Newly Seen Domains is a security category that identifies domains that have been queried for the first time within the previous few days. When a domain is first seen being queried by any user of Cisco Umbrella, we notice that and shortly thereafter, the domain is tagged as 'newly seen' for all other users going to it for the next few days.
In a video outlining this feature, Meg Diaz from our product team runs through how it all works:
By default, this security category is set to Allow and the only immediate change will be in your reports-- such as the Activity Search or Security Activity repots. These reports will begin to show domains matching the 'Newly Seen Domain' tag. There's no action to take on your end, but we encourage you to check it out and let us know what you think.
This functionality helps expose domains that are a part of newly emerging threats, especially those tied to domains created using DGA (https://blog.opendns.com/2016/10/10/domain-generation-algorithms-effective/) or for phishing campaigns that use typos of popular domains to fool users, and more.
Implementation is simple -- it's already there and to change the category to block is just one click in your policies -- but due to the complexity of some of the ways we process this traffic, there are caveats around using this category for direct enforcement right away For more technical detail on this, please read here: https://support.umbrella.com/hc/en-us/articles/235911828