Reporting
The Umbrella for Government Reporting API provides visibility into the traffic, events, and activities of the user devices and networks in your organization.
Use Cases and Best Practices
The Reporting API enables you to programmatically access logs and reports, and build widgets or custom reports. The Reporting API does not support bulk data retrieval. If you need to export all of your data or large data collections, you can enable logging to Amazon Simple Storage Service (Amazon S3). For more information about Umbrella logs, see Manage Your Logs in the Umbrella for Government SIG User Guide.
| Use Case | Granularity or Type | Recommendation | Considerations |
|---|---|---|---|
| Compliance or long-term event retention | Export and store all events. | Use a customer owned Amazon S3 bucket. | |
| SIEM: Event correlation | Export all events. | Use a Cisco managed Amazon S3 bucket. | Umbrella retains data for 30 days. |
| Dashboard KPI or widgets | Activity Search and Aggregations. | Use the Reporting API. | Use query parameters to filter requests. |
| Report generation | Aggregations. | Use the Reporting API. | |
| SOAR workflow: trigger | Activity Search. | Use the Reporting API. | Use query parameters to filter requests. |
Request Path Parameters
The Reporting API endpoints require various path parameters.
| Parameter | Example | Description |
|---|---|---|
| type | dns | Specify the type of traffic. Valid values: dns or proxy. |
| type | ip | Specify the type of traffic. Valid values: dns, proxy, or ip. |
| type | firewall | Specify the type of traffic. Valid values: dns, proxy, firewall, or ip. |
| type | intrusion | Specify the type of traffic. Valid values: dns, proxy, firewall, intrusion, or ip. |
| identityid | 42 | An identity ID |
| threattypeid | Ransomware | A threat type name |
| threatnameid | WannaCry | The threat name |
Request Query Parameters
You can customize and filter API requests with query parameters. Each Reporting API endpoint defines its required query parameters.
Note: Umbrella uses the timestamp of the events to sort the/activity,/activity/dns,/activity/proxy,/activity/intrusion,/activity/firewall, and/activity/amp-retrospectivecollections. If multiple events occur in the same second, the order of the collection is not guaranteed to be consistent.
| Parameter | Example | Description |
|---|---|---|
| from | 1639146300000 | A timestamp or relative time string (for example: '-1days'). Filter for data that appears after this time. Required |
| to | 1640010300000 | A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time. Required |
| offset | 0 | A number that represents an index into the collection. |
| limit | 100 | The maximum number of records to return from the collection. Required |
| limit | 100 | (Identities utility endpoint) The number of records to return from the collection. The default limit is 100. In a single response, the server returns at most 5000 records from the collection. Required |
| timezone | ASIA%2fCALCUTTA | Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'. |
| domains | cisco.com,nasa.gov |
A domain name or comma-delimited list of domain name. |
| urls | https://google.com,facebook.com/help |
A URL or comma-delimited list of URL. |
| categories | 148,151,66 | A category ID or comma-delimited list of category ID. |
| policycategories | 67,69 | A category ID or comma-delimited list of category ID. Filter request by the categories that trigger a policy. |
| ip | 10.10.10.10 | An IP address |
| order | desc | A string that describes how to order the results (for example: 'asc' or 'desc'). |
| ports | 7351,80 | A port number or comma-delimited list of port number. |
| identityids | 1,2,3 | An identity ID or comma-delimited list of identity ID. |
| identitytypes | network,roaming | An identity type or comma-delimited list of identity type. |
| applicationid | 1 | An application ID. |
| verdict | allowed,blocked,proxied | A verdict string or comma-delimited list of verdict string. |
| ruleid | 1 | A firewall policy rule ID. |
| filename | myfilename_* | A string that identifies a filename. Filter request by the filename. Supports globbing or use of the wildcard character (''). The asterisk () matches zero or more occurrences of any character. |
| securityoverridden | true | Specify whether to filter on requests that override security. |
| bundleid | 1 | A proxy bundle ID. |
| threats | A threat name or comma-delimited list of threat name. | |
| threattypes | A threat type or comma-delimited list of threat type. | |
| ampdisposition | clean,malicious,unknown | An AMP disposition string or a comma-delimited list of AMP disposition string. |
| isolatedstate | isolated | A string that describes the remote browser isolation (RBI) isolation type (for example: 'isolated' or 'not-isolated'). |
| isolatedFileAction | downloaded-safe-pdf | A string that describes the remote browser isolation (RBI) file action type (for example: 'viewed', 'downloaded-original-file', or 'downloaded-safe-pdf'). |
| datalosspreventionstate | blocked | A string that describes the status of a destination (for example: 'blocked'). Filter data for requests that were blocked to protect data. |
| sha256 | ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad | A SHA-256 hash |
| antivirusthreats | Trojan.Linux.Generic.144075 | A threat name or comma-delimited list of threat name. |
| tenantcontrols | true | If set to 'true', filter data for requests that are part of a tenant control policy. |
| search | somelabel | A string that represents a search parameter. Filter data for requests where the search string appears in the endpoint data. |
| application | Games | The application name |
| filternoisydomains | true | filter out domains that generate a lot of insignificant traffic (noise). |
| httperrors | certificateerror | Filter data for requests that resulted in a TLS error or a certificate error. Valid values: certificateerror or tlserror. |
| signatures | 1-2,1-4 | list of |
| signaturelistids | 1,2 | list of signature list ids, comma delimited |
| intrusionaction | detected,would_block | list of intrusion actions, comma delimited. Valid values are: would_block, blocked, detected |
| exists | destinationlistids,threattypes | Specify a comma-separated list of attributes to filter the data. Valid values are: categories, policycategories, applicationid, nbarapplicationid, nbarapplicationtypeids, privateapplicationid, applicationgroupids, sha256, filename, threats, threattypes, antivirusthreats, destinationlistids, httperrors. |
| connectionevent | connected | Specify the type of connection event. |
| osversions | linux-64-Ubuntu 20.04.5 LTS (Focal Fossa) | Specify a comma-separated list of OS versions to filter the data. |
| anyconnectversions | 4.10.05095 | Specify a comma-separated list of AnyConnect Roaming Security module versions to filter the data. |
Categories Query Parameter
The Umbrella for Government Reporting API categories query parameter accepts a string with a single category ID or list of comma-separated category IDs. Use the categories query parameter to search for events in your reports that are related to the categories. You can get the list of Umbrella categories from the Reporting API /categories endpoint. The category object includes the category ID. For more information about the Reporting API /categories endpoint, see Get Categories.
Umbrella for Government Reporting API Categories with IDs
Click to view the Umbrella for Government Reporting API category IDs and labels
| ID | Label |
|---|---|
| 1 | Alcohol |
| 2 | Auctions |
| 6 | Dating |
| 10 | Gambling |
| 11 | Games |
| 14 | Humor |
| 24 | Social Networking |
| 27 | Advertisements |
| 30 | Weapons |
| 37 | Parked Domains |
| 38 | Tobacco |
| 44 | Pornography |
| 52 | Politics |
| 55 | Travel |
| 60 | Drive-by Downloads/Exploits |
| 61 | Dynamic DNS |
| 62 | Mobile Threats |
| 63 | High Risk Sites and Locations |
| 64 | Command and Control |
| 65 | Command and Control |
| 66 | Malware |
| 67 | Malware |
| 68 | Phishing |
| 70 | FireEye |
| 71 | Block List |
| 72 | Allow List |
| 73 | Global Whitelist |
| 74 | Sinkhole |
| 76 | Check Point |
| 79 | ZeroFOX |
| 82 | ThreatQ |
| 84 | ThreatConnect |
| 96 | Cisco AMP Threat Grid |
| 106 | Unauthorized IP Tunnel Access |
| 107 | URL Shorteners |
| 108 | Newly Seen Domains |
| 109 | Potentially Harmful |
| 110 | DNS Tunneling VPN |
| 111 | Arts |
| 112 | Astrology |
| 113 | Computer Security |
| 114 | Digital Postcards |
| 115 | Dining and Drinking |
| 116 | Dynamic and Residential |
| 117 | Fashion |
| 118 | File Transfer Services |
| 119 | Freeware and Shareware |
| 120 | Hacking |
| 121 | Illegal Activities |
| 122 | Illegal Downloads |
| 123 | Infrastructure and Content Delivery Networks |
| 124 | Internet Telephony |
| 125 | Lotteries |
| 126 | Mobile Phones |
| 127 | Nature and Conservation |
| 128 | Online Trading |
| 129 | Personal Sites |
| 130 | Professional Networking |
| 131 | Real Estate |
| 132 | SaaS and B2B |
| 133 | Safe for Kids |
| 134 | Science and Technology |
| 135 | Sex Education |
| 136 | Social Science |
| 137 | Society and Culture |
| 138 | Software Updates |
| 139 | Web Hosting |
| 140 | Web Page Translation |
| 141 | Organizational Email |
| 142 | Online Meetings |
| 143 | Paranormal |
| 144 | Personal VPN |
| 145 | DIY Projects |
| 146 | Hunting |
| 147 | Military |
| 148 | Application |
| 150 | Cryptomining |
| 151 | Application Block |
| 152 | Application Allow |
| 153 | Infringing Intellectual Property |
| 161 | Adult |
| 162 | Web-based Email |
| 163 | Business and Industry |
| 164 | Chat and Instant Messaging |
| 165 | Cheating and Plagiarism |
| 166 | Child Abuse Content |
| 167 | Computers and Internet |
| 168 | Education |
| 169 | Entertainment |
| 170 | Extreme |
| 171 | Filter Avoidance |
| 172 | Finance |
| 173 | Government and Law |
| 174 | Hate Speech |
| 175 | Health and Medicine |
| 176 | Illegal Drugs |
| 177 | Job Search |
| 178 | Lingerie and Swimsuits |
| 179 | News |
| 180 | Non-governmental Organizations |
| 181 | Non-sexual Nudity |
| 182 | Not Actionable |
| 183 | Online Communities |
| 184 | Online Storage and Backup |
| 185 | Web Cache and Archives |
| 186 | Peer File Transfer |
| 187 | Photo Search and Images |
| 188 | Reference |
| 189 | Religion |
| 190 | Search Engines and Portals |
| 191 | Shopping |
| 192 | Sports and Recreation |
| 193 | Streaming Audio |
| 194 | Streaming Video |
| 195 | Transportation |
| 196 | Animals and Pets |
| 197 | Cannabis |
| 198 | Cloud and Data Centers |
| 199 | Conventions, Conferences and Trade Shows |
| 200 | Cryptocurrency |
| 201 | DoH and DoT |
| 202 | Internet of Things |
| 203 | Museums |
| 204 | Terrorism and Violent Extremism |
| 205 | Online Document Sharing and Collaboration |
| 206 | Private IP Addresses as Host |
| 207 | Recipes and Food |
| 208 | Regional Restricted Sites (Germany) |
| 209 | Regional Restricted Sites (Great Britain) |
| 210 | Regional Restricted Sites (Italy) |
| 211 | Regional Restricted Sites (Poland) |
Umbrella for Government Reporting API Categories with Legacy IDs
Click to view the Umbrella for Government Reporting API legacy category IDs and labels
| Legacy ID | Label |
|---|---|
| 2 | Alcohol |
| 3 | Auctions |
| 7 | Dating |
| 11 | Gambling |
| 12 | Games |
| 15 | Humor |
| 24 | Social Networking |
| 414 | Advertisements |
| 28 | Weapons |
| 57 | Parked Domains |
| 73 | Tobacco |
| 64 | Pornography |
| 66 | Politics |
| 68 | Travel |
| 83 | Drive-by Downloads/Exploits |
| 85 | Dynamic DNS |
| 87 | Mobile Threats |
| 89 | High Risk Sites and Locations |
| 90 | Command and Control |
| 92 | Command and Control |
| 94 | Malware |
| 96 | Malware |
| 98 | Phishing |
| 102 | FireEye |
| 112 | Block List |
| 114 | Allow List |
| 116 | Global Whitelist |
| 178 | Sinkhole |
| 104 | Check Point |
| 110 | ZeroFOX |
| 121 | ThreatQ |
| 125 | ThreatConnect |
| 147 | Cisco AMP Threat Grid |
| 169 | Unauthorized IP Tunnel Access |
| 170 | URL Shorteners |
| 172 | Newly Seen Domains |
| 174 | Potentially Harmful |
| 176 | DNS Tunneling VPN |
| 327 | Arts |
| 329 | Astrology |
| 331 | Computer Security |
| 333 | Digital Postcards |
| 335 | Dining and Drinking |
| 337 | Dynamic and Residential |
| 339 | Fashion |
| 341 | File Transfer Services |
| 343 | Freeware and Shareware |
| 345 | Hacking |
| 347 | Illegal Activities |
| 349 | Illegal Downloads |
| 351 | Infrastructure and Content Delivery Networks |
| 353 | Internet Telephony |
| 355 | Lotteries |
| 357 | Mobile Phones |
| 359 | Nature and Conservation |
| 361 | Online Trading |
| 363 | Personal Sites |
| 365 | Professional Networking |
| 367 | Real Estate |
| 369 | SaaS and B2B |
| 371 | Safe for Kids |
| 373 | Science and Technology |
| 375 | Sex Education |
| 377 | Social Science |
| 379 | Society and Culture |
| 381 | Software Updates |
| 383 | Web Hosting |
| 385 | Web Page Translation |
| 387 | Organizational Email |
| 389 | Online Meetings |
| 391 | Paranormal |
| 393 | Personal VPN |
| 395 | DIY Projects |
| 397 | Hunting |
| 399 | Military |
| 400 | Application |
| 403 | Cryptomining |
| 405 | Application Block |
| 407 | Application Allow |
| 409 | Infringing Intellectual Property |
| 415 | Adult |
| 416 | Web-based Email |
| 417 | Business and Industry |
| 418 | Chat and Instant Messaging |
| 419 | Cheating and Plagiarism |
| 420 | Child Abuse Content |
| 421 | Computers and Internet |
| 422 | Education |
| 423 | Entertainment |
| 424 | Extreme |
| 425 | Filter Avoidance |
| 426 | Finance |
| 427 | Government and Law |
| 428 | Hate Speech |
| 429 | Health and Medicine |
| 430 | Illegal Drugs |
| 431 | Job Search |
| 432 | Lingerie and Swimsuits |
| 433 | News |
| 434 | Non-governmental Organizations |
| 435 | Non-sexual Nudity |
| 458 | Not Actionable |
| 437 | Online Communities |
| 438 | Online Storage and Backup |
| 467 | Web Cache and Archives |
| 440 | Peer File Transfer |
| 441 | Photo Search and Images |
| 442 | Reference |
| 443 | Religion |
| 444 | Search Engines and Portals |
| 445 | Shopping |
| 446 | Sports and Recreation |
| 447 | Streaming Audio |
| 448 | Streaming Video |
| 449 | Transportation |
| 450 | Animals and Pets |
| 451 | Cannabis |
| 452 | Cloud and Data Centers |
| 453 | Conventions, Conferences and Trade Shows |
| 454 | Cryptocurrency |
| 455 | DoH and DoT |
| 456 | Internet of Things |
| 457 | Museums |
| 466 | Terrorism and Violent Extremism |
| 459 | Online Document Sharing and Collaboration |
| 460 | Private IP Addresses as Host |
| 461 | Recipes and Food |
| 462 | Regional Restricted Sites (Germany) |
| 463 | Regional Restricted Sites (Great Britain) |
| 464 | Regional Restricted Sites (Italy) |
| 465 | Regional Restricted Sites (Poland) |
Umbrella for Government Reporting API Categories with Deprecated Legacy IDs
Click to view the Umbrella for Government Reporting API deprecated legacy category IDs and labels
| Deprecated Legacy ID | Label |
|---|---|
| 1 | Adware |
| 4 | Blogs |
| 5 | Chat |
| 6 | Classifieds |
| 8 | Drugs |
| 9 | Ecommerce/Shopping |
| 10 | File Storage |
| 13 | Hate/Discrimination |
| 14 | Health and Fitness |
| 16 | Instant Messaging |
| 17 | Jobs/Employment |
| 19 | Movies |
| 33 | News/Media |
| 20 | P2P/File sharing |
| 48 | Photo Sharing |
| 21 | Portals |
| 22 | Radio |
| 23 | Search Engines |
| 47 | Software/Technology |
| 34 | Television |
| 26 | Video Sharing |
| 27 | Visual Search Engines |
| 29 | Webmail |
| 56 | Business Services |
| 52 | Educational Institutions |
| 55 | Financial Institutions |
| 49 | Government |
| 50 | Music |
| 51 | Sports |
| 58 | Adult Themes |
| 60 | Lingerie/Bikini |
| 63 | Nudity |
| 61 | Proxy/Anonymizer |
| 62 | Sexuality |
| 59 | Tasteless |
| 72 | Academic Fraud |
| 70 | Automotive |
| 67 | Forums/Message boards |
| 69 | Non-Profits |
| 71 | Podcasts |
| 65 | Religious |
| 54 | Research/Reference |
| 74 | German Youth Protection |
| 76 | Anime/Manga/Webcomic |
| 77 | Web Spam |
| 126 | Internet Watch Foundation |
| 401 | Terrorism |
| 410 | IT-AGCOM |
| 412 | IT-ADM |
Request Data by Time Range
Many Reporting API endpoints require that you set a time range to filter the data. You can define a time range with the to and from request query parameters. Also, some Reporting API endpoints enable a timerange header.
Time Range Header
The timerange header describes how to group data within a 24-hour period. This header accepts the following strings:
- minute
- hour (default value)
- day
Umbrella Reporting API resources that group data by hourly intervals do not enable the timerange header. These resources include:
- Bandwidth by Hour
- Requests by Hour
- Requests by Hour and Category
Time Range Example
The Requests by Timerange resource accepts the timerange header and the to and from query parameters. For example, you can set the timerange header to minute, the to query parameter to now, and the from query parameter to -1days.
Timestamp and Relative Time Strings
The to and from query parameters accept a timestamp string that is defined in milliseconds from the Unix epoch. For example: 1619007756000 (converted from 2021-04-21:08:22:36 GMT-04:00).
You can also set other time range strings for these parameters.
Examples of to query parameter values:
now-1days
Examples of from query parameter values:
-2days-10minutes-2weeks
Note: The time range set by thetoandfromquery parameters cannot exceed 30 days.
HTTP Redirects and Request Authorization Header
Umbrella stores the reporting data in geolocated data warehouses.
- EU:
api.umbrellagov.com/reports.eu/v2 - US:
api.umbrellagov.com/reports.us/v2
Note: If an HTTP request does not originate from the same continent as the Umbrella data center, the server responds with 302 Found.
To automatically redirect HTTP requests and preserve the HTTP Authorization header, you can set additional flags or enable a redirect setting.
curl: You must pass the-Lor--location, and--location-trustedflags to redirect thecurlHTTP request and retain the Authorization header.curl --location --location-trusted \ --request GET --url 'https://api.umbrellagov.com/reports/v2/activity?from=-7days&to=now&limit=10' \ -H 'Authorization: Bearer %YourAccessToken%' \ -H 'Content-Type: application/json'Postman: Within the Postman environment, navigate to an API and choose aGETmethod. Navigate to Settings. EnableFollow Authorization headerto preserve the Authorization header for redirect requests.
Umbrella for Government Reporting API Endpoints
You can find the Reporting API endpoints in the reports scope.
Activity
- Get Activities (All)
- Get Activity DNS
- Get Activity Proxy
- Get Activity Firewall
- Get Activity Intrusion
- Get Activity IP
- Get Activity AMP Retrospective
Top Identities
Identity Distribution
Top Destinations
Top Categories
Top Event Types
Top DNS Query Types
Organization Requests by Hour
Organization Requests by Time Range
Organization Requests by Hour and Category
Organization Requests by Time Range and Category
Deployment and Status
Bandwidth by Hour
Bandwidth by Time Range
Top Files
Total Requests
Top Threats
Top Threat Types
Utility
- Get Applications
- Get Categories
- Get Identities
- Post Identities by IDs
- Get Identity
- Get Threat Types
- Get Threat Types by Threat ID
- Get Threat Names
- Get Threat Name by Threat ID
Top IPs
Summary
Summaries by Category
Summaries by Destination
Summaries by Rule
Version: 2.0.0
Contact: Cloud Security Developer Community
Download OpenAPI DocumentContact: Cloud Security Developer Community