Cisco Umbrella — Malware Analysis feature and Threat Grid

VCD
4 min read · Apr 29, 2021

Note: This blog is solely based on my work experience and research. This is NOT an official Cisco document. All the details and recommendations in this blog are my personal opinion.

File Analysis is a key feature that inspects every file traversing the Umbrella proxy to verify whether it carries malicious content. The file inspection process differs slightly between DNS policies and Web policies.

There are two main products that work under the hood for File Analysis: Cisco Advanced Malware Protection (AMP) and Cisco Threat Grid (TG). Cisco Umbrella uses AMP for file inspection and TG for malware analysis.

Which features are available depends on the Umbrella package. File Inspection is available in both DNS Security Advantage and SIG Essentials, whereas Malware Analysis is available in the SIG Essentials package only. Table: 1 below shows the feature matrix.

Table: 1

File Inspection can be enabled for all DNS policies, but only files that belong to Grey domains will be inspected. To learn more about Grey domains, please check my previous blog.

For Web policies, File Inspection feature is enabled by default.

File Inspection must be enabled before Threat Grid Malware Analysis can be used; the Malware Analysis feature cannot be enabled without it. When you click to enable the Malware Analysis feature, a pop-up window appears asking you to set the sandbox region. Currently the sandbox clouds are available in North America and Europe only.

Once you have enabled the Malware Analysis feature by selecting a sandbox region, the Umbrella Org admin will receive an email from support@threatgrid[.]com with the details needed to log in to the Umbrella TG account.

The Umbrella TG login ID is the keyword “umbrella” followed by a dash and the Umbrella Org ID. For example, if your Umbrella Org ID is 1234567, the Umbrella TG login ID will be “umbrella-1234567”.

Note: The Threat Grid password reset email from support@threatgrid[.]com will show a login name of “Umbrella-{Umbrella OrgID}”. You may not be able to log in with this login name if your organization doesn’t have an existing Threat Grid account.

If your organization does not have an existing Threat Grid account, you need to use the “device admin” account to log in to the Umbrella TG. The Umbrella TG device admin login ID is the regular login ID with “-da” appended at the end, i.e. Umbrella-{Umbrella OrgID}-da, e.g. “umbrella-123445-da”.

If your organization already has a Threat Grid account, you have the option to move the Umbrella TG account under the same administration. To do this, send an email to tg-provisioning@cisco[.]com containing the Umbrella TG Account ID (Umbrella-124567), your existing Threat Grid Org name and the TG login name of the Admin user, requesting that the Umbrella TG account be moved under your TG account.

Use the Umbrella TG device-admin login ID (umbrella-1234567-da) and password to log in to the Umbrella TG dashboard. This is a trimmed-down version of TG, and most of the features are not available in this dashboard. The main purpose of the Umbrella TG dashboard is to show the list of samples and the analysis of the malware submitted by the Umbrella Org. Figure: 1 below shows a sample Umbrella TG dashboard.

Figure: 1 Sample Umbrella Threat Grid Dashboard

The “Submit Sample” option is disabled, along with the dashboard analytics. Clicking “Learn more” on the graph tiles or the “Upgrade” tab at the top both take you to the upgrade page shown in Figure: 2.

Figure: 2 Umbrella TG Upgrade Page

The upgrade page summarizes the key features that are missing compared with the full version of TG.

On the Umbrella dashboard overview page you can see whether any file has been submitted to Threat Grid for sandboxing. If a file has been submitted and found to be malicious, it shows up on the overview page under the “File Retrospective” section, as shown in Figure: 3 below.

To learn more about the malware, click the three dots (…) at the end of the line; a small pop-up box appears with a couple of options.

Figure: 3 Umbrella File Retrospective section — a malicious file, and the pop-up box with options that appears when the three dots (…) are clicked

You can also choose to view the malware report from Threat Grid itself. The Threat Grid report provides malware details such as Metadata, Behavioral Indicators, Network Activity, Processes, Artifacts, Registry Activity and File Activity. A sample report is shown in Figure: 4 below.

Figure: 4 Sample Umbrella Threat Grid report of a malware

More information

Enable Threat Grid Malware Analysis — https://docs.umbrella.com/umbrella-user-guide/docs/enable-threat-grid-malware-analysis

Cisco Threat Grid — https://www.cisco.com/c/en/us/products/security/threat-grid/index.html