Custom Integration Best Practices

Umbrella supports the integration of third-party security events and domain information through the Umbrella Enforcement API and custom destination lists. We recommend several best practices to enable you to create the most effective destination lists for a custom integration.

Known Domains and Destination Lists

As your platform sends events, Umbrella validates the domain information and adds suspicious or malicious domains to your custom destination block list. If your security platform registers a security event for a known domain, Umbrella may block that domain if the event information indicates that the domain is unsafe or unknown. As a result, your networks may not have access to certain websites or files.

Before you send events to Umbrella from a third-party platform, we recommend that you create a separate destination list to allow any known or safe domains. If the custom integration sets up a destination block list for a subset of your managed Umbrella identities, you can also create a specific destination allow list for those identities or policies.

Examples of Domains or Websites to Allow:

  • Home page for your organization.
  • Domains that represent services which you provide that may have both internal and external records.
  • Cloud applications that Umbrella may not be aware of or include when evaluating a domain.

Benefits of Custom Destination Allow List

  • The custom destination allow list prevents blocks of known or safe domains. When Umbrella receives a new event, Umbrella first checks for the presence of the domain in the custom destination allow list. If the destination is present, the request is not blocked.
    Note: A destination allow list takes precedence over a destination block list when a domain is present in both.
  • The custom destination allow list isolates domains that may require further analysis. You can use the custom destination allow list for auditing the traffic in your networks or to generate reports.

Note: By default, the Global Allow destination list applies to all policies. If you add a domain to the Global Allow destination list, Umbrella allows the domain for all policies.
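The following audit script is an added example, not part of the Umbrella documentation or API. It sorts the domains in third-party events by whether the allow list already covers them, so that known domains still at risk of being blocked stand out before you enable the integration. It assumes that each event carries its domain in a dstDomain field and that a list entry also covers its subdomains. All domains and events are constructed sample data.

```python
"""Added example: audit third-party events against an allow list before they
reach the custom integration. All data below is constructed."""

def normalize(domain):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return domain.strip().lower().rstrip(".")

def covered_by(domain, entries):
    """True if domain equals an entry or is a subdomain of one.
    Assumption: a list entry also covers its subdomains."""
    labels = normalize(domain).split(".")
    # Compare whole labels, so "notexample.com" never matches "example.com".
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    return not candidates.isdisjoint(entries)

def audit_events(events, allow_list, known_domains):
    """Sort event domains into three buckets:
    allowed   - on the allow list, so the allow entry wins over a block entry
    at_risk   - known to the organization but not on the allow list yet
    blockable - everything else; may end up on the custom block list
    """
    allow = {normalize(d) for d in allow_list}
    known = {normalize(d) for d in known_domains}
    report = {"allowed": [], "at_risk": [], "blockable": []}
    for event in events:
        domain = normalize(event["dstDomain"])  # assumed field name
        if covered_by(domain, allow):
            bucket = "allowed"
        elif covered_by(domain, known):
            bucket = "at_risk"
        else:
            bucket = "blockable"
        if domain not in report[bucket]:
            report[bucket].append(domain)
    return report

# Constructed sample data (example.* names are placeholders).
ALLOW_LIST = ["example.com"]
KNOWN_DOMAINS = ["example.com", "portal.example.net"]
EVENTS = [
    {"dstDomain": "WWW.Example.com."},
    {"dstDomain": "portal.example.net"},
    {"dstDomain": "files.portal.example.net"},
    {"dstDomain": "unknown.example.org"},
    {"dstDomain": "notexample.com"},
]

if __name__ == "__main__":
    for bucket, domains in audit_events(EVENTS, ALLOW_LIST, KNOWN_DOMAINS).items():
        print(f"{bucket}: {', '.join(domains) or '-'}")
```

Domains reported as at_risk are the ones to add to the destination allow list before events start flowing.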

Add a Destination List

To add a destination list, see Add a DNS Destination List or Add a Web Destination List.
After you save the destination list, you can add it to an Umbrella DNS policy or Web policy rule. For more information, see Manage DNS Policies and Manage the Web Policy.

Delete a Domain from Custom Destination Block List

You can remove a destination from the custom destination block list through the dashboard or the Umbrella Enforcement API. After you remove a destination from the custom destination block list, your security appliance or platform may send a new event that includes the same domain. If this occurs, Umbrella may block the domain again. To prevent unexpected blocks, we recommend that you create a destination allow list and add the domain to it.

To remove a destination from a custom destination block list, see Edit a Destination List.

You can also use the Umbrella Enforcement API to delete a destination from a custom destination block list.
For more information, see Umbrella Enforcement API Request Samples.
