The /topmillion endpoint returns the Umbrella top popular domains seen list. The data can be downloaded in a zip file directly (see below), but the Investigate API can be used to stream this data into a SIEM more easily than downloading a file.
The popularity list contains our most queried domains based on passive DNS usage across our Umbrella global network of more than 100 Billion requests per day with 65 million unique active users, in more than 165 countries. Unlike Alexa, the metric is not based on only browser based 'http' requests from users but rather takes in to account the number of unique client IPs invoking this domain relative to the sum of all requests to all domains. In other words, our popularity ranking reflects the domain’s relative internet activity agnostic to the invocation protocols and applications where as ’site ranking’ models (such as Alexa) focus on the web activity over port 80 mainly from browsers.
As for Alexa, the site’s rank is based on combined measure of unique visitors (Alexa users who visit the site per day) and page views (total URL requests from Alexa users for a site). Umbrella popularity lists are generated on a daily basis reflecting the actual world-wide usage of domains by Umbrella global network users and includes root domains, subdomains in addition to TLDs (Alexa list has only this). In addition, Umbrella popularity algorithm also applies data normalization methodologies to smoothen potential biases that may occur in the data due to sampling of the DNS usage data.
For more information, see Cisco Umbrella 1 Million.
curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/topmillion?limit=1000"
Note: Without the limit, you will return all 1 million results. If this is done in a browser, the volume of memory being used can cause the browser to crash. We recommend only using this endpoint once a day at the maximum as the data does not change much within a day. The limit is the only parameter.
list of domains (no label)
the list of most popular domains, starting from the most popular and descending.
curl --include \ --header "Authorization: Bearer %YourToken%" \ https://investigate.api.umbrella.com//topmillion?limit=1000
[ "google.com", "netflix.com", "api-global.netflix.com", "microsoft.com", "www.google.com", "facebook.com", "doubleclick.net", "g.doubleclick.net", "googleads.g.doubleclick.net", "hola.org" ]