesforce example, they have more of these URLs than fits in the interface. Clicking the + will expand to show them all.
- Classifications—The types or classifications of the service is shown. In this example, there is only one, but a cloud service can belong to multiple classifications.
- Description—A brief description of the cloud service gives perspective on what this cloud service is and what potential IT services it provides for the users using the service.
Beneath the overview of the cloud service itself is a list of the identities using the cloud service.
Note: The filter for time and identity is also displayed at the very top of the report summary. In this example, the report is set to display All Identities over the last 7 Days.
- Total Identity Count—The number of total identities accessing this cloud service. The named identities are below in the Identities column.
- Total Requests—The number of total requests to this cloud service. Requests by identity are broken down in the Requests column.
- Allowed—The percentage of requests for this site allowed. The number of allowed requests by identity are displayed in the Allowed column.
- Blocked—The percentage of requests for this site blocked. The number of blocked requests by identity are displayed in the Blocked column.