Reporting

The Umbrella for Government Reporting API provides visibility into your network and security activities. You can find the Reporting API endpoints under the reports scope in the Cloud Security API.

Use Cases and Best Practices

The Reporting API enables you to programmatically access logs and reports, and build widgets or custom reports. The Reporting API does not support bulk data retrieval. If you need to export all of your data or large data collections, you can enable logging to Amazon Simple Storage Service (Amazon S3). For more information about Umbrella logs, see Manage Your Logs in the Umbrella for Government SIG User Guide.

Request Path Parameters

The Reporting API endpoints require various path parameters.

Request Query Parameters

You can customize and filter the API requests with query parameters. Each Reporting API endpoint defines its required query parameters.

Note: Umbrella uses the timestamp of the events to sort the /activity, /activity/dns, /activity/proxy, /activity/firewall, and /activity/amp-retrospective collections. If multiple events occur in the same second, the order of the collection is not guaranteed to be consistent.

Request Data by Time Range

Many Reporting API endpoints require that you set a time range to filter the data. You can define a time range with the to and from request query parameters. Additionally, some Reporting API endpoints enable a timerange header.

Time Range Header

The timerange header describes how to group data within a twenty-four hour period. This header accepts the following strings:

• minute
• hour (default value)
• day

Reporting API resources that group data by hourly intervals do not enable the timerange header. These resources include:

• Bandwidth by Hour
• Requests by Hour
• Requests by Hour and Category

Time Range Example

The Requests by Timerange resource accepts the timerange header as well as the to and from query parameters. For example, you can set the timerange header to minute, the to query parameter to now, and the from query parameter to -1days.

Timestamp and Relative Time Strings

The to and from query parameters accept a timestamp string defined in milliseconds from the Unix epoch. For example: 1619007756000 (converted from 2021-04-21:08:22:36 GMT-04:00).

You can also set other time range string values for these parameters.

Examples of to query parameter values:

• now
• -1days

Examples of from query parameter values:

• -2days
• -10minutes
• -2weeks

Note: The time range set by the to and from query parameters cannot exceed 30 days.

HTTP Redirects and Request Authorization Header

Umbrella stores your reporting data in data warehouses located in the Continental United States.

To automatically redirect HTTP requests and preserve the HTTP Authorization header, you can set additional flags or enable a redirect setting.

• curl: You must pass the -L or --location, and --location-trusted flags to redirect the curl HTTP request and retain the Authorization header.

  shell

  Copycurl -i --location --location-trusted \
  --request GET --url 'https://api.umbrellagov.com/reports/v2/activity?from=-7days&to=now&limit=10' \
  -H 'Authorization: Bearer %YourAccessToken%' \
  -H 'Content-Type: application/json'
  

• Postman: Within the Postman environment, navigate to an API and choose a GET method. Navigate to Settings. Enable Follow Authorization header to preserve the Authorization header for redirect requests.

Get Activities (All)

Description

List all activities (dns/proxy/firewall/intrusion) within the timeframe. Note: The IP activity report is not available.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• offset

  (Optional, number) A number that represents an index in the collection.

• limit

  (Required, number) The maximum number of records to return from the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• ruleid

  (Optional, number) The firewall policy rule ID.

• filename

  (Optional, string) A string that identifies a filename. Filter the request by the filename. Supports globbing or use of the wildcard character (''). The asterisk () matches zero or more occurrences of any character.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• isolatedstate

  (Optional, string) A string that describes the remote browser isolation (RBI) isolation type.

• isolatedFileAction

  (Optional, string) A string that describes the remote browser isolation (RBI) file action type.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• httperrors

  (Optional, string) Filter data for requests that resulted in a TLS error or a certificate error.

• exists

  (Optional, string) Specify an attribute or comma-separated list of attributes to filter the data. Valid values are: categories, policycategories, applicationid, nbarapplicationid, nbarapplicationtypeids, privateapplicationid, applicationgroupids, sha256, filename, threats, threattypes, antivirusthreats, destinationlistids, and httperrors.

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/activity?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (anyOf))

  • anyOf-1
    • externalip

      (Required, string) The external IP for the entry.

    • internalip

      (Required, string) The internal IP for the entry.

    • policycategories

      (Required, array (object)) The list of the policy categories.

      • id

        (Optional, number) The ID of the category.

      • label

        (Optional, string) The descriptive label for the category.

      • type

        (Optional, string) The type of the category.

      • integration

        (Optional, boolean) Specifies whether the category is an integration.

      • deprecated

        (Optional, boolean) Specifies whether the category is a legacy category.

    • categories

      (Required, array (object)) The list of categories.

      • id

        (Optional, number) The ID of the category.

      • label

        (Optional, string) The descriptive label for the category.

      • type

        (Optional, string) The type of the category.

      • integration

        (Optional, boolean) Specifies whether the category is an integration.

      • deprecated

        (Optional, boolean) Specifies whether the category is a legacy category.

    • verdict

      (Required, string) The verdict for the entry.

    • domain

      (Required, string) The domain name for the entry.

    • timestamp

      (Required, number) The timestamp represented in milliseconds.

    • identities

      (Required, array (object)) The list of identities for the entry.

      • id

        (Required, number) The ID of the identity.

      • label

        (Required, string) The descriptive label for the identity.

      • type

        (Required, object) The information about the identity including the type.

      • id

        (Optional, number) The ID of the origin type for the identity.

      • label

        (Optional, string) The label of the origin type for the identity.

      • type

        (Optional, string) The name of the origin type for the identity.

      • deleted

        (Required, boolean) Indicates whether the identity was deleted.

    • allapplications

      (Required, array (object)) The list of all applications for the entry.

      • id

        (Optional, number) The ID of the application.

      • label

        (Optional, string) The descriptive label for the application.

      • type

        (Optional, string) The type of the application: NBAR or AVC.

      • category

        (Optional, object) The category of the application.

      • id

        (Optional, number) The ID of the application category.

      • label

        (Optional, string) The label of the application category.

    • threats

      (Required, array (object)) The list of threats for the entry.

      • label

        (Optional, string) The descriptive label for the threat name.

      • type

        (Optional, string) The type of the threat.

    • type

      (Required, string) The type of the request. A DNS request always has the type dns.

    • querytype

      (Required, string) The type of DNS request that was made. For more information, see Common DNS Request Types.

    • date

      (Required, string) The date from the timestamp based on the timezone parameter.

    • time

      (Required, string) The time in 24-hour format based on the timezone parameter.

    • returncode

      (Required, number) The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).

    • allowedapplications

      (Required, array (object)) The list of allowed applications.

      • id

        (Optional, number) The ID of the application.

      • label

        (Optional, string) The descriptive label for the application.

      • type

        (Optional, string) The type of the application: NBAR or AVC.

      • category

        (Optional, object) The category of the application.

      • id

        (Optional, number) The ID of the application category.

      • label

        (Optional, string) The label of the application category.

    • blockedapplications

      (Required, array (object)) The list of blocked applications.

      • id

        (Optional, number) The ID of the application.

      • label

        (Optional, string) The descriptive label for the application.

      • type

        (Optional, string) The type of the application: NBAR or AVC.

      • category

        (Optional, object) The category of the application.

      • id

        (Optional, number) The ID of the application category.

      • label

        (Optional, string) The label of the application category.

  • anyOf-2
    • date

      (Required, string) The date from the timestamp based on the timezone parameter.

    • destinationip

      (Required, string) The destination IP for the entry.

    • sourceip

      (Required, string) The source IP for the entry.

    • sourceport

      (Required, number) The source port for the entry.

    • destinationport

      (Required, number) The destination port for entry.

    • categories

      (Optional, array (object)) The list of categories.

      • id

        (Optional, number) The ID of the category.

      • label

        (Optional, string) The descriptive label for the category.

      • type

        (Optional, string) The type of the category.

      • integration

        (Optional, boolean) Specifies whether the category is an integration.

      • deprecated

        (Optional, boolean) Specifies whether the category is a legacy category.

    • verdict

      (Required, string) The verdict for the entry.

    • time

      (Required, string) The time in 24-hour format based on the timezone parameter.

    • timestamp

      (Required, number) The timestamp represented in milliseconds.

    • identities

      (Required, array (object)) The list of identities for the entry.

      • id

        (Required, number) The ID of the identity.

      • label

        (Required, string) The descriptive label for the identity.

      • type

        (Required, object) The information about the identity including the type.

      • id

        (Optional, number) The ID of the origin type for the identity.

      • label

        (Optional, string) The label of the origin type for the identity.

      • type

        (Optional, string) The name of the origin type for the identity.

      • deleted

        (Required, boolean) Indicates whether the identity was deleted.

    • protocol

      (Required, object) The properties of the protocol.

    • id

      (Required, number) The ID of protocol.

    • label

      (Required, string) The name of the protocol.

    • rule

      (Required, object) The properties of the firewall rule.

    • id

      (Required, number) The ID of the rule.

    • label

      (Required, string) The name of the rule.

    • privateapplicationgroup

      (Optional, object) The private application group.

    • id

      (Optional, number) The ID of application group.

    • label

      (Optional, string) The name of the application group.

    • type

      (Required, string) The type of the request. A firewall request always has type firewall.

    • allapplications

      (Required, array (object)) A list of firewall applications

      • id

        (Optional, number) The ID of the application or protocol.

      • label

        (Optional, string) The descriptive label for the application or protocol.

      • app

        (Optional, string) The information about the app type.

    • applicationprotocols

      (Required, array (object)) A list of firewall application protocols.

      • id

        (Optional, number) The ID of the application or protocol.

      • label

        (Optional, string) The descriptive label for the application or protocol.

      • app

        (Optional, string) The information about the app type.

    • direction

      (Required, string) The direction of the packet. It is destined either towards the internet or to the customer's network.

    • packetsize

      (Required, number) The size of the packet that was received.

  • anyOf-3
    • classification

      (Required, string) The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown.

    • date

      (Required, string) The date from the timestamp based on the timezone parameter.

    • destinationip

      (Required, string) The destination IP for the entry.

    • destinationport

      (Required, number) The destination port for entry.

    • identities

      (Required, array (object)) The list of identities for the entry.

      • id

        (Required, number) The ID of the identity.

      • label

        (Required, string) The descriptive label for the identity.

      • type

        (Required, object) The information about the identity including the type.

      • id

        (Optional, number) The ID of the origin type for the identity.

      • label

        (Optional, string) The label of the origin type for the identity.

      • type

        (Optional, string) The name of the origin type for the identity.

      • deleted

        (Required, boolean) Indicates whether the identity was deleted.

    • protocol

      (Required, object) The properties of the protocol.

    • id

      (Required, number) The ID of protocol.

    • label

      (Required, string) The name of the protocol.

    • sessionid

      (Required, number) The unique identifier of a session, which is used to group the correlated events between various services.

    • severity

      (Required, string) The severity level of the rule.

    • signature

      (Required, object) The properties of the signature.

    • generatorid

      (Required, number) The unique ID that is assigned to the part of the IPS, which generated the event.

    • id

      (Required, number) The ID that is used to uniquely identify signatures.

    • label

      (Required, string) A descriptive label for the the signature.

    • cves

      (Required, array (string)) The list of common vulnerabilites and exposures (CVEs).

    • signaturelist

      (Required, object) The properties of the signature list.

    • id

      (Required, number) The unique ID assigned to a default or custom signature list.

    • sourceip

      (Required, string) The source IP for the entry.

    • sourceport

      (Required, number) The source port for the entry.

    • time

      (Required, string) The time in 24-hour format based on the timezone parameter.

    • timestamp

      (Required, number) The timestamp represented in milliseconds.

    • type

      (Required, string) The type of the request. An intrusion request always has type intrusion.

    • verdict

      (Required, string) The verdict for the entry.

  • anyOf-4
    • externalip

      (Required, string) The external IP for the entry.

    • internalip

      (Required, string) The internal IP for the entry.

    • policycategories

      (Required, array (object)) The list of policy categories.

      • id

        (Optional, number) The ID of the category.

      • label

        (Optional, string) The descriptive label for the category.

      • type

        (Optional, string) The type of the category.

      • integration

        (Optional, boolean) Specifies whether the category is an integration.

      • deprecated

        (Optional, boolean) Specifies whether the category is a legacy category.

    • categories

      (Required, array (object)) The list of categories.

      • id

        (Optional, number) The ID of the category.

      • label

        (Optional, string) The descriptive label for the category.

      • type

        (Optional, string) The type of the category.

      • integration

        (Optional, boolean) Specifies whether the category is an integration.

      • deprecated

        (Optional, boolean) Specifies whether the category is a legacy category.

    • verdict

      (Required, string) The verdict for the entry.

    • timestamp

      (Required, number) The timestamp represented in milliseconds.

    • identities

      (Required, array (object)) The list of identities for the entry.

      • id

        (Required, number) The ID of the identity.

      • label

        (Required, string) The descriptive label for the identity.

      • type

        (Required, object) The information about the identity including the type.

      • id

        (Optional, number) The ID of the origin type for the identity.

      • label

        (Optional, string) The label of the origin type for the identity.

      • type

        (Optional, string) The name of the origin type for the identity.

      • deleted

        (Required, boolean) Indicates whether the identity was deleted.

    • allapplications

      (Required, array (object)) The list of applications for the entry.

      • id

        (Optional, number) The ID of the application.

      • label

        (Optional, string) The descriptive label for the application.

      • type

        (Optional, string) The type of the application: NBAR or AVC.

      • category

        (Optional, object) The category of the application.

      • id

        (Optional, number) The ID of the application category.

      • label

        (Optional, string) The label of the application category.

    • allowedapplications

      (Required, array (object)) The list of allowed applications for the entry.

      • id

        (Optional, number) The ID of the application.

      • label

        (Optional, string) The descriptive label for the application.

      • type

        (Optional, string) The type of the application: NBAR or AVC.

      • category

        (Optional, object) The category of the application.

      • id

        (Optional, number) The ID of the application category.

      • label

        (Optional, string) The label of the application category.

    • blockedapplications

      (Required, array (object)) The list of blocked applications for the entry.

      • id

        (Optional, number) The ID of the application.

      • label

        (Optional, string) The descriptive label for the application.

      • type

        (Optional, string) The type of the application: NBAR or AVC.

      • category

        (Optional, object) The category of the application.

      • id

        (Optional, number) The ID of the application category.

      • label

        (Optional, string) The label of the application category.

    • responsefilename

      (Required, string) The response filename for the entry.

    • blockedfiletype

      (Required, string) The blocked file type for the entry.

    • bundleid

      (Required, number) The ID of the bundle type.

    • amp

      (Required, object) The properties of the AMP disposition and score for the malware.

    • score

      (Required, number) The AMP score.

    • disposition

      (Required, string) The AMP disposition.

    • malware

      (Required, string) The AMP malware.

    • type

      (Required, string) The type of the request. A proxy request is always of type 'proxy'.

    • tenantcontrols

      (Required, boolean) Specifies whether the request is part of a tenant control policy.

    • port

      (Required, number) The port used to make the request.

    • antivirusthreats

      (Required, object) The information about the antivirus threats.

    • puas

      (Required, array (object)) The list of potentially unwanted applications.

    • viruses

      (Required, array (string)) The list of viruses.

    • others

      (Required, array (object)) The list of other antivirus threats.

    • policy

      (Required, object) The properties of the rules in the policy.

    • timebasedrule

      (Required, boolean) Specify whether the policy triggered a time-of-day rule.

    • destinationlistids

      (Required, array (number)) The list of destination lists that the rules triggered.

    • ruleid

      (Required, number) The ID of the rule in the policy.

    • rulesetid

      (Required, number) The ID of the ruleset in the policy.

    • requestmethod

      (Optional, string) The HTTP request method.

    • responsesize

      (Required, number) The response size in bytes.

    • requestsize

      (Required, number) The response size in bytes.

    • statuscode

      (Required, number) The HTTP status code (200 or 201).

    • useragent

      (Required, string) The name of the browser that made the request.

    • referer

      (Required, string) The referring domain or URL.

    • warnstatus

      (Required, string) The warning status.

    • sha256

      (Required, string) The hex digest of the response content.

    • isolated

      (Required, object) The properties of the isolated file.

    • state

      (Required, string) The state of the isolated file.

    • fileaction

      (Required, string) The action taken for the file.

    • datalossprevention

      (Required, object) The information about the Data Loss Prevention state.

    • state

      (Required, string) Indicates the status of the DLP. The state is either blocked or the empty string ( ).

    • securityoverridden

      (Required, boolean) Specifies whether security overrides are configured.

    • contenttype

      (Required, string) The type of web content, typically text/html.

    • forwardingmethod

      (Required, string) The request method (GET, POST, HEAD, etc.)

    • httperrors

      (Required, array (object)) Certificate & TLS Errors

      • type

        (Optional, string) The type of the error, either CertificateError or TLSError.

      • code

        (Optional, number) The HTTP error code.

      • reason

        (Optional, string) The name of the error.

      • attributes

        (Optional, object) The properties of the additional information for the error.

    • threats

      (Required, array (object))

      • label

        (Optional, string) The descriptive label for the threat name.

      • type

        (Optional, string) The type of the threat.

    • egress

      (Required, object) The information about the egress IP.

    • ip

      (Required, string) The egress IP.

    • type

      (Required, string) The type of the egress IP.

    • datacenter

      (Required, object) The information about the data center.

    • id

      (Required, string) The unique ID for the data center.

    • label

      (Required, string) The name of the data center.

    • date

      (Required, string) The date from the timestamp based on the timezone parameter.

    • time

      (Required, string) The time in 24-hour format based on the timezone parameter.

    • destinationip

      (Required, string) The destination IP for the entry.

    • url

      (Required, string) The URL that was requested.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "meta": {},
    "data": [
        {
            "externalip": "52.8.160.247",
            "internalip": "52.8.160.247",
            "policycategories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "categories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "verdict": "allowed",
            "domain": "google.com",
            "timestamp": 1731002169000,
            "time": "06:31:46",
            "date": "2019-01-24",
            "identities": [
                {
                    "id": 1,
                    "label": "Catch Rate Testing System",
                    "type": {
                        "id": 21,
                        "label": "Sites",
                        "type": "site"
                    },
                    "deleted": true
                }
            ],
            "threats": [
                {
                    "label": "Wannacry",
                    "type": "Ransomware"
                }
            ],
            "allapplications": [
                {
                    "id": 1,
                    "label": "label",
                    "type": "NBAR",
                    "category": {
                        "id": 1,
                        "label": "category"
                    }
                }
            ],
            "allowedapplications": [
                {
                    "id": 1,
                    "label": "label",
                    "type": "NBAR",
                    "category": {
                        "id": 1,
                        "label": "category"
                    }
                }
            ],
            "querytype": "MX",
            "returncode": 2,
            "blockedapplications": [],
            "type": "dns"
        }
    ]
}

Get Activity DNS

Description

List all DNS entries within the timeframe.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• offset

  (Optional, number) A number that represents an index in the collection.

• order

  (Optional, string) A string that describes how to order the results: ascending (asc) or descending (desc).

• limit

  (Required, number) The maximum number of records to return from the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/activity/dns?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • externalip

    (Required, string) The external IP for the entry.

  • internalip

    (Required, string) The internal IP for the entry.

  • policycategories

    (Required, array (object)) The list of the policy categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • categories

    (Required, array (object)) The list of categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • verdict

    (Required, string) The verdict for the entry.

  • domain

    (Required, string) The domain name for the entry.

  • timestamp

    (Required, number) The timestamp represented in milliseconds.

  • identities

    (Required, array (object)) The list of identities for the entry.

    • id

      (Required, number) The ID of the identity.

    • label

      (Required, string) The descriptive label for the identity.

    • type

      (Required, object) The information about the identity including the type.

    • id

      (Optional, number) The ID of the origin type for the identity.

    • label

      (Optional, string) The label of the origin type for the identity.

    • type

      (Optional, string) The name of the origin type for the identity.

    • deleted

      (Required, boolean) Indicates whether the identity was deleted.

  • allapplications

    (Required, array (object)) The list of all applications for the entry.

    • id

      (Optional, number) The ID of the application.

    • label

      (Optional, string) The descriptive label for the application.

    • type

      (Optional, string) The type of the application: NBAR or AVC.

    • category

      (Optional, object) The category of the application.

    • id

      (Optional, number) The ID of the application category.

    • label

      (Optional, string) The label of the application category.

  • threats

    (Required, array (object)) The list of threats for the entry.

    • label

      (Optional, string) The descriptive label for the threat name.

    • type

      (Optional, string) The type of the threat.

  • type

    (Required, string) The type of the request. A DNS request always has the type dns.

  • querytype

    (Required, string) The type of DNS request that was made. For more information, see Common DNS Request Types.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

  • returncode

    (Required, number) The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).

  • allowedapplications

    (Required, array (object)) The list of allowed applications.

    • id

      (Optional, number) The ID of the application.

    • label

      (Optional, string) The descriptive label for the application.

    • type

      (Optional, string) The type of the application: NBAR or AVC.

    • category

      (Optional, object) The category of the application.

    • id

      (Optional, number) The ID of the application category.

    • label

      (Optional, string) The label of the application category.

  • blockedapplications

    (Required, array (object)) The list of blocked applications.

    • id

      (Optional, number) The ID of the application.

    • label

      (Optional, string) The descriptive label for the application.

    • type

      (Optional, string) The type of the application: NBAR or AVC.

    • category

      (Optional, object) The category of the application.

    • id

      (Optional, number) The ID of the application category.

    • label

      (Optional, string) The label of the application category.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "externalip": "52.8.160.247",
            "internalip": "52.8.160.247",
            "policycategories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "categories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "verdict": "allowed",
            "domain": "google.com",
            "timestamp": 1731002169000,
            "time": "06:31:46",
            "date": "2019-01-24",
            "identities": [
                {
                    "id": 1,
                    "label": "Catch Rate Testing System",
                    "type": {
                        "id": 21,
                        "label": "Sites",
                        "type": "site"
                    },
                    "deleted": true
                }
            ],
            "threats": [
                {
                    "label": "Wannacry",
                    "type": "Ransomware"
                }
            ],
            "allapplications": [
                {
                    "id": 1,
                    "label": "label",
                    "type": "NBAR",
                    "category": {
                        "id": 1,
                        "label": "category"
                    }
                }
            ],
            "allowedapplications": [
                {
                    "id": 1,
                    "label": "label",
                    "type": "NBAR",
                    "category": {
                        "id": 1,
                        "label": "category"
                    }
                }
            ],
            "querytype": "MX",
            "returncode": 2,
            "blockedapplications": [],
            "type": "dns"
        }
    ],
    "meta": {}
}

Get Activity Proxy

Description

List all proxy entries within the timeframe.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• order

  (Optional, string) A string that describes how to order the results: ascending (asc) or descending (desc).

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• ruleid

  (Optional, number) The firewall policy rule ID.

• filename

  (Optional, string) A string that identifies a filename. Filter the request by the filename. Supports globbing or use of the wildcard character (''). The asterisk () matches zero or more occurrences of any character.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• tenantcontrols

  (Optional, boolean) If set to true, filter data for requests that are part of a tenant control policy.

• isolatedstate

  (Optional, string) A string that describes the remote browser isolation (RBI) isolation type.

• isolatedFileAction

  (Optional, string) A string that describes the remote browser isolation (RBI) file action type.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• httperrors

  (Optional, string) Filter data for requests that resulted in a TLS error or a certificate error.

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/activity/proxy?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • externalip

    (Required, string) The external IP for the entry.

  • internalip

    (Required, string) The internal IP for the entry.

  • policycategories

    (Required, array (object)) The list of policy categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • categories

    (Required, array (object)) The list of categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • verdict

    (Required, string) The verdict for the entry.

  • timestamp

    (Required, number) The timestamp represented in milliseconds.

  • identities

    (Required, array (object)) The list of identities for the entry.

    • id

      (Required, number) The ID of the identity.

    • label

      (Required, string) The descriptive label for the identity.

    • type

      (Required, object) The information about the identity including the type.

    • id

      (Optional, number) The ID of the origin type for the identity.

    • label

      (Optional, string) The label of the origin type for the identity.

    • type

      (Optional, string) The name of the origin type for the identity.

    • deleted

      (Required, boolean) Indicates whether the identity was deleted.

  • allapplications

    (Required, array (object)) The list of applications for the entry.

    • id

      (Optional, number) The ID of the application.

    • label

      (Optional, string) The descriptive label for the application.

    • type

      (Optional, string) The type of the application: NBAR or AVC.

    • category

      (Optional, object) The category of the application.

    • id

      (Optional, number) The ID of the application category.

    • label

      (Optional, string) The label of the application category.

  • allowedapplications

    (Required, array (object)) The list of allowed applications for the entry.

    • id

      (Optional, number) The ID of the application.

    • label

      (Optional, string) The descriptive label for the application.

    • type

      (Optional, string) The type of the application: NBAR or AVC.

    • category

      (Optional, object) The category of the application.

    • id

      (Optional, number) The ID of the application category.

    • label

      (Optional, string) The label of the application category.

  • blockedapplications

    (Required, array (object)) The list of blocked applications for the entry.

    • id

      (Optional, number) The ID of the application.

    • label

      (Optional, string) The descriptive label for the application.

    • type

      (Optional, string) The type of the application: NBAR or AVC.

    • category

      (Optional, object) The category of the application.

    • id

      (Optional, number) The ID of the application category.

    • label

      (Optional, string) The label of the application category.

  • responsefilename

    (Required, string) The response filename for the entry.

  • blockedfiletype

    (Required, string) The blocked file type for the entry.

  • bundleid

    (Required, number) The ID of the bundle type.

  • amp

    (Required, object) The properties of the AMP disposition and score for the malware.

  • score

    (Required, number) The AMP score.

  • disposition

    (Required, string) The AMP disposition.

  • malware

    (Required, string) The AMP malware.

  • type

    (Required, string) The type of the request. A proxy request is always of type 'proxy'.

  • tenantcontrols

    (Required, boolean) Specifies whether the request is part of a tenant control policy.

  • port

    (Required, number) The port used to make the request.

  • antivirusthreats

    (Required, object) The information about the antivirus threats.

  • puas

    (Required, array (object)) The list of potentially unwanted applications.

  • viruses

    (Required, array (string)) The list of viruses.

  • others

    (Required, array (object)) The list of other antivirus threats.

  • policy

    (Required, object) The properties of the rules in the policy.

  • timebasedrule

    (Required, boolean) Specify whether the policy triggered a time-of-day rule.

  • destinationlistids

    (Required, array (number)) The list of destination lists that the rules triggered.

  • ruleid

    (Required, number) The ID of the rule in the policy.

  • rulesetid

    (Required, number) The ID of the ruleset in the policy.

  • requestmethod

    (Optional, string) The HTTP request method.

  • responsesize

    (Required, number) The response size in bytes.

  • requestsize

    (Required, number) The response size in bytes.

  • statuscode

    (Required, number) The HTTP status code (200 or 201).

  • useragent

    (Required, string) The name of the browser that made the request.

  • referer

    (Required, string) The referring domain or URL.

  • warnstatus

    (Required, string) The warning status.

  • sha256

    (Required, string) The hex digest of the response content.

  • isolated

    (Required, object) The properties of the isolated file.

  • state

    (Required, string) The state of the isolated file.

  • fileaction

    (Required, string) The action taken for the file.

  • datalossprevention

    (Required, object) The information about the Data Loss Prevention state.

  • state

    (Required, string) Indicates the status of the DLP. The state is either blocked or the empty string ( ).

  • securityoverridden

    (Required, boolean) Specifies whether security overrides are configured.

  • contenttype

    (Required, string) The type of web content, typically text/html.

  • forwardingmethod

    (Required, string) The request method (GET, POST, HEAD, etc.)

  • httperrors

    (Required, array (object)) Certificate & TLS Errors

    • type

      (Optional, string) The type of the error, either CertificateError or TLSError.

    • code

      (Optional, number) The HTTP error code.

    • reason

      (Optional, string) The name of the error.

    • attributes

      (Optional, object) The properties of the additional information for the error.

  • threats

    (Required, array (object))

    • label

      (Optional, string) The descriptive label for the threat name.

    • type

      (Optional, string) The type of the threat.

  • egress

    (Required, object) The information about the egress IP.

  • ip

    (Required, string) The egress IP.

  • type

    (Required, string) The type of the egress IP.

  • datacenter

    (Required, object) The information about the data center.

  • id

    (Required, string) The unique ID for the data center.

  • label

    (Required, string) The name of the data center.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

  • destinationip

    (Required, string) The destination IP for the entry.

  • url

    (Required, string) The URL that was requested.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "destinationip": "",
            "externalip": "32.4.91.7",
            "responsesize": 3329530,
            "allapplications": [
                {
                    "id": 1313,
                    "label": "Netflix",
                    "category": {
                        "id": 47,
                        "label": "Media"
                    }
                }
            ],
            "date": "2022-02-18",
            "datalossprevention": {
                "state": ""
            },
            "antivirusthreats": {
                "puas": [],
                "viruses": [],
                "others": []
            },
            "internalip": "192.168.1.43",
            "referer": "",
            "contenttype": "",
            "tenantcontrols": false,
            "securityoverridden": false,
            "useragent": "",
            "time": "23:29:42",
            "amp": {
                "disposition": "",
                "score": 0,
                "malware": ""
            },
            "policycategories": [],
            "type": "proxy",
            "requestsize": 1996,
            "port": 443,
            "policy": {
                "ruleid": 0,
                "rulesetid": 0,
                "destinationlistids": [],
                "timebasedrule": false
            },
            "forwardingmethod": "",
            "categories": [
                {
                    "id": 17,
                    "type": "content",
                    "label": "Movies",
                    "integration": false,
                    "deprecated": true
                }
            ],
            "isolated": {
                "state": "not-isolated",
                "fileaction": ""
            },
            "statuscode": 200,
            "egress": {
                "ip": "155.190.3.8",
                "type": "shared"
            },
            "blockedfiletype": "",
            "url": "https://ipv4-lax2-ix.1.oca.anothervideo.net",
            "verdict": "allowed",
            "responsefilename": "",
            "warnstatus": "",
            "sha256": "",
            "timestamp": 1645226982000,
            "blockedapplications": [],
            "allowedapplications": [],
            "identities": [
                {
                    "id": 1,
                    "type": {
                        "id": 34,
                        "type": "anyconnect",
                        "label": "Anyconnect Roaming Client"
                    },
                    "label": "Vincent's Macbook",
                    "deleted": false
                }
            ],
            "datacenter": {
                "label": "Los Angeles, US",
                "id": "LAX"
            },
            "threats": [],
            "httperrors": [],
            "bundleid": 3
        }
    ],
    "meta": {}
}

Get Activity Firewall

Description

List all firewall activity within the timeframe.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• offset

  (Optional, number) A number that represents an index in the collection.

• limit

  (Required, number) The maximum number of records to return from the collection.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• ruleid

  (Optional, number) The firewall policy rule ID.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/activity/firewall?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • destinationip

    (Required, string) The destination IP for the entry.

  • sourceip

    (Required, string) The source IP for the entry.

  • sourceport

    (Required, number) The source port for the entry.

  • destinationport

    (Required, number) The destination port for entry.

  • categories

    (Optional, array (object)) The list of categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • verdict

    (Required, string) The verdict for the entry.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

  • timestamp

    (Required, number) The timestamp represented in milliseconds.

  • identities

    (Required, array (object)) The list of identities for the entry.

    • id

      (Required, number) The ID of the identity.

    • label

      (Required, string) The descriptive label for the identity.

    • type

      (Required, object) The information about the identity including the type.

    • id

      (Optional, number) The ID of the origin type for the identity.

    • label

      (Optional, string) The label of the origin type for the identity.

    • type

      (Optional, string) The name of the origin type for the identity.

    • deleted

      (Required, boolean) Indicates whether the identity was deleted.

  • protocol

    (Required, object) The properties of the protocol.

  • id

    (Required, number) The ID of protocol.

  • label

    (Required, string) The name of the protocol.

  • rule

    (Required, object) The properties of the firewall rule.

  • id

    (Required, number) The ID of the rule.

  • label

    (Required, string) The name of the rule.

  • privateapplicationgroup

    (Optional, object) The private application group.

  • id

    (Optional, number) The ID of application group.

  • label

    (Optional, string) The name of the application group.

  • type

    (Required, string) The type of the request. A firewall request always has type firewall.

  • allapplications

    (Required, array (object)) A list of firewall applications

    • id

      (Optional, number) The ID of the application or protocol.

    • label

      (Optional, string) The descriptive label for the application or protocol.

    • app

      (Optional, string) The information about the app type.

  • applicationprotocols

    (Required, array (object)) A list of firewall application protocols.

    • id

      (Optional, number) The ID of the application or protocol.

    • label

      (Optional, string) The descriptive label for the application or protocol.

    • app

      (Optional, string) The information about the app type.

  • direction

    (Required, string) The direction of the packet. It is destined either towards the internet or to the customer's network.

  • packetsize

    (Required, number) The size of the packet that was received.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "date": "2019",
            "destinationip": "52.8.160.247",
            "sourceip": "192.168.0.1",
            "sourceport": 0,
            "destinationport": 0,
            "categories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "verdict": "allowed",
            "time": "12:34",
            "timestamp": 1731002169000,
            "identities": [
                {
                    "id": 1,
                    "label": "Catch Rate Testing System",
                    "type": {
                        "id": 21,
                        "label": "Sites",
                        "type": "site"
                    },
                    "deleted": false
                }
            ],
            "protocol": {
                "id": 17,
                "label": "UDP"
            },
            "rule": {
                "id": 1,
                "label": "Default Rule"
            },
            "type": "firewall",
            "allapplications": [
                {
                    "id": 72,
                    "label": "dns IT Service Management",
                    "app": ""
                }
            ],
            "applicationprotocols": [
                {
                    "id": 72,
                    "label": "dns IT Service Management",
                    "app": ""
                }
            ],
            "packetsize": 32,
            "direction": "towards"
        }
    ],
    "meta": {}
}

Get Activity Intrusion

Description

List all Intrusion Prevention System (IPS) activity within the timeframe.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• offset

  (Optional, number) A number that represents an index in the collection.

• limit

  (Required, number) The maximum number of records to return from the collection.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• signatures

  (Optional, string) The signature or comma-separated list of - signatures.

• signaturelistids

  (Optional, string) The signature ID or comma-separated list of signature list IDs.

• intrusionaction

  (Optional, string) An action or list of comma-separated intrusion actions. Valid values are: would_block, blocked, and detected.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/activity/intrusion?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • classification

    (Required, string) The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • destinationip

    (Required, string) The destination IP for the entry.

  • destinationport

    (Required, number) The destination port for entry.

  • identities

    (Required, array (object)) The list of identities for the entry.

    • id

      (Required, number) The ID of the identity.

    • label

      (Required, string) The descriptive label for the identity.

    • type

      (Required, object) The information about the identity including the type.

    • id

      (Optional, number) The ID of the origin type for the identity.

    • label

      (Optional, string) The label of the origin type for the identity.

    • type

      (Optional, string) The name of the origin type for the identity.

    • deleted

      (Required, boolean) Indicates whether the identity was deleted.

  • protocol

    (Required, object) The properties of the protocol.

  • id

    (Required, number) The ID of protocol.

  • label

    (Required, string) The name of the protocol.

  • sessionid

    (Required, number) The unique identifier of a session, which is used to group the correlated events between various services.

  • severity

    (Required, string) The severity level of the rule.

  • signature

    (Required, object) The properties of the signature.

  • generatorid

    (Required, number) The unique ID that is assigned to the part of the IPS, which generated the event.

  • id

    (Required, number) The ID that is used to uniquely identify signatures.

  • label

    (Required, string) A descriptive label for the the signature.

  • cves

    (Required, array (string)) The list of common vulnerabilites and exposures (CVEs).

  • signaturelist

    (Required, object) The properties of the signature list.

  • id

    (Required, number) The unique ID assigned to a default or custom signature list.

  • sourceip

    (Required, string) The source IP for the entry.

  • sourceport

    (Required, number) The source port for the entry.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

  • timestamp

    (Required, number) The timestamp represented in milliseconds.

  • type

    (Required, string) The type of the request. An intrusion request always has type intrusion.

  • verdict

    (Required, string) The verdict for the entry.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "type": "intrusion",
            "date": "12-02-22",
            "destinationip": "10.10.10.10",
            "protocol": {
                "id": 17,
                "label": "UDP"
            },
            "sourceip": "10.10.10.10",
            "signaturelist": {
                "id": 1111
            },
            "classification": "malicious",
            "rule": [
                {
                    "id": 391327,
                    "label": "UNKNOWN"
                }
            ],
            "ipsProfile": "PROFILE",
            "sourceport": 22,
            "sessionid": 190898098,
            "verdict": "detected",
            "destinationport": 33,
            "timestamp": 1594557262000,
            "time": "09:30",
            "identities": [
                {
                    "id": 211034846,
                    "type": {
                        "id": 34,
                        "type": "anyconnect",
                        "label": "Anyconnect Roaming Client"
                    },
                    "label": "omerta",
                    "deleted": false
                }
            ],
            "severity": "HIGH",
            "signature": {
                "generatorid": 1,
                "id": 47829,
                "label": "SERVER-OTHER JBoss Richfaces expression language injection attempt",
                "cves": [
                    "cve-2015-0279",
                    "cve-2018-12532"
                ]
            }
        }
    ],
    "meta": {}
}

Get Activity IP

Description

(Deprecated) List all IP activity within the timeframe.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• offset

  (Optional, number) A number that represents an index in the collection.

• limit

  (Required, number) The maximum number of records to return from the collection.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/activity/ip?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array ())

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [],
    "meta": {}
}

Get Activity AMP Retrospective

Description

List all AMP retrospective activity within the timeframe.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• offset

  (Optional, number) A number that represents an index in the collection.

• limit

  (Required, number) The maximum number of records to return from the collection.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• sha256

  (Optional, string) A SHA-256 hash.

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/activity/amp-retrospective?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • timestamp

    (Required, number) The timestamp represented in seconds.

  • firstseenat

    (Required, number) The date and time (a timestamp expressed in seconds) when the malware event was first recorded.

  • disposition

    (Required, string) The disposition for the entry.

  • score

    (Required, number) The score for the entry.

  • hostname

    (Required, string) The hostname for the entry.

  • malwarename

    (Required, string) The name of the malware for the entry.

  • sha256

    (Required, string) The SHA256 hash for the entry.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "timestamp": 1548311506,
            "firstseenat": 1548311506,
            "disposition": "clean",
            "score": 10,
            "hostname": "google.com",
            "malwarename": "malware",
            "sha256": "9495b6c155044053953efe30ebaf804780c114e7b721b14f6a5b0a782769696e"
        }
    ],
    "meta": {}
}

Get Top Identities (All)

Description

List the identities by the number of requests made, sorted in descending order.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-identities?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • requests

    (Required, number) The total number of requests made by this identity.

  • bandwidth

    (Required, number) The amount of bandwidth

  • identity

    (Required, object) The information about the identity.

  • id

    (Required, number) The ID of the identity.

  • label

    (Required, string) The descriptive label for the identity.

  • type

    (Required, object) The information about the identity including the type.

  • id

    (Optional, number) The ID of the origin type for the identity.

  • label

    (Optional, string) The label of the origin type for the identity.

  • type

    (Optional, string) The name of the origin type for the identity.

  • deleted

    (Required, boolean) Indicates whether the identity was deleted.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • rank

    (Required, number) The rank of the result based on the number of requests.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "requests": 3827,
            "bandwidth": 7051943359,
            "identity": {
                "id": 1,
                "label": "Catch Rate Testing System",
                "type": {
                    "id": 21,
                    "label": "Sites",
                    "type": "site"
                },
                "deleted": false
            },
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "rank": 3
        }
    ],
    "meta": {}
}

Get Top Identities

Description

List the identities for the specific traffic type by the number of requests. Sort the results in descending order.

Access Scope: Reports > Aggregations > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-identities/{type}?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • requests

    (Required, number) The total number of requests made by this identity.

  • bandwidth

    (Required, number) The amount of bandwidth

  • identity

    (Required, object) The information about the identity.

  • id

    (Required, number) The ID of the identity.

  • label

    (Required, string) The descriptive label for the identity.

  • type

    (Required, object) The information about the identity including the type.

  • id

    (Optional, number) The ID of the origin type for the identity.

  • label

    (Optional, string) The label of the origin type for the identity.

  • type

    (Optional, string) The name of the origin type for the identity.

  • deleted

    (Required, boolean) Indicates whether the identity was deleted.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • rank

    (Required, number) The rank of the result based on the number of requests.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "requests": 3827,
            "bandwidth": 7051943359,
            "identity": {
                "id": 1,
                "label": "Catch Rate Testing System",
                "type": {
                    "id": 21,
                    "label": "Sites",
                    "type": "site"
                },
                "deleted": false
            },
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "rank": 3
        }
    ],
    "meta": {}
}

Get Identity Distribution (All)

Description

List the number of requests by identity types.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/identity-distribution?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • requests

    (Required, number) The requests made by the identity type.

  • unique_identity_count

    (Required, number) The number unique identities associated with the identity type.

  • identitytype

    (Required, object) The information about the identity including the type.

  • id

    (Optional, number) The ID of the origin type for the identity.

  • label

    (Optional, string) The label of the origin type for the identity.

  • type

    (Optional, string) The name of the origin type for the identity.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "requests": 312,
            "unique_identity_count": 12,
            "identitytype": {
                "id": 21,
                "label": "Sites",
                "type": "site"
            }
        }
    ],
    "meta": {}
}

Get Identity Distribution By Type

Description

List the number of requests by identity for the type of traffic.

Access Scope: Reports > Aggregations > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/identity-distribution/{type}?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object)) The list of identity distributions.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • requests

    (Required, number) The requests made by the identity type.

  • unique_identity_count

    (Required, number) The number unique identities associated with the identity type.

  • identitytype

    (Required, object) The information about the identity including the type.

  • id

    (Optional, number) The ID of the origin type for the identity.

  • label

    (Optional, string) The label of the origin type for the identity.

  • type

    (Optional, string) The name of the origin type for the identity.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "requests": 312,
            "unique_identity_count": 12,
            "identitytype": {
                "id": 21,
                "label": "Sites",
                "type": "site"
            }
        }
    ],
    "meta": {}
}

Get Top Destinations

Description

List the destinations by the number of requests made to this destination. Return the results in descending order.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-destinations?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • bandwidth

    (Required, number) The amount of bandwidth

  • rank

    (Required, number) The rank of the result based on the number of requests.

  • domain

    (Required, string) The domain name.

  • count

    (Required, number) The total number of requests made for this destination.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • categories

    (Required, array (object)) The list of categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • policycategories

    (Required, array (object)) The policy categories that are associated with the destination.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "bandwidth": 223437,
            "rank": 4,
            "domain": "google.com",
            "count": 3827,
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "categories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "policycategories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ]
        }
    ],
    "meta": {}
}

Get Top Destinations By Type

Description

List the destinations by type of destination and the number of requests made to this destination. Return the collection in descending order.

Access Scope: Reports > Aggregations > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-destinations/{type}?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • bandwidth

    (Required, number) The amount of bandwidth

  • rank

    (Required, number) The rank of the result based on the number of requests.

  • domain

    (Required, string) The domain name.

  • count

    (Required, number) The total number of requests made for this destination.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • categories

    (Required, array (object)) The list of categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • policycategories

    (Required, array (object)) The policy categories that are associated with the destination.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "bandwidth": 223437,
            "rank": 4,
            "domain": "google.com",
            "count": 3827,
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "categories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "policycategories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ]
        }
    ],
    "meta": {}
}

Get Top URLs

Description

List the top number of URLs that are requested for a certain domain.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-urls?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • count

    (Required, number) The total number of requests.

  • path

    (Required, string) The URL path.

  • categories

    (Required, array (object)) The list of categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • rank

    (Required, number) The numeric rank of the top URL.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "count": 884,
            "path": "/backend-api/conversation",
            "categories": [
                {
                    "id": 132,
                    "type": "content",
                    "label": "SaaS and B2B",
                    "integration": false,
                    "deprecated": false
                }
            ],
            "rank": 1
        },
        {
            "count": 123,
            "path": "",
            "categories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "rank": 2
        }
    ],
    "meta": {}
}

Get Top Categories (All)

Description

List the categories that received the greatest number of requests. Order the number of requests in descending order.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-categories?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • rank

    (Required, number) The rank of the result based on the number of requests.

  • category

    (Required, object) The properties of the category.

  • id

    (Optional, number) The ID of the category.

  • label

    (Optional, string) The descriptive label for the category.

  • type

    (Optional, string) The type of the category.

  • integration

    (Optional, boolean) Specifies whether the category is an integration.

  • deprecated

    (Optional, boolean) Specifies whether the category is a legacy category.

  • count

    (Required, number) The number of requests that match this category.

  • bandwidth

    (Optional, number) The amount of bandwidth

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "rank": 5,
            "category": {
                "id": 66,
                "label": "Malware",
                "typse": "security",
                "integration": true
            },
            "count": 3827
        }
    ],
    "meta": {}
}

Get Top Categories By Type

Description

List the categories for the type of traffic that received the greatest number of requests. Order the number of requests in descending order.

Access Scope: Reports > Aggregations > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-categories/{type}?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • rank

    (Required, number) The rank of the result based on the number of requests.

  • category

    (Required, object) The properties of the category.

  • id

    (Optional, number) The ID of the category.

  • label

    (Optional, string) The descriptive label for the category.

  • type

    (Optional, string) The type of the category.

  • integration

    (Optional, boolean) Specifies whether the category is an integration.

  • deprecated

    (Optional, boolean) Specifies whether the category is a legacy category.

  • count

    (Required, number) The number of requests that match this category.

  • bandwidth

    (Optional, number) The amount of bandwidth

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "rank": 5,
            "category": {
                "id": 66,
                "label": "Malware",
                "type": "security",
                "integration": true
            },
            "count": 3827
        }
    ],
    "meta": {}
}

Get Top Event Types (All)

Description

List the top event types by the number of requests made for each type of event. Order the number of requests in descending order. The valid event types are: domain_security, domain_integration, url_security, url_integration, cisco_amp, and antivirus.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-eventtypes?from=<value>&to=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • eventtype

    (Required, string) The type of the event.

  • count

    (Required, number) The number of requests that match the event type (eventtype).

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "eventtype": "antivirus",
            "count": 3827
        }
    ],
    "meta": {}
}

Get Top DNS Query Types

Description

List the top types of DNS query.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• offset

  (Optional, number) A number that represents an index in the collection.

• limit

  (Required, number) The maximum number of records to return from the collection.

• order

  (Optional, string) A string that describes how to order the results: ascending (asc) or descending (desc).

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-dns-query-types?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • requests

    (Required, number) The total number of requests.

  • querytype

    (Required, string) The type of the DNS query.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "requests": 123,
            "querytype": "A"
        }
    ],
    "meta": {}
}

Get Requests by Hour (All)

Description

List the activity volume within the timeframe.

Access Scope: Reports > Granular Events > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/requests-by-hour?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • count

    (Required, number) The number of requests in the hour.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "count": 123,
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00"
        }
    ],
    "meta": {}
}

Get Requests by Hour

Description

List the activity volume within the timeframe.

Access Scope: Reports > Granular Events > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/requests-by-hour/{type}?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • count

    (Required, number) The number of requests in the hour.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "count": 123,
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00"
        }
    ],
    "meta": {}
}

Get Requests by Timerange (All)

Description

List the activity volume within the timeframe.

Access Scope: Reports > Granular Events > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/requests-by-timerange?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object)) The information about the requests within the timerange.

  • count

    (Required, number) The number of requests in the hour.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "count": 123,
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00"
        }
    ],
    "meta": {}
}

Get Requests by Timerange

Description

List the activity volume within the timeframe.

Access Scope: Reports > Granular Events > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/requests-by-timerange/{type}?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • count

    (Required, number) The number of requests in the hour.

  • counts

    (Required, object) The information about the requests.

  • requests

    (Optional, number) The total number of requests.

  • allowedrequests

    (Optional, number) The number of requests that were allowed.

  • blockedrequests

    (Optional, number) The number of requests that were blocked.

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "count": 123,
            "counts": {
                "requests": 123,
                "allowedrequests": 60,
                "blockedrequests": 63
            },
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00"
        }
    ],
    "meta": {}
}

Get Requests by Hour and Category (All)

Description

List the activity volume within the timeframe by type of category.

Access Scope: Reports > Granular Events > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/categories-by-hour?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

  • counts

    (Required, array (object)) The list of counts for the category.

    • category

      (Required, object) The properties of the category.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

    • requests

      (Required, number) The total number of requests for the category.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00",
            "counts": [
                {
                    "category": {
                        "id": 66,
                        "label": "Malware",
                        "type": "security",
                        "integration": true
                    },
                    "requests": 123
                }
            ]
        }
    ],
    "meta": {}
}

Get Requests by Hour and Category

Description

List the activity volume for the type of category within the timeframe.

Access Scope: Reports > Granular Events > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/categories-by-hour/{type}?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

  • counts

    (Required, array (object)) The list of counts for the category.

    • category

      (Required, object) The properties of the category.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

    • requests

      (Required, number) The total number of requests for the category.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00",
            "counts": [
                {
                    "category": {
                        "id": 66,
                        "label": "Malware",
                        "type": "security",
                        "integration": true
                    },
                    "requests": 123
                }
            ]
        }
    ],
    "meta": {}
}

Get Requests by Timerange and Category (All)

Description

List the activity volume within the timeframe by category.

Access Scope: Reports > Granular Events > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/categories-by-timerange?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

  • counts

    (Required, array (object)) The list of counts for the category.

    • category

      (Required, object) The properties of the category.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

    • requests

      (Required, number) The total number of requests for the category.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00",
            "counts": [
                {
                    "category": {
                        "id": 66,
                        "label": "Malware",
                        "type": "security",
                        "integration": true
                    },
                    "requests": 123
                }
            ]
        }
    ],
    "meta": {}
}

Get Requests by Timerange and Category

Description

List the activity volume within the timeframe by category.

Access Scope: Reports > Granular Events > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/categories-by-timerange/{type}?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

  • counts

    (Required, array (object)) The list of counts for the category.

    • category

      (Required, object) The properties of the category.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

    • requests

      (Required, number) The total number of requests for the category.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00",
            "counts": [
                {
                    "category": {
                        "id": 66,
                        "label": "Malware",
                        "type": "security",
                        "integration": true
                    },
                    "requests": 123
                }
            ]
        }
    ],
    "meta": {}
}

Get Deployment Status

Description

List the deployment status within the timeframe.

Access Scope: Reports > Granular Events > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/deployment-status?from=<value>&to=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • type

    (Required, object) The information about the identity including the type.

  • id

    (Optional, number) The ID of the origin type for the identity.

  • label

    (Optional, string) The label of the origin type for the identity.

  • type

    (Optional, string) The name of the origin type for the identity.

  • activecount

    (Required, number) The count of the active identity type.

  • count

    (Required, number) The total count of the identity type.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "id": 21,
            "label": "Sites",
            "type": {
                "id": 1,
                "label": "Sites",
                "type": "Sites"
            },
            "activecount": 1,
            "count": 1
        }
    ],
    "meta": {}
}

Get Bandwidth by Hour (All)

Description

List the bandwidth in bytes within the timeframe. Only returns proxy data.

Access Scope: Reports > Granular Events > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/bandwidth-by-hour?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • inboundbytes

    (Required, number) The number of inbound bytes.

  • outboundbytes

    (Required, number) The number of outbound bytes.

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "inboundbytes": 123,
            "outboundbytes": 456,
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00"
        }
    ],
    "meta": {}
}

Get Bandwidth by Timerange (All)

Description

List the bandwidth in bytes within the timeframe. Only returns proxy data.

Access Scope: Reports > Granular Events > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/bandwidth-by-timerange?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • inboundbytes

    (Required, number) The number of inbound bytes.

  • outboundbytes

    (Required, number) The number of outbound bytes.

  • timestamp

    (Required, number) The timestamp represented in milliseconds for the bucket.

  • date

    (Required, string) The date from the timestamp based on the timezone parameter.

  • time

    (Required, string) The time in 24-hour format based on the timezone parameter.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "inboundbytes": 123,
            "outboundbytes": 456,
            "timestamp": 1559836800000,
            "date": "2019",
            "time": "16:00:00"
        }
    ],
    "meta": {}
}

Get Top Files (Proxy)

Description

List the top files within the timeframe. Only returns proxy data.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• limit

  (Required, number) The maximum number of records to return from the collection.

• offset

  (Optional, number) A number that represents an index in the collection.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/top-files?from=<value>&to=<value>&limit=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, array (object))

  • requests

    (Required, number) The number of requests for the file.

  • sha256

    (Required, string) The SHA256 hash for the entry.

  • categories

    (Required, array (object)) The list of categories.

    • id

      (Optional, number) The ID of the category.

    • label

      (Optional, string) The descriptive label for the category.

    • type

      (Optional, string) The type of the category.

    • integration

      (Optional, boolean) Specifies whether the category is an integration.

    • deprecated

      (Optional, boolean) Specifies whether the category is a legacy category.

  • identitycount

    (Required, number) The count of the identities for the entry.

  • filenames

    (Required, array (string)) The list of filenames for the entry.

  • filetypes

    (Required, array (string)) The list of filetypes for the entry.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": [
        {
            "requests": 123,
            "sha256": "9495b6c155044053953efe30ebaf804780c114e7b721b14f6a5b0a782769696e",
            "categories": [
                {
                    "id": 66,
                    "label": "Malware",
                    "type": "security",
                    "integration": true
                }
            ],
            "identitycount": 1,
            "filenames": [],
            "filetypes": []
        }
    ],
    "meta": {}
}

Get Total Requests (All)

Description

Get the count of the total requests.

Access Scope: Reports > Aggregations > Read-Only

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• ruleid

  (Optional, number) The firewall policy rule ID.

• sha256

  (Optional, string) A SHA-256 hash.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample

Copy
curl -L --location-trusted --request GET --url 'https://api.umbrellagov.com/reports/v2/total-requests?from=<value>&to=<value>' \
-H 'Authorization: Bearer %YourAccessToken%' \
-H 'Content-Type: application/json'

Response Schema (object)

• data

  (Required, object) The total number of requests.

• count

  (Required, number) The total number of requests.

• meta

  (Required, object) The properties of the metadata.

Response Sample

Copy{
    "data": {
        "count": 42
    },
    "meta": {}
}

Get Total Requests (By Type)

Description

Get the count of the total requests for the request type.

Access Scope: Reports > Aggregations > Read-Only

Path Parameters

• type

  (Required, string) Specify the type of traffic.

Query Parameters

• from

  (Required, string) A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time.

• to

  (Required, string) A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.

• domains

  (Optional, string) A domain name or comma-delimited list of domain name.

• urls

  (Optional, string) A URL or comma-delimited list of URL.

• categories

  (Optional, string) A category ID or comma-delimited list of category ID.

• policycategories

  (Optional, string) A category ID or comma-delimited list of category ID. Filter the request by the categories that trigger a policy.

• ip

  (Optional, string) An IP address.

• ports

  (Optional, string) A port number or comma-delimited list of port numbers.

• identityids

  (Optional, string) An identity ID or comma-delimited list of identity IDs.

• identitytypes

  (Optional, string) An identity type or comma-delimited list of identity types.

• applicationid

  (Optional, string) The ID of the application.

• ruleid

  (Optional, number) The firewall policy rule ID.

• verdict

  (Optional, string) A string or comma-delimited string that describes whether the traffic can reach the destination.

• securityoverridden

  (Optional, boolean) Specify whether to filter on requests that override security.

• bundleid

  (Optional, number) A proxy bundle ID.

• threats

  (Optional, string) A threat name or comma-delimited list of threat names.

• threattypes

  (Optional, string) A threat type or comma-delimited list of threat types.

• ampdisposition

  (Optional, string) An AMP disposition string or a comma-delimited list of AMP disposition strings.

• antivirusthreats

  (Optional, string) A threat name or comma-delimited list of threat names.

• datalosspreventionstate

  (Optional, string) A string that describes the status of a destination. Filter for requests that are blocked by the DLP layer security.

• filternoisydomains

  (Optional, boolean) Filter out domains that generate a lot of insignificant traffic (noise).

• timezone

  (Optional, string) Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.

Request Sample