Find out which process caused a Cisco Umbrella block?

Hi!

Our organization has both Cisco Umbrella and Amp For Endpoints.

Let's say we are getting blocked because of malware, phishing etc.

Is there any nice way to find out which process made the DNS request that was blocked?

I'm able to search in Cisco CTR for which other devices have been communicating with that blocked domain or IP.

But is there no way to find out which process/application made the request?

Best regards

Johan

3 Replies
Cisco Employee

Re: Find out which process caused a Cisco Umbrella block?

Hi Johan,

That's not possible, since a DNS request doesn't contain any data about the process/application that generated it, so Umbrella simply doesn't have visibility into that.

Re: Find out which process caused a Cisco Umbrella block?

Shouldn't it be rather easy to get AMP for Endpoints to flag any process that tries to connect to any of the block pages that Umbrella shows?

For example, if Umbrella blocks a malware-classified page, it sends a DNS response back with 146.112.61.107 (the OpenDNS/Umbrella malware block page). When the process tries to connect to this IP, it should be flagged in AMP for Endpoints. This would provide some very useful visibility that doesn't exist in that product today.

I hope you understand what I mean.
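An added example (not part of this thread and not a feature of any Cisco product) of the correlation the reply above describes, done from the endpoint side: it parses Linux `ss -tnp` socket output and reports which process owns each connection to the Umbrella block-page address quoted in the reply. The sample output is constructed, and the block-page address set is assumed to contain only the one IP the thread names.

```python
import re
import subprocess

# Umbrella/OpenDNS malware block-page address quoted in the thread.
# Assumption: only this address is known; extend the set for your deployment.
BLOCK_PAGE_IPS = {"146.112.61.107"}

# Constructed sample of `ss -tnp` output (Linux); not a real capture.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB    0      0      10.0.0.5:44321     146.112.61.107:443  users:(("curl",pid=1234,fd=3))
ESTAB    0      0      10.0.0.5:44322     93.184.216.34:443   users:(("firefox",pid=2222,fd=71))
SYN-SENT 0      1      10.0.0.5:44330     146.112.61.107:80   users:(("updater.bin",pid=3333,fd=5))
"""

# One socket line: state, queues, local, peer, then the first owning process.
LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)


def peer_ip(peer):
    """Strip the port from 'a.b.c.d:port' or bracketed IPv6 '[::1]:port'."""
    host, _, _ = peer.rpartition(":")
    return host.strip("[]")


def find_block_page_connections(ss_output, block_ips=BLOCK_PAGE_IPS):
    """Return (process, pid, peer_ip, peer_port, state) for every socket
    whose peer is a block-page address. Header lines and sockets without
    process info (seen when not running as root) are skipped."""
    hits = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = peer_ip(m["peer"])
        if ip in block_ips:
            port = int(m["peer"].rpartition(":")[2])
            hits.append((m["proc"], int(m["pid"]), ip, port, m["state"]))
    return hits


def live_scan():
    """Run `ss -tnp` on this host; root is needed to see other users' PIDs."""
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    return find_block_page_connections(out)


if __name__ == "__main__":
    for proc, pid, ip, port, state in find_block_page_connections(SAMPLE_SS_OUTPUT):
        print(f"{proc} (pid {pid}) -> {ip}:{port} [{state}]")
```

Because a block-page connection is short-lived, this is most useful run on a timer or triggered from the Umbrella block event rather than ad hoc.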

Hall of Fame Master

Re: Find out which process caused a Cisco Umbrella block?

If you used the AnyConnect Network Visibility Module and a NetFlow analysis tool (like Stealthwatch or Splunk), you could get that visibility.

https://www.youtube.com/watch?v=Z31TQJL1nec

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html
