The Umbrella Deployment Documentation Developer Hub

Welcome to the Umbrella Deployment Documentation developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella Deployment Documentation as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Activity Search Report

The Activity Search report helps you find the result of every DNS, URL, and IP request from your various identities, ordered in descending date and time. It lists all security (and non-security) related activity within the identities reporting to Umbrella for the selected time and also allows you to refine your search using filters to see only what you need to see. This can greatly assist you in determining if there are any security issues you may have within your organization that require your attention.

By clicking an identity or destination, you can quickly pivot from this report to the Identities and Destinations reports.

Access the Activity Search Report

  1. Navigate to Reporting > Core Reports > Activity Search.
    This takes you to the default view of the Activity Search report, which lists all of your identities and the internet requests, or traffic events for your organization tracked over time. The default is 24 hours.
    Note: The Activity Search is limited to 500 results per query. If you require more than 500 results, use the time filter to chunk results by time, and export each set of results. Alternately, refine the filter to remove results you're not interested in.

Insights and Platform customers see all requests (DNS, URL, and IP) with a selector to filter down to a specific data type. DNS only customers (Professional, Premium DNS, Branch, Roaming, and WLAN packages) will only see DNS data. For more information on upgrading your package to include Proxy (URL) and IP support, please contact your Cisco Umbrella representative.

  1. From the Requests menu in the upper-right, choose one of All Requests, Domain Requests (DNS), URL Requests, or IP Requests.
    Filters will update to those that are relevant to the type of request you have chosen.
  1. Optionally, change the time period for your search.
  1. Optionally, select Columns and then check or clear the information you want to see displayed.
    You can drag and drop items in the list to reorder their position on the page.
  1. Select filters and click Apply.
    Click the Filters icon to open the Search Filters box. Use the Search filters box to help you locate a filter.
    Note: There are no filters for IP Requests.

From your search results, you can click an identity or destination and go to their respective identities or destinations report. These reports give you even greater insight into your organization's internet activity.

  1. To start learning more about the results of your activity search, click the View Actions icon for a result and choose an item from the menu.

With View Actions, you can view the full details of each activity result.

Use View Actions to refine your results by filtering based on a single internet activity. Filter activity so that you can see all result with the same identity, destination, or IP address.

If you have access to Investigate, you can also click through to Investigate and view the domain URL, or IP address details there.

Identity Used by Policy

If you enable the Identity Used by Policy column, you can see the identity used to determine the policy applied to a request. Requests can often have multiple identities; you can see all identities by choosing See Full Details from the View Actions menu on the right-hand side of each request row.

Schedule a Report

You can schedule a report to be emailed to you at regular intervals. Your emailed report is a table showing an HTML version of the report and an attached CSV file containing the entire data set. Also included in your email is a link to a live version of the same report. For more about scheduled reports, see Schedule Reports.

  1. Click Schedule and follow the Scheduling wizard's prompts.


Umbrella reports are highly time dependent. Time is UTC by default but can be changed to a different timezone on a per-user basis. Navigate to Settings > Accounts and update your account's time setting.


Like other Umbrella reports, the Activity Search report is time-based. You can generate a search report to document activities for the last 24 hours, the previous calendar day (yesterday), the last seven days, the last month, or a custom date range.

If you want to search using a custom date range, select Custom range.
Note that even with the custom date range, you are limited to a thirty-day time frame.

Selecting Relative Time lets you set a date range that is relative to the current day. For example, you might set a date range that starts six days ago and ends three days ago.


Most, if not all, Umbrella reports are highly time dependent. The time is UTC by default, but can be changed to a different timezone on a per-user basis. Navigate to Settings > Accounts and update your account's time setting.

Search for Activity

It's easy to search for the activity of a specific identity you’re interested in. Add the destination (domain, IP or URL), the identity's name or a combination of both to the search bar at the top of the page and press Enter.

Any field in the 'Advanced' dropdown can be typed in directly.

Note: The IP portion of the Advanced Search allows a user to search for events associated with IP addresses on their network (either internal or the public egress IP address), it does not provide the capability to search for destination IP addresses.

  1. Click Advanced to perform a more detailed search.
  2. Enter the specifics of your search and then click Search. You don't have to enter information for each search field; just enough to yield specific results. You can search for more than one domain at a time. When you add a domain, a new field appears so that you can add another domain.
    Note: Search parameters differ between request types.

Use filters to refine your search so that you see exactly what you want. The "filter pills" that appear at the top of the page let you quickly see all of the filters that you have selected. They are arranged on the page chronologically, so if you get to a point where the last filter you've selected results in a search returning nothing you can clear the last filter selected by clicking X for that filter pill and you should see results again.

If filters are not visible, click the Toggle Filters icon.

When you select a filter, it appears at the top of the page so that you can easily see how you are filtering your report. Quickly change how you're filtering your report filter by removing them here instead of searching for them on the side of the page.

All Request Filters

Filter by response, protocol, identity type, security categories, and content categories. Select any or all of these filters.

Domain Request Filters

Filter by response, protocol, identity type, and security categories. Select any or all of these filters.

URL Request Filters

Filter by response, protocol, identity type, and security categories. Select any or all of these filters.

Security Activity Report < Activity Search Report > Destinations Report

Activity Search Report

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.