The Identities report gives you access to activity information about your identities, showing which are the most active and which destinations they are visiting. From the top-level Identities report, you can access an Identities report that is specific to an identity. Here you can explore details about its activities at the domain level, determining which sites it has visited and when. This detailed information can help you determine if an identity has visited sites that you should block.
This report is only available for customers with Umbrella Insights or Platform packages, or for MSPs and customers of those MSPs. For more information on upgrading your package, please contact your Cisco Umbrella representative.
- Navigate to Reporting > Core Reports > Identities.
This takes you to the top level of the Identities reports page, which lists identities by requests made within the selected time period. The default is 24 hours.
- Click an identity to go to the Identities report for that identity.
For details about how to read an Identities report, see Understanding an Identities Report.
Like other Umbrella reports, an Identities report is time-based. You can generate a report to document activities for the last 24 hours, the previous calendar day (yesterday), the last seven days, and the last month.
- If you can't find an identity you're interested in, you can search for it.
When you search for an identity, the search bar dynamically updates to list all identities related to your entry. You can select an identity from the resulting list or select All results with a name like: <name>.
You can also perform an advanced search. Click Advanced in the search bar and the Advanced pop-up window opens.
Search by identity name or type, or both. This can help you narrow your search results if you want to see all identities of the same type or if there are multiple identities with the same name.
When you search for an identity, your results depend on the type of search parameters you have selected. Umbrella returns only the identity selected or all related identities. In our example, we've searched for all identities with a name like office that have been active within the last 24 hours. Umbrella returns any related identities along with the number of requests made by each identity. For office, this search returns seven identities, with Office Nat 1 being the most active within the last 24 hours.
An Identities report for an identity charts activities for that identity within the specified time period. The report is broken into three areas of reporting that help you answer critical questions about the activities of identities on your network:
Note: You might notice that you cannot schedule an Identities report or download one either. This is due to the way in which information in this report is presented to you graphically rather than textually. If you'd like to see these features added to this report, email us with a request: email@example.com.
Activity charting graphically displays DNS activity for the selected identity within the selected time period. This visualization of DNS activities lets you quickly see where the peaks and valleys are for request activities by that identity. This can help in your investigation of any suspicious activities. At the top of the page, the report lists the number of requests the identity has made during the selected time period. To help you to compare various activities, you can turn various line graphs on and off, overlaying them for quick comparisons.
The trend filters, Blocked (Trend), Allowed (Trend), and Proxied (Trend), each display the lowest and highest points of activity along the chart’s x-axis for the selected date based on activity going back seven weeks. You can use these filters to compare current activity against past activity. This can help you visualize traffic for an identity over time, letting you get a sense of what its “normal” activity is, and by extension where there might be some sort of unexpected activity or security risk.
Apply trend filters by selecting them underneath the chart. You can turn them all on or off, or just filter for one or two trends. Here, we’ve turned on the Blocked (Trend) filter and applied it against Blocked requests.
Once you’ve turned on a filter, when you hover over a point on the chart, you can see the trend details for that filter at that point in time.
For example, compare Blocked (Trend) against current Blocked request activity. You’ll see in the chart above that on Jan 20 (a Tuesday) the trend over the last seven Tuesdays has been a minimum of 612 blocked requests and a maximum of 7674. We can also see that for this day (Jan 20) there were 15666 blocked requests, which is more than double the trend of blocked requests for that day. This unusual activity may indicate a security problem that you can further investigate by clicking the Blocked point for this day, which takes you to the Activity Search report for the day clicked.
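The same-weekday comparison described above can be reproduced outside the chart. The following is an added example, not Umbrella code: it assumes you already hold daily blocked-request counts for one identity as a date-to-count mapping (how you obtain them is outside this page), and the function names, the year, and the sample values other than 612, 7674 and 15666 are constructed for illustration.

```python
from datetime import date, timedelta

WEEKS_BACK = 7  # the report's trend looks back seven weeks


def weekday_trend(daily_counts, day, weeks_back=WEEKS_BACK):
    """Return (low, high) for the same weekday over the prior weeks.

    daily_counts maps datetime.date -> request count. Weeks without data
    are skipped; returns None when there is no history at all.
    """
    prior_days = (day - timedelta(weeks=w) for w in range(1, weeks_back + 1))
    history = [daily_counts[d] for d in prior_days if d in daily_counts]
    if not history:
        return None
    return min(history), max(history)


def flag_outliers(daily_counts, days):
    """Return (day, count, low, high, ratio_to_high) for days outside the band."""
    findings = []
    for day in days:
        trend = weekday_trend(daily_counts, day)
        if trend is None or day not in daily_counts:
            continue
        low, high = trend
        count = daily_counts[day]
        if count < low or count > high:
            ratio = round(count / high, 2) if high else None
            findings.append((day, count, low, high, ratio))
    return findings


# Constructed sample: blocked requests for one identity on eight Tuesdays.
# 612, 7674 and 15666 are the figures quoted in the text; the year and the
# other counts are made up for illustration.
TUESDAY = date(2015, 1, 20)
COUNTS = [612, 4100, 7674, 2200, 1800, 5000, 3100, 15666]
BLOCKED = {TUESDAY - timedelta(weeks=7 - i): c for i, c in enumerate(COUNTS)}

if __name__ == "__main__":
    for day, count, low, high, ratio in flag_outliers(BLOCKED, [TUESDAY]):
        print(f"{day}: {count} blocked, trend {low}-{high}, {ratio}x the trend maximum")
```

A day that falls below the trend minimum is flagged as well, since a sudden drop in requests from an identity can be as worth investigating as a spike.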
The Security Details area divides itself into "Top Destinations" and "Top Security Categories." The information presented here helps you understand whether the activities of the identity you are investigating pose a risk and helps you determine if you need to make changes to your blocked and allowed destination lists.
Top Destinations lists requests that the identity has made to destinations that pose a security risk, be it malware, phishing, etc. You can also view all top destinations for the identity by selecting the All tab.
- Click View All Destinations. This takes you to the Reporting > Additional Reports > Top Domains page.
Top Security Categories lists the types of security threats that have resulted from requests to visit malicious destinations.
- Click View All Categories. This takes you to the Reporting > Additional Reports > Top Categories page.
The Recent Activity area lets you investigate DNS activity for the identity. You can quickly see the destinations requested by the identity, the response to that request (blocked or allowed) and the IP from which the request originated. Viewing this information can help you make decisions about how to maintain your destination lists. Is an identity at risk because it is not being blocked from a malicious site or is it being blocked from domains to which it should have access? You can also use this information to monitor the DNS activities of an identity. Where is that identity going and should you be updating destination lists to block or allow this identity?