The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Manage Security Settings

Cisco Umbrella's Security Categories are categories of security threat defense. We've categorized security threats to give you more control over exactly how you'd like to protect identities.

These categories are used in creating policies and in viewing reports for when things are blocked, or even when they are not. If a domain matches a security category but is not set to be blocked by a security setting in your policy, this is still reported as an allowed visit to a destination that matches one of the security categories. All of these security categories are important in understanding our other Umbrella reports, starting with the Security Overview Report.

  1. Navigate to Policies > Management > All Policies and click through the wizard until you reach the Security Settings page.

By default, three security categories are enabled, Malware, Command Control Callbacks, and Phishing. In general, we suggest that you find the right combination for your organization's policies—some identities may require a more strict security posture than others. However, there are some categories we recommend enabling for most or all identities unless you are simply testing to see what Umbrella would have blocked.

This does not mean you shouldn't use these categories in your policy, just that you should monitor your reports to see if these categories make sense to apply to your identities.


  • Command Control Callbacks—Prevent compromised devices from communicating with hackers' command and control servers through any application, protocol or port and help identify potentially infected machines on your network. Recommended to be ON. Note: this category was previously called 'botnet' in earlier versions of Umbrella. We've changed the name to better reflect what this security category prevents; the blocked destinations are the command and control for the botnet itself.
  • Cryptomining—Allows you to block identities from accessing known crypto mining pools where miners group together and share resources—processing power—to better gather and share cryptocurrencies, and from known web crypto mining source code repositories. By blocking crypto mining, Umbrella protects you from the recent emergence of cryptomining malware. Off by default.
  • DNS Tunneling VPN—VPN services that allow users to disguise their traffic by tunneling it through the DNS protocol. These can be used to bypass corporate policies regarding access and data transfer. Off by default.
  • Dynamic DNS—Block sites that are hosting dynamic DNS content. Off by default.
  • Malware—Block requests to access servers hosting malware and compromised websites through any application, protocol, or port. Recommended to be ON.
  • Newly Seen Domains—Detect domains that have been seen being queried for the first time very recently. For more important information on this category, read here. Off by default.
  • Phishing Attacks—Protect users from fraudulent hoax websites designed to steal personal information Recommended to be ON.
  • Potentially Harmful Domains—Domains that exhibit suspicious behavior and may be part of an attack. This category has a higher risk of unwanted detections. For more information, see "Potentially Harmful" Security Category. Off by default.

All of these security categories are important in understanding our other Umbrella reports, starting with the Security Overview Report.


There is also a sub-category—Integrations—that's available for some packages. The Integrations security category consists of domains that have been added to Umbrella through individual integrations. For more about integrations, read here.

Umbrella Policy Tester < Manage Security Settings > Manage Content Categories

Updated 5 months ago

Manage Security Settings

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.