Products & Services

New Passive DNS Enhancements for Cisco Umbrella Investigate

Jennifer Liou
Updated — September 8, 2021 • 4 minute read

It’s no secret that security professionals today face mounting challenges trying to keep up with sophisticated attackers. Whether it’s responding to a single, isolated incident, or researching a long-running, complex threat scenario, security teams require historical data from within and outside of their organizations in order to properly triage and provide data points to justify their actions.

When it comes to evaluating domains, security analysts need more history about a domain: DNS record changes, yes, but also the evolution of goodness or badness of the domain over time. For example, consider two domains that are very similar to each other – hosted in the same IP space, with similar unique requesting clients and request patterns. Both are benign today but one has skeletons in its closet; it has a history of being tagged with security events such as malware. As a security specialist responsible for securing your organization, you’d be more interested in this second domain, no? And of course you would not want to miss out on this rich historical data as you triage.

Another frustrating challenge for security analysts is dealing with retroactive investigations. Indicators of Compromise (IOCs) can be published long after an actual compromise took place. Often attackers will wait until the time is right to utilize infrastructure they’ve prepared for an attack, sometimes keeping domains dormant for years. You want to be able to inspect suspicious domains and IPs but you certainly do not want to tip off or alert bad actors that they are under suspicion. This could cause them to evade you by ditching the infrastructure they had been standing up.

So how can we help your SOC respond faster to threats?

We believe security systems should empower your people to investigate and respond to threats faster. Cisco Umbrella Investigate gives analysts real-time access to all of our threat intelligence about domains, IPs and malware across the internet. Security analysts love Investigate because it enables them to:

  • Better prioritize incident investigations
  • Speed up incident investigations and response
  • Easily integrate Investigate data with other security orchestration tools

Investigate is available via a web console or an API.

Introducing enhanced Passive DNS

For years, we’ve provided teams with DNS-based security products to enhance their existing security stacks. We are delighted to announce our new and improved Passive DNS (pDNS) capability. Rich pDNS context helps Incident Responders investigate observables by providing a quick summary of past key events and security categorizations for domains and IPs. Our pDNS intelligence empowers Threat Hunters to get better visibility into critical historical events and relationships resulting in faster triage and more effective investigations.

There are several factors that make Cisco Umbrella Investigate’s Passive DNS feature unique. First, it’s the massive volume of our pDNS database – it is the largest in the world. Umbrella resolvers analyze over 180 billion DNS requests daily. This unique view of the internet enables researchers to better identify trends on threats, faster.

In addition, we do not just share traditional pDNS (DNS record change snapshots over time); we go beyond that and also display the security categorization data over time. This is useful not only for identifying which domains are categorized as malicious today but also for gaining a more comprehensive understanding of a domain’s history. For example, a domain could be benign one day, compromised, and some time later, remediated. Without pDNS, you would not be able to get this full context.

For example, upon first glance, this domain appears to be benign:

Investigate screen capture: DNS appears benign

The domain currently has no security categories tagged to it (as of the publishing date of this blog).

Investigate screen capture: Timeline

However, Incident Responders or Threat Hunters would find it interesting that the domain is shown to have a history:

Investigate timeline screen capture: domain used by malware

Investigate screen capture: detail inspection panels on the Passive DNS Timeline, showing the changes

It was tagged in Feb 2017 as a domain used by malware called Pony (above left). We are further able to see that the domain tag was removed (above center) two years later, in Feb 2019, followed by an A record change (above right) a few days later. Incident Responders and Security Analysts may or may not decide to permit traffic to this domain depending on the risk tolerance unique to their organizations, but having this additional context at their fingertips helps these teams make better informed decisions.

Other concerning scenarios include BGP hijacking: monitoring for certain DNS record changes can help prevent, or speed up detection and response to, cases where those records change to unexpected values. Also, the speed of domain convictions varies; even the best human analyst cannot convict with consistently high accuracy at anywhere near the scale of a machine algorithm.
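To make the timeline above concrete, here is an added example (not Umbrella's own code, API format or output) that walks a constructed pDNS timeline modelled on that history, separates the domain's current categories from its historical ones, and flags A record changes that land outside the prefixes an owner expects, the kind of record monitoring the previous paragraph describes. The event layout, dates and addresses are assumptions for illustration.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed pDNS timeline for a hypothetical domain: tagged as
# malware-related in Feb 2017, tag removed in Feb 2019, A record
# changed a few days later (addresses are documentation ranges).
TIMELINE = [
    {"date": date(2016, 11, 3), "type": "a_record", "value": "203.0.113.10"},
    {"date": date(2017, 2, 14), "type": "category_added", "value": "Malware"},
    {"date": date(2019, 2, 20), "type": "category_removed", "value": "Malware"},
    {"date": date(2019, 2, 25), "type": "a_record", "value": "198.51.100.7"},
]


def summarize_history(events):
    """Replay the timeline: return categories applied now, categories that
    were applied in the past but since removed, and every A record seen."""
    current, ever, records = set(), set(), []
    for ev in sorted(events, key=lambda e: e["date"]):
        if ev["type"] == "category_added":
            current.add(ev["value"])
            ever.add(ev["value"])
        elif ev["type"] == "category_removed":
            current.discard(ev["value"])
        elif ev["type"] == "a_record":
            records.append((ev["date"], ev["value"]))
    return {"current": current, "historical": ever - current, "a_records": records}


def unexpected_record_changes(events, expected_networks):
    """A record values that fall outside the networks the domain owner
    expects to host it in; a hit is worth a look, not a verdict."""
    nets = [ip_network(n) for n in expected_networks]
    return [
        (ev["date"], ev["value"])
        for ev in sorted(events, key=lambda e: e["date"])
        if ev["type"] == "a_record"
        and not any(ip_address(ev["value"]) in n for n in nets)
    ]


def needs_closer_look(events, expected_networks):
    """Benign today but convicted in the past, or moved outside the expected
    hosting space: either one is the context the post says triage should see."""
    summary = summarize_history(events)
    return bool(summary["historical"]) or bool(
        unexpected_record_changes(events, expected_networks)
    )
```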

By capturing up to four years of historical data, Investigate’s pDNS is much more than a traditional passive DNS database. By leveraging Investigate’s rich historical domain conviction data, you can uncover even more salient security events impacting your business, faster.

Learn more

Interested in checking out our Passive DNS capability? Contact us today for a demo or free trial for Cisco Umbrella Investigate.

If you are currently an Investigate customer, you already have access to our enhanced Passive DNS today. You will get up to 16x more pDNS historical data with no required action. Cisco Threat Response users who have an Investigate API license will be able to view pDNS data directly in the Threat Response dashboard.
