Cisco Umbrella

· #442 most-used

DNS-layer security intelligence, automated for every team

Developer · Security · Automation · Cloud & Infrastructure · Monitoring & Alerts

Cisco Umbrella is a cloud-native DNS security platform that provides threat protection at the DNS layer — blocking malware, phishing, command-and-control callbacks, and other threats before they can establish a connection. It combines a secure web gateway, DNS-layer enforcement, cloud firewall, and the Cisco Talos-powered Investigate API into a single platform. Connect it to Actionist and your agents can automatically investigate domains and IPs for threat intelligence, add or remove destinations from block and allow lists, pull DNS activity reports for compliance and incident response, and deliver recurring security digests to your team's tools — all without anyone opening the Umbrella dashboard.

Average time saved: 10 hours per person per month (≈ 1 workday back)

Eliminates manual work. Agents eliminate the manual work of logging into the Cisco Umbrella dashboard, pulling reports, exporting threat data, auditing destination lists, and building compliance documents that security and operations teams do every week.

Schedule

What your Cisco Umbrella agent runs on autopilot

A week of scheduled jobs your Actionist agent will execute on your behalf.

28 scheduled jobs · 7 agents at work · 24/7 always on
Multi-app workflows

Cisco Umbrella × every other app you use

End-to-end automations that span multiple apps — each one a real business outcome.

6 workflows · 5 apps spanned · ~24 hrs saved / week · 6 personas served

For security (featured, 4 apps)

Phishing URL detected in email, blocked in Umbrella within a minute

When a suspicious URL arrives in the shared security inbox, the agent submits it to Cisco Umbrella Investigate for reputation scoring. If the score is below the safe threshold, the domain is immediately added to the active block destination list — enforced at the DNS layer across the organization within about a minute. A Slack alert goes to the security team and the incident is logged in Notion before any manual analyst work begins.

~15 hrs

Time saved for your team — every week, on autopilot

The flow

Trigger: When an email arrives in the security inbox containing a flagged URL

Result:

  • Add domain to block destination list if threat score is below threshold
  • Post phishing alert with threat details to #security channel
  • Log phishing incident with URL, threat score, and block action to security incident log

The win

Saved per run: 45 min
Runs / week: ~20×

Malicious domains blocked organization-wide before a second employee can click

Driven by Operations Agent
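
The decision step of this flow can be sketched as follows. This is an added example, not Actionist or Cisco code: the score scale, `SAFE_THRESHOLD`, the `NEVER_BLOCK` list and the `lookup_score` callable (a stand-in for an Investigate query) are assumptions, and the email and scores are constructed. It routes failed lookups, and low scores on shared platforms, to review instead of an organization-wide block.

```python
import re
from urllib.parse import urlsplit

# Assumptions, not values from the page or from Cisco: lower score = worse.
SAFE_THRESHOLD = 0
# Constructed list of domains whose DNS block would hurt the whole organization.
NEVER_BLOCK = {"google.com", "microsoft.com", "slack.com"}
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

def extract_hosts(body):
    """Return unique lowercase hostnames of the http(s) URLs in an email body."""
    hosts = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def is_protected(host):
    """True if host is a never-block domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in NEVER_BLOCK)

# lookup_score is a hypothetical callable: returns a number, or None on failure.
def triage(body, lookup_score):
    """Map each host found in body to 'block', 'review' or 'allow'."""
    decisions = {}
    for host in extract_hosts(body):
        score = lookup_score(host)
        if score is None:
            decisions[host] = "review"   # no verdict: a human decides
        elif score >= SAFE_THRESHOLD:
            decisions[host] = "allow"
        elif is_protected(host):
            decisions[host] = "review"   # low score, but blocking is too broad
        else:
            decisions[host] = "block"
    return decisions

# Constructed sample input.
SAMPLE_EMAIL = """Verify your account: http://login.example-bad.test/reset?id=1
Shared file: https://docs.google.com/document/d/abc
Newsletter: https://news.example.org/issue/7"""
SAMPLE_SCORES = {"login.example-bad.test": -80, "docs.google.com": -10,
                 "news.example.org": 40}
if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL, SAMPLE_SCORES.get))
```
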
ROI

Savings

What your team gets back — two angles: what you stop doing manually, and what that's worth.

Without Actionist

What you do manually today

With Actionist

What your agent runs for you

  • Sales
    30 min / week
    Manual prospect domain verification

    Sales reps have no visibility into the security posture of prospect domains and rely on manual web searches to spot obvious fraud, missing the majority of threat-categorized domains.

    Sales Agent
    0 min
    Agent vets prospect domains before outreach

    Before any rep makes contact, the agent queries Cisco Umbrella Investigate for each new prospect domain and flags anything with a poor reputation score — preventing reps from engaging with fraudulent identities.

  • Marketing
    20 min / week
    No pre-campaign URL security review

    Marketing teams send campaign emails without checking whether embedded links pass DNS security filters, risking deliverability issues and brand-reputation damage when links are flagged by recipient tools.

    Marketing Agent
    0 min
    Agent runs URL threat checks before campaign dispatch

    Before any campaign goes out, the agent submits every embedded external URL to Cisco Umbrella Investigate and clears or flags each one — protecting the brand from distributing links that recipient DNS controls would block.

  • Customer Support
    25 min / week
    Static knowledge base links never security-checked

    Support teams manually maintain knowledge base URLs with no systematic reputation checks, leading to customer complaints when articles link to destinations that are now blocked by DNS security tools.

    Customer Support Agent
    0 min
    Agent keeps knowledge base URLs security-current

    The support agent runs Umbrella Investigate on all knowledge base article links weekly, catching any URLs that have degraded in reputation since the article was written and flagging them for replacement before a customer receives them.

  • Human Resources
    15 min / week
    Onboarding links never security-checked

    HR teams compile onboarding resource links without any reputation checking, occasionally leading to new hires being unable to access onboarding resources blocked by corporate DNS filtering on day one.

    Human Resources Agent
    0 min
    Agent security-vets onboarding resources before new-hire day one

    Every onboarding resource link is run through Cisco Umbrella Investigate before the kit is sent, ensuring no new hire encounters a DNS block on a mandatory onboarding destination on their first day.

  • Finance
    20 min / week
    Vendor domain security never checked before payment

    Finance teams approve payments to new vendors based on invoice data alone, with no systematic check of vendor domain reputation — leaving the organization exposed to business email compromise and fraudulent vendor attacks.

    Finance Agent
    0 min
    Agent validates vendor domains before payment approval

    When a new vendor is submitted for payment, the agent automatically investigates their domain in Cisco Umbrella before approval reaches the payment stage — blocking business email compromise attempts before funds move.

  • Operations
    60 min / week
    Manual destination list maintenance and reporting

    Operations teams manually log into Cisco Umbrella to audit destination lists, pull reports, and compile security digests — a time-consuming process that often results in reporting falling behind a weekly cadence.

    Operations Agent
    0 min
    Agent maintains destination lists and delivers weekly security digests

    The operations agent audits destination lists weekly, closes threat-to-block-list gaps automatically, and delivers a cross-team security digest to Slack — all without anyone logging into the Umbrella dashboard.

  • Legal
    45 min / week
    Manual monthly compliance evidence collection

    Legal teams manually log into Cisco Umbrella, export multiple reports, and compile them into compliance evidence documents every month — a process that takes hours and is prone to missing the correct date range.

    Legal Agent
    0 min
    Agent builds compliance attestation documents from Umbrella data monthly

    On the first of each month, the agent retrieves the security summary, threat types, and active policies from Cisco Umbrella and compiles them into a structured attestation document ready for SOC 2 and cyber insurance audit review.

+ 100s of other Cisco Umbrella automations
Average time saved
22 hrs / person / month
Calculator

Calculate what your team saves

Team size: 5 people
Hourly rate: $75 / hr
Hours saved / week: 13
Hours saved / year: 625
Annual ROI: $46,875

Based on Cisco Umbrella's typical team usage — the visible tasks plus a few other automations the agent runs: ~2.5 hrs / person / week of admin work automated.

Connect

How to plug Cisco Umbrella into Actionist

Pick the connection method that suits your environment.

Connect using a Cisco Umbrella API Key and Secret generated from the Admin > API Keys section of the Umbrella dashboard. This is the standard credential type for Umbrella's management, reporting, and investigate APIs.

1. Generate an API Key in Cisco Umbrella

Log in to the Cisco Umbrella dashboard and navigate to Admin > API Keys. Click Add to generate a new key pair. Choose a descriptive name and assign the scopes needed for your planned actions (reports, policies, investigate).

2. Copy the Key and Secret

Copy both the Key and the Secret values immediately — the secret is shown only once. Store them securely in your secrets manager.

3. Paste into Actionist and test

Paste the Key into the API Key field and the Secret into the API Secret field in Actionist, then click Test connection to confirm the handshake.

Credentials you'll need
API Key*
Umbrella dashboard → Admin → API Keys → Add → copy the Key field
API Secret*
Umbrella dashboard → Admin → API Keys → Add → copy the Secret field
Actions

14 actions your agent can call

Read and write operations available to your Actionist agent.

Triggers

0 events your agent can react to

Events your agent watches for, and the actions it kicks off in response.

This app has no triggers yet.
FAQs

Questions about Cisco Umbrella + Actionist

How does Actionist connect to Cisco Umbrella?
Go to the Apps tab in Actionist, find Cisco Umbrella, and click Connect. The recommended path is API key — you will need to generate OAuth2 credentials (a Key and Secret) from the Cisco Umbrella dashboard under Admin > API Keys. Paste the Key and Secret into the corresponding fields in Actionist, and the agent runs a read-only test call to confirm the handshake before any actions run.
What credentials or API keys do I need to integrate Cisco Umbrella with Actionist?
Cisco Umbrella uses OAuth2 client credentials for its management and reporting APIs. You generate a Key (Client ID) and Secret from the Umbrella dashboard under Admin > API Keys. The scopes you need depend on what the agent will do: read scopes cover reporting and investigate queries; write scopes are needed to create or modify destination lists and policies. Following the least-privilege principle, create the API key with only the minimum required scopes.
Can I connect Cisco Umbrella to other apps in the same Actionist workflow?
Yes. Cisco Umbrella works best when it feeds into and draws from your broader security and operations stack. Common integrations include: posting threat alerts from Umbrella's Reporting API into Slack; writing blocked domain events to Google Sheets for audit; syncing threat intelligence from Umbrella Investigate into a SIEM or ticketing tool like Jira; automatically adding malicious domains discovered in other apps to an Umbrella block destination list. Any of Actionist's 200+ connected apps can exchange data with Cisco Umbrella in the same automated workflow.
What are the most common things agents do with Cisco Umbrella?
The most common patterns are: (1) threat response — when a new threat is detected in another tool, automatically add the associated domain or IP to a Cisco Umbrella block destination list; (2) compliance reporting — pull weekly DNS activity reports and push them to a Google Sheet or Notion doc for audit; (3) domain investigation — query the Investigate API for domain reputation and threat categorization before allowing access to new vendor or partner URLs; (4) policy hygiene — regularly review destination lists to remove stale entries and keep policies clean; (5) alert routing — pull top threats from the Reporting API and post them to Slack or create Jira tickets for the security team.
Can Actionist generate automated Cisco Umbrella security reports?
Yes. The Cisco Umbrella Reporting API lets you pull DNS activity logs, top destinations, top threats, top identities, and threat type summaries for any time window. The agent can pull these reports on a schedule and push the data to Google Sheets, Notion, or a Slack digest — giving your security and compliance teams a regular automated report without anyone logging into the Umbrella dashboard.
Can Actionist automatically add or remove domains from Cisco Umbrella block lists?
Yes. The Cisco Umbrella Destination Lists API lets you create, read, update, and delete both allow and block destination lists, and add or remove individual domains, URLs, or IPs from those lists programmatically. This means an Actionist agent can respond to a threat event in another system — for example, a phishing report in your email gateway — and automatically add the offending domain to a block list in Cisco Umbrella within about a minute of detection.
How does the Cisco Umbrella Investigate API help with threat intelligence in Actionist?
Cisco Umbrella's Investigate API provides reputation scoring and threat categorization for domains, IPs, and URLs based on Cisco Talos intelligence and DNS resolver data. An Actionist agent can query the Investigate API for a domain before it is approved for use in procurement, vendor onboarding, or partner workflows — flagging anything with a low reputation score for manual review before it is ever accessed from your network.
Does Cisco Umbrella support real-time event triggers or webhooks in Actionist?
Cisco Umbrella's Reporting API provides traffic and threat data at the organizational level via scheduled API calls — it does not support real-time event streaming or webhooks. In Actionist, this means agents poll the Reporting API on a schedule (such as every 15 minutes or hourly) to retrieve new activity, rather than receiving instant push notifications. For time-sensitive threat response workflows, set a frequent polling cadence and pair it with immediate downstream actions (Slack alert, Jira ticket, block list update) to minimize response latency.