
Threats Report

The Threats report highlights threats your organization may have been exposed to over a given period of time and whether they are blocked or allowed.

Threats Detected

Not all threats identified by Umbrella have a corresponding threat type. You may see activity blocked under Security Activity but not see anything blocked under Top Threat Types. This is normal when a threat does not currently have a threat type associated with it.

To find this report, navigate to Reporting > Core Reports > Threats.

Threat Activity Breakdown

Assess threat types and activities.

You can select a threat from the left side of the graph to only see data for that type, then click a point on the graph to see more information.

Click View in Top Identities for details about the identities involved, or Full Details to see more information for that threat type for the selected date range.

For a definition of the threat type, click the blue information button next to its name at the top of the page to expand the definition.

When no new threats are detected in the selected time period, a notification appears in the Threat Activity Breakdown.


View the top affected identities, malicious domains, and newly seen domains. You can click View All In Activity Search for any of these sections to view the data in more detail within Activity Search.

Top Identities

Identities that have allowed or blocked threats.

Clicking on an identity's name will redirect you to Activity Search with the identity, all threat types, and all security categories as filters.

Top Malicious Domains

Malicious domains that have been allowed or blocked.

Newly Seen Domains

Domains that have recently been seen by Umbrella's resolvers for the first time, and whether they've been allowed or blocked. Newly Seen Domains are not blocked by default. To learn more about the Newly Seen Domains category, see Newly Seen Domains Security Category.

Threat Type Definitions

  • Advanced Persistent Threat (APT)—A set of stealthy and continuous computer hacking processes, often orchestrated by cybercriminals targeting a specific entity. An APT usually targets organizations and/or nations for business or political motives.

  • Adware—Any software package that automatically renders advertisements in order to generate revenue for the author. The advertisements may be in the user interface of the software or presented in the web browser. Adware may cause tabs to open automatically that display advertising, make changes to the home page settings in your web browser, offer ad-supported links from search engines, or initiate redirects to advertising websites.

  • Backdoor—A type of trojan that enables threat actors to gain remote access and control over a system.

  • Botnet—A number of Internet-connected systems infected with malware that communicate and coordinate their actions based on commands received from command and control (C&C) servers. The infected systems are referred to as bots. The most typical uses of botnets are distributed denial-of-service (DDoS) attacks on selected targets and the propagation of spam.

  • Browser Hijacker—Any malicious code that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser or redirect to fraudulent or malicious sites. It may replace the existing home page, error page, or search page with its own. It can also redirect web requests to unwanted destinations.

  • Bulletproof Hosting—A service provided by some domain hosting or web hosting firms that allows their customers considerable leniency in the kinds of material they may upload and distribute. This type of hosting is often used for spamming, phishing, and other illegal cyber activities.

  • Cryptojacking—The covert use of a system's computer resources to mine cryptocurrency. Cryptojacking is initiated by malware or through web crypto miners embedded in website code.

  • Cryptomining—Malware that accesses cryptomining pools where miners group together and share resources—processing power—to better gather and share cryptocurrencies, and from known web cryptomining source code repositories.

  • DNS-Tunneling—Sends HTTP and other protocol traffic over DNS. There are various, legitimate reasons to utilize DNS tunneling. However, there are also malicious uses. Threat actors can use manipulated DNS requests to exfiltrate data from a compromised system to the attacker’s infrastructure. And in some cases, DNS responses are manipulated for C2 callbacks from the attacker’s infrastructure to a compromised system. IT Policy avoidance and guest WiFi abuse are also concerns.

  • Drive-by Download—Any download that happens without a person's consent or knowledge.

  • Dropper—A program or malware component that has been designed to "install" some sort of malware (ransomware, backdoor, etc.) to a target system. The dropper may download the malware to the target machine once it is received from the command and control server or from other remote locations.

  • Exploit Kit—A software kit designed to run on web servers with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client.

  • Fast Flux Botnet—Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

  • Loader—Malware or malicious code used in the loading of a second-stage malware payload onto a victim's system. The loader is able to hide a malware payload inside the actual loader code instead of contacting a remote location to download a second-stage payload.

  • Malvertising—Injects malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Malvertising is often used in exploit kit redirection campaigns.

  • Mobile Trojan—A trojan designed to target and infect mobile phones running Android, iOS, Windows or other mobile operating systems.

  • Newly Seen Domains—Domains that are newly seen in our DNS logs that we have never seen lookups for in the past. Once an NSD is first seen, it's added to a list where eventually it will expire and no longer be 'newly seen'. New domains are often 'spun-up' as part of new malware campaigns. However, a significant portion of the domains that are categorized as 'newly seen' will not, in fact, be malicious and detections of good domains are expected to occur with this security category.

  • Point-of-Sale Malware—Used by cybercriminals to target point of sale terminals with the intent to obtain credit card and debit card information by reading the device memory from the retail checkout point of sale system.

  • Remote Access Trojan (RAT)—Malware that allows covert surveillance or unauthorized access to a compromised system. RATs make use of specially configured communication protocols. The actions performed vary but follow typical trojan techniques of monitoring user behavior, exfiltrating data, lateral movement, and more.

  • Rootkit—A collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.

  • Scareware—Malicious software or websites that use social engineering to give the perception of a threat in order to manipulate users into buying or installing unwanted software. Scareware misleads users by using fake alerts to trick them into believing there is malware on their computer and manipulates them into paying money for a fake malware removal tool or allowing an entity remote access to their system to clean the malware. Instead of remediation, the software or remote entity delivers malware to the computer.

  • Sinkhole—A DNS server that gives out false information, to prevent the use of the domain names it represents. Traffic is redirected away from its intended target. DNS sinkholes are often used to disrupt botnet command and control servers.

  • Spam—An unwanted, unsolicited message received through email or SMS texts. Spam is sent to many users in bulk. It is often sent through the means of a botnet. Spam can contain advertising, scams, or soliciting. In the case of malspam or malicious spam, it contains malicious attachments or links that lead to malware.

  • Trojan—Malware used to compromise a system by misleading users of its true intent. Trojans typically create a backdoor, exfiltrate personal information, and can deliver additional malicious payloads.

  • Worm—Malware that replicates itself in order to spread to other computers. Worms typically spread through the computer network or removable storage devices that are shared between systems, relying on security failures on the target computer.

Schedule a Report

You can schedule a report to be emailed to you at regular intervals by clicking Schedule at the top right of the report. The email contains an HTML table version of the report and an attached CSV file containing the entire data set. Also included in the email is a link to a live version of the same report. For more about scheduled reports, see Schedule Reports.

Search for Threats in Activity Search

  1. Navigate to Reporting > Core Reports > Activity Search.
  2. In the search field, click Advanced to open more options for searching in Activity Report. You can search by Threat and Threat Type.
