CiscoUmbrellaDNS_CL

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Tables Index

Attribute	Value
Ingestion API Supported	✓ Yes

Contents

Schema
Solutions
Connectors
Content Items
Parsers

Schema (17 columns)

Source: Connector definition

Column Name	Type	Description
Action	string	Whether the request was allowed or blocked.
BlockedCategories	string	The categories that resulted in the destination being blocked.
Categories	string	The security or content categories that the destination matches.
DestinationCountries	string	The two-character country identifier of the domain that was requested.
Domain	string	The domain that was requested.
ExternalIp	string	The external IP address that made the request.
Identities	string	All identities associated with this request.
IdentityTypes	string	The type of identity that made the request, for example: Roaming Computer, Network.
InternalIp	string	The internal IP address that made the request.
MostGranularIdentity	string	The first identity matched with this request in order of granularity.
MostGranularIdentityType	string	The first identity type matched with this request in order of granularity.
OrganizationId	string	The Secure Access organization ID.
QueryType	string	The type of DNS request that was made.
ResponseCode	string	The DNS return code for this request.
RuleId	string	The ID of the access rule when the DNS request is matched by a policy.
TimeGenerated	datetime
Timestamp	string	The date and time of the DNS event, expressed as a UTC-formatted string.

Solutions (1)

This table is used by the following solutions:

CiscoUmbrella

Connectors (3)

This table is ingested by the following connectors:

Connector	Selection Criteria
Cisco Umbrella (via Codeless Connector Framework)
Cisco Cloud Security
Cisco Cloud Security (using elastic premium plan)

Content Items Using This Table (21)

Analytic Rules (10)

GitHub Only:

Analytic Rule	Selection Criteria
Cisco Cloud Security - Connection to Unpopular Website Detected
Cisco Cloud Security - Connection to non-corporate private network
Cisco Cloud Security - Crypto Miner User-Agent Detected
Cisco Cloud Security - Empty User Agent Detected
Cisco Cloud Security - Hack Tool User-Agent Detected
Cisco Cloud Security - Rare User Agent Detected
Cisco Cloud Security - Request Allowed to harmful/malicious URI category
Cisco Cloud Security - Request to blocklisted file type
Cisco Cloud Security - URI contains IP address
Cisco Cloud Security - Windows PowerShell User-Agent Detected

Hunting Queries (10)

In solution CiscoUmbrella:

Hunting Query	Selection Criteria
Cisco Cloud Security - 'Blocked' User-Agents.
Cisco Cloud Security - Anomalous FQDNs for domain
Cisco Cloud Security - DNS Errors.
Cisco Cloud Security - DNS requests to unreliable categories.
Cisco Cloud Security - High values of Uploaded Data
Cisco Cloud Security - Higher values of count of the Same BytesIn size
Cisco Cloud Security - Possible connection to C2.
Cisco Cloud Security - Possible data exfiltration
Cisco Cloud Security - Proxy 'Allowed' to unreliable categories.
Cisco Cloud Security - Requests to uncategorized resources

Workbooks (1)

In solution CiscoUmbrella:

Workbook	Selection Criteria
CiscoUmbrella

Parsers Using This Table (1)

Other Parsers (1)

Parser	Solution	Selection Criteria
Cisco_Umbrella	CiscoUmbrella

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Tables Index