The investigate-ui Developer Hub

Welcome to the investigate-ui developer hub. You'll find comprehensive guides and documentation to help you start working with investigate-ui as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    


In the past, internet security has been largely predicated on researchers or vendors obtaining a sample of an attack, a binary file, or an exploit and then publishing static detection after the attack has taken place. Although we are starting to see more effective behavior analysis methods, for the most part, they are still reactive. Simply put, infections happen first, and detection happens second.

Additionally, reputation scoring relies on expert systems that need tuning by both researchers and customers with limited feature sets. This results in low coverage systems that don't scale with the increased volume and ever-advancing complexities of tomorrow's malicious attacks. Thus, it shouldn't be surprising that traditional anti-malware detection rates are diminishing.

At Cisco, we do not believe that this reactive approach to security is effective when dealing with emerging threats. This is why we have taken a different approach: a proactive one that predicts and detects attacks based on the way in which malware is delivered and botnet command and control is constructed. In essence, our research is able to predict the likelihood of whether a domain, IP address, or entire ASN is going to originate an attack or pose a security threat before it attacks or poses a threat.

Our security engineering teams built Investigate in order to predict, identify, and investigate the internet origin of attacks. Investigate was built leveraging data mining and algorithmic classification techniques such as machine learning, graph theory, anomaly detection, and temporal patterns in combination with contextual search, visualization, and scoring. We are able to leverage an extraordinary amount of data from our security network, and then apply big data storage, data mining methods, machine learning, graph theory, vector analysis, and other mathematical models to categorize and predict attacks before they happen.

Investigate is based on information gathered by the Umbrella Global Network, the world’s largest security network.

About this Guide

This document explains the information and scores that Investigate displays and is intended to help give you a better idea of how to interpret these results. At times, we will reference the Investigate API. For more information, see our Umbrella Investigate REST API documentation.

The Umbrella security team publishes research that underlies the results that Investigate provides to our blog. To help you gain some real-world context for the features of Investigate, you can read our blog here.

Access Umbrella Investigate

To access Investigate, sign in—using your Umbrella account credentials—to

Only those users that have explicitly been granted rights to Investigate have access to it.

Managing accounts can be done through your account settings, at

Introduction > Getting Started

Updated about a year ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.