Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=cisco-umbrella-overview

Overview of the Cisco Umbrella integration

API Network

Cisco Umbrella is a cloud-delivered security service that provides comprehensive protection against internet-based threats. It is designed to secure access to the internet for users both inside and outside the corporate network, offering a first line of defense against cybersecurity threats.

Sophos documents

Integrate Cisco Umbrella

What we ingest

Sample alerts seen by Sophos:

  • Malware
  • Cryptomining
  • High Risk Sites and Locations
  • Phishing
  • Command and Control
  • Dynamic DNS

Filtering

We filter the results as follows:

  • We deny data provided in a non-compliant format.
  • We drop various reviewed and non-security-related messages and logs.
  • We drop various high-volume and low-value messages.

Sample threat mappings

We define the alert type from the field policycategories.label.

Sample mappings:

{"alertType": "Newly Seen Domains", "threatId": "T1568.002", "threatName": "Domain Generation Algorithms"}
{"alertType": "Mobile Threats", "threatId": "TA0005", "threatName": "Defense Evasion"}
{"alertType": "Malware", "threatId": "TA0002", "threatName": "Execution"}