User Tools

Site Tools


Cisco Umbrella Top 1M Domains List

This app helps with providing guidelines for installing Cisco Umbrella Top 1M Domains List app in Trisul Network Analytics.

To create a Domain Topper Counter that can be used in NSM to train the spotlight on least common domains seen in your network traffic.

Some of the uses can be

  1. Visibility - To know the usage patterns outside the Top-1M in your enterprise.
  2. Detect Outliers - To detect rare domains, those created by DGA, typically used by malware.
  3. Iterative - To add white-list based on your enterprise and fine tune this list.
Added Quantcast-Top-1M to this as well. So any domain that is not in either of the lists can be truly said to be outside Top-1M


  • To install this App logon as admin, then select App from Web Admin > Manage > Apps > Umbrella Top1M.

  • Post install , Run the '' script to keep the FireHOL list updated as shown below.

Pre-Requisites You need to install a few packages namely

  • Luajit - apt install luajit.
  • Unzip - apt install unzip.
  • Libleveldb - apt install libleveldb1v5.
For Ubuntu-18.04,You should add the universe repository using 'sudo add-apt-repository universe'.

Installing the Feed

  • You must run the '' script in this folder to download the Umbrella-Top-1M list and keep it updated.
  • Run the following command,
#curl -O
#bash ./
Please ensure you restart the probe after this step.

Viewing Data

This APP adds a new counter group called 'Outside Umbrella Top-1M'.To view the metrics,

  1. Go to Retro > Retro Counters.
  2. Select a desired Time-frame and select 'Outside Umbrella Top-1M' COunter-group.

cisco_umbrella_top-1m_domains_list.txt · Last modified: 2020/04/01 16:37 by navaneeth