The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find our comprehensive guides designed to help you use with Cisco Umbrella.

Get Started    

Getting Started with Reports

Use Cisco Umbrella's reports to monitor your Umbrella integration and gain a better understanding of your Umbrella usage. Gain insights into request activity and blocked activity, determining which of your identities are generating blocked requests. Reports help build actionable intelligence in addressing security threats including changes in usage trends over time.

See also:

Available Reports

  • Security Overview—Gives you a snapshot of your environment's security activities.
  • Security Activity—Security-related activity in your environment, including malware, phishing, and all other security categories over the selected time period. Filterable by identity, destination, source IP, and security category.
  • Activity Search—Activity from the identities in your environment over a selected time period. Filterable by identity name, destination, source IP, response, content category, and security category.
  • Destinations—Lists the most active destinations within your dashboard for all identities, and that allows you to go further and find out how the traffic for this destination from your identities compares to the traffic from all of the Umbrella global networks.
  • Identities—Lists your identities in the order of which is most active, then allowing you to drill down to find out more about that specific identity and what destinations they have visited, whether those destinations are malicious or not, and a trend of their overall traffic.
  • Cloud Services—Overview of cloud services accessed by your organization over the selected time period. Filterable by cloud service name, identity, and classification.
  • Total Requests—Total requests for destinations from your organization over the selected time period. Filterable by identity.
  • Activity Volume—Total queries within your organization broken down by security categories and results over the selected time period. Filterable by identity. This report has two views: Snapshot (table) and Trend Over Time (graph).
    • Categories: DNS requests that match a Content category (only records blocked domains).
    • Destination Lists: DNS requests that match an item on the Block or Allow destination lists (e.g Global Block and Global Allow).
    • Permitted: DNS requests that do not match a category or destination list but are allowed.
  • Top Identities—A list of the top traffic-generating identities over the selected time period. Filterable by identity and destination.
  • Top Domains—A list of the most requested domains within your organization over the selected time period. Filterable by identity, response, destination, content category, and security category.
  • Top Categories—A list of the top content categories for your organization over the selected time period. Filterable by identity and response.
  • Admin Audit Log—A record of any configuration changes made to your settings by any of your Umbrella administrators.

Report Retention

The reporting of information begins as soon as you start sending traffic to Umbrella.

The following reports are retained for two calendar years:

  • Total Requests
  • Top Domains
  • Top Categories
  • Top Identities

Activity Volume is retained for one calendar year.

You can review and filter reported data on various timelines. Timelines vary depending on the report, from the last hour to the last thirty days, and in some cases, custom date ranges in increments of time—up to 30 or 90 days—going back one to two years.

The following reports are limited to a 30-day search window:

  • Top Domains
  • Total Requests
  • Security Activity
  • Activity Search

Note: Umbrella does not retain Security Activity or Activity Search data for more than 30 days.

Admin Audit log Retention

The Admin Audit log retains data for one year. You can access data in three-month increments. For more information, see the Admin Audit Log Report.

Export Report Data to CSV

Some reports let you export the results of a query to the CSV format. This lets you create other reports and graphs by feeding this data to other tools.

Note: The timezone of exported data is always the timezone selected for your account. You can change this for your account under Admin > Accounts.

Exportable reports:

  • Activity Search
  • Cloud Services
  • Top Domains
  • Top Categories
  • Top Identities
  1. From the top of the report, click Download.
  1. Give your report a good meaningful title, add the number of rows of data you want returned and click Export.
    Note: Data is limited to 1,000,000 rows when exporting to CSV. If your report exceeds 1,000,000 rows, consider re-running the report with a shorter smaller time or with a more granular filter. It's a good idea to check the last row of your first report, then re-run the report from that time period for the next chunk of data.
  1. When you click Export, you are taken to the Exported Reports page where you can download your CSV file.
  1. Click the Download icon.
    Your CSV is automatically downloaded.

Bookmark and Share Reports

The Umbrella dashboard stores report state in the URL, making it easy to share a report with colleagues or bookmark a report for future use.

  1. Navigate to Reporting and click on your desired report.
  2. Filter the report to display the data you need.
  3. Use your browser's bookmark function. When you retrieve the bookmark the report will have the same filters applied. You can also share the URL of the page with any colleague in your organization with access to your dashboard.

If the report has a relative date filter (last 24 hours, last 7 days, etc) the relative filter will always be applied. If the report has an absolute date filter (Jan 7, 2019) the absolute filter will always be applied.


Getting Started with Reports > Scheduling Reports

Getting Started with Reports


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.