Rapid No-Reply Umbrella Security Review Requests

Introduction

The Umbrella process for submitting security reviews currently consists a request to our human Umbrella support team. These reviews are answered and sent for review to our security research team in the order that all support cases are received.

The Umbrella support team is introducing a new way to rapidly process security review submission by skipping the human support team completely - saving up to days off of your process timeline. 

The supported submissions include request to block for a security reason and requests to allow from a security category for single domain reviews only. Multiple domain submissions are permitted for requests to add new security blocks.

Requests to review content categorization such as pornography are not accepted at this time. This includes the Parked Domains category. Recategorize content requests should be sent to umbrella-support@cisco.com.

To submit for review, mail umbrella-research-noreply@cisco.com with the following fixed format.

In the event of any failure with this automated system - please send your review requests to umbrella-support@cisco.com and our support team will address your review request in the standard response time.

Submission format

No reply submissions rely on a specific submission format. Submissions that do not meet this format will be rejected with a single reply with guidance on what to resolve. No further replies are accepted. For details on possible responses, see the next section below. Only mail sent to the address umbrella-research-noreply@cisco.com will be processed.  

Submissions are accepted with the following formats:

Mailing address (clickable link): umbrella-research-noreply@cisco.com

Single Domain: Accepts request to block, request to allow

Domain: domain.com
Request: block
Comments: Include background information or attribution and rationale here
Desired: malware

Multiple Domains: Accepts request to block only. Request to allow will be rejected.

Domaincsv: domain.com, moredomains.com,moredomain.com
Request: block
Comments: Include background information or attribution and rationale here
Comments: (Additional comments are supported - must start with comments:)
Desired: malware

or

Domaincsv: domain.com, moredomains.com,moredomain.com
moredomains.com, evenmoredomains.com, stillmoredomains.com,
afewmoredomains.com
enddomains:
Request: block
Comments: Include background information or attribution and rationale here
more comments are supported (and optional). Include additional comment lines
here. End with
endcomments:
Desired: malware

Fields:

Domain: This is the domain being sent for review. This contains just the domain name itself and nothing more on this line.

Domaincsv: This is the list of domains being submitted for review. If submitting multiple domains, the domain: field will be ignored. This field may only be used with the request type block.

Request: Is this a submission requesting the domain to be added to a security classification to be blocked (block) or a security review to clear the domain if safe (allow).

Accepted values for Request:

• block
• allow

Comments: Include any background information including phishing or malware link details or information our research team may use to review the domain.

Desired: This field confirms the desired result of the submission. Provide one of the accepted values for desired classification.

Accepted values for Desired:

• malware
• phishing
• botnet
• allowed

Acceptance confirmation

One response will confirm the arrival of the submission into our systems:

Your request (#55555) has been received and is being reviewed by our support staff.

If you do not receive a confirmation, instead send your mail to umbrella-support@cisco.com with the email subject "noreply security review" exactly.

In the event the automated system is not responding, send your request in to umbrella-support@cisco.com with a standard subject.

Possible responses

The Umbrella no-reply security review process may provide select responses that are informational in nature. They are as follows:

• Incorrect format. A formatting error will be returned with an error message on which submission area was found to not meet submission requirements
• Domain data was sourced from our partners at Talos. Currently, this requires action by our support team to review; however, you may skip the line by requesting a resubmit directly at the Talos Reputation Center website.
  • Next steps: perform one of the following
    • Submit a full Umbrella case at umbrella-support@cisco.com
    • Submit a review at the Talos Reputation Center. Umbrella data will update within 24 hours of review completion. No Umbrella case is required.

No reply will be sent if:

• Domain classification already matches desired classification (request to block a blocked domain or request to unblock a non-classified domain)
• Domain is re-categorized to match the desired request