Submit Rapid No-Reply Umbrella Security Review Requests

Introduction

This document describes how to submit rapid no-reply Umbrella security review requests.

Overview

The Umbrella support team is introducing a new way to rapidly process security review submission by skipping the human support team completely - saving up to days off of your process timeline. 

The supported submissions include request to block for a security reason. Multiple domain submissions are permitted for requests to add new security blocks.

Tip: Requests to unblock a domain, review false positives, or review content categorization such as pornography are not accepted at this time. This includes the Parked Domains category. These requests must be sent to Talos Intelligence. See the article "How To: Submit A Talos Categorization Request" for instructions.

To submit for review, mail umbrella-research-noreply@cisco.com with the fixed format.

In the event of any failure with this automated system - please open a support case with Cisco Umbrella and our support team addresses your review request in the standard response time.

Submission format

No reply submissions rely on a specific submission format. Submissions that do not meet this format are rejected with a single reply with guidance on what to resolve. No further replies are accepted. For details on possible responses, see the next section below. Only mail sent to the address umbrella-research-noreply@cisco.com are processed.

Submissions are accepted with the formats:

Mailing address (clickable link): umbrella-research-noreply@cisco.com

Single Domain:

Domain: domain.comRequest: blockComments: Include background information or attribution and rationale hereDesired: malware

Multiple Domains:

Domaincsv: domain.com, moredomains.com,moredomain.comRequest: blockComments: Include background information or attribution and rationale here
Comments: (Additional comments are supported - must start with comments:)Desired: malware

or

Domaincsv: domain.com, moredomains.com,moredomain.com
moredomains.com, evenmoredomains.com, stillmoredomains.com,
afewmoredomains.com
enddomains:Request: blockComments: Include background information or attribution and rationale here
more comments are supported (and optional). Include additional comment lines
here. End with
endcomments:Desired: malware

Fields:

Domain: This is the domain being sent for review. This contains just the domain name itself and nothing more on this line. 

De-fang the domain if you are worried outbound email filters might interfere with this submission. Format accepted are as follows:

domain[.]com

Domaincsv: This is the list of domains being submitted for review. If submitting multiple domains, the domain: field are ignored. This field is only used with the request type block.

Request: Is this a submission requesting the domain to be added to a security classification to be blocked (block)?

Accepted value for Request:

• block

Comments: Include any background information including phishing or malware link details or information our research team uses to review the domain.

Comments can also contain De-Fanged URL's related to the domain submitted, but ensure you also change the "." as well. Examples:

hxxp://domain[.]com/badstuff.exe

hxxps://domain[.]com/badstuff.exe

Desired: This field confirms the desired result of the submission. Provide one of the accepted values for desired classification.

Accepted values for Desired:

• malware
• phishing
• botnet