Activity Search Report
The Activity Search report helps you find the result of every DNS, URL, and IP request from your various identities, ordered in descending date and time. With additional SIG licenses, Firewall logs and IPS events are also available. The report lists all security (and non-security) related activity within the identities reporting to Umbrella for the selected time. You can also refine your search using filters to see only what you need to see. This can greatly assist you in determining whether or not there are any security issues you may have within your organization that require your attention.
By clicking an identity or destination, you can quickly pivot from this report to the Top Identities and the Top Destinations reports. Each report can also lead you to the Identity Details and Destination Details reports. These reports provide you with more information about individual identities and destinations.
Table of Contents
- Prerequisites
- Limitations
- View the Activity Search Report
- Configure Columns to Display
- View Actions
- Save Activity Search Report Columns and Filters for Future Use
- Schedule an Activity Search Report
- Use Search and Advanced Search
Prerequisites
- A minimum of Read Only access to the Umbrella dashboard. See Manage User Roles.
Limitations
The Activity Search report displays a maximum of the 10 K most recent events within a timeout period of 50 seconds. If you require the ability to view or search more events, consider logging your events to an Amazon S3 bucket—either your own, or one managed by Cisco.
View the Activity Search Report
- Navigate to Reporting > Core Reports > Activity Search.
This takes you to the default view of the Activity Search report, which lists all of your identities and the internet requests or traffic events for your organization, tracked over time. The default is 24 hours.
- Choose a time frame to view the report. You can view the results for the last 24 hours (default), Yesterday, Last 7 Days, Last 30 Days, or a Custom range.
Note: If your data for the last 30 days is significant, we recommend exporting S3 logs. For more information see Manage Your Logs.
- From the Requests menu in the upper-right, choose one of the request types or leave it as All, which is the default. Filters will update to those that are relevant to the type of request you have chosen.
- DNS—Can be further filtered by the response, protocol, identity type, and security categories.
- Web—Can be further filtered by the response, protocol, identity type, and security categories. Some blocked actions will provide a reason for the block, such as Antivirus or Application Control. Clicking on a URL will take you to that destination's details.
- IP-Layer Enforcement—Cannot be filtered further.
- Firewall—Can be further filtered by Responses: Allowed or Blocked.
- IPS—Can be further filtered by Signature: Log Only, Would Block, or Blocked.
Requests by Umbrella Package
Not all requests are available to all packages. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.
- Filter results by the response type.
Select Allowed, Blocked, or Proxied. By default, nothing is selected, so all responses are shown.
If Allowed is selected, click Advanced to choose further options. You have the option to see all allowed events, Allow-Security Overridden, or only events Allowed by security policies. For more information on the Allow-Security Override, see the Override Security section of Add Rules to a Ruleset. Click Apply to enable the advanced filter.
- Filter results by requests that were warned or accessed after a warn.
- Filter by isolated events. For more information, see Understand Isolated Destinations.
- Filter by IPS signature. For more information, see Manage IPS.
- Log Only—Displays the IPS events for the Log-only signature matches.
- Would Block—Traffic where a signature matched in detection mode and would have been blocked if protection mode was enabled.
- Blocked— Traffic blocked by IPS when a signature matched in protection mode.
- Select either HTTP or HTTPS protocol. By default neither are selected so responses for both protocols are shown.
- Filter by event type. By default, none are selected so responses for all event types are shown.
- Filter by identity types.
- Filter by security categories.
For more information about security categories, see DNS Security Categories and Web Security Categories.
- Filter by content categories.
For a full list of content categories, see DNS Content Categories and Web Content Categories.
- Choose to optionally filter results by search options.
- Include All Traffic—Includes data from all domains including noisy domains that are filtered out by default.
- Filter by Uncategorized—Includes destination that are not classified under a specific security or content category. For more information see the definition of Uncategorized in Web Content Categories.
Configure Columns to Display
To change the layout of the data presented in the Activity Search Report, select Columns. Check or clear the information you want to see displayed, then click Apply. You can also drag and drop items in the list to reorder their position on the page.
- Action—The activity is either Blocked or Allowed.
Note: Certificate and TLS error events display as Blocked – Certificate Error. These errors will only be displayed where the request is processed by a ruleset that has ‘HTTPS inspection’ and 'File Analysis' enabled. For more information about these errors, see Certificate and TLS Protocol Errors. - Application—What application is involved with the activity, when applicable. The Application field will only populate for traffic matching policies with Application Controls enabled. If no policies have Application Control enabled, then the field will remain blank.
- Application Category—If an application is involved with the activity, this column contains the categories associated with the application. To see a full list of application categories, see Application Categories. This is currently only applicable to Firewall policies.
- Application Protocol—If an application is involved with the activity, this column contains the protocol for the application (HTTP, SSL, RTP, DNS, or none).
- Categories—Content and Security categories flagged with the activity.
- Content Type—The type of content the user is able to see.
- Date and Time—The date and time stamp of the activity.
- Destination—The destination of the activity.
- DNS Type—The record type for the DNS request.
- External IP—The external IP address for the activity.
- File Extension—The extension of the file involved in the activity, where applicable.
- File Name—The name of the file involved with the activity, where applicable.
File Name
File Name will only populate for traffic matching policies with File Type Control or File Inspection enabled (you can enable File Type Control without blocking any file types by clicking enable and saving the policy.) If none of the policies have File Type Control enabled then the file name and extension fields will remain blank.
- Identity—The identity which performed the activity.
- Internal IP—The internal IP address for the activity.
- Policy or Ruleset Identity—The identity used to determine which policy applied to this activity.
- Protocol—Displays whether the protocol is HTTP or HTTPS.
- Referer—The ID of the program that made the request.
- Request—When All Requests is selected, this column displays the type of request for each event.
- Ruleset or Rule—The rule or policy applied. For further information on the rule (such as destination list or schedule applied) see See Full Details. Clicking on the policy or Rule name will redirect you to that policy or Rule.
- Status Code—Standard HTTP status codes.
Column Availability
Content Type, File Extension, Referrer, and Status Code are only available in SIG licenses.
Protocol and Rule are only available in CDFW (part of Cisco Umbrella SIG Essentials subscription) licenses. For more information, see Determine Your Current Package.
From your search results, you can click an identity or destination and go to their respective Identity Details or Destination Details reports.
View Actions
To learn more about the results of your activity search, click the View Actions icon (the blue ellipsis at the right of each item in the search results) for a result and choose an item from the menu.
See Full Details
With View Actions, you can view the full details of each activity result:
The detail fields available depend on the type of event.
Filter Views
Where applicable, certain results can be filtered by the following:
- Filter by Application
- Filter by Destination
- Filter by URL
- Filter by Identity
- Filter by External IP
Investigate View
If you have an Investigate license, you may also have the option to view further details of the domain or URL in Investigate.
Save Activity Search Report Columns and Filters for Future Use
When you apply a filter to the Activity Search Report, or select specific columns for display, you can save those selections so they can be used again in the future without making the individual selections again.
When you apply a filter or select columns, a SAVE SEARCH button appears on the Activity Search page.
You can use apply any combination of filters and columns. In the example below the filter applied is Response = Allowed, and the columns selected are Request, Identity, Destination IP, Destination, Destination Country, Internal IP, External IP, Action, Categories, Public Application, Client Reporting ID, Date & Time, Policy or Ruleset Identity, Source, IPS Signature, Protocol, Ruleset or Rule, Application Category, and Application Protocol.
- Click the SAVE SEARCH button.
- In the dialog that appears, review the filters to be applied to the saved search. If they are correct, click CONTINUE. Otherwise click CANCEL.
- In the dialog that appears, review the columns selected for the saved search. If they are correct, click CONTINUE. Otherwise click CANCEL.
- In the dialog that appears, give your saved search a good mnemonic name and description. Click SAVE.
Your saved activity search report will be accessible from the Saved Searches drop-down menu on the Activity Search page. Select a saved report to apply its filter and column criteria to the Activity Search results at any time.
Select All saved searches from the drop-down menu to view and edit all saved searches.
Schedule an Activity Search Report
You can schedule a report to be emailed to you at regular intervals. Your emailed report is a table showing an HTML version of the report and an attached CSV file containing the entire data set. Also included in your email is a link to a live version of the same report. For more about scheduled reports, see Schedule a Report.
When scheduling a new report for Activity Search, any current filters selected will apply.
Search for Security Activity < Activity Search Report > Use Search and Advanced Search
Updated 6 months ago