The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

(Old Dec 6, 2019) Destinations Report

The Destinations report gives you access to information about the destinations that your identities are visiting, determining which are the most actively requested and when this activity occurs. From the top-level Destinations report, which lists the top 100 destinations requested within the selected time period, you can access a Destinations report that is specific to a destination. Here you can explore activity at the domain level, determining who has visited the selected domain and when. This detailed information can help you determine if any computer or networks may be compromised or are connecting to known malicious sites so that you can better protect yourself and others.


This report is only available for customers with Umbrella Insights or Platform packages, or for MSPs and customers of those MSPs. For more information on upgrading your package, please contact your Cisco Umbrella representative.

Access a Destinations Report

  1. Navigate to Reporting > Core Reporting > Destinations.
    This takes you to the top-level of the Destinations reports page, which lists the top 100 destinations requested within the selected time period. The default is 24 hours.
  1. Click a destination to go to the Destination report for that destination.
    For details about how to read a Destinations report, see Understanding a Destinations Report.
    Like other Umbrella reports, a Destinations report is time-based. You can generate a report to document activities for the last 24 hours, the previous calendar day (yesterday), the last seven days, and the last month.
  1. If you can't find a destination you're interested in, you can search for it.
    When you search for a destination, Umbrella returns any related domains and subdomains. In our example, we've searched for all requests for within the last 24 hours. When performing a search, Umbrella returns the number of requests for each destination, along with any matching subdomains. For, this search returned 782 subdomains with being the most actively requested domain within the last 24 hours.

Other Ways to Access a Destinations Report

You can also access a specific Destinations report through the Activity Search, Security Activity, or Top Domains reports.

  1. Navigate to Reporting > Core Reports > Activity Search, Reporting > Core Reports > Security Activity, or Reporting > Core Reports > Top Domains
  2. Search for a destination.
  3. Click the destination to go to the Destination report for that destination.
    For details about how to read a Destinations report, see Understanding a Destinations Report.

Understanding a Destinations Report

A Destinations report for a destination charts activities for that destination within the specified time period. The report is broken into three areas of reporting that help you answer critical questions about the destination and the identities on your network that have requested it:

Note: You might notice that you cannot schedule a Destinations report or download one either. This is due to the way in which information in this report is presented to you graphically rather than textually.

Allowed/Blocked and Global Traffic % Charting

The Allowed/ Blocked and Global Traffic % charts display DNS activity for the selected destination within the selected time period. This visualization of DNS activities lets you quickly see where the peaks are for requests for that destination as well as when it is least active. This can help in your investigation of any suspicious activities. At the top of the page, the report lists the destination's security categorization. If you do not agree with this categorization, click Suggest Security Categorization to make a request to change its categorization. Clicking Send creates an internal Umbrella ticket requesting that a security researcher review the domain’s categorization. You should receive a prompt reply.

Allowed/ Blocked Chart

The Allowed/ Blocked chart displays the number of blocked and allowed access requests for the destination you are investigating within the selected time period. To help you to compare various activities, you can turn various line graphs on and off, overlaying them for quick comparisons.

  1. Click View <destination> in Investigate to open the destination in Investigate and see even more details about the destination you are investigating.
Trend Filters

A trend filter—Blocked (Trend), Allowed (Trend), and Proxied (Trend)—displays the lowest and highest points of activity along the chart’s x-axis for the selected date based on activity going back seven weeks. You can use these filters to compare current activity against past activity. This can help you visualize traffic for a domain or identity over time, letting you get a sense of what its “normal” activity is, and by extension where there might some sort of unexpected activity or security risk.

Apply trend filters by selecting them underneath the chart. You can turn them all on or off, or just filter for one or two trends. Here, we’ve turned on the Blocked (Trend) filter and applied it against Blocked requests.

Note: Trend filters are only available for the Allowed/ Blocked chart.

Once you’ve turned on a filter, when you hover over a point on the chart, you can see the trend details for that filter at that point in time.

For example, Blocked (Trend) versus current Blocked request activity. You’ll see in the chart above that on Jan 11—a Wednesday—the trend over the last seven Wednesdays has been a minimum of two blocked requests and a maximum of 512. We can also see that for this day (Jan 11) there were 1120 blocked requests, which is more than double the trend of blocked requests for that day. This unusual activity may indicate a security problem that you can further investigate by clicking the Blocked point for this day, which takes you to the Activity Search report for the day clicked.

Global Traffic % Chart

The Global Traffic % chart displays the percentage of global traffic to a destination that is comprised of traffic from your organization’s Identities.

Reviewing this activity can help you monitor the destination for any unusual spikes in local traffic to the destination. A spike might suggest a security risk (for example, spear-phishing or other advanced persistent threat) that you should investigate further. In the example below, we can see that there was an unusual spike in traffic on January 25 that should be investigated. Perhaps someone in your organization clicked a link in a phishing email.

Access & Policy Details

The Access & Policy Details area divides itself into "Top Identities" and "Destination lists for <destination>." The information presented here helps you understand whether this destination exists in any of your custom destination lists so you can determine if any other policy affects whether this destination is allowed or blocked.

“Top Identities” lists all identities that looked up a particular domain. “Destination list for <destination>” lists all destination lists that include the destination you are investigating. Clicking a destination list takes you to the Destination Lists page (Policies > Destination Lists) and displays the destinations that make up the selected destination list in question. From this page, you can update this destination list if you need to change the destination’s status: blocked or allowed.

You can view all your policies to determine if updates are necessary based on information presented to you through the Destinations report.
Click View All Policies. This takes you to Umbrella’s Policy List page (Policies > Policy List).

You can also view all your Destination Lists.
Click View Destination Lists. This takes you to Umbrella’s Destination Lists page (Policies > Destination Lists).

Recent Activity

The Recent Activity area lets you investigate DNS activity for the destination. You can quickly see the identities that requested the destination, the response to that request (blocked or allowed) and the IP address from which the request originated. Viewing this information can help you make decisions about how to maintain your destination lists. Is an identity at risk because it is not being blocked from a malicious site or is it being blocked from domains to which it should have access? You can also use this information to monitor the DNS activities of an identity. Where is that identity going and should you be updating destination lists to block or allow this identity?

  1. Click View All Recent Activity to go to the Activity Search report (Reporting > Core Reports > Activity Search) where you can quickly view activity for the selected destination.

Activity Search Report < Destinations Report > Identities Report

Updated about a year ago

(Old Dec 6, 2019) Destinations Report

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.