Our organization has both Cisco Umbrella and AMP for Endpoints.
Let's say we are getting blocked because of malware, phishing, etc.
Is there any nice way to find out which process made the blocked DNS request?
I'm able to search in Cisco CTR for which other devices have been communicating with that blocked domain or IP.
But there is no way to find out which process/application made the request?
That's not possible, since a DNS request doesn't contain any data about the process/application that generated it, so Umbrella simply doesn't have visibility into that.
Shouldn't it be rather easy to get AMP for Endpoints to flag any process that tries to connect to any of the block pages that Umbrella shows?
For example, if Umbrella blocks a malware-classified page, it sends a DNS response back with 18.104.22.168 (the OpenDNS/Umbrella malware block page). When the process tries to connect to this IP, it should be flagged in AMP for Endpoints. This would provide some very useful visibility that doesn't exist in that product today.
I hope you understand what I mean.
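The correlation the post above describes, as an added example that is not part of this thread or of any Cisco product: endpoint telemetry (here constructed records modelled on Sysmon Event ID 22 DnsQuery and Event ID 3 NetworkConnect) is scanned for DNS answers and outbound connections that hit the block-page address quoted above, and the process image is reported. The hosts, PIDs, paths and the 203.0.113.10 address are made-up sample data.

```python
import json
from collections import defaultdict

# Umbrella block-page address as quoted in the thread above.
BLOCK_PAGE_IPS = {"18.104.22.168"}

# Constructed sample events (field names follow Sysmon's DnsQuery / NetworkConnect
# schema; processes, PIDs and the non-block-page address are made up).
SAMPLE_EVENTS = [
    {"EventID": 22, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "QueryName": "malware-example.test", "QueryResults": "::ffff:18.104.22.168;"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "DestinationIp": "18.104.22.168", "DestinationPort": 443},
    {"EventID": 22, "ProcessId": 2288, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com", "QueryResults": "type: 5 cdn.example.com;::ffff:203.0.113.10;"},
    {"EventID": 3, "ProcessId": 2288, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

def _answer_ips(query_results):
    """Extract answer addresses from a Sysmon-style QueryResults string.
    A records are rendered as '::ffff:a.b.c.d', CNAMEs as 'type: 5 name'."""
    ips = set()
    for item in query_results.split(";"):
        item = item.strip()
        if not item or item.startswith("type:"):
            continue
        ips.add(item[len("::ffff:"):] if item.startswith("::ffff:") else item)
    return ips

def find_blocked_processes(events, block_ips=BLOCK_PAGE_IPS):
    """Return one finding per connection to a block-page IP, naming the process
    and the domain(s) that process resolved to that IP (empty if no DNS event was seen)."""
    resolved = defaultdict(set)  # (pid, image) -> domains answered with a block-page IP
    for ev in events:
        if ev["EventID"] == 22 and _answer_ips(ev["QueryResults"]) & block_ips:
            resolved[(ev["ProcessId"], ev["Image"])].add(ev["QueryName"])
    findings = []
    for ev in events:
        if ev["EventID"] == 3 and ev["DestinationIp"] in block_ips:
            key = (ev["ProcessId"], ev["Image"])
            findings.append({"pid": key[0], "image": key[1], "dest_ip": ev["DestinationIp"],
                             "domains": sorted(resolved.get(key, ()))})
    return findings

if __name__ == "__main__":
    for finding in find_blocked_processes(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

A connection to the block-page IP is flagged even when the matching DNS event is missing (for example a cached answer), since the connection alone identifies the process.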
If you used the AnyConnect Network Visibility Module and a NetFlow analysis tool (like Stealthwatch or Splunk), you could get that visibility.