Cisco Secure Access Reporting API

Reporting

The Cisco Secure Access Reporting API provides visibility into the traffic, events, and activities of the user devices, resources, and networks in an organization.

This guide provides information about the Reporting API path and query parameters, Secure Access content categories and IDs, and other location-related parameters that are required when making a request to the Reporting API. For questions about setting the location and location-trusted flags and redirecting HTTP requests, see HTTP Redirects and Request Authorization Header.

Overview

Walkthrough: Secure Access Reporting API

Rate Limits for Reporting

Secure Access enables rate limits on the Reporting API endpoints. For more information, see Rate Limits > Reporting API.

Request Headers

Unless specified, the Secure Access API endpoints use JSON for all requests and responses.

Note: For POST, PUT, and PATCH operations, set the HTTP Content-Type header to application/json in your API request.

Use Cases and Best Practices

The Secure Access Reporting API enables you to programmatically access logs and reports, and build widgets or custom reports. The Reporting API does not support bulk data retrieval. If you must export all your data or large data collections, you can enable logging to Amazon Simple Storage Service (Amazon S3). For more information about the Secure Access logs, see Manage Logging in the Cisco Secure Access Help.

Use Case Granularity or Type Recommendation Considerations
Compliance or long-term event retention Export and store all events. Use a customer owned Amazon S3 bucket.
SIEM: Event correlation Export all events. Use a Cisco managed Amazon S3 bucket. Secure Access retains data for 30 days.
Dashboard KPI or widgets Activity Search and Aggregations. Use the Reporting API. Use query parameters to filter requests.
Report generation Aggregations. Use the Reporting API.
SOAR workflow: trigger Activity Search. Use the Reporting API. Use query parameters to filter requests.

Request Path Parameters

The Secure Access Reporting API endpoints require various path parameters.

Parameter Example Description
type ztna Specify the type of traffic. Valid values are firewall or ztna.
type dns Specify the type of traffic. Valid values are dns or proxy.
type ip Specify the type of traffic. Valid values: dns, proxy, or ip.
type firewall Specify the type of traffic. Valid values: dns, proxy, firewall, or ip.
type firewall Specify the type of traffic. Valid values: dns, proxy, firewall, ip, ztna, or remote-access.
type intrusion Specify the type of traffic. Valid values: dns, proxy, firewall, intrusion, ip, remote-access, or ztna.
identityid 42 An identity ID.
threattypeid Ransomware The name of the threat type.
threatnameid WannaCry The name of the threat.

Request Query Parameters

You can customize and filter the Secure Access Reporting API requests with query parameters. Each Reporting API endpoint defines its required query parameters.

Note: Secure Access uses the timestamp of the events to sort the /activity, /activity/dns, /activity/proxy, /activity/decryption, /activity/intrusion, /activity/firewall, /activity/ztna, and /activity/amp-retrospective collections. If multiple events occur in the same second, the order of the collection is not guaranteed to be consistent.

For more information about time-related query parameters, see Timestamp and Relative Time Strings.

Parameter Example Description
from 1639146300000 A timestamp or relative time string (for example: '-1days') Filter for data that appears after this time.
Required
to 1640010300000 A timestamp or relative time string (for example: 'now'). Filter for data that appears before this time.
Required
offset 0 A number that represents an index into the collection.
offset 0 (See specific API endpoints) A number that represents an index into the collection.
Required
limit 100 The maximum number of records to return from the collection.
Required
limit 100 (Identities utility endpoint) The number of records to return from the collection. The default limit is 100. In a single response, the server returns at most 5000 records from the collection.
Required
timezone ASIA%2fCALCUTTA Display the timestamp of the traffic events in the specified timezone. For the timezone, provide a continent and city separated by an url-encoded forward slash ('/'), for example: timezone='ASIA%2fCALCUTTA'.
domains cisco.com,nasa.gov A domain name or comma-delimited list of domain name.
urls https://google.com,facebook.com/help A URL or comma-delimited list of URL.
categories 148,151,66 A category ID or comma-delimited list of category ID.
policycategories 67,69 A category ID or comma-delimited list of category ID. Filter request by the categories that trigger a policy.
ip 10.10.10.10 An IP address
order desc A string that describes how to order the results. Valid values are: asc or desc.
ports 7351,80 A port number or comma-delimited list of port number.
identityids 1,2,3 An identity ID or comma-delimited list of identity ID.
identitytypes network,roaming An identity type or comma-delimited list of identity type.
applicationid 1 The ID of the application.
verdict allowed,blocked A string or comma-delimited string that describes the verdict about accessing the destination.
ruleid 1 The firewall policy rule ID.
ruleids 31,47 A comma-delimited list of firewall policy rule IDs.
Required
groupids 31,47 A comma-delimited list of resource connector group IDs.
Required
cputhreshold 16 The CPU threshold (cputhreshold) percentage that is used to filter overloaded groups.
Required
agentids 31,47 A comma-delimited list of resource connector agent IDs.
Required
privateresourceids 29,31 A comma-delimited list of private resource IDs.
Required
privateresourceid 47 A private resource ID.
Required
filename myfilename_* A string that identifies a filename. Filter the request by the filename. Supports globbing or use of the wildcard character (''). The asterisk () matches zero or more occurrences of any character.
securityoverridden true Specify whether to filter on requests that override security.
bundleid 1 A proxy bundle ID.
threats A threat name or comma-delimited list of threat name.
threattypes A threat type or comma-delimited list of threat type.
ampdisposition clean,malicious,unknown An AMP disposition string or a comma-delimited list of AMP disposition string.
isolatedstate isolated A string that describes the remote browser isolation (RBI) isolation type. Valid values are: isolated or not-isolated.
isolatedFileAction downloaded-safe-pdf A string that describes the remote browser isolation (RBI) file action type. Valid values are: viewed, downloaded-original-file, or downloaded-safe-pdf.
datalosspreventionstate blocked A string that describes the status of a destination. Valid values are: blocked. Filter data for requests that the DLP services block to protect data.
sha256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad A SHA-256 hash.
antivirusthreats Trojan.Linux.Generic.144075 A threat name or comma-delimited list of threat names.
tenantcontrols true If set to true, filter data for requests that are part of a tenant control policy.
search somelabel A string that represents a search parameter. Filter data for requests in which the search string appears in the endpoint data.
application Games Filter on the name of the application.
filternoisydomains true Filter out domains that generate a lot of insignificant traffic (noise).
httperrors certificateerror Filter data for requests that resulted in a TLS error or a certificate error. Valid values are: certificateerror or tlserror.
signatures 1-2,1-4 The signature or comma-separated list of - signatures.
signaturelistids 1,2 The signature ID or comma-separated list of signature list IDs.
ipsprofile config,profile An IPS profile string or comma-delimited list of IPS profile string.
intrusionaction detected,would_block An action or list of comma-separated intrusion actions. Valid values are: would_block, blocked, and detected.
exists destinationlistids,threattypes Specify an attribute or comma-separated list of attributes to filter the data. Valid values are: categories, policycategories, applicationid, nbarapplicationid, nbarapplicationtypeids, privateapplicationid, applicationgroupids, sha256, filename, threats, threattypes, antivirusthreats, destinationlistids, and httperrors.
connectionevent connected Specify the type of connection event.
osversions linux-64-Ubuntu 20.04.5 LTS (Focal Fossa) Specify a comma-separated list of OS versions.
anyconnectversions 4.10.05095,5.10 Specify a comma-separated list of AnyConnect Roaming Security module versions.
ztnatype clientless Specify the Zero Trust Network Access (ZTNA) session type.
decryptaction decryptinbound,donodecrypt The list of comma-separated decryption actions. Valid values are: decryptinbound, decryptoutbound, donotdecrypt, and decrypterror.

Categories Query Parameter

The Secure Access Reporting API categories query parameter accepts a string with a single category ID or list of comma-separated category IDs. Use the categories query parameter to search for events in your reports that are related to the categories. You can get the list of Secure Access categories from the Secure Access Reporting API /categories endpoint. The category object includes the category ID. For more information about the Secure Access Reporting API /categories endpoint, see Get Categories.

Secure Access Reporting API Categories with IDs

Click to view the Secure Access Reporting API category IDs and labels
IDLabel
1Alcohol
2Auctions
6Dating
10Gambling
11Games
14Humor
24Social Networking
27Advertisements
30Weapons
37Parked Domains
38Tobacco
44Pornography
52Politics
55Travel
60Drive-by Downloads/Exploits
61Dynamic DNS
62Mobile Threats
63High Risk Sites and Locations
64Command and Control
65Command and Control
66Malware
67Malware
68Phishing
70FireEye
71Block List
72Allow List
73Global Whitelist
74Sinkhole
76Check Point
79ZeroFOX
82ThreatQ
84ThreatConnect
96Cisco AMP Threat Grid
106Unauthorized IP Tunnel Access
107URL Shorteners
108Newly Seen Domains
109Potentially Harmful
110DNS Tunneling VPN
111Arts
112Astrology
113Computer Security
114Digital Postcards
115Dining and Drinking
116Dynamic and Residential
117Fashion
118File Transfer Services
119Freeware and Shareware
120Hacking
121Illegal Activities
122Illegal Downloads
123Infrastructure and Content Delivery Networks
124Internet Telephony
125Lotteries
126Mobile Phones
127Nature and Conservation
128Online Trading
129Personal Sites
130Professional Networking
131Real Estate
132SaaS and B2B
133Safe for Kids
134Science and Technology
135Sex Education
136Social Science
137Society and Culture
138Software Updates
139Web Hosting
140Web Page Translation
141Organizational Email
142Online Meetings
143Paranormal
144Personal VPN
145DIY Projects
146Hunting
147Military
148Application
150Cryptomining
151Application Block
152Application Allow
153Infringing Intellectual Property
161Adult
162Web-based Email
163Business and Industry
164Chat and Instant Messaging
165Cheating and Plagiarism
166Child Abuse Content
167Computers and Internet
168Education
169Entertainment
170Extreme
171Filter Avoidance
172Finance
173Government and Law
174Hate Speech
175Health and Medicine
176Illegal Drugs
177Job Search
178Lingerie and Swimsuits
179News
180Non-governmental Organizations
181Non-sexual Nudity
182Not Actionable
183Online Communities
184Online Storage and Backup
185Web Cache and Archives
186Peer File Transfer
187Photo Search and Images
188Reference
189Religion
190Search Engines and Portals
191Shopping
192Sports and Recreation
193Streaming Audio
194Streaming Video
195Transportation
196Animals and Pets
197Cannabis
198Cloud and Data Centers
199Conventions, Conferences and Trade Shows
200Cryptocurrency
201DoH and DoT
202Internet of Things
203Museums
204Terrorism and Violent Extremism
205Online Document Sharing and Collaboration
206Private IP Addresses as Host
207Recipes and Food
208Regional Restricted Sites (Germany)
209Regional Restricted Sites (Great Britain)
210Regional Restricted Sites (Italy)
211Regional Restricted Sites (Poland)

Secure Access Reporting API Categories with Legacy IDs

Click to view the Secure Access Reporting API legacy category IDs and labels
Legacy IDLabel
2Alcohol
3Auctions
7Dating
11Gambling
12Games
15Humor
24Social Networking
414Advertisements
28Weapons
57Parked Domains
73Tobacco
64Pornography
66Politics
68Travel
83Drive-by Downloads/Exploits
85Dynamic DNS
87Mobile Threats
89High Risk Sites and Locations
90Command and Control
92Command and Control
94Malware
96Malware
98Phishing
102FireEye
112Block List
114Allow List
116Global Whitelist
178Sinkhole
104Check Point
110ZeroFOX
121ThreatQ
125ThreatConnect
147Cisco AMP Threat Grid
169Unauthorized IP Tunnel Access
170URL Shorteners
172Newly Seen Domains
174Potentially Harmful
176DNS Tunneling VPN
327Arts
329Astrology
331Computer Security
333Digital Postcards
335Dining and Drinking
337Dynamic and Residential
339Fashion
341File Transfer Services
343Freeware and Shareware
345Hacking
347Illegal Activities
349Illegal Downloads
351Infrastructure and Content Delivery Networks
353Internet Telephony
355Lotteries
357Mobile Phones
359Nature and Conservation
361Online Trading
363Personal Sites
365Professional Networking
367Real Estate
369SaaS and B2B
371Safe for Kids
373Science and Technology
375Sex Education
377Social Science
379Society and Culture
381Software Updates
383Web Hosting
385Web Page Translation
387Organizational Email
389Online Meetings
391Paranormal
393Personal VPN
395DIY Projects
397Hunting
399Military
400Application
403Cryptomining
405Application Block
407Application Allow
409Infringing Intellectual Property
415Adult
416Web-based Email
417Business and Industry
418Chat and Instant Messaging
419Cheating and Plagiarism
420Child Abuse Content
421Computers and Internet
422Education
423Entertainment
424Extreme
425Filter Avoidance
426Finance
427Government and Law
428Hate Speech
429Health and Medicine
430Illegal Drugs
431Job Search
432Lingerie and Swimsuits
433News
434Non-governmental Organizations
435Non-sexual Nudity
458Not Actionable
437Online Communities
438Online Storage and Backup
467Web Cache and Archives
440Peer File Transfer
441Photo Search and Images
442Reference
443Religion
444Search Engines and Portals
445Shopping
446Sports and Recreation
447Streaming Audio
448Streaming Video
449Transportation
450Animals and Pets
451Cannabis
452Cloud and Data Centers
453Conventions, Conferences and Trade Shows
454Cryptocurrency
455DoH and DoT
456Internet of Things
457Museums
466Terrorism and Violent Extremism
459Online Document Sharing and Collaboration
460Private IP Addresses as Host
461Recipes and Food
462Regional Restricted Sites (Germany)
463Regional Restricted Sites (Great Britain)
464Regional Restricted Sites (Italy)
465Regional Restricted Sites (Poland)

Secure Access Reporting API Categories with Deprecated Legacy IDs

Click to view the Secure Access Reporting API deprecated legacy category IDs and labels
Deprecated Legacy IDLabel
1Adware
4Blogs
5Chat
6Classifieds
8Drugs
9Ecommerce/Shopping
10File Storage
13Hate/Discrimination
14Health and Fitness
16Instant Messaging
17Jobs/Employment
19Movies
33News/Media
20P2P/File sharing
48Photo Sharing
21Portals
22Radio
23Search Engines
47Software/Technology
34Television
26Video Sharing
27Visual Search Engines
29Webmail
56Business Services
52Educational Institutions
55Financial Institutions
49Government
50Music
51Sports
58Adult Themes
60Lingerie/Bikini
63Nudity
61Proxy/Anonymizer
62Sexuality
59Tasteless
72Academic Fraud
70Automotive
67Forums/Message boards
69Non-Profits
71Podcasts
65Religious
54Research/Reference
74German Youth Protection
76Anime/Manga/Webcomic
77Web Spam
126Internet Watch Foundation
401Terrorism
410IT-AGCOM
412IT-ADM

Request Data by Time Range

Many Secure Access Reporting API endpoints require that you set a time range to filter the data. You can define a time range with the to and from request query parameters. Additionally, some Secure Access Reporting API endpoints enable a timerange header.

Time Range Header

The timerange header describes how to group data within a twenty-four hour period. This header accepts the following strings:

  • minute
  • hour (default value)
  • day

Secure Access Reporting API resources that group data by hourly intervals do not enable the timerange header. These resources include:

  • Bandwidth by Hour
  • Requests by Hour
  • Requests by Hour and Category

Time Range Example

The Requests by Timerange resource accepts the timerange header as well as the to and from query parameters. For example, you can set the timerange header to minute, the to query parameter to now, and the from query parameter to -1days.

Timestamp and Relative Time Strings

The to and from query parameters accept a timestamp string defined in milliseconds from the Unix epoch. For example: 1619007756000 (converted from 2021-04-21:08:22:36 GMT-04:00).

You can also set other time range string values for these parameters.

Examples of to query parameter values:

  • now
  • -1days

Examples of from query parameter values:

  • -2days
  • -10minutes
  • -2weeks

Note: The time range set by the to and from query parameters cannot exceed 30 days.

HTTP Redirects and Request Authorization Header

Secure Access stores the reporting data in geolocated data warehouses. Depending on the location where you make an API request, you must use a base URI in the request that is associated with your location.

The base URIs for reaching the Secure Access Reporting API from Europe (EU) and the United States (US) are:

  • EU: api.sse.cisco.com/reports.eu/v2
  • US: api.sse.cisco.com/reports.us/v2

Note: If an HTTP request does not originate from the same continent as the location of the Secure Access data warehouse, Secure Access responds with 302 Found.

To automatically redirect HTTP requests and preserve the HTTP Authorization header, you can set additional flags on the client and enable a redirect setting.

  • curl: You must pass the -L or --location, and --location-trusted flags to redirect the curl HTTP request and retain the Authorization header.

     curl --location --location-trusted \
 --request GET --url 'https://api.sse.cisco.com/reports/v2/activity?from=-7days&to=now&limit=10' \
 -H 'Authorization: Bearer %YourAccessToken%' \
 -H 'Content-Type: application/json'

  • Postman: Within the Postman environment, navigate to an API and choose a GET method. Navigate to Settings. Enable Follow Authorization header to preserve the Authorization header for redirect requests.

Secure Access Reporting API Endpoints

You can find the Reporting API endpoints in the reports scope.

Activity

Top Identities

Identity Distribution

Top Resources

Top Destinations

Top Categories

Top Event Types

Top DNS Query Types

Organization Requests by Hour

Organization Requests by Time Range

Organization Requests by Hour and Category

Organization Requests by Time Range and Category

Deployment and Status

Bandwidth by Hour

Bandwidth by Time Range

Top Files

Total Requests

Top Threats

Top Threat Types

Utility

Top IPs

Summary

Summaries by Category

Summaries by Destination

Summaries by Rule

Remote Access

Private Resource

Requests Resource Connector

Requests Summary Resource Connector Groups

Resource Connectors

Rules Activity

Unique Resources