Guides
ProductDeveloperPartnerPersonal
Guides

Use Search and Advanced Search

In addition to using the filters to narrow the activity results in the Activity Search report, the Search and Advanced Search features provide further filtering of event details. For example, you can search for events with specific domains but exclude subdomains you are not interested in. Wildcards available for some fields (Domains, URLs, and File names) allow you to search for all varieties within that field. For example, using *.gif in File Name will search for all files that are .gifs.

Table of Contents

👍

Umbrella Packages and Feature Availability

Not all of the features described here are available to all Umbrella packages. Information about your current package is listed on the Admin > Licensing page. For more information, see Determine Your Current Package. If you encounter a feature here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.

Search

You can search the Activity Search Report for domains, identities, or URLs. To search and filter the report by more options, such as threat type or file name, use the Advanced Search.

1454

Wildcards

Domains

Domains can be searched in the search bar or advanced search with the wildcard * to include or exclude subdomains.
For example, example.com will search the top-level parent domain of Example, *.example.com will search for only the subdomains of Example, and *example.com will search for both the parent and subdomains of Example.

You can use wildcards to search by top-level-domain (TLD).
For example, *.example will search for all TLDs that end in .example.

1440

URLs

The wildcard * can be used in any part of the URL path to search for URLs containing certain terms.
For example, example* will search for for URLs containing "example".

1411

File Names

File names can use the wildcard * to search for file types, in Advanced Search only. For example, *.gif will search for all files that are .gifs.

1415

Advanced Search

Identity—Includes most identity types such as users (including SAML if enabled), networks, sites, and roaming clients. You can include and exclude identities from your search.

705

Domain—You can search for more than one domain at a time. When you add a domain, a new field appears so that you can add or exclude another domain.

706

SHA256—Search by the hash function.

URL—Search by specific URL path.

IP Address—Search for events associated with IP addresses on your network (either internal or public egress IP address). This does not provide the capability to search for destination IP addresses.

IP Address Port—Search by a firewall port number.

Note: This field is only available in CDFW (part of Cisco Umbrella SIG Essentials subscription) licenses.

Threat—Search by threats.

707

Threat Type—Search by threat type. For more information, see Threat Type Definitions.

707

Public Application—Search by name to find a specific application.

706

File Name—Search by the name of a file.

706

IPS Signature List Names—Search by default and custom IPS Signature List Names. For more information, see Manage IPS.

704

IPS Signatures—Search by IPS signatures. For more information, see Manage IPS.

472

Reserved IP Reporting

There are two filters associated with Reserved IP Reporting in Advanced Search:

  • Umbrella Egress IP Type – A selection list of either Shared or Reserved.
  • Umbrella Egress Data Center – A selection list of available Umbrella data centers.
708

Additionally, the Event Details window for web traffic also displays the Umbrella Egress IP Address and the Umbrella Egress Data Center of egress used for the transaction. (To view Event Details, click on the blue ellipses icon to the right of any item in the search results window.)

293

Activity Search Report < Use Search and Advanced Search > App Discovery Report