Security Overview Report

To help you gain a better perspective on security-related activity within your Umbrella environment, the Security Overview report provides easy-to-read charts of your organization's identities and their activity. You can see what's going on with groups of identities, the types of internet requests they're making, and where problems might be popping up. You can then pivot from the Security Overview report to more advanced reports and determine whether there are security risks to your environment that require you to take action.

Access the Security Overview Report

  1. Navigate to Reporting > Core Reports > Security Overview.
    The Security Overview report is divided into three main areas. At the top, you'll find overview charts for security events. The middle area provides you with a hierarchical view of your security activity—what is generating the most activity—and from which you can click through to other reports—Destination, Identity, and Activity Search. The bottom of the report is where you'll find statistical charts documenting the deployment activity for your organization.

Filtering Based on Time Period

The Security Overview report is time-based and can be generated to show activity for the last 24 hours, the previous calendar day (yesterday), the last seven days, or the last month.

Schedule a Report

You can schedule a report to be emailed to you at regular intervals. The email contains a table showing an HTML version of the report, an attached CSV file containing the entire data set, and a link to a live version of the same report. For more about scheduled reports, see Scheduling Reports.

  1. Click Schedule and follow the Scheduling wizard's prompts.

Tip

Umbrella reports are highly time dependent. Time is UTC by default but can be changed to a different timezone on a per-user basis. Navigate to Settings > Accounts and update your account's time setting.

Filter Security Activity

Filters allow you to change the types of events and identities shown in the security blocks section. You can toggle "monitoring only mode" by choosing Security Blocks or All Security Events. All Security Events includes events that were tagged as security but were not blocked.

If filters are not visible, click Filters.

The report is intelligent enough to default to the correct mode, so if your organization has no security blocks for the time period selected, it will automatically default to All Security Events, showing the potential events that could have been blocked. If there are any security blocks for a time period, the report will show the blocks. This filter allows users to toggle back and forth between the two views.

Filters – Events and Identities

The Events and Identities filters work in conjunction with each other, meaning that they are always both on but can be set up in different combinations. You might select Events > Security Blocks in combination with Identities > All Identities or Events > Security Blocks with Exclude Sites & Networks.

Networks generate a far higher volume of traffic than a single computer, so excluding them from the report can help identify particular machines with an unusually high volume of security events being blocked (or allowed, as the case may be).

Selecting an Events filter changes the events returned for the most active destinations, identities, and request types:

  • Security Blocks—Lists only those requests blocked by Umbrella for the selected time period.
  • All Security Events—Lists all security events for the selected time period. This is the default view if there are no security events within the selected time period.

Selecting an Identities filter changes the identities returned for the most active destinations, identities, and request types:

  • All Identities—Lists all requests for all identities for the selected period.
  • Exclude Sites & Networks—Lists all requests for roaming clients and active directory (AD) users.

Selecting any combination of filters changes the charts to reflect that combination.

Events – Security Blocks and All Security Events

The top set of charts provides a quick, easy-to-follow overview of security activity that has occurred within your organization for the selected time period. Your view is based on the default Events filter selected:

  • Security Blocks—If there has been a security event within the selected time period.
  • All Security Events—If there has NOT been a security event within the selected time period.

You can quickly see spikes in activity that might indicate a change or threat to your environment that requires your attention. Roll over each chart to see the number of events that occurred at that time, then click at that point to go to the Activity Search page and see activity details for that specific time.

Security Blocks Filter

  • All Requests—All requests (blocked and allowed) made within the selected time period.
  • All Blocked Requests—All requests blocked within the selected time period. This includes requests blocked by content access settings (Policies > Policy Components > Content Categories) and requests blocked from your custom destination lists (Policies > Policy Components > Destination Lists).
  • All Security Blocks—All blocks based on security category settings only, not including blocks as a result of destination lists or content categories. Security Blocks is shown if there are security blocks for the selected time period or if the Security Blocks filter is selected.

All Security Events Filter

  • All Requests—All requests (blocked and allowed) made within the selected time period.
  • All Blocked Requests—All requests blocked within the selected time period. This includes requests blocked by content access settings (Policies > Policy Components > Content Categories) and requests blocked from your custom destination lists (Policies > Policy Components > Destination Lists).
  • All Security Events—A total of all security events that were blocked and that could have been blocked if the policy were adjusted to include the category as blocked for the identities in question. This helps show if policies should be tightened to block something you're missing, or if you're evaluating Umbrella and aren't ready to flip on enforcement. This is displayed if there are no security events for the selected time period or if All Security Events filter is selected.

Most Active Destination, Identity, or Request Type

You can view which destination, identity, or request type is generating the highest number of blocks within your environment. These are not the most active generally, just the ones that are most blocked. From the lists of most active types, you can click through to specific reports to get specific detail.

Use this information to determine which destinations, identities, or types are seeing the most activity and use them as a jumping off point to other more advanced reports. This can help you to determine if there are changes you need to make that will better protect your environment.

Click View Blocked Requests to go to the Activity Search report and see a detailed list of all blocked requests.

By Destination

The By Destination tab lists security activity by destination. Either Blocked Requests or Requests are listed depending on the Events filter selected.

Click a destination to go to the Destinations report for that destination.

By Identity

The By Identity tab lists security activity by identity. Either Blocked Requests or Requests are listed depending on the Events filter selected.

Click an identity to go to the Identities report.

By Type

The By Type tab lists security activity by request type (domain or URL). Either Blocked Requests or Requests are listed depending on the Events filter selected.

Click a type to go to the Security Activity report.

Active Identities

At the bottom of the report, you'll find charts that summarize, as percentages, the deployment activity for your organization. Active Networks, Active Roaming Clients, and Active Virtual Appliances quickly show you how many of each type are currently online and active.

  • View Networks takes you to the Deployments > Core Identities > Networks page.
  • View Roaming Clients takes you to the Deployments > Core Identities > Roaming Computers page. (Not available with all Umbrella packages.)
  • View Virtual Appliances takes you to the Deployments > Configuration > Sites and Active Directory page. (Not available with all Umbrella packages.)
