The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Activity Search Report

The Activity Search report helps you find the result of every DNS, URL, and IP request from your various identities, ordered in descending date and time. It lists all security (and non-security) related activity within the identities reporting to Umbrella for the selected time and also allows you to refine your search using filters to see only what you need to see. This can greatly assist you in determining if there are any security issues you may have within your organization that requires your attention.

By clicking an identity or destination, you can quickly pivot from this report to the Top Identities and the Top Destinations Reports. Each report can also lead you to the Identity Details and Destination Details reports as well for further information on individual identities and destinations.

Table of Contents

View the Activity Search Report

  1. Navigate to Reporting > Core Reports > Activity Search.
    This takes you to the default view of the Activity Search report, which lists all of your identities and the internet requests, or traffic events for your organization tracked over time. The default is 24 hours.
  1. Choose a time frame to view the report. You can view the results for the last 24 hours (default), Yesterday, Last 7 Days, Last 30 Days, or a Custom range.
  1. From the Requests menu in the upper-right, choose one of the request types or leave it as All Requests which is the default. Filters will update to those that are relevant to the type of request you have chosen.
  • Domain Requests (DNS)—Can be further filtered by the response, protocol, identity type, and security categories.
  • URL Requests—Can be further filtered by the response, protocol, identity type, and security categories. Some blocked actions will provide a reason for the block, such as Antivirus or Application Control. Clicking on a URL will take you to that destination's details.
  • IP Requests—Can not be filtered further.
  1. Filter results by the response type.
    Select Allowed, Blocked, or Proxied. By default, nothing is selected, so all responses are shown.
  1. Select either HTTP or HTTPS protocol. By default neither are selected so responses for both protocols are shown.
  1. Filter by event type. By default, none are selected so responses for all event types are shown.
  1. Filter by identity types.
  1. Filter by security categories.
    For more information about security categories, see DNS Security Categories and Web Security Categories.
  1. Filter by content categories.
    For a full list of content categories, see DNS Content Categories and Web Content Categories.
  1. Choose to optionally filter results by search options.
    • Include All Traffic—Includes data from all domains including noisy domains that are filtered out by default.

Configure Columns to Display

To change the layout of the data presented in the Activity Search Report, select Columns and then check or clear the information you want to see displayed and click Apply. You can also drag and drop items in the list to reorder their position on the page.

  • Action—The activity is either Blocked or Allowed.
  • Application—What application is involved with the activity when applicable. The Application field will only populate for traffic matching policies with Application Controls enabled. If no policies have Application Control enabled then the field will remain blank.
  • Categories—Content and Security categories flagged with the activity.
  • Date and Time—The date and time stamp of the activity.
  • Destination—The destination of the activity.
  • DNS Type—The record type for the DNS request.
  • External IP—The external IP address for the activity.
  • File Name—The name of the file involved with the activity where applicable.

File Name

File Name will only populate for traffic matching policies with File Type Control or File Inspection enabled (you can enable File Type Control without blocking any file types by clicking enable and saving the policy.) If none of the policies have File Type Control enabled then the file name and extension fields will remain blank.

  • Identity—The identity which performed the activity.
  • Internal IP—The internal IP address for the activity.
  • Policy or Ruleset Identity—The identity used to determine which policy applied to this activity.
  • Request—When All Requests is selected, this column displays the type of request for each event.

From your search results, you can click an identity or destination and go to their respective Identity Details or Destination Details reports.

View Actions

Learn more about the results of your activity search, click the View Actions icon for a result and choose an item from the menu.

See Full Details

With View Actions, you can view the full details of each activity result:

The detail fields available depend on the type of event.

Filter Views

Where applicable, certain results can be filtered by the following:

  • Filter by Application
  • Filter by Destination
  • Filter by URL
  • Filter by Identity
  • Filter by External IP

Investigate View

If you have an Investigate license, you may also have the option to view further details of the domain or URL in Investigate.

Schedule an Activity Search Report

You can schedule a report to be emailed to you at regular intervals. Your emailed report is a table showing an HTML version of the report and an attached CSV file containing the entire data set. Also included in your email is a link to a live version of the same report. For more about scheduled reports, see Schedule a Report.

When scheduling a new report for Activity Search, any current filters selected will apply.

Updated 18 days ago

Activity Search Report

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.