====== Cisco Umbrella Top 1M Domains List ======

This page provides guidelines for installing the Cisco Umbrella Top 1M Domains List app in Trisul Network Analytics.

**To create a Domain Topper Counter that can be used in NSM to train the spotlight on the least common domains seen in your network traffic.**

{{:tips:cisco-umbrella-app.png?200|}}

Some of the uses can be:

  - Visibility - To know the usage patterns outside the Top-1M in your enterprise.
  - Detect Outliers - To detect rare domains, such as those created by DGA, typically used by malware.
  - Iterative - To add a whitelist based on your enterprise and fine-tune this list.

The Quantcast-Top-1M list has been added to this as well, so any domain that is in neither of the lists can truly be said to be outside the Top-1M.

===== Installing =====

  * To install this app, log on as admin, then select the app from //Web Admin > Manage > Apps > Umbrella Top1M//.

{{:umbrella-top-1m.png?600|}}

  * After installing, run the 'installfeed.sh' script to keep the FireHOL list updated as shown below.

**Pre-Requisites**

You need to install a few packages, namely:

  * Luajit - apt install luajit
  * Unzip - apt install unzip
  * Libleveldb - apt install libleveldb1v5

For Ubuntu 18.04, you should add the universe repository using 'sudo add-apt-repository universe'.

===== Installing the Feed =====

  * You must run the 'installfeed.sh' script in this folder to download the Umbrella-Top-1M list and keep it updated.
  * Run the following commands:

<code>
curl -O https://raw.githubusercontent.com/trisulnsm/apps/master/analyzers/umbrella-top-1m/installfeed.sh
bash ./installfeed.sh
</code>

Please ensure you restart the probe after this step.

===== Viewing Data =====

This app adds a new counter group called 'Outside Umbrella Top-1M'. To view the metrics:

  - Go to //Retro > Retro Counters//.
  - Select a desired time frame and select the 'Outside Umbrella Top-1M' counter group.

{{:tips:outside-umbrella-counter.png?600|}}
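
The "outside Top-1M" idea from the uses listed above (visibility, outlier detection, iterative whitelisting), as an added sketch that is not the Trisul app's own code. It assumes a "rank,domain" CSV layout for the list and treats a name as listed when it or any parent domain appears; the sample list, the sample queries and all function names are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in an assumed "rank,domain" CSV layout; not real list data.
SAMPLE_TOP_LIST = "1,google.com\n2,microsoft.com\n3,windowsupdate.com\n4,example.org\n"

# Constructed DNS query names, as a probe might observe them.
SAMPLE_QUERIES = [
    "www.google.com", "update.microsoft.com.", "intranet.corp.example",
    "xkqjzpwv7f3a.invalid", "EXAMPLE.org", "xkqjzpwv7f3a.invalid",
    "intranet.corp.example", "",
]


def load_top_list(csv_text):
    """Return the set of normalised domains from rank,domain CSV text."""
    domains = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 2 and row[1].strip():
            domains.add(row[1].strip().lower().rstrip("."))
    return domains


def is_listed(name, listed):
    """True if name, or a parent domain of two or more labels, is in the set."""
    labels = name.lower().rstrip(".").split(".")
    # Stop before the bare TLD so "com" alone never matches every .com name.
    return any(".".join(labels[i:]) in listed
               for i in range(max(1, len(labels) - 1)))


def count_outside(queries, top_list, allow_list=()):
    """Count queried names matching neither the top list nor the local allow list."""
    known = set(top_list) | {d.lower().rstrip(".") for d in allow_list}
    outside = Counter()
    for query in queries:
        name = query.lower().rstrip(".")
        if name and not is_listed(name, known):
            outside[name] += 1
    return outside


if __name__ == "__main__":
    top = load_top_list(SAMPLE_TOP_LIST)
    print("first pass:", count_outside(SAMPLE_QUERIES, top).most_common())
    # Iterative step: whitelist the enterprise's own zone and re-run.
    tuned = count_outside(SAMPLE_QUERIES, top, allow_list=["corp.example"])
    print("after whitelist:", tuned.most_common())
```

After the enterprise zone is whitelisted, only the rare random-looking name remains, which is the kind of entry the counter group is meant to surface.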