06-18-2019 05:26 AM
Hi!
Our organization has both Cisco Umbrella and Amp For Endpoints.
Let's say we are getting blocked because of malware, phishing, etc.
Is there any nice way to find out which process made the DNS request that was blocked?
I'm able to search in Cisco CTR for the other devices that have been communicating with that blocked domain or IP.
But is there no way to find out which process/application made the request?
Best regards
Johan
07-01-2019 06:40 AM
If you used the AnyConnect Network Visibility Module and a NetFlow analysis tool (like Stealthwatch or Splunk) you could get that visibility.
https://www.youtube.com/watch?v=Z31TQJL1nec
06-28-2019 01:20 AM
Hi Johan,
That's not possible, since a DNS request doesn't contain any data about the process/application that generated it, so Umbrella simply doesn't have visibility into that.
08-14-2019 06:14 AM
Shouldn't it be rather easy to get AMP for Endpoints to flag any process that tries to connect to any of the block pages that Umbrella shows?
For example, if Umbrella blocks a page classified as malware, it sends back a DNS response with 146.112.61.107 (the OpenDNS/Umbrella malware block page). When the process tries to connect to this IP, it should be flagged in AMP for Endpoints. This would provide some very useful visibility that doesn't exist in that product today.
I hope you understand what I mean.
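The approach described in the post above (treat a DNS answer of the Umbrella block-page address as the signal, then look at which process received it) can be done today on the endpoint with Sysmon rather than with AMP. The script below is an added example, not code from the thread or from Cisco: it parses Sysmon Event ID 22 (DnsQuery) records, which log the requesting Image and ProcessId alongside the QueryResults, and reports every process whose lookup resolved to 146.112.61.107, the block-page address quoted in the post. The XML records, process paths, PIDs and domains are constructed for the example; the QueryResults layout (";"-separated answers, IPv4 answers written as ::ffff:a.b.c.d, CNAMEs as "type: 5 name") follows what Sysmon writes, but verify it against your own Sysmon version before relying on it.

```python
import re
import xml.etree.ElementTree as ET

# Umbrella/OpenDNS malware block-page address named in the post above.
# Umbrella uses other block-page addresses for other categories; add the
# ones you observe in your own logs.
UMBRELLA_BLOCK_IPS = {"146.112.61.107"}

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Constructed sample input: three Sysmon Event ID 22 (DnsQuery) records in the
# EventData layout Sysmon writes. Paths, PIDs, domains and timestamps are made
# up for this example. QueryResults is Sysmon's ";"-separated answer list,
# with IPv4 answers rendered as ::ffff:a.b.c.d (check this against your
# Sysmon version; it is an assumption here).
SAMPLE_EVENTS = r"""<Events>
<Event><System><EventID>22</EventID></System><EventData>
<Data Name="UtcTime">2019-08-14 06:00:01.000</Data>
<Data Name="ProcessId">4120</Data>
<Data Name="QueryName">updates.example-vendor.com</Data>
<Data Name="QueryStatus">0</Data>
<Data Name="QueryResults">type: 5 cdn.example-vendor.com;::ffff:203.0.113.10;</Data>
<Data Name="Image">C:\Program Files\Vendor\updater.exe</Data>
</EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
<Data Name="UtcTime">2019-08-14 06:00:02.000</Data>
<Data Name="ProcessId">7788</Data>
<Data Name="QueryName">bad.example.net</Data>
<Data Name="QueryStatus">0</Data>
<Data Name="QueryResults">::ffff:146.112.61.107;</Data>
<Data Name="Image">C:\Users\j\AppData\Local\Temp\dropper.exe</Data>
</EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
<Data Name="UtcTime">2019-08-14 06:00:03.000</Data>
<Data Name="ProcessId">1234</Data>
<Data Name="QueryName">nxdomain.example.org</Data>
<Data Name="QueryStatus">9003</Data>
<Data Name="QueryResults"></Data>
<Data Name="Image">C:\Windows\System32\svchost.exe</Data>
</EventData></Event>
</Events>"""


def parse_dns_events(xml_text):
    """Return one {field: value} dict per Event ID 22 record in the XML."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        if ev.findtext("System/EventID") != "22":
            continue  # not a DnsQuery event
        events.append({d.get("Name"): (d.text or "") for d in ev.iter("Data")})
    return events


def answer_ips(query_results):
    """Extract the IPv4 answers from a Sysmon QueryResults string.

    Entries are ';'-separated. IPv4 answers appear as ::ffff:a.b.c.d; CNAME
    entries ('type: 5 name') carry no address and therefore never match.
    """
    ips = set()
    for entry in query_results.split(";"):
        m = IPV4_RE.search(entry)
        if m:
            ips.add(m.group(0))
    return ips


def flag_blocked_lookups(events, block_ips=UMBRELLA_BLOCK_IPS):
    """Return (image, pid, query_name, block_ip) for each lookup whose answer
    was a block-page address, i.e. the process that triggered the Umbrella block."""
    hits = []
    for ev in events:
        matched = answer_ips(ev.get("QueryResults", "")) & block_ips
        for ip in sorted(matched):
            hits.append((ev.get("Image", ""), ev.get("ProcessId", ""),
                         ev.get("QueryName", ""), ip))
    return hits


if __name__ == "__main__":
    for image, pid, name, ip in flag_blocked_lookups(parse_dns_events(SAMPLE_EVENTS)):
        print(f"{image} (pid {pid}) looked up {name} -> Umbrella block page {ip}")
```

In practice you would feed this the Event ID 22 records exported from the Microsoft-Windows-Sysmon/Operational channel (or ship them to Splunk and write the same match as a search on QueryResults). The match is on the DNS answer, not on a later TCP connection, so it catches the process even if it never actually connects to the block page; a QueryStatus of 0 with a block-page answer is the Umbrella block, while a non-zero status (the third sample record) is an ordinary resolution failure and is ignored.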