<span class="pill kill-chain">RecordType</span>
<span class="pill kill-chain">ReplyCode</span>
<span class="pill kill-chain">Timestamp</span>
<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">blocked_category</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">destination_countries</span>
<span class="pill kill-chain">domain</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">granular_identity_type</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">identities</span>
<span class="pill kill-chain">identity_type</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">message_type</span>
<span class="pill kill-chain">organization_id</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">query</span>
<span class="pill kill-chain">query_type</span>
<span class="pill kill-chain">record_type</span>
<span class="pill kill-chain">reply_code</span>
<span class="pill kill-chain">reply_code_id</span>
<span class="pill kill-chain">rule</span>
<span class="pill kill-chain">rule_id</span>
<span class="pill kill-chain">s3_uri</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_asset</span>
<span class="pill kill-chain">src_asset_id</span>
<span class="pill kill-chain">src_asset_tag</span>
<span class="pill kill-chain">src_bunit</span>
<span class="pill kill-chain">src_category</span>
<span class="pill kill-chain">src_city</span>
<span class="pill kill-chain">src_country</span>
<span class="pill kill-chain">src_dns</span>
<span class="pill kill-chain">src_external_ip</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">src_is_expected</span>
<span class="pill kill-chain">src_lat</span>
<span class="pill kill-chain">src_long</span>
<span class="pill kill-chain">src_mac</span>
<span class="pill kill-chain">src_nt_host</span>
<span class="pill kill-chain">src_owner</span>
<span class="pill kill-chain">src_pci_domain</span>
<span class="pill kill-chain">src_priority</span>
<span class="pill kill-chain">src_requires_av</span>
<span class="pill kill-chain">src_should_timesync</span>
<span class="pill kill-chain">src_should_update</span>
<span class="pill kill-chain">src_translated_ip</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::app</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">tag::user_category</span>
<span class="pill kill-chain">tag::user_identity_tag</span>
<span class="pill kill-chain">tag::user_watchlist</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_bunit</span>
<span class="pill kill-chain">user_category</span>
<span class="pill kill-chain">user_email</span>
<span class="pill kill-chain">user_endDate</span>
<span class="pill kill-chain">user_first</span>
<span class="pill kill-chain">user_identity</span>
<span class="pill kill-chain">user_identity_id</span>
<span class="pill kill-chain">user_identity_tag</span>
<span class="pill kill-chain">user_last</span>
<span class="pill kill-chain">user_managedBy</span>
<span class="pill kill-chain">user_nick</span>
<span class="pill kill-chain">user_phone</span>
<span class="pill kill-chain">user_prefix</span>
<span class="pill kill-chain">user_priority</span>
<span class="pill kill-chain">user_startDate</span>
<span class="pill kill-chain">user_suffix</span>
<span class="pill kill-chain">user_watchlist</span>
<span class="pill kill-chain">user_work_city</span>
<span class="pill kill-chain">user_work_country</span>
<span class="pill kill-chain">user_work_lat</span>
<span class="pill kill-chain">user_work_long</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: Cisco Secure Access DNS
Description
Captures DNS security events from Cisco Secure Access (including Umbrella-style DNS policy and roaming client telemetry) with client identity, query and response metadata, resolved domain, and URL/content categorization. This data source supports detections that correlate user or host activity with high-risk categories such as proxy and anonymizer infrastructure.
Details
| Property | Value |
|---|---|
| Source | not_applicable |
| Sourcetype | cisco:cloud_security:dns |
Related Detections
| Name | Technique | Type |
|---|---|---|
| Cisco SA - Access to Anonymizer Services | Multi-hop Proxy | Anomaly |
Supported Apps
- Cisco Secure Access Add-on for Splunk (version 1.0.50)
Event Fields
Fields
Example Log
"2026-04-20 22:23:29","EC2AMAZ-J8G2CH1","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","Allowed","1 (A)","NOERROR","www.proxysite.com.","Proxy/Anonymizer,Application,Filter Avoidance","Anyconnect Roaming Client","Anyconnect Roaming Client","","139213","","8209150"
Required Output Fields
- category
- domain
- src_ip
- user
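The following is an added example, not code from the page or from the Cisco Secure Access add-on: it parses the quoted-CSV example log above into the field names listed on this page, projects it onto the required output fields, and applies the condition behind the related "Access to Anonymizer Services" detection (an allowed query whose category includes a proxy/anonymizer class). The column order, the mapping of `user` to the policy-identity column, and the second sample line are assumptions inferred from the page, not a documented schema.

```python
import csv

# ASSUMPTION: column order inferred from this page's field list and the
# example log values; it is not an official Cisco Secure Access schema.
COLUMNS = [
    "Timestamp", "granular_identity", "identities", "src_ip", "src_external_ip",
    "action", "query_type", "reply_code", "domain", "category",
    "granular_identity_type", "identity_type", "blocked_category",
    "rule_id", "rule", "organization_id",
]

# Categories the related detection treats as anonymizer/proxy use.
ANONYMIZER_CATEGORIES = {"Proxy/Anonymizer", "Filter Avoidance"}

def parse_dns_event(line):
    """Parse one quoted-CSV DNS event into a dict keyed by field name."""
    values = next(csv.reader([line]))
    if len(values) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(values)}")
    event = dict(zip(COLUMNS, values))
    event["domain"] = event["domain"].rstrip(".")  # "www.proxysite.com." -> "www.proxysite.com"
    event["category"] = [c for c in event["category"].split(",") if c]
    return event

def required_output_fields(event):
    """Project onto the data source's required output fields (user = policy identity, assumed)."""
    return {"category": event["category"], "domain": event["domain"],
            "src_ip": event["src_ip"], "user": event["granular_identity"]}

def is_anonymizer_access(event):
    """True when an *allowed* query resolved a domain in an anonymizer/proxy category."""
    return event["action"] == "Allowed" and bool(ANONYMIZER_CATEGORIES & set(event["category"]))

def find_anonymizer_hits(lines):
    """Return the required output fields for every event that matches the detection."""
    return [required_output_fields(e) for e in map(parse_dns_event, lines) if is_anonymizer_access(e)]

# Sample input: the first line is the page's example log; the second is constructed (benign category).
SAMPLE_LOGS = [
    '"2026-04-20 22:23:29","EC2AMAZ-J8G2CH1","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","Allowed","1 (A)","NOERROR","www.proxysite.com.","Proxy/Anonymizer,Application,Filter Avoidance","Anyconnect Roaming Client","Anyconnect Roaming Client","","139213","","8209150"',
    '"2026-04-20 22:24:01","EC2AMAZ-J8G2CH1","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","Allowed","1 (A)","NOERROR","www.example.com.","Search Engines","Anyconnect Roaming Client","Anyconnect Roaming Client","","139213","","8209150"',
]

if __name__ == "__main__":
    for hit in find_anonymizer_hits(SAMPLE_LOGS):
        print(hit)
```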
Source: GitHub | Version: 1