The investigate-ui Developer Hub

Welcome to the investigate-ui developer hub. You'll find comprehensive guides and documentation to help you start working with investigate-ui as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Domain Summary

The Domain view is displayed whenever you search for a domain name. You can be as specific as you'd like; for example, However, you should not include the protocol as Investigate is protocol agnostic. You should also not include any URL information—just the domain.

Domain Summary

The first section of information that is displayed for a domain is the Summary.

The Domain Summary section lists the Umbrella Investigate Risk Score, sub-scores, security categorizations, content categorizations, and key domain notifications. When a domain is malicious, additional domain details are displayed regarding the malicious categorization.

Domain Risk Score

The Umbrella Investigate Risk Score is based on an analysis of the domain name, the DNS query behavior of the domain, and analyst review of the domain.

Umbrella Risk score enhancements include a new emphasis on the lexical characteristics of domain names along with some key behavioral components. These scores are synthesized into one overall score—much like a credit score is made of account balances, lending history, debt ratios, and other components. The new DNS components are:

  • Lexical
    • Keyword Score
    • Lexical Score
  • Behavioral
    • TLD Rank Score
    • Geo Popularity Score


The following subscores are available currently. However, our overall score is made of many indicators. As we continue to improve the overall risk score with new features, we will evaluate good candidates for further release.

Keyword Score:

Many phishing attacks still try to take advantage of the weakest link in the security chain: people. If a domain name contains words related to legitimate companies and services, it is more likely to trick people into clicking. This style of social engineering continues to be a common technique of attackers, and we have built a method of detecting when domains are pretending to be something they are not.

Lexical Score:

A mainstay of communication between infected machines and command and control servers are domains created using domain generation algorithms (DGAs). This circumvents any need to embed the location of control servers directly in the malware, and it enables attackers to regain control of their botnets even in the face of sinkholing and takedowns. Using a generalization of the method behind the Cisco Umbrella DGA score, we can now more reliably predict when hostnames were generated in this fashion without having to rely on slower methods such as developing models of what lexical patterns to look for.

TLD Score:

Not all top level domains are created equal. Over the years, the TLDs of choice for spammers and other criminals have changed according to factors such as cost, ease of batch registration, verification of registrant identity, and abuse complaint policies. Using our global reach, we can assess the risk indicated by the currently observed abuse levels, and combined with our other indicators, help security analysts make more informed decisions.

Geo Popularity:

Cisco Umbrella's global complement of data centers gives us exceptional visibility into DNS requests made by clients around the world. Is a domain getting requests from a country where it typically doesn't? Did the number of countries requesting a domain suddenly change? By analyzing requests to domains across all countries in the world, patterns emerge that allow us to detect anomalous behavior and identify increased risk.

Domain Summary > Notification Alerts

Updated about a year ago

Domain Summary

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.