The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Activity Search Report

The Activity Search report helps you find the result of every DNS, URL, and IP request from your various identities, ordered in descending date and time. It lists all security (and non-security) related activity within the identities reporting to Umbrella for the selected time and also allows you to refine your search using filters to see only what you need to see. This can greatly assist you in determining if there are any security issues you may have within your organization that requires your attention.

By clicking an identity or destination, you can quickly pivot from this report to the Top Identities and the Top Destinations Reports. Each report can also lead you to the Identity Details and Destination Details reports as well for further information on individual identities and destinations.

Table of Contents:

Understand the Activity Search Report

Navigate to Reporting > Core Reports > Activity Search.
This takes you to the default view of the Activity Search report, which lists all of your identities and the internet requests, or traffic events for your organization tracked over time. The default is 24 hours.

Click the refresh icon to refresh your search results while maintaining the current filters.

Request Types

From the Requests menu in the upper-right, choose one of the request types or leave as All Requests which is the default. Filters will update to those that are relevant to the type of request you have chosen.

  • Domain Requests (DNS)—Can be further filtered by the response, protocol, identity type, and security categories.
  • URL Requests—Can be further filtered by the response, protocol, identity type, and security categories. Some blocked actions will provide a reason for the block, such as Antivirus or Application Control. Clicking on a URL will take you to that destination's details.
  • IP Requests—Can not be filtered further.

Requests by Umbrella Package

Insights and Platform customers see all requests (DNS, URL, and IP) with a selector to filter down to a specific data type. DNS only customers (Professional, Premium DNS, Branch, Roaming, and WLAN packages) will only see DNS data.

Time Frame

You can change the time frame for your search from the default of 24 hours to Yesterday, Last 7 Days, Last 30 Days, or a Custom range:


To change the layout of the data presented in the Activity Search Report, select Columns and then check or clear the information you want to see displayed and click Apply. You can also drag and drop items in the list to reorder their position on the page.

  • Action—The activity is either Blocked or Allowed.
  • Categories—Content and Security categories flagged with the activity.
  • Date and Time—The date and time stamp of the activity.
  • Destination—The destination of the activity.
  • External IP—The external IP address for the activity.
  • File Name—The name of the file involved with the activity where applicable.
  • Identity—The identity which performed the activity.
  • Identity Used by Policy—The identity used to determine which policy applied to this activity.
  • Internal IP—The internal IP address for the activity.


Use filters to refine your search so that you can view the specific data you're looking for. The "filter pills" that appear at the top of the page let you quickly see all of the filters that you have selected, including some in the Advanced Search. They are arranged on the page chronologically, so if you get to a point where the last filter you've selected results in a search returning nothing you can clear the last filter selected by clicking X for that filter pill and you should see results again.

Click the Filters icon to open the Search Filters box. Use the Search filters box to help you locate a filter. Once you have selected the necessary filters, click Apply to apply the filters to the search.

  • Response—Select Allowed, Blocked and/or Proxied. By default, none are selected, so all responses are shown.
  • Protocol—Select either HTTP or HTTPS protocol. By default neither are selected so responses for both protocols are shown.
  • Event Type—The type of activity such as applications that are downloaded or blocked, malware detected by Cisco Amp, or integrations with 3rd party products. By default, none are selected so responses for all event types are shown.
  • Identity Type—Select one or more identity types, such as Networks, Roaming Computers, Sites, and so on. By default, no identity types are selected, so all identity types are shown.
  • Security Categories—Select the security categories to show. By default, none are selected, so all are shown.
  • Search Options—By default "noisy" domains are filtered out of search results. To include all traffic select Include "Noisy" Domains.

From your search results, you can click an identity or destination and go to their respective Identity Details or Destination Details reports.

View Actions

To start learning more about the results of your activity search, click the View Actions icon for a result and choose an item from the menu.

See Full Details

With View Actions, you can view the full details of each activity result:

Click on Suggest Security Categorization if you would like to suggest a security category for this particular event.

Filter Views

Where applicable, certain results can be filtered by the following:

  • Filter by Application
  • Filter by Destination
  • Filter by URL
  • Filter by Identity
  • Filter by External IP

Investigate Views

If you have an Investigate license, you may also have the option to view further details of the domain or URL in Investigate.

Schedule a Report

You can schedule a report to be emailed to you at regular intervals. Your emailed report is a table showing an HTML version of the report and an attached CSV file containing the entire data set. Also included in your email is a link to a live version of the same report. For more about scheduled reports, see Schedule Reports.

  1. Click Schedule and follow the Scheduling wizard's prompts.

Search for Activity

It's easy to search for the activity of a specific identity you’re interested in. Add the destination (domain, IP or URL), the identity's name or a combination of both to the search bar at the top of the page and press Enter.

Any field in the 'Advanced' dropdown can be typed in directly.

  1. Click Advanced to perform a more detailed search.
  2. Enter the specifics of your search and then click Search. You don't have to enter information for each search field; just enough to yield specific results.
  • Identity—Includes most identity types such as users (including SAML if enabled), networks, sites and roaming clients. Check "Exclude identity" to exclude results with the given identity.
  • Domain—You can search for more than one domain at a time. When you add a domain, a new field appears so that you can add another domain. Check "Exclude domain" to exclude results with the given domain.
  • SHA256—Search by the hash function.
  • URL—Search by specific URL path.
  • IP—Search for events associated with IP addresses on your network (either internal or the public egress IP address). This does not provide the capability to search for destination IP addresses.
  • Application—Search by name to find a specific application.
  • File Name—Search by the name of a file.

Security Activity Report < Activity Search Report > Destinations Report

Updated 5 months ago

Activity Search Report

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.