Introduction
This document describes the "Newly Seen Domains" (NSD) Security Category in Cisco Umbrella.
Background Information
Newly Seen Domains (NSD) is a Security Category that identifies domains queried for the first time within the past 24 hours by any user of Cisco Umbrella DNS service (including the free OpenDNS service for home users). This security category functions identically to any other Security Category and can be enabled as part of an existing security setting or a new one. Domains remain in the list for a period of 24 hours.
How Cisco Umbrella Defines a Domain as "Newly Seen"
New domains are often registered as part of new malware campaigns. The actors behind these campaigns use new domains because signature- and list-based blocking of known malicious sites does not yet recognize them. For example, a phishing campaign can register a new domain to accompany a large spam run that encourages users to click a link. That link is not yet known to be part of the campaign and is not blocked by standard lists of known-malicious domains. Before it is added to those lists, criminals have enough time to exfiltrate data, install malware, and gain network access.
The Newly Seen Domains (NSD) Security Category operates by checking DNS logs for lookups of domains that have never been seen previously. Due to the volume of invalid queries, for a domain to be marked as newly seen, the client query must receive a proper answer. Once a domain is first seen, it is added to a list for 24 hours. After this period, the domain is no longer newly seen and is removed from the list.
A report records the category a domain was under at the time it was queried. Therefore, if a domain was categorized as newly seen when queried, it is reported as such in the Activity Search or Security Activity report. However, once the domain expires from the list, pivoting on that domain against current data about it (especially using the new Destinations or Identities reports, the Investigate Console, or the Investigate API) no longer shows that domain as newly seen. In short, revisiting a domain several days later no longer shows it as newly seen in Umbrella. This is by design but can cause some initial confusion.
The only definition of a Newly Seen Domain is exactly that: it is newly seen. As a result, a significant portion of the domains categorized as newly seen are not malicious, and detections of legitimate domains are expected with this security category. Safeguards against this have been implemented, especially for services and CDNs such as Akamai and CloudFront that generate randomized subdomains to serve content. The usual safeguards for highly popular domains, such as Facebook and Google, also ensure that these are never included.
Additionally, only fully-qualified domain names (second-level domain or a subdomain of a second-level domain) are considered domains that are newly seen. Top-level domains and country-code top-level domains are not included in Newly Seen Domains to avoid blocking large groupings of domains.
Important Notes About Implementation
Given that some unwanted detections can be expected, Cisco Umbrella strongly recommends starting with this category in audit (detect-only) mode, without blocking or taking any other action. By default, any user with this category available in their security settings sees Newly Seen Domains as detections in the reports, so the feature is effectively enabled without blocking by default. In most cases, use the reports to see which traffic matches the category, then research those domains in more depth to determine whether they represent a security threat, rather than blocking automatically.
Another major caveat is that the first query to the domain is allowed. This is because Cisco Umbrella has never seen a query to that domain previously, and as such, it has not been processed by the logging systems to be included as part of the Newly Seen Domains category. The time gap between when a domain is first queried and before it appears in the list of domains matching the category is approximately five minutes but can extend beyond that because Cisco Umbrella does not necessarily process 100% of the DNS query logs (due to processing time and volume).
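The following is an added example, not Cisco Umbrella code, that replays constructed resolver log lines and applies the rules described above: only queries that received a proper answer count as a first sighting, the first query is allowed through, the domain is listed only after a processing delay (assumed here to be exactly five minutes), it drops off the list after 24 hours, bare TLDs and ccTLDs are never listed, and popular domains and randomized CDN subdomains are excluded. The log format, the suffix, CDN and popular-domain lists, and all sample domains are assumptions made for the demo; a real system would use the public suffix list and far larger exclusions.

```python
"""Replay DNS log lines and decide, per query, whether it would match the
Newly Seen Domains category at that moment.  Illustrative only."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Values from the article; treating the delay as exact is an assumption for the demo.
NSD_WINDOW = timedelta(hours=24)         # a domain stays "newly seen" for 24 hours
PROCESSING_DELAY = timedelta(minutes=5)  # approximate lag before a first sighting is listed

# Deliberately tiny, assumed stand-ins for the real safeguards.
PUBLIC_SUFFIXES = ("com", "net", "org", "co.uk")   # TLDs/ccTLDs themselves are never listed
CDN_APEXES = ("akamaihd.net", "cloudfront.net")    # randomized CDN subdomains are ignored
POPULAR_DOMAINS = ("google.com", "facebook.com")   # highly popular domains are ignored

# Constructed sample log: "<ISO-8601 UTC> <client> <qname> <rcode> <answer_count>"
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.0.0.5 first-time-bad.example.com NOERROR 1
2024-05-01T09:02:00Z 10.0.0.6 first-time-bad.example.com NOERROR 1
2024-05-01T09:10:00Z 10.0.0.7 first-time-bad.example.com NOERROR 1
2024-05-02T09:30:00Z 10.0.0.8 first-time-bad.example.com NOERROR 1
2024-05-01T09:00:05Z 10.0.0.5 late-registered.example.net NXDOMAIN 0
2024-05-01T09:30:00Z 10.0.0.5 late-registered.example.net NOERROR 1
2024-05-01T09:40:00Z 10.0.0.5 late-registered.example.net NOERROR 1
2024-05-01T09:01:00Z 10.0.0.5 a1b2c3d4e5.cloudfront.net NOERROR 1
2024-05-01T09:06:00Z 10.0.0.5 a1b2c3d4e5.cloudfront.net NOERROR 1
2024-05-01T09:00:10Z 10.0.0.9 com NOERROR 1
2024-05-01T09:00:20Z 10.0.0.9 www.google.com NOERROR 1
2024-05-01T09:20:00Z 10.0.0.9 www.google.com NOERROR 1
"""


@dataclass
class Verdict:
    ts: datetime
    client: str
    qname: str
    resolved: bool     # did the query get a proper answer?
    newly_seen: bool   # would it have matched the NSD category at query time?


def _parse(line: str) -> tuple[datetime, str, str, str, int]:
    ts, client, qname, rcode, answers = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, client, qname.lower().rstrip("."), rcode, int(answers)


def _registrable(qname: str) -> str | None:
    """Second-level domain for qname, or None when qname is itself a TLD/ccTLD."""
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if qname == suffix:
            return None
        if qname.endswith("." + suffix):
            rest = qname[: -len(suffix) - 1]
            return rest.rsplit(".", 1)[-1] + "." + suffix
    labels = qname.split(".")  # unknown suffix: assume the last label is the TLD
    return None if len(labels) < 2 else ".".join(labels[-2:])


def _excluded(qname: str, registrable: str) -> bool:
    """Safeguards: popular domains and randomized CDN subdomains are never tagged."""
    if registrable in POPULAR_DOMAINS:
        return True
    return any(qname == apex or qname.endswith("." + apex) for apex in CDN_APEXES)


def classify(log_lines: list[str]) -> list[Verdict]:
    first_seen: dict[str, datetime] = {}   # keyed on the FQDN, since subdomains count
    verdicts: list[Verdict] = []
    records = sorted((_parse(l) for l in log_lines if l.strip()), key=lambda r: r[0])
    for ts, client, qname, rcode, answers in records:
        resolved = rcode == "NOERROR" and answers > 0
        registrable = _registrable(qname)
        eligible = registrable is not None and not _excluded(qname, registrable)
        tagged = False
        if eligible:
            seen_at = first_seen.get(qname)
            if seen_at is None:
                # Never seen before: this query is allowed through, and it only
                # counts as the first sighting if it received a proper answer.
                if resolved:
                    first_seen[qname] = ts
            elif seen_at + PROCESSING_DELAY <= ts < seen_at + NSD_WINDOW:
                tagged = True   # listed: after the processing gap, before expiry
        verdicts.append(Verdict(ts, client, qname, resolved, tagged))
    return verdicts


def nsd_hits(log_lines: list[str]) -> list[tuple[str, str]]:
    """(timestamp, qname) for every query that matched the category."""
    return [(v.ts.isoformat(), v.qname) for v in classify(log_lines) if v.newly_seen]


if __name__ == "__main__":
    for v in classify(SAMPLE_LOG.splitlines()):
        print(v.ts.isoformat(), v.qname, "NSD" if v.newly_seen else "-")
```

Running the block shows the caveats in order: the 09:00 query for first-time-bad.example.com passes (first sighting), the 09:02 query still passes because it falls inside the processing gap, 09:10 matches, and the query a day later has expired. late-registered.example.net is not recorded at 09:00:05 because it got NXDOMAIN; its first proper answer at 09:30 becomes the sighting and 09:40 matches.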
Proxying Newly Seen Domains
Customers utilizing the Umbrella Intelligent Proxy also observe that some domains in the NSD category are proxied. This is by design. The Umbrella Labs team uses the data gathered through proxying these new domains to determine if they can be added to the malware categories immediately. One side-effect of this is that non-standard traffic sent to a Newly Seen Domain that is also being proxied is dropped at the proxy level. The Intelligent Proxy only proxies ports 80 and 443, the ports traditionally used for web traffic. This happens automatically when the proxy is enabled, whether or not the category is blocked. To prevent a single newly seen domain from being proxied, add it to the appropriate allow list.
More information on the Intelligent Proxy can be found in our documentation: Enable the Intelligent Proxy.
Enable Newly Seen Domains
The Newly Seen Domains security category can be enabled like any other under Policies > Security Settings by editing an existing security setting. Alternatively, it can be enabled from within the Policy Configuration Wizard itself.
Newly Seen Domains can also be filtered for in certain reports, such as Activity Search.