cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2752
Views
1
Helpful
3
Replies

Find out which process caused an Cisco Umbrella block?

Hi!

Our organization has both Cisco Umbrella and Amp For Endpoints.

Let´s say we are getting blocked cause of malware, phishing etc.

 

Is there any nice way to find out which process that blocked the dns request?

I´m able to search in Cisco CTR which other devices that has been communicating with that blocked domain or IP.

 

But there is no way to find out which process/application did the request?

 

Best regards

Johan

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

If you used the AnyConnect Network Visibility Module and a Netflow analysis tool (like Stealthwatch or Splunk) you could get that visibility.

https://www.youtube.com/watch?v=Z31TQJL1nec

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html

 

View solution in original post

3 Replies 3

opryluts
Cisco Employee
Cisco Employee

Hi Johan,

That's not possible since DNS request doesn't contain any data about process/application generated it, so Umbrella simply doesn't have visibility on that.

Shouldn't it be rather easy to get AMP for endpoints to flag any processes that tries to connect to any of the blockpages that Umbrella shows.

 

For example if Umbrella blocks a malware classified page, it sends an DNS response back with 146.112.61.107 (opendns/umbrella malware block page). When the process tries to connect to this IP it should be flagged in AMP for Endpoints. This would provide some very useful visibility that doesn't exist in that product today.

 

I hope you understand what I mean.

Marvin Rhoads
Hall of Fame
Hall of Fame

If you used the AnyConnect Network Visibility Module and a Netflow analysis tool (like Stealthwatch or Splunk) you could get that visibility.

https://www.youtube.com/watch?v=Z31TQJL1nec

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: