diff --git a/rules/cisco_umbrella_dns_rules/domain_blocked.yml b/rules/cisco_umbrella_dns_rules/domain_blocked.yml index 8f18ca5e1..dab154b05 100644 --- a/rules/cisco_umbrella_dns_rules/domain_blocked.yml +++ b/rules/cisco_umbrella_dns_rules/domain_blocked.yml @@ -11,6 +11,7 @@ Tags: Severity: Low Description: Monitor blocked domains Runbook: Inspect the blocked domain and lookup for malware +Reference: https://support.umbrella.com/hc/en-us/articles/230563627-How-to-determine-if-a-domain-or-resource-is-being-blocked-using-Chrome-Net-Internals SummaryAttributes: - action - internalIp diff --git a/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml b/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml index 971a1bb1e..d78c2ff06 100644 --- a/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml +++ b/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml @@ -9,6 +9,7 @@ LogTypes: Tags: - Configuration Required - DNS +Reference: https://umbrella.cisco.com/blog/abcs-of-dns Severity: Medium Description: Identify lookups to suspicious domains that could indicate a phishing attack. Runbook: > diff --git a/rules/cisco_umbrella_dns_rules/suspicious_domains.yml b/rules/cisco_umbrella_dns_rules/suspicious_domains.yml index f81de366e..f73d3fd60 100644 --- a/rules/cisco_umbrella_dns_rules/suspicious_domains.yml +++ b/rules/cisco_umbrella_dns_rules/suspicious_domains.yml @@ -9,6 +9,7 @@ LogTypes: Tags: - DNS - Configuration Required +Reference: https://umbrella.cisco.com/blog/abcs-of-dns Severity: Low Description: Monitor suspicious or known malicious domains Runbook: Inspect the domain and check the host for other indicators of compromise
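Review bot: in the domain_blocked.yml hunk, the Reference URL is an end-user troubleshooting article ("How to determine if a domain or resource is being blocked using Chrome Net-Internals"), which describes checking the browser on a single client rather than the Umbrella DNS log events this rule evaluates, so it does not help an analyst interpret the `action` and `internalIp` summary attributes. Consider pointing Reference at the Umbrella documentation for the block action recorded in the DNS logs instead. Also, this file inserts Reference after Runbook, while the two other files in this patch insert it between Tags and Severity; pick one key ordering for the rule set. Minor, in the unchanged Runbook line: "Inspect the blocked domain and lookup for malware" would read better as "Inspect the blocked domain and look it up for malware".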
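Review bot: in the fuzzy_matching_domains.yml hunk, https://umbrella.cisco.com/blog/abcs-of-dns is a general DNS primer, but this rule is tagged Configuration Required and its Description says it identifies lookups to suspicious domains that could indicate phishing; the reference an analyst needs here is the one that explains what has to be configured (the set of domains the fuzzy match is run against) and how a match is scored. Either point Reference at that documentation or state the required configuration in the Runbook, otherwise the link adds no rule-specific context.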
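Review bot: in the suspicious_domains.yml hunk, the same abcs-of-dns link is reused, so two rules now carry a reference that is specific to neither. Since this rule is also Configuration Required and its Description is "Monitor suspicious or known malicious domains", a reference to where the known-malicious domain list comes from and where it is configured would make the Runbook step "Inspect the domain and check the host for other indicators of compromise" actionable. Style: the Tags list here is ordered "DNS, Configuration Required" while fuzzy_matching_domains.yml orders them the other way; align the two while touching both files.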