Umbrella's Security Categories are categories of security defence. We've categorized security threats to give you more control over exactly what you'd like to enable and report. These categories are used in creating policies and in viewing reports for when things are blocked, or even when they are not. If a domain matches a security category but is not set to be blocked by a security setting in your policy, this is still reported as an allowed visit to a destination that matches one of the security categories.
Configuring your Security Categories
The information below should be cross-referenced against the Security Settings at Policies > Security Settings in your Umbrella dashboard.
The security settings categories are, at a minimum, the ones listed below:
There is also an Integrations sub-category that's available for certain packages. The Integrations security category consists of domains that have been added to Umbrella through individual integrations. For more about integrations, read https://support.umbrella.com/hc/en-us/sections/206680227-Umbrella-Integrations.
Whether this section of your configuration contains anything depends on which integrations, if any, you've enabled. It can include technology partners like Cisco AMP Threat Grid and FireEye, and can also include any custom integrations.
Security Categories Explained
By default, no security categories are enabled. In general, we suggest that you find the right combination for your organization's policies, since some identities may require a stricter security posture than others; however, there are some categories we recommend enabling for most or all identities, unless you are simply testing to see what Umbrella would have blocked. This does not mean you shouldn't use the remaining categories in your policy, just that you should monitor your reports to see whether these categories make sense to apply to your identities.
|Category|Enable by default?|Description|
|---|---|---|
|Malware|Yes|Block requests to access servers hosting malware and compromised websites via any application, protocol, or port.|
|Command and Control Callbacks|Yes|Prevent compromised devices from communicating with hackers' command and control servers via any application, protocol, or port, and help identify potentially infected machines on your network.|
|Newly Seen Domains|No|Domains that have become active very recently. These are often used in new attacks.|
|Dynamic DNS|No|Block sites that are hosting dynamic DNS content.|
|DNS Tunneling VPN|No|VPN services that allow users to disguise their traffic by tunneling it through the DNS protocol. These can be used to bypass corporate policies regarding access and data transfer.|
|Potentially Harmful Domains|No|Domains that exhibit suspicious behavior and may be part of an attack. This category has a higher risk of unwanted detections.|
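The page makes two points that are easy to operationalize: an allowed visit to a destination that matches a security category is still reported, and the way to decide which non-default categories to enable is to review those reports per identity. The script below is an added example written for this page, not Umbrella's own code or export format; it works on a constructed, deliberately simplified CSV layout (timestamp, identity, domain, action, categories joined by ";") and uses the category names from the table above. It pulls out the allowed visits that matched a security category, counts them per category, lists which identities produced them, and flags the categories that are off by default but generated hits.

```python
import csv
import io
from collections import Counter

# Security category names from the table above; True marks the ones the
# page recommends enabling by default.
SECURITY_CATEGORIES = {
    "Malware": True,
    "Command and Control Callbacks": True,
    "Newly Seen Domains": False,
    "Dynamic DNS": False,
    "DNS Tunneling VPN": False,
    "Potentially Harmful Domains": False,
}

# Constructed sample export. This is a made-up, simplified layout
# (assumption for this example), not the real Umbrella report schema.
SAMPLE_EXPORT = """\
timestamp,identity,domain,action,categories
2024-01-10T09:00:01Z,laptop-17,example-news.test,allowed,News
2024-01-10T09:00:05Z,laptop-17,cdn.dyn-host.test,allowed,Dynamic DNS
2024-01-10T09:01:12Z,laptop-17,new-site.test,allowed,Newly Seen Domains;Shopping
2024-01-10T09:02:44Z,server-03,bad-dropper.test,blocked,Malware
2024-01-10T09:03:10Z,server-03,tunnel-vpn.test,allowed,DNS Tunneling VPN
2024-01-10T09:04:00Z,laptop-22,c2-beacon.test,blocked,Command and Control Callbacks
2024-01-10T09:05:30Z,laptop-22,odd-domain.test,allowed,Potentially Harmful Domains
"""


def parse_export(text):
    """Parse the constructed CSV export into dicts whose 'categories'
    value is a list instead of the ';'-joined string."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row = dict(row)
        row["categories"] = [c for c in row["categories"].split(";") if c]
        records.append(row)
    return records


def allowed_security_hits(records):
    """Return the records that were allowed yet match at least one
    security category: the 'allowed visit to a security-category
    destination' situation the page describes."""
    hits = []
    for rec in records:
        matched = [c for c in rec["categories"] if c in SECURITY_CATEGORIES]
        if rec["action"] == "allowed" and matched:
            hits.append({**rec, "matched": matched})
    return hits


def counts_by_category(hits):
    """Count allowed hits per security category across all identities."""
    counter = Counter()
    for h in hits:
        counter.update(h["matched"])
    return dict(counter)


def identities_by_category(hits):
    """Map each security category to the sorted identities that reached an
    allowed destination in it, to judge which identities a category
    should apply to."""
    out = {}
    for h in hits:
        for c in h["matched"]:
            out.setdefault(c, set()).add(h["identity"])
    return {c: sorted(ids) for c, ids in out.items()}


def gap_report(hits):
    """Categories that produced allowed hits but are not enabled by
    default in the table: the candidates to review before enabling."""
    return sorted(c for c in counts_by_category(hits)
                  if not SECURITY_CATEGORIES[c])


if __name__ == "__main__":
    hits = allowed_security_hits(parse_export(SAMPLE_EXPORT))
    for h in hits:
        print(h["identity"], h["domain"], h["matched"])
    print(counts_by_category(hits))
    print(identities_by_category(hits))
    print("review before enabling:", gap_report(hits))
```

Run it against a real export by swapping in the dashboard's actual column names for the constructed ones in `parse_export`; the category matching and the per-identity summary do not depend on the layout. Blocked rows are ignored on purpose: they are already covered by policy, and the question the report answers is what would have been blocked had the category been on.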